General
-
Target
240417-2k5byshe9z_pw_infected.zip
-
Size
301KB
-
Sample
240622-yhszcswelm
-
MD5
4fd4c157830539ca06e7bc4b51f535bf
-
SHA1
37ac83d2269c26ce2142d156543e12190e911432
-
SHA256
a030bbfbafcd881d49500f18a98f9942e8e1e05376cc2dcf64e9e41ee2ab7b11
-
SHA512
2648b2e9b9c96095993377952ebce69583325799dc843304fd21d86827e8398543d307a918883218e3dba43de4b7bbfe2dbaede6ba975c1d4d3e04cd55bcf7da
-
SSDEEP
6144:9CO6ZoaYGVK0DeauMe1oQnCOZaaVNyYLTbn3fjsquZb7wBs+ECGHWIaxv:9CZMr7lpCFa3fLH3rZ0Ks+ECwWIgv
Static task
static1
Behavioral task
behavioral1
Sample
78E.tmp.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
78E.tmp.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
djvu
http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php
-
extension
.sarut
-
offline_id
pQseAIqgTVhPujMMiqH1ILPNUg3soGVim0NAnkt1
-
payload_url
http://pool.ug/tesptc/penelop/updatewin1.exe
http://pool.ug/tesptc/penelop/updatewin2.exe
http://pool.ug/tesptc/penelop/updatewin.exe
http://pool.ug/tesptc/penelop/3.exe
http://pool.ug/tesptc/penelop/4.exe
http://pool.ug/tesptc/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1aTCryfzhK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Our Telegram account: @datarestore Your personal ID: 078AKsudu438fyasfs
Targets
-
-
Target
78E.tmp.bin
-
Size
466KB
-
MD5
246d6fa957bd9bd9bd444ba8a6c38457
-
SHA1
fb90a2e9e3f3d4bf350a5c8d475c843f072bc1f5
-
SHA256
9c17cc38feddc8aec42f4d7e84ff85260e0e5d955c38e42573a21c18836c7a59
-
SHA512
95e3135f417fdfd91c8e57545c246c5a0f5efc40fe1e3ef745b8283c35b156d7814934be5983dd5532b7fb789a4032a3e1d619281d0e4e1b465b86f2a036e3bb
-
SSDEEP
6144:agBl9KO2wSlnYlm8px3b3RY+F2q9QgW6jw5oJ48ph1nt2EuqAs00:aEKOZSlnbE3b3RiqW6jw5o6831/A
Score10/10-
Detected Djvu ransomware
-
Renames multiple (203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-