
#Cryakl_ransom_210918

VRad Sep 24th, 2018 (edited)
#IOC #OptiData #VR #210918 #Cryakl #Ransomware #SCR #ZIP

(!) Cryakl
Identified by   sample_extension: email-<email>.ver-CL <version>.id-<random>-<random>.doubleoffset
This ransomware may be decryptable under certain circumstances.

email_headers
--------------
Received: from konto-design.ru (konto-design.ru [95.213.203.178])
    by mailsrv.victim.com (8.15.2/8.15.2) with ESMTP id w8LGeCtv003880
    for <user1@vip.victim.com>; Fri, 21 Sep 2018 19:40:13 +0300 (EEST)
    (envelope-from send@konto-design.ru)
Reply-To: =?windows-1251?B?w+vu8Oj/?= <bounce@konto-design.ru>
From: =?windows-1251?B?w+vu8Oj/?= <send@konto-design.ru>
To: <user1@vip.victim.com>
Subject: Сверка дублирую. вчера не тот файл вислали
Date: Fri, 21 Sep 2018 19:40:06 +0300

files
--------------
SHA-256 5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651
File name   st140620.tmp
File size   156.25 KB

SHA-256 bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe
File name   чек повторной оплаты выписка из банка.scr (EXE)     packer  PECompact 2.xx --> BitSum Technologies
File size   170 KB

activity
-------------

proc
--------------
"C:\Users\operator\Desktop\1.scr" /S
"C:\Users\operator\Desktop\1.scr"
"C:\tmp\ADHLRUXBEH.exe"
"C:\tmp\ADHLRUXBEH.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              24.09.2018 12:02
2889404871          c:\tmp\adhlruxbeh.exe   20.09.2018 16:42

netwrk
--------------
5.101.152.212   dyrovpa9.beget{.} tech  GET /inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1  Mozilla/5.0 (Windows NT 6.3; WOW64)
164.132.235.17  www.vabel{.} fr GET /wp-content/uploads/2018/08/stat/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1  Mozilla/5.0 (Windows NT 6.3; WOW64)

encrypted
--------------
email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf
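The encrypted-file name above, the `inst.php?vers=CL ...&id=...` beacon in the netwrk section and the Run value name in the persist section all carry the same victim id (the first numeric component, 2889404871, is reused as the registry value name). The script below is an added example, not part of the paste: it parses the filename pattern stated in the identification line, parses the beacon request, and groups both kinds of hit by victim id so a responder can confirm which host beaconed and which files were touched. The proxy-log line layout (`client host request-line`) and the client addresses are constructed for the example; the filename and URL shapes are taken from the page, with hosts defanged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Encrypted-file name as observed on this page:
# email-<email>.ver-CL <version>.id-<num>-<num>.fname-<original name>
CRYAKL_NAME = re.compile(
    r"^email-(?P<email>.+?)\.ver-CL (?P<version>\d+(?:\.\d+)*)"
    r"\.id-(?P<id1>\d+)-(?P<id2>\d+)\.fname-(?P<fname>.+)$"
)

# Constructed sample inputs, modelled on the artefacts listed in the paste.
SAMPLE_FILES = [
    "email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf",
    "email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-report 2018.xlsx",
    "quarterly.docx",  # untouched file, must not match
]
SAMPLE_PROXY = [  # "<client> <host> <request line>"; client IPs are made up
    "10.0.0.15 dyrovpa9.beget[.]tech GET /inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1",
    "10.0.0.15 www.vabel[.]fr GET /wp-content/uploads/2018/08/stat/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1",
    "10.0.0.22 example.org GET /index.php?vers=2 HTTP/1.1",  # benign, must not match
]


def parse_cryakl_name(filename):
    """Return email/version/victim_id/fname from a Cryakl-style name, else None."""
    m = CRYAKL_NAME.match(filename)
    if not m:
        return None
    d = m.groupdict()
    d["victim_id"] = f"{d.pop('id1')}-{d.pop('id2')}"
    return d


def parse_cryakl_beacon(request_line):
    """Match 'GET .../inst.php?vers=CL <ver>&id=<num>-<num>&sender=' and return its fields."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/inst.php"):
        return None
    q = parse_qs(url.query, keep_blank_values=True)   # decodes %20 -> space
    vers = q.get("vers", [""])[0]
    victim_id = q.get("id", [""])[0]
    if not vers.startswith("CL ") or not re.fullmatch(r"\d+-\d+", victim_id):
        return None
    return {"version": vers[3:], "victim_id": victim_id, "sender": q.get("sender", [""])[0]}


def _new_finding(victim_id):
    # Per the persist section, the Run value name is the first id component.
    return {"email": set(), "version": set(), "files": [], "beacon_hosts": [],
            "run_value_name": victim_id.split("-")[0]}


def correlate(filenames, proxy_lines):
    """Group file hits and beacon hits by victim id for triage."""
    findings = {}
    for name in filenames:
        hit = parse_cryakl_name(name)
        if hit:
            f = findings.setdefault(hit["victim_id"], _new_finding(hit["victim_id"]))
            f["files"].append(hit["fname"])
            f["email"].add(hit["email"])
            f["version"].add(hit["version"])
    for line in proxy_lines:
        try:
            client, host, request = line.split(" ", 2)
        except ValueError:
            continue  # malformed log line
        hit = parse_cryakl_beacon(request)
        if hit:
            f = findings.setdefault(hit["victim_id"], _new_finding(hit["victim_id"]))
            f["beacon_hosts"].append((client, host))
            f["version"].add(hit["version"])
    return findings


if __name__ == "__main__":
    for victim_id, f in correlate(SAMPLE_FILES, SAMPLE_PROXY).items():
        print(victim_id, "-> check HKCU Run value", f["run_value_name"])
        print("  files:", f["files"])
        print("  beacons:", f["beacon_hosts"])
```

Run against a file-share listing and a proxy export, a single victim id tying the beacon source address to the encrypted names tells you which workstation to pull the Run key and `c:\tmp` binary from.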

ransom_note
--------------
Your files was encrypted! Write us:
vally@x-mail.pro
vally@x-mail.pro
vally@x-mail.pro

decryptor
--------------
https://id-ransomware.malwarehunterteam.com/identify.php?case=439a00e2de51c43e19560eff059316bb94d96d1d
https://www.experts-exchange.com/articles/31579/Decrypting-Cryakl-1-4-0-0-1-4-1-0-FAIRYTAIL-Ransomware.html
https://www.youtube.com/watch?v=oNqcWQ3WL20
# # #
https://www.virustotal.com/#/file/5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651/details
https://www.virustotal.com/#/file/bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe/details
https://analyze.intezer.com/#/analyses/0c0a08ea-4f82-4540-a000-55c6b1f1a83b