General

  • Target

    a399a293cc3f25f6250ebee65e6e60e818831925769d540354275e9ad87bb5bb.exe

  • Size

    418KB

  • Sample

    250519-prf7gsfr3s

  • MD5

    70569247c1a50277840141ce7ed19d3d

  • SHA1

    e9a1ece9e9670d58d50fa5db92d99b171398b00f

  • SHA256

    a399a293cc3f25f6250ebee65e6e60e818831925769d540354275e9ad87bb5bb

  • SHA512

    de9a0281e43b7aa50c54cfea73304588e91355a3135565ab72d18b70f7e7bdcd8deb322fb0cddc05e34a627d44baa2d9d4374cbc7f0af44cf8b3b52b3b1a2fad

  • SSDEEP

    12288:FnvxplpMAX99S4B009MqyQMKNT72HfAD8xE:FvxplpMAtU4Bl9MdQFT72HIoS

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Ransom Note

Good afternoon, As you can see you have been attacked by a ransomware program! We The DragonForce Ransomware Cartel offer you to make a deal with us. We can make a deal with you, all you need to do is contact us by following the instructions below. We are in no way connected to politics, we always keep our word. You have a chance to decrypt your files and avoid being published on our blog! Use this opportunity and also don't waste your time. The approximate date of deletion of the decryptor program, as well as publication on our blog 13/05/2025 00:00 UTC.

- # 1 Communication Process, In order to contact us you need to click on the special link below, which is listed in #2. After that the negotiation process begins, in which you have the opportunity to request several things from us, 1. make a test decrypt. 2. get a list of the files stolen from you. At the conclusion of our negotiations we agree on a price, we set the price ourselves based on your income/your insurance. We scrutinize your documents and are well aware of how much income your company has per year.

- # 2 Access to the meeting room, To access us please download Tor Browser which is available here. (https://www.torproject.org/) Once you download the special anonymous browser you need to follow this link, http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion Your unique ID: 97B5A4A61FCC5CD297B5A4A61FCC5CD2 - use it to enter our meeting room.

- # 3 Additional Support Contacts, Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20

- # 4 Recommendations, Do not try to recover your files with third-party programs, you will only do harm. Do not turn off / reboot your computer. Be courteous in our meeting room. Do not procrastinate.

- # 5 Blog and News, Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion DragonNews: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news
URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news
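The URLs above were lifted from the dropped note by the sandbox. The script below is an added example, not part of this report or of any sandbox tooling: it takes the note text exactly as shown in the "Ransom Note" field and extracts the fields an analyst would record as indicators (onion URLs, the victim ID, the Tox contact, the stated deadline). The regexes assume the formats seen in this note (v3 onion hostnames are 56 base32 characters, Tox IDs are 76 hex characters, and the deadline is day/month/year, which the value 13/05/2025 makes unambiguous); the function and constant names are the author's own.

```python
"""Extract indicators from the DragonForce ransom note shown in the report.

Added example (not from the sandbox report). Input is the note text verbatim;
output is a dict of the indicators an analyst would feed into a case.
"""
import re
from datetime import datetime, timezone

# Verbatim copy of the note text from the report's "Ransom Note" field.
SAMPLE_NOTE = (
    "Good afternoon, As you can see you have been attacked by a ransomware program! We The "
    "DragonForce Ransomware Cartel offer you to make a deal with us. We can make a deal with you, "
    "all you need to do is contact us by following the instructions below. We are in no way "
    "connected to politics, we always keep our word. You have a chance to decrypt your files and "
    "avoid being published on our blog! Use this opportunity and also don't waste your time. The "
    "approximate date of deletion of the decryptor program, as well as publication on our blog "
    "13/05/2025 00:00 UTC. - # 1 Communication Process, In order to contact us you need to click "
    "on the special link below, which is listed in #2. After that the negotiation process begins, "
    "in which you have the opportunity to request several things from us, 1. make a test decrypt. "
    "2. get a list of the files stolen from you. At the conclusion of our negotiations we agree on "
    "a price, we set the price ourselves based on your income/your insurance. We scrutinize your "
    "documents and are well aware of how much income your company has per year. - # 2 Access to "
    "the meeting room, To access us please download Tor Browser which is available here. "
    "(https://www.torproject.org/) Once you download the special anonymous browser you need to "
    "follow this link, http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion "
    "Your unique ID: 97B5A4A61FCC5CD297B5A4A61FCC5CD2 - use it to enter our meeting room. - # 3 "
    "Additional Support Contacts, Tox: "
    "1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 - # 4 "
    "Recommendations, Do not try to recover your files with third-party programs, you will only "
    "do harm. Do not turn off / reboot your computer. Be courteous in our meeting room. Do not "
    "procrastinate. - # 5 Blog and News, Blog: "
    "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion DragonNews: "
    "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news"
)

# v3 onion hostnames are exactly 56 base32 chars; an optional path follows.
ONION_RE = re.compile(r"https?://[a-z2-7]{56}\.onion(?:/[A-Za-z0-9._~/-]*)?")
# Anything else http(s); stop at whitespace or the ')' that closes the Tor link.
CLEARNET_RE = re.compile(r"https?://(?![a-z2-7]{56}\.onion)[^\s)]+")
VICTIM_ID_RE = re.compile(r"Your unique ID:\s*([0-9A-Fa-f]{16,64})")
TOX_RE = re.compile(r"Tox:\s*([0-9A-Fa-f]{76})")          # Tox IDs are 76 hex chars
DEADLINE_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2} UTC)")


def unique(items):
    """Deduplicate while preserving first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def parse_ransom_note(text):
    """Return the indicators found in a ransom note; missing fields are None."""
    result = {
        "onion_urls": unique(ONION_RE.findall(text)),
        "clearnet_urls": unique(CLEARNET_RE.findall(text)),
        "victim_id": None,
        "tox_id": None,
        "deadline_utc": None,
    }
    m = VICTIM_ID_RE.search(text)
    if m:
        result["victim_id"] = m.group(1).upper()
    m = TOX_RE.search(text)
    if m:
        result["tox_id"] = m.group(1).upper()
    m = DEADLINE_RE.search(text)
    if m:
        # Day-first: the note's own value (13/05/2025) cannot be month-first.
        deadline = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M UTC")
        result["deadline_utc"] = deadline.replace(tzinfo=timezone.utc).isoformat()
    return result


if __name__ == "__main__":
    for key, value in parse_ransom_note(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The victim ID and Tox ID are per-victim or per-campaign values, so they belong in the case record rather than in a shared blocklist; the onion hostnames and the note path are the reusable indicators.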

Targets

    • Target

      a399a293cc3f25f6250ebee65e6e60e818831925769d540354275e9ad87bb5bb.exe

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
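The behaviours listed above (startup file dropped, desktop wallpaper set through the registry, desktop.ini files written, ransom note written to C:\Program Files\readme.txt) map onto host telemetry a SOC already collects. The script below is an added example, not part of this report: it classifies Sysmon-style events (Event ID 11 FileCreate with TargetFilename, Event ID 13 RegistryEvent SetValue with TargetObject) against those behaviours and flags a process that shows more than one of them. The report does not state which registry value or which startup path the sample used; the paths in the code are the standard Windows locations for those artefacts and are assumed here. The events themselves are constructed for the example, not captured from the sample.

```python
"""Score Sysmon-style events for the behaviours the sandbox report lists.

Added example, not from the report. Registry and file paths are the standard
Windows locations for wallpaper, startup items and the note (assumed; the
report names the behaviours, not the exact paths the sample touched).
"""
import re

FILE_CREATE = 11     # Sysmon Event ID 11: FileCreate
REG_SET_VALUE = 13   # Sysmon Event ID 13: RegistryEvent (value set)

# Assumed well-known locations, not taken from the report.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
WALLPAPER_VALUE_RE = re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.IGNORECASE)
RANSOM_NOTE_RE = re.compile(r"^C:\\Program Files\\readme\.txt$", re.IGNORECASE)
DESKTOP_INI_RE = re.compile(r"\\desktop\.ini$", re.IGNORECASE)

# Constructed telemetry: PID 4242 shows all four behaviours, PID 900 (explorer)
# only writes a desktop.ini, which on its own is normal activity.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Users\u\a399a293.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a399a293.exe"},
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Users\u\a399a293.exe",
     "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\WallPaper",
     "Details": r"C:\Users\u\AppData\Local\Temp\wall.bmp"},
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Users\u\a399a293.exe",
     "TargetFilename": r"C:\Program Files\readme.txt"},
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Users\u\a399a293.exe",
     "TargetFilename": r"C:\Users\u\Documents\desktop.ini"},
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Pictures\desktop.ini"},
]


def classify(event):
    """Return the behaviour label an event matches, or None."""
    eid = event.get("EventID")
    if eid == FILE_CREATE:
        path = event.get("TargetFilename", "")
        if RANSOM_NOTE_RE.search(path):
            return "ransom_note"
        if STARTUP_DIR_RE.search(path):
            return "startup_file"
        if DESKTOP_INI_RE.search(path):
            return "desktop_ini"
    elif eid == REG_SET_VALUE and event.get("EventType") == "SetValue":
        if WALLPAPER_VALUE_RE.search(event.get("TargetObject", "")):
            return "wallpaper_set"
    return None


def score_processes(events):
    """Flag a process with at least two distinct behaviours, at least one of
    which is not desktop_ini (desktop.ini writes alone are too common to alert on).
    Returns {ProcessId: sorted behaviour labels}."""
    per_proc = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_proc.setdefault(ev["ProcessId"], set()).add(label)
    flagged = {}
    for pid, labels in per_proc.items():
        if len(labels) >= 2 and labels - {"desktop_ini"}:
            flagged[pid] = sorted(labels)
    return flagged


if __name__ == "__main__":
    for pid, labels in score_processes(SAMPLE_EVENTS).items():
        print(pid, labels)
```

Requiring two behaviours per process keeps the rule from firing on a user changing their wallpaper or an installer adding a startup shortcut; the ransom-note path alone is a strong enough indicator that a production rule would usually alert on it by itself.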
