VRad

#dharma_ransom200918

Sep 20th, 2018
#IOC #OptiData #VR #200918 #dharma #ransomware #SCR #ZIP

!Dharma (.cezar Family)
!This ransomware has no known way of decrypting data at this time.
https://id-ransomware.malwarehunterteam.com/identify.php?case=4c0357717bd8f840d2c3ecc269cfeea45a31237e

email_subjects
--------------
#1 сверка конец месяца (en: "end-of-month reconciliation")
#2 счет + акт за август (en: "invoice + act for August")

email_headers
-------------
#1 Return-Path: <senders@spravedlivotver.ru>
Received: from spravedlivotver.ru (spravedlivotver.ru [212.92.98.5])
for <user1@victim.com>; Thu, 20 Sep 2018 01:37:23 +0300
Reply-To: =?windows-1251?B?yuDw6+A=?= <bounce@spravedlivotver.ru>
From: =?windows-1251?B?yuDw6+A=?= <senders@spravedlivotver.ru>

#2 Return-Path: <senders@add2board.ru>
Received: from add2board.ru (add2board.ru [5.189.227.173])
for <user2@victim.com>; Thu, 20 Sep 2018 01:53:12 +0300
Reply-To: =?windows-1251?B?y/7h4OLg?= <bounce@add2board.ru>
From: =?windows-1251?B?y/7h4OLg?= <senders@add2board.ru>
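The display names in both header sets are RFC 2047 encoded words in windows-1251, so they read as opaque strings until decoded. Below is an added Python example (not part of the original post) that decodes the encoded words with a small B/Q decoder and extracts the sender domain, Reply-To, Return-Path and relay IP as pivots for gateway blocking and log searches. The header text is copied from the two sets above, with the `for <...>` line re-folded as a continuation of `Received:`; the function names and the `domains_aligned` flag are assumptions of this example.

```python
"""Added example (not from the original post): decode the RFC 2047 encoded
words in the lure headers above and pull out the sender domain and relay IP
as pivots for mail-gateway blocking and log searches."""
import base64
import quopri
import re
from email import message_from_string
from email.utils import parseaddr

# Header text copied from the post. The "for <...>" line is a continuation of
# Received:, so it is re-folded with a leading tab for the parser.
SAMPLES = {
    "#1": (
        "Return-Path: <senders@spravedlivotver.ru>\n"
        "Received: from spravedlivotver.ru (spravedlivotver.ru [212.92.98.5])\n"
        "\tfor <user1@victim.com>; Thu, 20 Sep 2018 01:37:23 +0300\n"
        "Reply-To: =?windows-1251?B?yuDw6+A=?= <bounce@spravedlivotver.ru>\n"
        "From: =?windows-1251?B?yuDw6+A=?= <senders@spravedlivotver.ru>\n"
    ),
    "#2": (
        "Return-Path: <senders@add2board.ru>\n"
        "Received: from add2board.ru (add2board.ru [5.189.227.173])\n"
        "\tfor <user2@victim.com>; Thu, 20 Sep 2018 01:53:12 +0300\n"
        "Reply-To: =?windows-1251?B?y/7h4OLg?= <bounce@add2board.ru>\n"
        "From: =?windows-1251?B?y/7h4OLg?= <senders@add2board.ru>\n"
    ),
}

# RFC 2047 encoded word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Literal IPv4 in brackets as written by the receiving MTA
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_encoded_words(value):
    """Replace every encoded word in a header value with its decoded text."""
    def _one(match):
        charset, encoding, payload = match.groups()
        if encoding.lower() == "b":
            raw = base64.b64decode(payload)
        else:  # Q encoding: quoted-printable with "_" standing for space
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        # errors="replace": a bad charset label must not abort triage
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_one, value)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def summarize(headers):
    """Return the sender-side pivots of one message as a dict."""
    msg = message_from_string(headers)
    display, sender = parseaddr(decode_encoded_words(msg.get("From", "")))
    _, reply_to = parseaddr(decode_encoded_words(msg.get("Reply-To", "")))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    relay = RELAY_IP.search(msg.get("Received", ""))
    return {
        "display_name": display,
        "from": sender,
        "reply_to": reply_to,
        "return_path": return_path,
        "sender_domain": domain_of(sender),
        "relay_ip": relay.group(1) if relay else None,
        # True when From, Reply-To and Return-Path all sit in one domain, i.e.
        # the lure came from a domain the sender controls rather than a spoof
        "domains_aligned": len({domain_of(a) for a in (sender, reply_to, return_path)}) == 1,
    }


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, summarize(headers))
```

Both lures decode to a plain Russian first name as display name, and in both the From, Reply-To and Return-Path domains agree with the relaying host, so the sending domains and relay IPs themselves are the useful blocking indicators rather than any spoofed identity.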

urls
------
#1 h11p:\bit{.} ly/2ppnl13
#2 h11p:\bit{.} ly/2pnoPt2

files
-----
ZIP1
SHA-256 5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705
File name приложение.zip (en: "attachment.zip") [Zip archive data, at least v2.0 to extract]
File size 323.23 KB

ZIP2
SHA-256 6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f
File name приложение 1 информация.zip (en: "attachment 1 information.zip") [Zip archive data, at least v2.0 to extract]
File size 322.88 KB

SCR
SHA-256 82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
File name приложение 1 информация.scr (en: "attachment 1 information.scr") (EXE) [PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed]
File size 335.5 KB

activity
--------

"C:\Users\operator\Desktop\sample1.exe"
"C:\Windows\system32\cmd.exe"
mode con cp select=1251
vssadmin delete shadows /all /quiet
C:\Users\operator\Desktop\sample1.exe" -a
"C:\Windows\system32\cmd.exe"
mode con cp select=1251
vssadmin delete shadows /all /quiet
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

persist
-------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 17.09.2018 16:33
sample1.exe
c:\windows\system32\sample1.exe 19.09.2018 19:14

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 17.09.2018 16:33
sample1.exe
c:\users\operator\appdata\roaming\sample1.exe 19.09.2018 19:14

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup 17.09.2018 16:33
sample1.exe
c:\programdata\microsoft\windows\start menu\programs\startup\sample1.exe 19.09.2018 19:14

C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 17.09.2018 16:33
desktop.ini.id-AC38D1C7.[help@x-mail.pro].combo
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.id-ac38d1c7.[help@x-mail.pro].combo 17.09.2018 16:33
sample1.exe
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\sample1.exe 19.09.2018 19:14
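The activity and persist sections above record the behaviours that are worth alerting on: shadow copies deleted through vssadmin, mshta.exe launching an .hta out of the Startup folder, and Run keys and Startup entries pointing at copies of the sample in user-writable paths; the encrypted section gives the `.id-<8 hex>.[<mail>].<ext>` naming. Below is an added Python example (not part of the original post) with simple triage rules run over command lines and autorun entries constructed from those sections, plus a check for the encrypted-file name pattern. Rule names, the `RUNNABLE` extension list and the sample records are assumptions of this example.

```python
"""Added example (not from the original post): triage rules for the activity
and persist entries above (shadow-copy deletion, mshta from the Startup folder,
autoruns into user-writable paths) and the encrypted-file naming pattern."""
import re

# Command lines constructed from the activity section above
PROCESS_CMDLINES = [
    r'"C:\Users\operator\Desktop\sample1.exe"',
    r'"C:\Windows\system32\cmd.exe"',
    r'mode con cp select=1251',
    r'vssadmin delete shadows /all /quiet',
    r'"C:\Users\operator\Desktop\sample1.exe" -a',
    r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
]

# Autorun entries constructed from the persist section above
AUTORUNS = [
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "path": r"c:\windows\system32\sample1.exe"},
    {"location": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "path": r"c:\users\operator\appdata\roaming\sample1.exe"},
    {"location": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
     "path": r"c:\programdata\microsoft\windows\start menu\programs\startup\sample1.exe"},
    {"location": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "path": r"c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\sample1.exe"},
]

# (rule name, pattern) applied to process command lines; names are assumed
CMDLINE_RULES = [
    ("shadow_copy_deletion",
     re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b', re.I)),
    ("mshta_hta_from_startup",
     re.compile(r'\bmshta\.exe\b.*\\start menu\\programs\\startup\\[^"]+\.hta', re.I)),
    # weak on its own (any console program may switch code page); keep as context
    ("console_codepage_switch",
     re.compile(r'\bmode\s+con\b.*\bcp\s+select=', re.I)),
]

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata\\roaming|programdata)\\", re.I)
RUNNABLE = (".exe", ".scr", ".hta", ".com", ".bat", ".vbs", ".js")

# Dharma-style name from the encrypted section: <name>.id-<8 hex>.[<mail>].<ext>
ENCRYPTED_NAME = re.compile(r"\.id-[0-9A-Fa-f]{8}\.\[[^\]\s]+@[^\]\s]+\]\.[A-Za-z0-9]+$")


def match_cmdlines(cmdlines):
    """Return (rule, cmdline) for every command line that hits a rule."""
    hits = []
    for line in cmdlines:
        for name, pattern in CMDLINE_RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def check_autoruns(entries):
    """Return (rule, path) for autorun entries that match a persistence rule."""
    hits = []
    for entry in entries:
        path = entry["path"].lower()
        if STARTUP_DIR.search(path) and path.endswith(RUNNABLE):
            hits.append(("runnable_in_startup_folder", entry["path"]))
        if "currentversion\\run" in entry["location"].lower() and USER_WRITABLE.search(path):
            hits.append(("run_key_to_user_writable_path", entry["path"]))
    return hits


def is_dharma_encrypted_name(filename):
    """True for the .id-XXXXXXXX.[mail].ext naming seen in the encrypted section."""
    return ENCRYPTED_NAME.search(filename) is not None


if __name__ == "__main__":
    for hit in match_cmdlines(PROCESS_CMDLINES) + check_autoruns(AUTORUNS):
        print(*hit)
```

The HKLM Run value pointing into system32 is deliberately not flagged by these rules: a path there is only suspicious together with file-creation timing, which the rules above do not see, so it is left to the timestamps recorded in the persist section.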

encrypted
---------
.id-AC38D1C7.[help@x-mail.pro].combo

ransom_note
----------
all your data has been locked us
You want to return?
write email help@x-mail.pro

# # #
zip1
https://www.virustotal.com/#/file/5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705/details

zip2
https://www.virustotal.com/#/file/6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f/details

scr
https://www.virustotal.com/#/file/82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d/details
https://analyze.intezer.com/#/analyses/a96d8e29-1e9a-4210-8a7f-cd3c55c00a62

VR