Resubmissions

Date               Sample ID           Score
15/05/2025, 07:39  250515-jg1v9abk5s   10
15/05/2025, 05:36  250515-garb5a1j17   10

General

  • Target

    encrypter-windows-gui-x86.zip

  • Size

    600KB

  • Sample

    250515-garb5a1j17

  • MD5

    6e7d53e8f4fead156637b404a9b87962

  • SHA1

    63a199642fcefcfa5d2e982bea6efc8b51a970a6

  • SHA256

    acf624fd5f6c21c41c4b67b4cc55075df81ad0e5ff10cfce97a1298b1dada421

  • SHA512

    4566a20e61af71cd39320d254e70dfcc53005dc46e1a951c8636c5c13e7b591afda4697091b9944d51ae24221f5a8ebfa5cdb1b0616f2bc2e42b226f0bde55f6

  • SSDEEP

    12288:8UBgtL58MnizZVnag3kmeD7F7NiUWlZKi1BTjzI4UpQ8h9e4fo:8wgtLXQZdpkmw73iZKirzk1fo

Malware Config

Extracted

Path

C:\73606aa2173bf79693c8b74b\README.TXT

Ransom Note

Hello! Your data is encrypted! We do not dare to decide the future fate of your data, only you can decide it ! Since we have many years of experience in this field, we can help you solve this problem quickly and in the most convenient way for you.

1. The price of decryption directly depends on the time in which you decide to ransom, we know perfectly well how data recovery companies work and in the event that you are trying to recover data without us (this is almost impossible). But for decryption companies this is the main income, the price of decryption will be several times higher. If you admit your mistake and are ready to pay within 12 hours after the attack, in this case the price will be 50-30% of the main cost.

2. We also understand that some of you are forced to contact an intermediary! In this case, we strongly recommend that you act as follows, under no circumstances trust your fate to decryption companies and control every step, including negotiations with us, leave backup copies of the most important data in encrypted form with you, not giving decryption companies access. Their task is not to decrypt your data but to make money on you, remember this! They are trying to decrypt us only in order to earn more, in fact, your data is not so important to them. Carefully study the sources and trust proven companies (they create fake topics on forums in which they create their own ratings and reviews) be extremely careful!

3. In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, payment documents , certificates , personal information of you staff, SQL,ERP,financial information for other hacker groups) and they will come to you again for sure! We will also publicize this attack using social networks and other media, which will significantly affect your reputation!

4. IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM FOR DECRYPT TEST FILE FOR YOU IF THEY CAN'T DO IT DO NOT BELIEVE THEM AT ALL!

5. The decryption process is not at all a complicated process; any experienced PC user can handle it with ease. In the event that payment occurs within 12 hours after the attack, we undertake to fully accompany you until all data is fully decrypted, as well as point out to you all the mistakes of your specialists. Point out to you how to make sure that no one ever gets into your network again. Price in this case will be ONLY from 30 to 50 % of full amount.

6. We will provide you with the decryption tool no more than 30 minutes after payment! We can provide you with several test files (you send us encrypted files, we decrypt and send you the whole file) so you can confirm our competence (availability of the decryption key).

7. We never deceive people who got caught for us it is absolutely not profitable for us (we have key), I remind you that you are far from the first and not the last who got into such a situation and it is resolved quite quickly and easily. We protect our reputation, therefore we remind you that you carefully monitor the entire course of the decryption process, including negotiations, test files, the time at which the payment should occur and you should receive the treasured decryption tool, thank you for your attention.

8. Make informed decisions, you are far from the first who got into such a situation! Remember, only we have the decryption key, do not waste money and time, you will only complicate the situation and will be left without your data, success to you in business and do not get caught, be careful with security, it is very important these days!

Contacts : Download the (Session) messenger (https://getsession.org) You fined me: "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d" MAIL:[email protected]
Emails
URLs

https://getsession.org
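The Extracted block above is the sandbox pulling contact indicators out of the dropped README.TXT. The Python below is an added example, not the sandbox's own extractor, showing how to do the same over the note's contact line: it collects URLs, e-mail addresses and Session messenger IDs (a Session ID is 66 hex characters, the 0x05 version prefix followed by a 32-byte public key). The first note excerpt is quoted from the report above; the mail address is redacted on the page, so that token is kept verbatim and yields no match. The second note is constructed here to exercise the e-mail path, and the regular expressions are the author's own assumptions about the indicator formats.

```python
import re

# Contact line quoted from the README.TXT shown in the report above.
# The mail address is redacted on the page, so that token is kept as-is.
NOTE = (
    'Contacts : Download the (Session) messenger (https://getsession.org) '
    'You fined me: "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d" '
    'MAIL:[email protected]'
)

# Constructed second note (not from any sample) to exercise the e-mail path.
CONSTRUCTED_NOTE = "write to helpdesk@example.invalid or Session ID " + "05" + "ab" * 32

# Session IDs are 33 bytes hex-encoded: 0x05 version prefix + 32-byte
# public key, i.e. 66 hex characters starting with "05".
SESSION_ID_RE = re.compile(r"\b05[0-9a-fA-F]{64}\b")
# URLs: stop at whitespace and at the closing bracket/quote characters that
# ransom notes commonly wrap them in.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_contacts(note: str) -> dict:
    """Return de-duplicated, sorted contact indicators found in a ransom note."""
    return {
        "session_ids": sorted({m.lower() for m in SESSION_ID_RE.findall(note)}),
        "urls": sorted(set(URL_RE.findall(note))),
        "emails": sorted({m.lower() for m in EMAIL_RE.findall(note)}),
    }


if __name__ == "__main__":
    for name, text in (("report note", NOTE), ("constructed note", CONSTRUCTED_NOTE)):
        print(name, extract_contacts(text))
```

The Session ID is the most durable pivot here: unlike a mail address it cannot be trivially re-registered, so it is worth searching across other reports and notes alongside the file hashes listed above.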

Targets

    • Target

      encrypter-windows-gui-x86.ex

    • Size

      1.1MB

    • MD5

      d0728e075e66bda22bb6c030502a689a

    • SHA1

      60c3cce7d1e1921794cd00308efb73f3412384fb

    • SHA256

      fb2fe8e18856af09231edefccc7d54b881d8f488f91ff61f4c09995c33aaafce

    • SHA512

      773f413ef51bc2493a940011645c40d1f55d06a53e8e60032ed01ad016184d67289a9fd9d3bb8af42fbdca29f0bb927e0137ff4f5f0914ea52b58646051962ef

    • SSDEEP

      24576:7u43pl7vAJusc1XsmJxYxm37IZ1EbdOn2XqKP/TMRxYWXE:7r3pl7pexGvdfXqKP/TMRGWXE

    • Renames multiple (5842) files with added filename extension

      Consistent with ransomware encrypting files across the system and appending a new extension to each encrypted file.

    • Checks computer location settings

      Reads the country code configured in the registry, likely as a geofence check before encrypting.

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
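Two of the signatures above, the mass rename with an appended extension and the Run key, can be checked on a host's own telemetry rather than only in a sandbox. The Python below is an added example, not the sandbox's detection logic, run over constructed Sysmon-style file-rename and registry-write events. The process image path, the appended .locked extension and the 100-rename threshold are placeholders chosen for the example, not values taken from this report.

```python
"""Host-side checks for two of the sandbox signatures, over constructed events."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRename:
    pid: int
    image: str
    old_path: str
    new_path: str


@dataclass(frozen=True)
class RegistrySet:
    pid: int
    image: str
    key: str
    value_name: str
    data: str


def added_extension(old_path, new_path):
    """Return the extension appended to old_path to form new_path, or None.
    Requires the same directory, the original name kept intact as a prefix,
    and exactly one new suffix (so foo.tmp -> foo.txt does not count)."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name):]          # keeps the leading dot
    if len(ext) < 2 or "." in ext[1:]:
        return None
    return ext.lower()


def find_mass_renames(events, threshold=100):
    """Flag processes that appended an extension to at least `threshold` files,
    reporting the dominant extension and how uniform the renames were."""
    per_proc = defaultdict(lambda: {"image": None, "count": 0, "exts": defaultdict(int)})
    for ev in events:
        ext = added_extension(ev.old_path, ev.new_path)
        if ext is None:
            continue
        rec = per_proc[ev.pid]
        rec["image"] = ev.image
        rec["count"] += 1
        rec["exts"][ext] += 1
    hits = []
    for pid, rec in per_proc.items():
        if rec["count"] < threshold:
            continue
        ext, n = max(rec["exts"].items(), key=lambda kv: kv[1])
        hits.append({"pid": pid, "image": rec["image"], "renames": rec["count"],
                     "extension": ext, "dominant_share": n / rec["count"]})
    return hits


# Run/RunOnce under HKCU, HKLM (including Wow6432Node) or a loaded user hive.
RUN_KEY_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKEY_USERS\\[^\\]+)\\"
    r"Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce)$", re.IGNORECASE)


def find_run_key_persistence(events):
    """Return registry writes that register a program under a Run/RunOnce key."""
    return [ev for ev in events if RUN_KEY_RE.match(ev.key)]


def build_sample_events():
    """Constructed events: one placeholder process renaming 150 documents and
    adding a Run value, plus benign renames and an unrelated registry write."""
    image = r"C:\Users\Public\encrypter.exe"          # placeholder, not from the report
    renames = [FileRename(4242, image,
                          rf"C:\Users\alice\Documents\report_{i}.docx",
                          rf"C:\Users\alice\Documents\report_{i}.docx.locked")  # placeholder ext
               for i in range(150)]
    renames += [FileRename(1337, r"C:\Program Files\Editor\editor.exe",
                           rf"C:\Users\alice\Documents\notes_{i}.tmp",
                           rf"C:\Users\alice\Documents\notes_{i}.txt")
                for i in range(5)]
    registry = [
        RegistrySet(4242, image,
                    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                    "Updater", image),
        RegistrySet(900, r"C:\Windows\explorer.exe",
                    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
                    "Hidden", "1"),
    ]
    return renames, registry


if __name__ == "__main__":
    renames, registry = build_sample_events()
    print(find_mass_renames(renames))
    print(find_run_key_persistence(registry))
```

The 5842 renames the sandbox counted would trip the rename heuristic many times over; the threshold exists to keep backup agents and batch converters below it, and the dominant_share field helps separate a single-extension encryptor from a tool that legitimately renames into several formats. The benign editor renames are ignored because the original filename is not preserved as a prefix of the new one.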

MITRE ATT&CK Enterprise v16

Tasks