General

  • Target

    Conti-0xb.zip

  • Size

    94KB

  • Sample

    250404-bwjxaaxwgt

  • MD5

    3d656512d6b78f7c66f33cb035d5da0a

  • SHA1

    ce6e17897897ef3d9200e62561330bdba733dd75

  • SHA256

    bb559e393dfd758a6a4fea745fcd651cff5363025d632b53d81d8111d4843f4e

  • SHA512

    ece34614bc9c9593f66781607c429c704b8aff70d7c5047740ce234bf9149a58753d562350b7f0b3a56bf0923359b803ccaf06b5dc51702a97a347e977c992af

  • SSDEEP

    1536:Tym7MFMgyTibDcyNonvMa+hLcHOCbGvJguN9ja7dscCmkyqiQ6IsQ6J:Tg2rQOnvMa+hdJgWgd3s6t3J

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Ransom Note
All your files are encrypted and the backup is corrupted. Don't worry, only our team can recover files. We only accept BTC transactions for payment. Before payment, you can submit 1 file for decryption testing. The file cannot be a backup, database, key, and the file cannot exceed 80kb. Hopefully the head of the organization will contact us directly. We have no other purpose. We just want money. We have always been honest. There has been a period of time in your organization and obtained almost all of your applications, people, dealers, products and other data. If we are ignored, this incident will be made public. Sell your data. Contacting us as soon as possible is the best way for everyone. Contact us tox.id: "F03697478C23619141468DF39D14C3EBAECF1D93EF0AE14A14338741141C566671CB3F4C3A1A" If you do not contact us to pay the ransom within 7 days, the amount will double. 1. Do not restart the operating system or isolate the LAN. 2. Do not modify the encrypted file without authorization. If an encryption barrier occurs, some files cannot be recovered by the decryption key and we will not be held responsible. ---BEGIN ID--- bLkGYvN43a3tVNzPJrQGfNEQgFhqFSSmCdCSQABgOyLPZNKGgmfYktRw510bKGsR ---END ID---

Targets

    • Target

      Conti-0xb.exe

    • Size

      225KB

    • MD5

      4cd1bdd51aad677e34b28eb8fdbb8713

    • SHA1

      15f0d03511fb8b97e8e25e2c88ce287a3daeacd7

    • SHA256

      8cc0af07f6a734190daa831d3636db4d88a5c9e74872ebcfb3aa9b5beea77804

    • SHA512

      a41f63165c721db042ed7be26f93c7703dbaca0e502051ea9723ffa077285f21683138d3874a6854264a4d0b5c46be02a0590113475fd8366c6e08f5ab1de52b

    • SSDEEP

      3072:n6syAG2L/wgMrxFSbY3Fq5dQWQC0F0+aLTZtjaPPZMtcdlrRMC/T2wc:6iG2EgwFSc3U5dv0FOTDaPPZMEfBc

    • Renames multiple (8702) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks