- .Hela variant of Ragnarok ransomware
- Updated 2021-07-31
- https://www.virustotal.com/gui/file/e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412/detection
- I submitted the VirusTotal sample to Any.run and JoeSandbox for analysis. Wow, but not surprised: Hela did not execute on Any.run.
- JoeSandbox result: 100% malicious
- https://www.joesandbox.com/analysis/824888
- Joe Sandbox Analysis:
- Verdict: MAL
- Score: 100/100
- Classification: mal100.rans.troj.evad.winEXE@98/293@0/2
- Threat Name: Ragnarok
- Hosts: 64.32.25.202 127.0.0.1
- HTML Report: https://www.joesandbox.com/analysis/457300/0/html
- PDF Report: https://www.joesandbox.com/analysis/457300/0/pdf
- Executive Report: https://www.joesandbox.com/analysis/457300/0/executive
- Incident Report: https://www.joesandbox.com/analysis/457300/0/irxml
- IOCs: https://www.joesandbox.com/analysis/457300?idtype=analysisid
- https://analyze.intezer.com/files/e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412?vt
- Detection Rate: 57 / 70
- Acronis (Static ML) Suspicious
- Ad-Aware Gen:Heur.Ransom.REntS.Gen.1
- AhnLab-V3 Malware/Win32.Ransom.C4206081
- Alibaba Ransom:Win32/generic.ali2000010
- ALYac Trojan.Ransom.Ragnarok
- Antiy-AVL Trojan/Generic.ASMalwS.31053D4
- SecureAge APEX Malicious
- Avast Win32:RansomX-gen [Ransom]
- AVG Win32:RansomX-gen [Ransom]
- Avira (no cloud) TR/Dropper.Gen
- BitDefender Gen:Heur.Ransom.REntS.Gen.1
- BitDefenderTheta Gen:NN.ZexaF.34050.kqW@aaSCqp
- Bkav Pro W32.AIDetect.malware1
- CAT-QuickHeal Trojan.GenericRI.S16459585
- CrowdStrike Falcon Win/malicious_confidence_90% (W)
- Cybereason Malicious.288e16
- Cylance Unsafe
- Cynet Malicious (score: 100)
- Cyren W32/Kryptik.DHB.gen!Eldorado
- DrWeb Trojan.Encoder.32596
- eGambit Unsafe.AI_Score_99%
- Elastic Malicious (high Confidence)
- Emsisoft Gen:Heur.Ransom.REntS.Gen.1 (B)
- eScan Gen:Heur.Ransom.REntS.Gen.1
- ESET-NOD32 A Variant Of Win32/Kryptik.HGSY
- FireEye Generic.mg.65c3956288e16bdc
- Fortinet W32/Encoder.D40E!tr.ransom
- GData Gen:Heur.Ransom.REntS.Gen.1
- Gridinsoft Ransom.Win32.Ransom.oa!s1
- Ikarus Trojan.Win32.Crypt
- Jiangmin Trojan.DelShad.anj
- K7AntiVirus Trojan ( 0057175d1 )
- K7GW Trojan ( 0057175d1 )
- Kaspersky HEUR:Trojan.Win32.DelShad.gen
- Lionic Trojan.Win32.DelShad.4!c
- Malwarebytes Ransom.FileCryptor
- MAX Malware (ai Score=82)
- McAfee GenericRXMI-ST!65C3956288E1
- McAfee-GW-Edition BehavesLike.Win32.Kudj.ch
- Microsoft Ransom:Win32/Ragnarok.PC!MTB
- NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
- Palo Alto Networks Generic.ml
- Panda Trj/GdSda.A
- Qihoo-360 Win32/Ransom.Ragnarok.HwoC2WcA
- Rising Trojan.Generic@ML.100 (RDML:WIa8R9+9PgtJkuylWL9aVQ)
- Sangfor Engine Zero Trojan.Win32.Save.a
- SentinelOne (Static ML) Static AI - Malicious PE
- Sophos ML/PE-A + Troj/Ragnar-A
- Symantec ML.Attribute.HighConfidence
- TACHYON Ransom/W32.Ragnarok.173056
- Tencent Malware.Win32.Gencirc.11bb44a0
- TrendMicro Ransom.Win32.RAGNAR.SMTH
- TrendMicro-HouseCall Ransom.Win32.RAGNAR.SMTH
- VBA32 BScope.Trojan.DelShad
- ViRobot Trojan.Win32.Ransom.173056.A
- Yandex Trojan.DelShad!dG19UCBQNOw
- Zillya Trojan.Kryptik.Win32.2813933
- Basic properties:
- MD5 65c3956288e16bdcc55e3c9c6b94ba5b
- SHA-1 33aa83e00711a32e0960dcf670ae2fa891049170
- SHA-256 e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412
- Vhash 015046655d656az48!z
- Authentihash 56bc55c57e1a02d9deabe609f4df801ede0d05d34a22c75d6a41000eeb5fef6e
- Imphash 8ea5cdbcb00ec0db5419d8a29ba2f4ca
- Rich PE header hash cf3d96f8c13f4c3d772ef5c1fd6057ed
- SSDEEP 3072:jFgiMd04bHHr/QFDtarXNF69eK6d1mF61fXbE67YEn2PDqPF:7E3bHL/NK6du611YE27wF
- TLSH T1E0049D03B0D0C031E5E214B696BADBB49C3DFD31172898EB67D4396A1F344E27A35A5B
- File type Win32 EXE
- Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- TrID Win32 Executable MS Visual C++ (generic) (48.8%)
- TrID Win64 Executable (generic) (16.4%)
- TrID Win32 Dynamic Link Library (generic) (10.2%)
- TrID Win16 NE executable (generic) (7.8%)
- TrID Win32 Executable (generic) (7%)
- File size 169.00 KB (173056 bytes)
- History:
- Creation Time 2021-07-18 15:20:30
- First Submission 2021-07-26 17:57:12
- Last Submission 2021-07-26 17:57:12
- Last Analysis 2021-07-27 20:36:40
- Network:
- 64.32.25.202:8081 (TCP) Server: nginx/1.14.0 (Ubuntu)
- {
- "ip": "64.32.25.202",
- "city": "Los Angeles",
- "region": "California",
- "country": "US",
- "loc": "34.0522,-118.2437",
- "org": "AS46844 Sharktech",
- "postal": "90009",
- "timezone": "America/Los_Angeles",
- "readme": "https://ipinfo.io/missingauth"
- }
- Malicious Behaviours:
- - Delete shadow copy via WMIC
- - Shadow Copies deletion using operating systems utilities
- - Modification of Boot Configuration. Use of the bcdedit command to delete boot configuration data.
- -- bcdedit /set {current} recoveryenabled no
- -- bcdedit /set {current} bootstatuspolicy ignoreallfailures
- - File deletion via CMD (via cmdline)
- - Suspicious process starts on Windows systems based on keywords
- Processes:
- 2932 - bcdedit /set {current} recoveryenabled no
- 2788 - %CONHOST% "-960833871-1037925231-1215409270-10504111981538383003-16261957191301836361-385199060
- 2960 - %windir%\system32\vssvc.exe
- 2688 - %SAMPLEPATH%
- 2756 - cmd.exe /c vssadmin delete shadows /all /quiet
- 2884 - vssadmin delete shadows /all /quiet
- 2764 - cmd.exe /c wmic shadowcopy delete /nointeractive
- 2868 - wmic shadowcopy delete /nointeractive
- 2772 - %CONHOST% "-1615799604-1705459926-1168578821-567490367-1277653817210829689413994556211575966918
- 2912 - bcdedit /set {current} bootstatuspolicy ignoreallfailures
- Ransomware Ext: .*****.hela
- Ransomware Note: !!Read_Me.*****.html
- Ransomware Blog: http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/
- Ransomware Note Content:
- #ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK
- Dear Sir
- Your files are encrypted with RSA4096 and AES encryption algorithm.
- But don't worry, you can return all your files!! follow the instructions to recover your files
- Cooperate with us and get the decrypter program as soon as possible will be your best solution.
- Only our software can decrypt all your encrypted files.
- What guarantees you have?
- We take our reputation seriously. We reject any form of deception
- You can send one of your encrypted file from your PC and we decrypt it for free.
- But we can decrypt only 1 file for free. File must not contain any valuable information.
- When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.
- Are they really interested in solving your problems or are they just thinking about their profit and ambitions?
- By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...
- Here we upload sample files of your company and your private data on our blog :
- http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/
- We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.
- We also promise we can decrypt all of your data and delete all your files on internet after your payment.
- Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!
- For us this is just business and to prove to you our seriousness.
- Our e-mail:
- CHRISTIAN1986@TUTANOTA.COM
- Reserve e-mail:
- melling@confidential.tips