- #IOC #OptiData #VR #200918 #dharma #ransomware #SCR #ZIP
- !Dharma (.cezar Family)
- !This ransomware has no known way of decrypting data at this time.
- https://id-ransomware.malwarehunterteam.com/identify.php?case=4c0357717bd8f840d2c3ecc269cfeea45a31237e
- email_subjects
- --------------
- #1 сверка конец месяца (end-of-month reconciliation)
- #2 счет + акт за август (invoice + act for August)
- email_headers
- -------------
- #1 Return-Path: <senders@spravedlivotver.ru>
- Received: from spravedlivotver.ru (spravedlivotver.ru [212.92.98.5])
- for <user1@victim.com>; Thu, 20 Sep 2018 01:37:23 +0300
- Reply-To: =?windows-1251?B?yuDw6+A=?= <bounce@spravedlivotver.ru>
- From: =?windows-1251?B?yuDw6+A=?= <senders@spravedlivotver.ru>
- #2 Return-Path: <senders@add2board.ru>
- Received: from add2board.ru (add2board.ru [5.189.227.173])
- for <user2@victim.com>; Thu, 20 Sep 2018 01:53:12 +0300
- Reply-To: =?windows-1251?B?y/7h4OLg?= <bounce@add2board.ru>
- From: =?windows-1251?B?y/7h4OLg?= <senders@add2board.ru>
- urls
- ------
- #1 h11p:\bit{.} ly/2ppnl13
- #2 h11p:\bit{.} ly/2pnoPt2
- files
- -----
- ZIP1
- SHA-256 5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705
- File name приложение.zip (приложение = attachment) [Zip archive data, at least v2.0 to extract]
- File size 323.23 KB
- ZIP2
- SHA-256 6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f
- File name приложение 1 информация.zip (attachment 1 information) [Zip archive data, at least v2.0 to extract]
- File size 322.88 KB
- SCR
- SHA-256 82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
- File name приложение 1 информация.scr (attachment 1 information) (EXE) [PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed]
- File size 335.5 KB
- activity
- --------
- "C:\Users\operator\Desktop\sample1.exe"
- "C:\Windows\system32\cmd.exe"
- mode con cp select=1251
- vssadmin delete shadows /all /quiet
- "C:\Users\operator\Desktop\sample1.exe" -a
- "C:\Windows\system32\cmd.exe"
- mode con cp select=1251
- vssadmin delete shadows /all /quiet
- "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- persist
- -------
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 17.09.2018 16:33
- sample1.exe
- c:\windows\system32\sample1.exe 19.09.2018 19:14
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 17.09.2018 16:33
- sample1.exe
- c:\users\operator\appdata\roaming\sample1.exe 19.09.2018 19:14
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup 17.09.2018 16:33
- sample1.exe
- c:\programdata\microsoft\windows\start menu\programs\startup\sample1.exe 19.09.2018 19:14
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 17.09.2018 16:33
- desktop.ini.id-AC38D1C7.[help@x-mail.pro].combo
- c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.id-ac38d1c7.[help@x-mail.pro].combo 17.09.2018 16:33
- sample1.exe
- c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\sample1.exe 19.09.2018 19:14
- encrypted
- ---------
- .id-AC38D1C7.[help@x-mail.pro].combo
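Added example, not part of the original paste: a small Python script that turns the indicators above into checks a defender can run. It decodes the windows-1251 RFC 2047 display names from the two From: headers, flags the shadow-copy deletion and the Startup-folder mshta launch in the activity log, and parses the .id-<8 hex>.[email].ext naming pattern from the encrypted section. The sample lines are copied from this paste; the function names, regexes and tags are my own.

```python
import re
from email.header import decode_header

# Sample values copied from the paste above (sender headers, activity lines, file names).
SAMPLE_FROM_HEADERS = [
    "=?windows-1251?B?yuDw6+A=?= <senders@spravedlivotver.ru>",
    "=?windows-1251?B?y/7h4OLg?= <senders@add2board.ru>",
]

SAMPLE_ACTIVITY = [
    r'"C:\Users\operator\Desktop\sample1.exe"',
    r'"C:\Windows\system32\cmd.exe"',
    "mode con cp select=1251",
    "vssadmin delete shadows /all /quiet",
    r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
]

SAMPLE_NAMES = [
    "desktop.ini.id-AC38D1C7.[help@x-mail.pro].combo",
    r"c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\sample1.exe",
]


def decode_rfc2047(value: str) -> str:
    """Turn an RFC 2047 header (=?charset?B?...?=) into the text the recipient sees.

    A filter that only inspects the encoded form never sees the Cyrillic display
    name that makes the mail look like a local business contact."""
    pieces = []
    for part, charset in decode_header(value):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", errors="replace")
        pieces.append(part)
    return "".join(pieces)


# Shadow copy wipe seen in the activity log: the usual pre-encryption step.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Ransom note (.hta) launched from the all-users Startup folder via mshta.exe.
MSHTA_STARTUP = re.compile(r"mshta\.exe.*\\Start Menu\\Programs\\Startup\\[^\"]+\.hta", re.IGNORECASE)


def flag_activity(lines):
    """Return (line_number, tag) for every process line matching a known indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if SHADOW_DELETE.search(line):
            hits.append((number, "shadow_copy_deletion"))
        if MSHTA_STARTUP.search(line):
            hits.append((number, "mshta_startup_hta"))
    return hits


# Encrypted-file naming from the "encrypted" section: <name>.id-<8 hex>.[<contact>].<ext>
ENCRYPTED_NAME = re.compile(
    r"\.id-(?P<victim_id>[0-9a-f]{8})\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[a-z0-9]+)$",
    re.IGNORECASE,
)


def parse_encrypted_name(path: str):
    """Split a Dharma-style encrypted file name into victim id, contact address and extension.

    Returns None for names that do not follow the pattern, so the function can be
    run over a whole file listing to count affected files and group them by contact."""
    match = ENCRYPTED_NAME.search(path)
    if not match:
        return None
    return {
        "victim_id": match.group("victim_id").upper(),
        "contact": match.group("contact"),
        "ext": match.group("ext").lower(),
    }


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(decode_rfc2047(header))
    print(flag_activity(SAMPLE_ACTIVITY))
    for name in SAMPLE_NAMES:
        print(name, "->", parse_encrypted_name(name))
```

The victim id is normalised to upper case because the same file shows up both as id-AC38D1C7 and id-ac38d1c7 in the persistence listing above, depending on which tool recorded it.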
- ransom_note
- ----------
- all your data has been locked us
- You want to return?
- write email help@x-mail.pro
- # # #
- zip1
- https://www.virustotal.com/#/file/5023afdaf8cb121770ce3f3d6355ed84f3d103ef82e1257e14313ee17461a705/details
- zip2
- https://www.virustotal.com/#/file/6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f/details
- scr
- https://www.virustotal.com/#/file/82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d/details
- https://analyze.intezer.com/#/analyses/a96d8e29-1e9a-4210-8a7f-cd3c55c00a62
- VR