#IOC #OptiData #VR #210918 #Cryakl #Ransomware #SCR #ZIP
(!) Cryakl
Identified by sample_extension: email-<email>.ver-CL <version>.id-<random>-<random>.doubleoffset
This ransomware may be decryptable under certain circumstances.
email_headers
--------------
Received: from konto-design.ru (konto-design.ru [95.213.203.178])
    by mailsrv.victim.com (8.15.2/8.15.2) with ESMTP id w8LGeCtv003880
    for <user1@vip.victim.com>; Fri, 21 Sep 2018 19:40:13 +0300 (EEST)
    (envelope-from send@konto-design.ru)
Reply-To: =?windows-1251?B?w+vu8Oj/?= <bounce@konto-design.ru>
From: =?windows-1251?B?w+vu8Oj/?= <send@konto-design.ru>
To: <user1@vip.victim.com>
Subject: Сверка дублирую. вчера не тот файл вислали
Date: Fri, 21 Sep 2018 19:40:06 +0300
files
--------------
SHA-256 5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651
File name st140620.tmp
File size 156.25 KB
SHA-256 bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe
File name чек повторной оплаты выписка из банка.scr (EXE) packer PECompact 2.xx --> BitSum Technologies
File size 170 KB
activity
--------------
proc
--------------
"C:\Users\operator\Desktop\1.scr" /S
"C:\Users\operator\Desktop\1.scr"
"C:\tmp\ADHLRUXBEH.exe"
"C:\tmp\ADHLRUXBEH.exe"
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 24.09.2018 12:02
2889404871 c:\tmp\adhlruxbeh.exe 20.09.2018 16:42
netwrk
--------------
5.101.152.212 dyrovpa9.beget{.}tech GET /inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1 Mozilla/5.0 (Windows NT 6.3; WOW64)
164.132.235.17 www.vabel{.}fr GET /wp-content/uploads/2018/08/stat/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1 Mozilla/5.0 (Windows NT 6.3; WOW64)
encrypted
--------------
email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf
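Added detection example (not part of the paste): the encrypted-file name pattern in the sample_extension line and the "encrypted" section, and the install beacon in the "netwrk" section, both carry the same victim id, so a responder can parse file listings and proxy logs and tie the two together. The parser below handles the `.fname-<original>` tail seen in the actual sample rather than the `.doubleoffset` placeholder of the identification rule; the file names, the beacon line and the hostname formatting in the sample data are constructed for this example.

```python
"""Parse Cryakl (CL 1.5.x) artifacts from this IOC record and correlate them.

Added example, not code from the original paste.  Two artifacts are parsed:
  * encrypted file names: email-<email>.ver-CL <version>.id-<id>[.fname-<original>]
  * install beacon:       GET /inst.php?vers=CL%20<version>&id=<id>&sender=
and incidents are grouped by the victim id that appears in both.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# File-name pattern from the "encrypted" section.  The e-mail part may itself
# contain dots, so it is matched lazily up to the literal ".ver-CL ".
CRYAKL_NAME_RE = re.compile(
    r"^email-(?P<email>.+?)\.ver-CL (?P<version>\d+(?:\.\d+)*)"
    r"\.id-(?P<victim_id>\d+-\d+)(?:\.fname-(?P<original>.+))?$"
)
# Beacon path from the "netwrk" section; the query string is parsed separately.
BEACON_RE = re.compile(r"\b(?:GET|POST) (?P<url>\S*/inst\.php\?\S*)")


@dataclass
class EncryptedFile:
    email: str
    version: str
    victim_id: str
    original: Optional[str]


@dataclass
class Incident:
    email: str
    version: str
    files: List[str] = field(default_factory=list)
    beacon_seen: bool = False


def parse_encrypted_name(name: str) -> Optional[EncryptedFile]:
    """Return the fields of a Cryakl-style file name, or None if it does not match."""
    m = CRYAKL_NAME_RE.match(name)
    if not m:
        return None
    return EncryptedFile(m["email"], m["version"], m["victim_id"], m["original"])


def parse_beacon(log_line: str) -> Optional[Dict[str, str]]:
    """Extract version and victim id from a proxy log line carrying the install beacon."""
    m = BEACON_RE.search(log_line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)
    vers = qs.get("vers", [""])[0]          # parse_qs already decodes "%20" to a space
    victim_id = qs.get("id", [""])[0]
    if not vers.startswith("CL ") or not re.fullmatch(r"\d+-\d+", victim_id):
        return None
    return {"version": vers[3:], "victim_id": victim_id}


def correlate(file_names: List[str], log_lines: List[str]) -> Dict[str, Incident]:
    """Group encrypted files by victim id and flag ids whose beacon was also seen."""
    incidents: Dict[str, Incident] = {}
    for name in file_names:
        f = parse_encrypted_name(name)
        if f is None:
            continue
        inc = incidents.setdefault(f.victim_id, Incident(f.email, f.version))
        inc.files.append(f.original or name)
    for line in log_lines:
        b = parse_beacon(line)
        if b and b["victim_id"] in incidents:
            incidents[b["victim_id"]].beacon_seen = True
    return incidents


# Constructed sample data: two file names in the paste's pattern plus a benign
# one, and a proxy log line with the record's beacon plus a benign request.
SAMPLE_FILES = [
    "email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf",
    "email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-budget.xlsx",
    "quarterly_report.docx",
]
SAMPLE_LOGS = [
    "10.0.0.5 dyrovpa9.beget[.]tech GET /inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1",
    "10.0.0.5 www.example.com GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for victim_id, inc in correlate(SAMPLE_FILES, SAMPLE_LOGS).items():
        print(victim_id, inc)
```

Run it over a recursive listing of a suspect share and the proxy log for the same time window; an incident whose beacon was seen confirms the host reached the install endpoint, and the attacker e-mail and version fields are what the ID Ransomware and decryptor links below key on.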
ransom_note
--------------
Your files was encrypted! Write us:
vally@x-mail.pro
vally@x-mail.pro
vally@x-mail.pro
decryptor
--------------
https://id-ransomware.malwarehunterteam.com/identify.php?case=439a00e2de51c43e19560eff059316bb94d96d1d
https://www.experts-exchange.com/articles/31579/Decrypting-Cryakl-1-4-0-0-1-4-1-0-FAIRYTAIL-Ransomware.html
https://www.youtube.com/watch?v=oNqcWQ3WL20
# # #
https://www.virustotal.com/#/file/5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651/details
https://www.virustotal.com/#/file/bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe/details
https://analyze.intezer.com/#/analyses/0c0a08ea-4f82-4540-a000-55c6b1f1a83b