#dharma_ransom200918

VRad Sep 20th, 2018
#IOC  #OptiData #VR #200918 #dharma #ransomware #SCR #ZIP

!Dharma (.cezar Family)
!This ransomware has no known way of decrypting data at this time.
https://id-ransomware.malwarehunterteam.com/identify.php?case=4c0357717bd8f840d2c3ecc269cfeea45a31237e

email_subjects
--------------
#1 сверка конец месяца (month-end reconciliation)
#2 счет + акт за август (invoice + act for August)

email_headers
-------------
#1 Return-Path: <senders@spravedlivotver.ru>
Received: from spravedlivotver.ru (spravedlivotver.ru [212.92.98.5])
    for <user1@victim.com>; Thu, 20 Sep 2018 01:37:23 +0300
Reply-To: =?windows-1251?B?yuDw6+A=?= <bounce@spravedlivotver.ru>
From: =?windows-1251?B?yuDw6+A=?= <senders@spravedlivotver.ru>

#2 Return-Path: <senders@add2board.ru>
Received: from add2board.ru (add2board.ru [5.189.227.173])
    for <user2@victim.com>; Thu, 20 Sep 2018 01:53:12 +0300
Reply-To: =?windows-1251?B?y/7h4OLg?= <bounce@add2board.ru>
From: =?windows-1251?B?y/7h4OLg?= <senders@add2board.ru>

urls
------
#1 h11p:\bit{.} ly/2ppnl13
#2 h11p:\bit{.} ly/2pnoPt2

files
-----
ZIP1
SHA-256 5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705
File name   приложение.zip    [Zip archive data, at least v2.0 to extract]
File size   323.23 KB

ZIP2
SHA-256 6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f
File name   приложение 1 информация.zip     [Zip archive data, at least v2.0 to extract]
File size   322.88 KB

SCR
SHA-256 82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
File name   приложение 1 информация.scr (EXE)   [PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed]
File size   335.5 KB

activity
--------

"C:\Users\operator\Desktop\sample1.exe"
"C:\Windows\system32\cmd.exe"
mode  con cp select=1251
vssadmin  delete shadows /all /quiet
C:\Users\operator\Desktop\sample1.exe" -a
"C:\Windows\system32\cmd.exe"
mode  con cp select=1251
vssadmin  delete shadows /all /quiet
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

persist
-------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              17.09.2018 16:33
sample1.exe
c:\windows\system32\sample1.exe 19.09.2018 19:14

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              17.09.2018 16:33
sample1.exe
c:\users\operator\appdata\roaming\sample1.exe   19.09.2018 19:14

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup                17.09.2018 16:33
sample1.exe
c:\programdata\microsoft\windows\start menu\programs\startup\sample1.exe    19.09.2018 19:14

C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             17.09.2018 16:33
desktop.ini.id-AC38D1C7.[help@x-mail.pro].combo
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.id-ac38d1c7.[help@x-mail.pro].combo 17.09.2018 16:33
sample1.exe
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\sample1.exe 19.09.2018 19:14

encrypted
---------
.id-AC38D1C7.[help@x-mail.pro].combo

ransom_note
----------
all your data has been locked us
You want to return?
write email help@x-mail.pro

# # #
zip1
https://www.virustotal.com/#/file/5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705/details

zip2
https://www.virustotal.com/#/file/6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f/details

scr
https://www.virustotal.com/#/file/82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d/details
https://analyze.intezer.com/#/analyses/a96d8e29-1e9a-4210-8a7f-cd3c55c00a62

VR
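Added detection example (not part of the paste): the activity, persist and encrypted sections above give three host-side signals a defender can match on without any hash: shadow-copy deletion via vssadmin, mshta.exe launching an .hta from a Startup folder, and the Dharma file-naming pattern `<name>.id-<8 hex>.[<email>].<ext>`. The sample events below are constructed from those sections; the function and pattern names are this example's own.

```python
import re

# Patterns derived from the activity/encrypted sections of the paste above.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
MSHTA_STARTUP = re.compile(
    r"mshta\.exe.*\\Start Menu\\Programs\\Startup\\.*\.hta", re.I)
# Dharma/.cezar family naming: <original>.id-<8 hex>.[<email>].<ext>
DHARMA_NAME = re.compile(
    r"\.id-[0-9A-Fa-f]{8}\.\[[^\]\s]+@[^\]\s]+\]\.[A-Za-z0-9]+$")


def flag_process(cmdline):
    """Return the reasons (possibly none) a process command line matches Dharma behaviour."""
    reasons = []
    if SHADOW_DELETE.search(cmdline):
        reasons.append("shadow copy deletion")
    if MSHTA_STARTUP.search(cmdline):
        reasons.append("mshta executing .hta from Startup folder")
    return reasons


def is_dharma_encrypted_name(filename):
    """True if the file name carries the .id-XXXXXXXX.[email].ext marker."""
    return DHARMA_NAME.search(filename) is not None


def scan(events):
    """events: iterable of (kind, value); kind is 'proc' (command line) or 'file' (name)."""
    hits = []
    for kind, value in events:
        if kind == "proc":
            for reason in flag_process(value):
                hits.append((reason, value))
        elif kind == "file" and is_dharma_encrypted_name(value):
            hits.append(("dharma-style encrypted file name", value))
    return hits


# Constructed sample telemetry modelled on the paste's activity/persist sections.
SAMPLE_EVENTS = [
    ("proc", '"C:\\Windows\\system32\\cmd.exe"'),
    ("proc", "vssadmin  delete shadows /all /quiet"),
    ("proc", '"C:\\Windows\\System32\\mshta.exe" "C:\\ProgramData\\Microsoft'
             '\\Windows\\Start Menu\\Programs\\Startup\\Info.hta"'),
    ("file", "report.xlsx.id-AC38D1C7.[help@x-mail.pro].combo"),
    ("file", "report.xlsx"),
    ("proc", "vssadmin list shadows"),  # benign enumeration, must not fire
]

if __name__ == "__main__":
    for reason, value in scan(SAMPLE_EVENTS):
        print(f"{reason}: {value}")
```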