douglasmun

Hela variant of Ragnarok ransomware

Jul 31st, 2021
.Hela variant of Ragnarok ransomware
Updated 2021-07-31

https://www.virustotal.com/gui/file/e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412/detection

I submitted the VirusTotal sample to Any.run and JoeSandbox for analysis. Wow, but not surprised: Hela did not execute on Any.run.

JoeSandbox result: 100% malicious
https://www.joesandbox.com/analysis/824888

Joe Sandbox Analysis:
Verdict: MAL
Score: 100/100
Classification: mal100.rans.troj.evad.winEXE@98/293@0/2
Threat Name: Ragnarok
Hosts: 64.32.25.202 127.0.0.1

HTML Report: https://www.joesandbox.com/analysis/457300/0/html
PDF Report: https://www.joesandbox.com/analysis/457300/0/pdf
Executive Report: https://www.joesandbox.com/analysis/457300/0/executive
Incident Report: https://www.joesandbox.com/analysis/457300/0/irxml
IOCs: https://www.joesandbox.com/analysis/457300?idtype=analysisid

https://analyze.intezer.com/files/e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412?vt

Detection Rate: 57 / 70

Acronis (Static ML) Suspicious
Ad-Aware Gen:Heur.Ransom.REntS.Gen.1
AhnLab-V3 Malware/Win32.Ransom.C4206081
Alibaba Ransom:Win32/generic.ali2000010
ALYac Trojan.Ransom.Ragnarok
Antiy-AVL Trojan/Generic.ASMalwS.31053D4
SecureAge APEX Malicious
Avast Win32:RansomX-gen [Ransom]
AVG Win32:RansomX-gen [Ransom]
Avira (no cloud) TR/Dropper.Gen
BitDefender Gen:Heur.Ransom.REntS.Gen.1
BitDefenderTheta Gen:NN.ZexaF.34050.kqW@aaSCqp
Bkav Pro W32.AIDetect.malware1
CAT-QuickHeal Trojan.GenericRI.S16459585
CrowdStrike Falcon Win/malicious_confidence_90% (W)
Cybereason Malicious.288e16
Cylance Unsafe
Cynet Malicious (score: 100)
Cyren W32/Kryptik.DHB.gen!Eldorado
DrWeb Trojan.Encoder.32596
eGambit Unsafe.AI_Score_99%
Elastic Malicious (high Confidence)
Emsisoft Gen:Heur.Ransom.REntS.Gen.1 (B)
eScan Gen:Heur.Ransom.REntS.Gen.1
ESET-NOD32 A Variant Of Win32/Kryptik.HGSY
FireEye Generic.mg.65c3956288e16bdc
Fortinet W32/Encoder.D40E!tr.ransom
GData Gen:Heur.Ransom.REntS.Gen.1
Gridinsoft Ransom.Win32.Ransom.oa!s1
Ikarus Trojan.Win32.Crypt
Jiangmin Trojan.DelShad.anj
K7AntiVirus Trojan ( 0057175d1 )
K7GW Trojan ( 0057175d1 )
Kaspersky HEUR:Trojan.Win32.DelShad.gen
Lionic Trojan.Win32.DelShad.4!c
Malwarebytes Ransom.FileCryptor
MAX Malware (ai Score=82)
McAfee GenericRXMI-ST!65C3956288E1
McAfee-GW-Edition BehavesLike.Win32.Kudj.ch
Microsoft Ransom:Win32/Ragnarok.PC!MTB
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Palo Alto Networks Generic.ml
Panda Trj/GdSda.A
Qihoo-360 Win32/Ransom.Ragnarok.HwoC2WcA
Rising Trojan.Generic@ML.100 (RDML:WIa8R9+9PgtJkuylWL9aVQ)
Sangfor Engine Zero Trojan.Win32.Save.a
SentinelOne (Static ML) Static AI - Malicious PE
Sophos ML/PE-A + Troj/Ragnar-A
Symantec ML.Attribute.HighConfidence
TACHYON Ransom/W32.Ragnarok.173056
Tencent Malware.Win32.Gencirc.11bb44a0
TrendMicro Ransom.Win32.RAGNAR.SMTH
TrendMicro-HouseCall Ransom.Win32.RAGNAR.SMTH
VBA32 BScope.Trojan.DelShad
ViRobot Trojan.Win32.Ransom.173056.A
Yandex Trojan.DelShad!dG19UCBQNOw
Zillya Trojan.Kryptik.Win32.2813933

Basic properties:
MD5 65c3956288e16bdcc55e3c9c6b94ba5b
SHA-1 33aa83e00711a32e0960dcf670ae2fa891049170
SHA-256 e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412
Vhash 015046655d656az48!z
Authentihash 56bc55c57e1a02d9deabe609f4df801ede0d05d34a22c75d6a41000eeb5fef6e
Imphash 8ea5cdbcb00ec0db5419d8a29ba2f4ca
Rich PE header hash cf3d96f8c13f4c3d772ef5c1fd6057ed
SSDEEP 3072:jFgiMd04bHHr/QFDtarXNF69eK6d1mF61fXbE67YEn2PDqPF:7E3bHL/NK6du611YE27wF
TLSH T1E0049D03B0D0C031E5E214B696BADBB49C3DFD31172898EB67D4396A1F344E27A35A5B
File type Win32 EXE
Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (48.8%)
TrID Win64 Executable (generic) (16.4%)
TrID Win32 Dynamic Link Library (generic) (10.2%)
TrID Win16 NE executable (generic) (7.8%)
TrID Win32 Executable (generic) (7%)
File size 169.00 KB (173056 bytes)

History:
Creation Time 2021-07-18 15:20:30
First Submission 2021-07-26 17:57:12
Last Submission 2021-07-26 17:57:12
Last Analysis 2021-07-27 20:36:40

Network:
64.32.25.202:8081 (TCP) Server: nginx/1.14.0 (Ubuntu)
{
  "ip": "64.32.25.202",
  "city": "Los Angeles",
  "region": "California",
  "country": "US",
  "loc": "34.0522,-118.2437",
  "org": "AS46844 Sharktech",
  "postal": "90009",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

Malicious Behaviours:
- Delete shadow copy via WMIC
- Shadow Copies deletion using operating system utilities
- Modification of Boot Configuration. Use of the bcdedit command to delete boot configuration data.
-- bcdedit /set {current} recoveryenabled no
-- bcdedit /set {current} bootstatuspolicy ignoreallfailures
- File deletion via CMD (via cmdline)
- Suspicious process starts on Windows systems based on keywords

Processes:
2932 - bcdedit /set {current} recoveryenabled no
2788 - %CONHOST% "-960833871-1037925231-1215409270-10504111981538383003-16261957191301836361-385199060
2960 - %windir%\system32\vssvc.exe
2688 - %SAMPLEPATH%
2756 - cmd.exe /c vssadmin delete shadows /all /quiet
2884 - vssadmin delete shadows /all /quiet
2764 - cmd.exe /c wmic shadowcopy delete /nointeractive
2868 - wmic shadowcopy delete /nointeractive
2772 - %CONHOST% "-1615799604-1705459926-1168578821-567490367-1277653817210829689413994556211575966918
2912 - bcdedit /set {current} bootstatuspolicy ignoreallfailures
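The behaviours and process list above are the recovery-inhibition sequence a defender would want to alert on. The following is an added detection example, not part of this paste or of any sandbox output: it runs simple command-line rules over constructed process-creation records (modelled on the PIDs and command lines listed above, not real telemetry), escalates when shadow-copy deletion and boot-configuration tampering appear together, and separately classifies file names by the ".<id>.hela" extension and "!!Read_Me.<id>.html" note pattern this paste reports (the "<id>" token stands in for the redacted "*****" segment). Function and rule names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (pid, command line). These mirror the
# process list in the paste plus two benign entries; they are not captured telemetry.
SAMPLE_EVENTS = [
    (2688, r"C:\Users\victim\Downloads\sample.exe"),
    (2756, "cmd.exe /c vssadmin delete shadows /all /quiet"),
    (2884, "vssadmin delete shadows /all /quiet"),
    (2764, "cmd.exe /c wmic shadowcopy delete /nointeractive"),
    (2868, "wmic shadowcopy delete /nointeractive"),
    (2932, "bcdedit /set {current} recoveryenabled no"),
    (2912, "bcdedit /set {current} bootstatuspolicy ignoreallfailures"),
    (3100, r"notepad.exe C:\Users\victim\notes.txt"),   # benign, must not fire
    (3120, "vssadmin list shadows"),                      # benign admin use, must not fire
]

# Command-line rules. Each maps a technique label to a regex; the ".*" between the
# binary and its arguments tolerates wrappers such as "cmd.exe /c ...".
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_policy_tamper",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    command_line: str


def match_command_line(pid, cmdline):
    """Return one Finding per rule that matches this command line."""
    return [Finding(pid, name, cmdline) for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """Run every rule over every (pid, cmdline) record and collect the findings."""
    findings = []
    for pid, cmdline in events:
        findings.extend(match_command_line(pid, cmdline))
    return findings


def assess(findings):
    """Escalate to 'high' only when recovery is inhibited on two fronts at once:
    shadow copies removed AND boot recovery tampered with. A single technique is
    'medium' (a lone vssadmin delete can be a legitimate cleanup)."""
    techniques = {f.technique for f in findings}
    shadow = "shadow_copy_deletion" in techniques
    boot = bool(techniques & {"boot_recovery_disabled", "boot_status_policy_tamper"})
    if shadow and boot:
        return "high"
    if shadow or boot:
        return "medium"
    return "none"


# File-system indicators from the paste: encrypted files end in ".<id>.hela" and the
# note is named "!!Read_Me.<id>.html". The "<id>" segment is assumed to be one token
# without dots or path separators.
ENCRYPTED_EXT = re.compile(r"\.[^.\\/]+\.hela$", re.I)
RANSOM_NOTE = re.compile(r"^!!Read_Me\.[^.\\/]+\.html$", re.I)


def classify_path(path):
    """Return 'ransom_note', 'encrypted_file', or None for a file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    if ENCRYPTED_EXT.search(name):
        return "encrypted_file"
    return None


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"pid {f.pid}: {f.technique}: {f.command_line}")
    print("assessment:", assess(hits))
    for p in (r"C:\data\report.docx.ab12c.hela", r"C:\data\!!Read_Me.ab12c.html", r"C:\data\report.docx"):
        print(p, "->", classify_path(p))
```

On the sample set, the two benign records produce no findings, the six tampering command lines produce one finding each, and the assessment is "high" because both shadow-copy deletion and bcdedit tampering are present. In production the same rules would sit on process-creation telemetry (Sysmon Event ID 1 or EDR equivalents) and the "medium" tier would be tuned against backup-agent and administrator activity.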

Ransomware Ext: .*****.hela

Ransomware Note: !!Read_Me.*****.html

Ransomware Blog: http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/

Ransomware Note Content:

#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK
Dear Sir

Your files are encrypted with RSA4096 and AES encryption algorithm.
But don't worry, you can return all your files!! follow the instructions to recover your files

Cooperate with us and get the decrypter program as soon as possible will be your best solution.
Only our software can decrypt all your encrypted files.

What guarantees you have?
We take our reputation seriously. We reject any form of deception
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain any valuable information.
When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.
Are they really interested in solving your problems or are they just thinking about their profit and ambitions?

By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...
Here we upload sample files of your company and your private data on our blog :
http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/
We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.
We also promise we can decrypt all of your data and delete all your files on internet after your payment.
Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!
For us this is just business and to prove to you our seriousness.

Our e-mail:
CHRISTIAN1986@TUTANOTA.COM

Reserve e-mail:

melling@confidential.tips