Tuesday, December 18, 2018

latest samples of Gandcrab ransomware (hashes)

Malware researchers spotted the latest GandCrab samples in the wild. Please refer to the sample hashes table:

File Hashes: Latest versions of Gandcrab


Post by

Monday, December 17, 2018

Quantum Physics:

Quantum physics is the mathematical representation of the interactions between heavy objects and sub-atomic particles. Classical mechanics also needs a great deal of mathematical representation to understand and support its theory, but classical mechanics is easier than quantum mechanics, which makes classical physics easier to understand. Quantum physics demands a more extensive mathematical apparatus to firm up its theory. One must have strong mathematical knowledge to understand theoretical physics.
Quantum physics requires the following mathematics system:
  • Advanced probability theory
  • Complex numbers
  • Partial differentiation
  • Matrix algebra



Quantum physics is very uncertain and completely different from the everyday world. We can predict the orbit of a planet but can't predict a subatomic particle. One of the famous principles, the Heisenberg uncertainty principle, says that if we determine how fast a thing goes then we can't determine where that thing is, but if we determine where that thing is, we can't find how fast it goes. Pretty confusing, right? (FYI, we haven't written anything technical yet.) You can predict, and be sure of, where a ball will land and how it falls after being thrown. In the case of a particle such as an electron, where will the electron be located after being "thrown"? This is the wrong question. No matter how many times the electron is "thrown" with the same magnitudes, the final locations will always be different. As a result, physicists prefer to ask what the probability is of finding the electron at the location we want. (Please refer to Young's double-slit experiment.) Yes, that is weird and difficult to understand. It is one of the strange behaviors of particles. Quantum physics has also shown very unexpected experimental results, totally different from everyday reality. To study quantum physics, going step by step is the key. Please start working on the following topics:
  • Photoelectric effect
  • Wave-particle duality
  • Schrödinger's cat
  • Quantum entanglement
  • Superposition



Quantum physics is always an interesting topic, and someday it will reveal the mysteries of the universe.



Friday, December 14, 2018

Did Einstein really perform poorly in mathematics?


To become a theoretical physicist, one must have strong knowledge in the field of mathematics. In other words, mathematics is the way of expressing physics to others. Many have asked us: was Einstein really good at mathematics? Did he really perform poorly in mathematics during his school days?

Our answer is very simple: look at the mathematical expressions in the relativity papers, especially the field equations of general relativity, and people will understand how strong Einstein was in the field of mathematics.

Let's discuss this topic in a little more detail:

Einstein, obviously, was brilliant at math. At a young age, he took the initiative to study advanced math with the help of his family. The saying that Einstein was terrible at math is not a valid one.



Time Magazine quoted: 
"In 1935, a rabbi in Princeton showed him a clipping of the Ripley’s column with the headline “Greatest living mathematician failed in mathematics.” Einstein laughed. “I never failed in mathematics,” he replied, correctly. “Before I was fifteen I had mastered differential and integral calculus.” In primary school, he was at the top of his class and “far above the school requirements” in math. By age 12, his sister recalled, “he already had a predilection for solving complicated problems in applied arithmetic,” and he decided to see if he could jump ahead by learning geometry and algebra on his own. His parents bought him the textbooks in advance so that he could master them over summer vacation. Not only did he learn the proofs in the books, he also tackled the new theories by trying to prove them on his own. He even came up on his own with a way to prove the Pythagorean theory."





Physics - arguably the greatest branch of science:


Physics is the natural science that studies matter and its motion and behavior through space and time, together with the related entities of energy and force. Physics is one of the most fundamental scientific disciplines, and its main goal is to understand how the universe behaves. Physics is one of the oldest academic disciplines and, through its inclusion of astronomy, perhaps the oldest. Over the last two millennia, physics, chemistry, biology, and certain branches of mathematics were part of natural philosophy, but during the scientific revolution in the 17th century these natural sciences emerged as distinct research endeavors in their own right. Physics intersects with many interdisciplinary areas of research, such as biophysics and quantum chemistry, and the boundaries of physics are not rigidly defined. New ideas in physics often explain the fundamental mechanisms studied by other sciences and suggest new avenues of research in academic disciplines such as mathematics and philosophy. Advances in physics often enable advances in new technologies. For instance, advances in the understanding of electromagnetism and nuclear physics led directly to the development of new products that have dramatically transformed modern society, such as television, computers, domestic appliances, and nuclear weapons; advances in thermodynamics led to the development of industrialization; and advances in mechanics inspired the development of calculus.



Physics in medieval times

- Europe:
The Western Roman Empire fell in the fifth century, and this resulted in a decline in intellectual pursuits in the western part of Europe. By contrast, the Eastern Roman Empire (also known as the Byzantine Empire) resisted the attacks of the barbarians and continued to advance various fields of learning, including physics. In the sixth century, Isidore of Miletus created an important compilation of Archimedes' works that are copied in the Archimedes Palimpsest. In sixth-century Europe John Philoponus, a Byzantine scholar, questioned Aristotle's teaching of physics and noted its flaws. He introduced the theory of impetus. Aristotle's physics was not scrutinized until John Philoponus appeared, and unlike Aristotle, who based his physics on verbal argument, Philoponus relied on observation. John Philoponus' criticism of Aristotelian principles of physics served as an inspiration for Galileo Galilei ten centuries later, during the Scientific Revolution. Galileo cited Philoponus substantially in his works when arguing that Aristotelian physics was flawed. In the 1300s Jean Buridan, a teacher in the faculty of arts at the University of Paris, developed the concept of impetus. It was a step toward the modern ideas of inertia and momentum.

- Islamic world:
Islamic scholarship inherited Aristotelian physics from the Greeks and, during the Islamic Golden Age, developed it further, placing particular emphasis on observation and a priori reasoning and developing early forms of the scientific method. The most notable innovations were in the field of optics and vision, which came from the works of many scientists such as Ibn Sahl, Al-Kindi, Ibn al-Haytham, Al-Farisi and Avicenna. The most notable work was The Book of Optics (also known as Kitāb al-Manāẓir), written by Ibn al-Haytham, in which he conclusively disproved the ancient Greek idea about vision and, in addition, came up with a new theory. In the book, he presented a study of the phenomenon of the camera obscura (his thousand-year-old version of the pinhole camera) and delved further into the way the eye itself works. Using dissections and the knowledge of previous scholars, he was able to begin to explain how light enters the eye. He asserted that the light ray is focused, but the actual explanation of how light is projected onto the back of the eye had to wait until 1604. His Treatise on Light explained the camera obscura hundreds of years before the modern development of photography. The seven-volume Book of Optics (Kitab al-Manathir) hugely influenced thinking across disciplines, from the theory of visual perception to the nature of perspective in medieval art, in both the East and the West, for more than 600 years. Many later European scholars and fellow polymaths, from Robert Grosseteste and Leonardo da Vinci to René Descartes, Johannes Kepler, and Isaac Newton, were in his debt. Indeed, the influence of Ibn al-Haytham's Optics ranks alongside that of Newton's work of the same title, published 700 years later. The translation of The Book of Optics had a huge impact on Europe.
From it, later European scholars were able to build devices that replicated those Ibn al-Haytham had built, and to understand the way light works. From this, such important things as eyeglasses, magnifying glasses, telescopes, and cameras were developed.


In the upcoming post, we will cover the last 1000 years of physics.

Post by Physics Universe

Router:

A router is a networking device that forwards data packets between computer networks. Routers perform the traffic-directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork until it reaches its destination node. A router is connected to two or more data lines from different networks. When a data packet comes in on one of the lines, the router reads the network address information in the packet to determine the ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. The most familiar type of routers are home and small office routers that simply forward IP packets between the home computers and the Internet. An example of a router would be the owner's cable or DSL router, which connects to the Internet through an Internet service provider (ISP). More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Although routers are typically dedicated hardware devices, software-based routers also exist.

The first ARPANET router (1969)


Uses of routers

A router may have interfaces for different types of physical layer connections, such as copper cables, fiber optic, or wireless transmission. It can also support different network layer transmission standards. Each network interface is used to enable data packets to be forwarded from one transmission system to another. Routers may also be used to connect two or more logical groups of computer devices known as subnets, each with a different network prefix. Routers may provide connectivity within enterprises, between enterprises and the Internet, or between internet service providers' (ISPs') networks. The largest routers (such as the Cisco CRS-1 or Juniper PTX) interconnect the various ISPs or may be used in large enterprise networks. Smaller routers usually provide connectivity for typical home and office networks. All sizes of routers may be found inside enterprises. The most powerful routers are usually found in ISPs and in academic and research facilities. Large businesses may also need more powerful routers to cope with the ever-increasing demands of intranet data traffic. A hierarchical internetworking model for interconnecting routers in large networks is in common use.
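To make the forwarding decision described above concrete, here is an added Python example (not code from the post): a forwarding table with overlapping prefixes is built with the standard ipaddress module and looked up by longest-prefix match, which is how a router picks the most specific route for a destination, falling back to the default route and refusing to forward when no route covers the address. The table entries, interface names and next hops are constructed assumptions.

```python
import ipaddress

# Constructed forwarding table for a hypothetical router (not from the post):
# (prefix, outgoing interface, next hop; None marks a directly connected subnet)
FORWARDING_TABLE = [
    ("10.0.0.0/8", "eth0", "10.0.0.1"),
    ("10.1.0.0/16", "eth1", "10.1.0.1"),      # more specific than 10.0.0.0/8
    ("192.168.1.0/24", "eth2", None),          # directly connected LAN
    ("0.0.0.0/0", "eth0", "203.0.113.1"),      # default route towards the ISP
]


def build_table(entries):
    """Parse the prefixes and order them most-specific first, so that a
    linear scan returns the longest matching prefix."""
    table = []
    seen = set()
    for prefix, iface, next_hop in entries:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
        if net in seen:
            raise ValueError(f"duplicate route for {net}")
        seen.add(net)
        table.append((net, iface, next_hop))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Return (interface, next_hop) for a destination address, or None when
    no route (not even a default route) covers it."""
    addr = ipaddress.ip_address(destination)
    for net, iface, next_hop in table:
        # 'in' is False for a mismatched IP version, so an IPv6 destination
        # simply falls through an IPv4-only table.
        if addr in net:
            if next_hop is None:
                # Directly connected subnet: deliver to the destination itself.
                return iface, str(addr)
            return iface, next_hop
    return None


TABLE = build_table(FORWARDING_TABLE)

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.2.3.4", "192.168.1.50", "8.8.8.8", "2001:db8::1"):
        print(dst, "->", lookup(TABLE, dst))
```

Sorting by prefix length once at build time keeps the lookup a simple scan; a production router would use a trie or hardware TCAM for the same decision, but the rule it implements is exactly this one.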


Post by newWorld

Cyber attack on the Italian oil and gas services company Saipem

Saipem has customers in more than 60 countries, including the Saudi Arabian oil and gas giant Saudi Aramco. It could be considered a strategic target for a wide range of threat actors. The attack was identified out of India on Monday and primarily affected the servers in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait. The main operating centers in Italy, France and Britain had not been affected. The attack affected only a limited number of servers in its infrastructure; Saipem said it is working to restore them using backups, a circumstance that could suggest that ransomware hit the company.




Saipem told Reuters the attack originated in Chennai, India, but the identity of the attackers is unknown. The Italian oil services company Saipem was hit by a cyber attack; it confirmed the incident but has shared few details about the attack. At this time it is difficult to attribute the attack; it isn't clear whether the company faced a targeted attack or was hit in a broader campaign carried out by threat actors. We can't rule out that the attackers hit the company to target its business partners as well, for instance Saudi Aramco, which suffered the Shamoon attacks in 2012 and 2016. Saipem told media it was reporting the incident to the competent authorities.

Post by newWorld

Hashes of Latest Ransomware variants:

This list of hashes is added here for analysis purposes and is also useful for blocking these samples in host-based detection.
Image from Archive of old ransomware

List of Hashes (SHA256)

  • 3416bdb49c534fc05c4c2de19063c1227fbc4489edb0cabdef438f459cfeba24
  • 09fb9a9219fe4b0bfff15d7c55d4d4121178129226c9f986e88b195e84eb05b6
  • 9939416f4f376a7b5a5351ed9564d32125fcd118a44791617dfbb49584fa2a7e
  • 5a58d33e7a71d7b5b0d7ab71c44188eb51f70365ce2916be413d65d417f4d35a
  • d41d64ad1197769e6e1e085482d03e56bd08ee7407d79f3ace24dcfde49f2405
  • 45682aecd2486f0574dc9bd510ecea5c108418ebed66494214a144ce6221bc6f
  • 2ade62bef7c7e7097b8976331380d139115acb7b7244e4eb56032a1fa73b3208
  • 958259eae582be868d92261ef751abcbb829b53a92c3bf1f7f5e508c267fdad0
  • 7b6654c73c56b8fc8f7c0cb0b1de8d2ea0946aee9bfc7de9ff435f44430567ff
  • fbf71461103a9234c195bfdbab12cdb5f24e891658cb4932e54f58a350cba653
  • 5ff682c17c0df3c66e45ea96f6b4cf7f2f6fcad4ea60309f0a04308fbaa71004
  • e57e854feeb225ba7488ffa42dacd6ccbbd0dda9557be5182dc4d6bc9684d142
  • a52d07007b769bc71849a2f54a901c13e3d95ffb965b871c189de9e563c72fc4
  • e7420eab56b9ce407f38f30af393255c3a7e8c5b5b8a0b3d00baac9c1d102070
  • 2b0977cc2c30520b19f727b03eedb656973c83ec2d0263081b522ac03bec629b
  • dde2fbc02b70203a8214ed1713036f184ff878358997633cfb9637480289f5aa
  • 90d99c4fe7f81533fb02cf0f1ff296cc1b2d88ea5c4c8567142bb455f435ee5b
  • dd8f267654c63bd177362e6e0634f8ba718b284f414a70e4a1ef399d69e5e601
  • dc8f856e879796f8c1c46d087ec2cca1b94848b4095769c23b0c839edd529096
  • ac7e094fda0299255c7c833054dd0f75ea9a2a9211be0d8db90800c73f2e265d
  • c805920b3f0d64789d7aeb1ebc4ae8a0519d500bb6e8d39c84a3bee103189320
  • b0ac973c57292f75deff73b282bd6d2cb9fffe09513e2e9b5dd149658c2ad940
  • 490de12b04949e87b7fc42cd439955f053e847d8f6bd22fe1214e3d2a21b823c
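As an added example (not code from the post), here is how a list such as the one above can be put to use for host-based blocking in Python: the hashes are normalised (the posts on this blog mix upper and lower case), malformed entries are rejected rather than silently never matching, and file content is hashed once per algorithm that actually appears in the list. The two indicator values are taken from this page; the sample content the matcher runs over is constructed.

```python
import hashlib

# Indicator hashes as they appear on this page (note the differing case).
IOC_HASHES = [
    "3416bdb49c534fc05c4c2de19063c1227fbc4489edb0cabdef438f459cfeba24",  # SHA256, list above
    "BA67DD5AB7D6061704F2903573CEC303",  # MD5 of the Crysis/Dharma sample analysed on this blog
]

# Hex-digest length tells us which algorithm produced the hash.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize(hash_text):
    """Return (algorithm, lowercase hex) or raise ValueError for a hash that
    is the wrong length or not hexadecimal (e.g. a truncated table cell)."""
    h = hash_text.strip().lower()
    algo = LENGTH_TO_ALGO.get(len(h))
    if algo is None or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"malformed hash: {hash_text!r}")
    return algo, h


def build_index(hashes):
    """Group the indicator hashes by algorithm so each file is hashed once per
    algorithm instead of once per indicator."""
    index = {}
    for text in hashes:
        algo, h = normalize(text)
        index.setdefault(algo, set()).add(h)
    return index


def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()


def match_bytes(data, index):
    """Return the (algorithm, hash) pairs from the index that match the content."""
    hits = []
    for algo, known in index.items():
        h = digest(data, algo)
        if h in known:
            hits.append((algo, h))
    return hits


if __name__ == "__main__":
    # Constructed content, hashed on the fly so the run shows a hit and a miss.
    sample = b"constructed sample content, not a real malware file"
    index = build_index(IOC_HASHES + [digest(sample, "sha256")])
    print("sample:", match_bytes(sample, index))
    print("other :", match_bytes(b"something else", index))
```

Rejecting malformed entries at load time matters: a hash that lost a character during copy-paste would otherwise sit in the blocklist and never match anything, giving a false sense of coverage.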



Post by newWorld


Novidade EK (Exploit Kit) Targets routers

Security researchers at Trend Micro have found a new EK, named Novidade ("novelty" in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment. The Novidade exploit kit uses cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to an IP address under the control of the attackers. Since its first discovery in August 2017, experts have observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign. Currently, Novidade is used in various campaigns; experts believe it has been sold to different threat actors or that its source code leaked.

Most of the campaigns found by the experts use phishing attacks to retrieve banking credentials in Brazil. Experts also observed campaigns with no specific target geolocation, a circumstance that suggests the attackers are expanding their target areas or that a larger number of threat actors are using the exploit kit.

Experts say that the landing page performs HTTP requests, generated by the JavaScript Image function, to a predefined list of local IP addresses that are used by routers. Once a connection is established, the Novidade toolkit queries the IP address to download an exploit payload encoded in base64. The exploit kit blindly attacks the detected IP address with all of its exploits. The malicious code also attempts to log in to the router with a set of default credentials and then executes a CSRF attack to change the DNS settings. Below is the list of possibly affected router models, based on Trend Micro's comparison of the malicious code, network traffic, and published POC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)


For more analysis, please refer to the TrendMicro page: https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

IOC table from Trend Micro:


Threat identification | Specifies
globo[.]jelastic[.]servint[.]net | Novidade exploit kit domain
landpagebrazil[.]whelastic[.]net | Novidade exploit kit domain
light[.]jelastic[.]servint[.]net | Novidade exploit kit domain
52[.]47[.]94[.]175 | Novidade exploit kit IP address
pesquisaeleitoral2018[.]online | Social Engineering Domain
pesquisaparapresidente[.]online | Social Engineering Domain
108[.]174[.]198[.]177 | Suspicious DNS server
144[.]217[.]24[.]233 | Suspicious DNS server
172[.]245[.]14[.]114 | Malicious DNS server
192[.]3[.]178[.]178 | Malicious DNS server
192[.]3[.]190[.]114 | Malicious DNS server
192[.]3[.]8[.]186 | Malicious DNS server
198[.]23[.]140[.]10 | Malicious DNS server
198[.]46[.]131[.]130 | Malicious DNS server
23[.]94[.]149[.]242 | Malicious DNS server
23[.]94[.]190[.]242 | Malicious DNS server
23[.]95[.]82[.]42 | Malicious DNS server


Post by

Thursday, December 13, 2018

French Foreign ministry reported its Travel Alert Registry Hack:

The French ministry confirmed that malicious hackers breached the Ariane system, its travel alert registry website, and that personal data of citizens "could be misused". The Ariane system provides security alerts to registered users when travelling abroad. At this time there are no technical details about the intrusion or the number of affected people. The statement did not indicate who may be behind the attack.


The ministry began notifying the affected users of the incident; it also told the media that it had taken the necessary measures to avoid similar incidents in the future. The ministry confirmed that the site was now secured.

What is Intraday Trading?

Buying and selling stocks within the same trading day is known as intraday trading. Typically, in such cases, the intention of the investor is not to invest for the long term based on the growth prospects of a company, but to make gains from the volatility of shares on a particular day. Intraday trading can be done through a demat account. Traders or investors need to specify, while buying a particular share, whether they plan to invest for intraday or delivery (holding the shares for more than one day).
Intraday trading is clearly a leveraged game. That means your broker will allow you to take a trading position that is a multiple of the margin money in your trading account. To that extent, it is riskier and requires a different set of skills and mental makeup compared to delivery trading.


Some important tips for intraday traders: start by learning from your own mistakes, focus on the risk factor, trade with a positive mindset, and set a realistic goal.


Post by
newWorld

Saturday, November 17, 2018

Top scientists/physicists - not listed in rank order:

Humanity will achieve its next milestone when people are able to recognise more scientists than movie stars.
Choose your favorite scientist

1. Werner Heisenberg
2. Max Planck
3. Albert Einstein
4. Niels Bohr
5. Paul Dirac
6. Ernest Rutherford
7. Erwin Schrödinger
8. Michael Faraday
9. Enrico Fermi
10. Sir Isaac Newton
11. James Clerk Maxwell
12. Galileo Galilei
13. Marie Curie
14. Richard Feynman
15. Stephen Hawking
16. Nikola Tesla

Readers, comment with your favorite scientist; we will write about them in upcoming posts.

Post by

Friday, November 16, 2018

Old RTF exploit used for targeting bank users:

Security researchers spotted an old RTF exploit being used to target 137 bank users.

For the security researcher's Twitter status, please refer to the following link or the snapshot below:

https://twitter.com/sS55752750
Post made by
newWorld

Thursday, November 8, 2018

Kraken Ransomware - Latest Specimen hashes

These are the file hashes for the latest Kraken samples. Please use them in your IoCs.



File hashes (SHA256 | MD5):

61007f8fca637dfa40304e8e39a211fc30771daaadb6c1491d91cc14b529b017 | 7b075361ea6f1ef2f5dc9fe2e6e6d638
9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14 | e2251a00f5d025ee89228720dc5c2f65
4f13652f5ec4455614f222d0c67a05bb01b814d134a42584c3f4aa77adbe03d0 | 1564f9d385a7a91bd82d3a58cb0524c9
7fb597d2c8ed8726b9a982b2a84d1c9cc2af65345588d42dd50c8cebeee03dff | a4ea1a3c4749808539470e528dc9cd22
f7179fcff00c0ec909b615c34e5a5c145fedf8d9a09ed04376988699be9cc6d5 | e8b299a3c1a1b6556d95580931b0f964
6f347bcbe6f06db4219aa2376319fa949f4205a5a8c98c15c71707e95ac49a80 | 3f8bd126d092c721ce949dd3a51c6511
32f6289a99aa4aa52eb725b82681ef1b2a2dd52f6192ce154f20ccab7b04d3a7 | 732eabe16e1e499fb19e75877f7a477e
528e4d24c18160b6bdd73c9a612d38a78fc58bd40c8ab415973a94429b321dfc | 14fd33d833b37fdd0df997f5e108c43f
0955167fb9c42aa9613654001262ef93cd2d3f86dd08e077a5799e1e10288545 | b214a9cd3c2fc0ccecc8d1e52b4f5020




Post by newWorld


Monday, November 5, 2018

Analysis of recent variant of Crysis/Dharma ransomware

Contents of the analysis

Overview
Infection (Static + Dynamic)
Encryption
Threat Indicators
Forensics Investigation (data recovery)
Conclusion


OVERVIEW
Dharma ransomware, aka Crysis ransomware, was first reported in the campaigns of 2016 and 2017. It is still evolving today: a new variant was released and spotted in the wild. We found the recent sample during a threat hunting activity; let's see the analysis of that latest sample in this article.

File Hash (MD5): BA67DD5AB7D6061704F2903573CEC303
File Size: 92.5 KB
        
INFECTION
The delivery mechanism of Crysis ransomware is manual infection of the victim PCs via Remote Desktop Protocol (RDP) access. Prior to the infection, the attacker brute forces the Windows RDP service on port 3389. In the case of weak or default credentials, the attacker gets access to the victim machine and executes the Crysis ransomware.


Analysis of the Ransomware sample
The ransomware file 1taskp.exe (md5: BA67DD5AB7D6061704F2903573CEC303) is custom packed, judging by the entropy value shown below.


Figure 1 Entropy value and packer detail
The file contains only very few API functions, such as GetProcAddress and LoadLibraryA, in its import table. The malware author has used dynamic API calls to load the DLL files and import the API functions. They encrypted the names of the required DLL files and functions.


Figure 2 API details

Decryption loop
Ideally, this ransomware specimen must have a decryption loop, and we spotted the instruction sets below which do the decryption work.


This decryption loop looks for data to be decrypted. The data below is fed as input to this decryption loop (refer to the snapshot below for the data given as input to the decryption loop).


After the decryption loop, we can see the import functions of kernel32.dll which are going to be invoked through dynamic invocation. The file checks the function against the list of API hash values for kernel32.dll.

The above APIs are used by the sample to carry out the ransomware functionality. Let's see the behaviour of the sample.

Behavioural analysis
We executed the sample in a controlled environment. It exhibits the behaviour of ransomware variants by encrypting the files and appending a file extension.


All the encrypted files are given the ‘.combo’ extension with the email id bitpandacom(at)qq(.)com followed by an id tag ‘id-F0861AD0’.

To maintain the persistence, the malware creates run registry entry as follows:

Key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: 1TASKP.EXE
Physical location of the file: %WINDIR%\System32\1taskp.exe

The file creates a duplicate of itself in the System32 location, which is the file referenced by the registry Run entry.
Further, it deletes the shadow volume copies using “vssadmin delete shadows /all /quiet”.
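The three behaviours just described (the '.combo' file naming with the id tag and contact email, the Run key value pointing at %WINDIR%\System32\1taskp.exe, and the vssadmin shadow-copy deletion) translate directly into detection logic. The following Python is an added example, not the analysts' own tooling; the process events, Run key contents and file names it runs over are constructed to resemble what the post reports, and the only page-specific values in it are the 1taskp.exe name, the id tag and the contact email.

```python
import re

# Constructed telemetry (not from the post): process-creation events, the
# HKLM ...\CurrentVersion\Run values, and a directory listing from a victim.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\1taskp.exe",
     "cmdline": "vssadmin  Delete Shadows /All /Quiet"},   # odd spacing/case on purpose
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},                   # benign admin use
]
SAMPLE_RUN_KEY = {
    "1TASKP.EXE": r"C:\Windows\System32\1taskp.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_FILES = [
    r"D:\docs\report.docx.id-F0861AD0.[bitpandacom@qq.com].combo",
    r"D:\docs\photo.jpg",
]

# Shadow-copy deletion regardless of argument case or extra whitespace.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Dharma/Crysis naming reported in the post: <name>.id-<8 hex>.[<email>].combo
COMBO_NAME = re.compile(r"\.id-[0-9A-Fa-f]{8}\.\[[^\]\\/]+\]\.combo$")
# The dropped copy the Run value points at.
DROPPED_BINARY = re.compile(r"\\system32\\1taskp\.exe$", re.IGNORECASE)


def find_shadow_copy_deletion(events):
    """Return the parent images that spawned a shadow-copy deletion."""
    return [
        event["parent"]
        for event in events
        if SHADOW_DELETE.search(" ".join(event["cmdline"].split()))
    ]


def find_run_persistence(run_values):
    """Return Run value names whose data points at the dropped binary."""
    return [name for name, path in run_values.items() if DROPPED_BINARY.search(path)]


def find_encrypted_files(paths):
    return [path for path in paths if COMBO_NAME.search(path)]


def assess(events, run_values, paths):
    findings = {
        "shadow_copy_deletion_by": find_shadow_copy_deletion(events),
        "run_key_persistence": find_run_persistence(run_values),
        "encrypted_files": find_encrypted_files(paths),
    }
    # Number of distinct Crysis behaviours observed; all three together is a
    # much stronger signal than any one of them alone.
    findings["crysis_indicators"] = sum(1 for hits in findings.values() if hits)
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_KEY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Of the three, the shadow-copy deletion is the one worth alerting on by itself: "vssadmin list shadows" is normal administration, but "delete shadows /all /quiet" from a non-backup parent process is what removes the victim's cheapest recovery path, and it fires before most of the files are encrypted.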


THREAT INDICATORS
IOC details:

File Hashes (MD5)
BA67DD5AB7D6061704F2903573CEC303

File extension added by this variant of ransomware:
‘.combo’ extension with the email id bitpandacom(at)qq(.)com followed by an id tag as ‘id-F0861AD0’


Registry entry added as:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: 1TASKP.EXE
Physical location of the file: %WINDIR%\System32\1taskp.exe


Files dropped in app data:
%WINDIR%\System32\1taskp.exe

We collected the hashes of the same variant in the following list:
SHA256 | MD5
7724a6c8243c626f008d960c2d7912a11131f9318ec98e8d7983420a004b45ae | 83db1ae5b68af8693e3bfe15e7f73e23
46a3838892e1f8ccbbaa07f2b24fbdb22ff3f6e5cb3b194d0bb3254568335541 | a32e4d2699466c5a99242c1b6322a68b
44ebb3550c94dd00766ab125206827ab7bd35e532a04d7d7c88e7d74da0f07ac | 1d84c5a06c3bd175c12d625bb5259237
6ff6037243dc68bd7183564d98257edfd7f1b87675eceada2bd809545280d17b | dec22084f515b2c145f9019143d860a3
00d290adbb184cb52ee6a6cae7c4a3b02edcda1f99acfadf1fbac11c44ed081e | 0c2b066f9bb0ed1c3d68f0e13d5eb318
95db01ec6398fb556cc71ffd45bf1d916a1625cb96f67c37539fc1f5d704afb1 | fa67049b7aad8fe8bbec301078ed9e15
02e055beeed3d56c1fd2d17e92d36312e4168774885e5f068edc45a3ddf1e39c | 4cff9617b843e6859e908c068b7c2146
e64fd6baf57c5f0c151ef93caaf0a90324eacf72bf3cb9e3790d09849cec9275 | 5945e4e537e62e4edff15471169b6cd5
2a247b244687022fb6090c065355c40040494a2dec57c0d9180f948cf3acc8e7 | 3e682a53560a6694ee6bda65182a7e44
a249ac15d4f1fd063c0b335e649b4df7656e4e4ae93390761a28eb8c0f0bf95a | 048f74e060126d93acc04674e64995ad
c7d8de88b30c72884e1479b5d750267d05c6736fd64bc1a2a75823d6f911c1ac | 136f4190084e2d50edab15094dd9fb31
a43dab9c34af5a49a2a615e86db3e2bf4c5467853dd5bd4f1a1c73619b683ab2 | 6ed029b9794717d305103e9eb20a8d1f
73fe0716303ae868b78e4d380120d0c3ca0a87d6dea2ad2126fbbef1e56507ac | 237e96c9cfc0a9658fe5858df7dde8e0
046af53654b1fb8e0d61515a2f660b6f985c0ccb86e278a227dbd732577e43b4 | 7d815928c8213da10001001d105cf5ba
fa5c8a038524da851671585b52326f00d1462974117a76a629c5b0ad50931ff8 | d61b6a33e4ffe8a5477eaf36a1a19814
5cec86494711c0700e876922ad52c7aec3caabecd7a2577ce4a7f0cd40b0aa31 | b443d5c04e420ad73636247c48894667
45babf993f443a7318517c147af4181bc6e2562f81b924686cc3e3c42b6ba4a6 | 0730fa733c939be1d68686fd1e17f451
01373738b4fd57431f1eb9153ec0db2cc5dc47791f026e75a5dbd23ae3b499c1 | 2db826610f232612e908e7c0454184e7
bf20b92755cd5c2542cdcef804ee795932cc4b0e070ca6b81ff8fd30908a8f97 | 2bbb2d9be1a993a8dfef0dd719c589a0
c2955c6ce87e18f5a45a51b94a1fb1d4e47197c5d1500b0e59a3e6613b20b0e6 | e3decd65ee08bf1ab3ec0dd3b5bca71b
1634c748c870a0f770507956aefe1597daf8acb364f6bc1829d0da75235daf1b | 1c1755d03fa70c9da84439d0d2bde9f7
2c9c4ff5089f5c80cc51a2c10b3cb88b75f58450eaa819502f3af6fb1490a5e0 | 47f6b6d1ab3f3b27175a724f39095ce4
3430e53a0a19e1a6442fc677146ea3a0b81fdd1cffc1363b0f4bb28bca339623 | 3fe685e43949e8faba76bd69d261ac75
153834ac3c6b67f479548e8069a1de8419764a18df200bd429eb77c062d1b36d | 26bd8a37e289236f7f3508ae5969649c
b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546 | 5bcad58742ab33a6a5bd9c9cab7ad515
87c9aa9af35120809ee1aece0774f04b548e9dec947c14e2f5361aadacf7ea74 | 1c72cd7310c7c05b82d76efea069fa7b
11b50c8a2156e0f3c31ddda3b68e51365f3660d2f8c3223b69bf8612f80dbceb | db8e7e08bfda9dc386b8b4941fef6ff1
2339d62696501ccfe1bb19d3770a854b8391860f1d2d99f037b883703edf2cf1 | 4dfe4688a2093c46c5b038965b30af89
9b21f9aa91d281a628fede6fa4ab5835bc979ac60861d20adb88e388a0f89a7a | a9477e3b31f86eac0424da995ffedba0
1dbcb082ba3d73c1521f61ffcd145706021ecd77fdf1872770cb7afaf665a080 | fe7d8a022b4dd18b98cef610b8d355f4
51cc147e61829e14c8e0553dc9e64c14d91e5e5e753c9233e69e96b0f7642571 | 1526e038d35fe8f011b20210d57004c3
ea980c6e9ff2fc329035d7851755827758be51076f71d2d655d4bb4ecfc78f00 | 7db301bb46c75eaaf7e5930071d9a4a9
af6748905a340c81bebf09d5132d65f7712b4d8f581fc290b5b3639437e6eaf2 | af52d0d65b5fac92d4f60e7ea7293b0d
34c47fc60a989ca969147b7d8137aa068ce547bddf424b9325c2aa2ad2bd819b | 0dfddf70a6c5c202db2ee9ba018fc0a2
ac9cbd9a9abf6973590cb197f83ec1c1b0b19dc1bdc7a40695e1b7bce88d2fc4 | 6d85d51de947f12ad2a74ae7b92c7995
2b88e191fe0b2caae6f6ea9f8e7ed09a563e9dbd22d7aae807ccdb4aee77ebd2 | 673c287b59c80ea57e507e64782ddf44
699d94416586447e2b8a6fe3aa28af6f0f01cede25b37872aa861f10bedf5338 | 331d08a2baaa71f41ba232656a4b80a0
4ae32178ce4942b6746c2ff58b9ee79141201e2606aed5b73111887845beda0d | 48a417edacbb364f630212c337896189
9a013559071bdb2b3a1806af87511052f237da1c32e4405cfd4b17199c871b48 | b34ea01a86cb1df2989c6d4e63f9e5d7
5f61a96a5fe02b0415e7a6271633a723fe850005952796e35e153081cc49b65f | dfeebb7b595f63abc5c7ff3dda3d4ed0
a35e2d11055a4e70aad21c4899f465564146fc6fbedd8cb415a2339f8b21923c | 5fb1f01a8566b1489d8c82726fb3598e
5d2efa78eb6fa2393745859c1ae84485f84a5525b27bb1ea064a6a152a3c89b7 | e71c4ac7b966d9ed696cdf8705455dfb
b6b2c1f4bbe4259e0279a0c3db98a69db12ab6ae0b549085c714f1497f3c8300 | be47139183c40fceb264c6946627b93f
fc8077df45ed3c1805b77c198453982f3150eebce496c86bda7800b503a3ecd2 | 98b300cbc8c7a11af1f08bd3d0847f78
8919c0d539f4530cac932e2807093d7bda4f6afade02ca8ea09f5541b1065eed | 324fad08ec1d63cd492c0725b03d72ff
c19507dcd2c9cd3cb2032d455562b2b5e98bd9d32401a34b193269cd47991270 | d011920feb6ebd30657094d09ab8a419
617f5407d59857e2df7b6770707db4bff8369b9361f33428fc89beacf9fc40c6 | ed4d6aaccab0628e512932ec9a238f7f
64b37c4ff747e690d6cd7538e9b1b9a3d9deb6814c4f67951e2f54c0c87dddc0 | bb6e229ef6ca2448bc7d12d934b6f43c
18edd97d0ba3ee3e502552986e90447e60d81102220cad58547234242000ea71 | fd0138b38d3c0b25bab0294312e556c8
1e774891be7630d10b0310ef552207aa31d843baf59a19892f18221e73ca3cae | 28fc7ea7c6e3bffa647b3ce9d96c2f5b
1d667f6523ab2b32dc07fe34ef259f0fcf49ecf5d56add50e0f62cc55ef94526 | 1b7158c58b648e8032f2e46b6f05747d
7b4049d573bebd1e09ae152cd9eb697d5859bd44a9430ad277d3a3d61f082cd3 | 3c5b06a8e03d78bcb217c42560f4c7f3
27b2966b29f10e63590bc6cfd99f1a3d9e3759620a15ffb44c4833bfa27c6312 | 3b7d819265f84e15ff2c0b6e9b0a1ad4
2c79c0e3dbf22b623fd6e21d31d1d1d234926e666a7b127efa5e4810f267d02e | 123e699b9964d32388310a3c85f76526
ca7742e5c93e0557c4edfee8771f4fb1d630afbf8da9965cea05856d40e8fb6b | 21d3d08f7879a93f7489b3da5cfaf822
7af890c71121d682203be3b23497272f4338cdc27f5af49c41f8275d582e85e1 | bf6e423769b1dc31dafc847cbfe9076a
cdaa959c11debbd84088f2fb102c01a91136adabc30526fcc7f5848257df7547 | 3d0803d35a79316b85731be79d251701
fd69e3fa161dfbd2c710ab62d5ffe2c959941f229c1cb2895851126059ceacd4 | 214cb82d7781364799c202045d324c12
6918a5cb740ec49c6ff724c04c6a9e9816240d50c6985b75ff8caa77aaabdd13 | f65e5c890565b8438d3a944296c9cd85
419b89b21e49f60ad69fda2d4d3ae9cc8313eaa0c260035ab3405063e0345f95 | a4c32fc63fa627f88862442e4833c4ca
0385d6ec663cf2201e01f5d41cfc13181b498b1edd8c2978ca3c3bc2d958313d | 98f21d7536877cc2ecbe36ab9d76101e
95f02e56171b12d761d0bbb93f37029abc251b551549243a1d1edcb70b6bdb88 | 2a4f3f82e8f181013c3452e1a64a0151
c103b705c60ccdfae31631411331f4dae3531b998c5eeebe85f59aded7d5360d | 79d977acafbce159b9815c1e8152e52c
b6257fb219a2694fab13b8f10f9ccb62993fcbf439daaa0f8deddc0e5f1f575d | 05e6d49d39145db03cbbff672e12e6aa
a14c76aad7e738e80a87f23b8f99053e8f5b63023cc300be541f51d2d1487f0f | 7ace2d4ba23b30259e1e620299220d3a
d467b4499dd5c2cdef3c693870ab03aa58b231814c831d13036a8f6c729642a3 | 58fb827f2ce70c65b73465984a39dea7
3fd81849db777d21b0b00d174e95800f6e10f2289a0d5014fec1147615d1fba3 | a934bafd35e8be173bb9b83bd70cf1a2
62a39a934a37c2cec3495c0a13d3208eab55ab1caa4efe64a08cd5d8e1277ab0 | b5d99562172733b2d88b338b06ff6de2
c27025bcfc544ced363e0ceff8b6bece8910003aa449de35ef6ad41a5416b40a | f769130c19fdc0b66814a761d657c56f
264dd2dddd6e0bc3968fba5a9ddf7b341b29fe3b0de65c2e34a94efdbcce865d | 555a9b5b3073798f009e9b22084979fd
1d75bf2930e46e9a95b1cc93b084861f7f1405857309747d6ee486433bd80508 | 039234fbba29c4befc8e80aa08f912ef
ccd4dc61ad4152456c974751a32928d8610402c863555a0f2683677475fca724 | 0070b3a9bd8c3b7e93f44e20ac019b3a
de672a8e8ef7517c826a93eec63d07129f4f726f62b6db89dab6b41e7ee3d188 | c7ba039c79b62e2fd6778bbf56f19850
775661185dbc00d0697daa993d511d593d7c1ccd2bfa2cda8fce8ffb36a8af38 | a232b7adf4e73f5fc71fca71da16b1e6
5dfecdc3261ee18b70380c09cb115e8797afe41132723fbbf8b68d248454a87d | 47a482c3c7d3843c1dec4ec0a73d08a1
56cd2186a20b3979a24bf2118e6c430abdfbc9be01d2d1d5bd207c1a2e4d19b8 | 5149b801d62cb2e851282246e2ca6e69
cb04415eaf9b92fac700ae47abae1522b6ac7667fe5898f68d28ad9aa3820db1 |
d05ef0b0ecd1b8e378f0105d8a7629d8
f7edd98e3421c2b27dfe7049942b5b339641b5d48629fb4579c1a23c752bfb0d
e38ca8505089e7e352c5c250cad746f0
4b7330326953fe6dfc2f8bfaec3d9d686631645c516a9555ac66a1c12f95ee63
ccf62ef4b026308795f5e614a8cdc02a
247bae290ebb4092b94b61385ca2431103fd880dd7fad4d71a93ea32bda66467
edc656e75dc3e24e774869ab3ca0dac5
56dc935942a71fcd8803e7b86b02b2335f2c3e4e26ceb8b2a11af6ba83b8b76c
bb46f91acd46a38fe61ae668b0d3f525
2192e837ae2f051a5f9922a8c32cd3ba4effbcec5ec668450a22ec7880de6756
eb0cfb65da9e9e8e00828b79501b8874
87e1ba0601fb2b5cfd28dda82a7ba8d731bf22bd7d23eb21606f1b2a644707cd
1063eb8c67f6844cf56d3728834bbecc
d7b97f131b4f95e41bd25e03eca865d83282c2e79a783e35957c120fb214d01c
dff289161977d6137e8c9b11286d058d
406c711c3b06008b7cf3a4bba0bbbb1cbc830d6a2ed782835a4de0ef43a48308
c20057370cb9d538bfe4dc961db5b6f7
2f40aa9aaae679ae3b56e87255f821f2897032a29a1dd189a72c7c0e133a1fe5
563cad9faf4e0592b7e627573fcb4e38
2e11e0491bf2d80420c4c3ba77a0b0fa065e099d17c0b498d49ca7334277025a
6ba12b1a97b6ed2dda6eaa934c1fed2a
794abd65f54f08768a86fb39809e14b5e5a55a50d29272f8f3f92716c25f97d2
19dcbd61821a498825c1ad290ec6a178
0291e99acfedf4e277d56babb2783ce0a01e873a42627b4e3f4a56c2a10cc24d
29320eedebbf9198c3dad888578d0707
85d429c484e9226b2c9f633e9bf1ae71374897144957ed4f1ae4856490c11447
3b30e9fa580984ac9adfbf31ddf2b006
b61b24d5cb9ec5147971640e1b07164cdcf5ec06d84be6abccdd0c170d24afa4
0e29454b4eaa920cb1f9ee057736ff23
2f177850ab1ae18dd8841b82974761345aaa9633dc6b869ca358d31f9128cfdf
e9b62b802b5516decc25f84f4d856653
11d33c6b492661c05cc35c3125640667d590a5faad6a4edd4392492436cec87b
3d868062982b6d8204a18e1006bbec3f
993df150d87348a9fa790cb20eaa658426ecf0aee9ee129621ec81369a6dcace
f3fe092beff633342041305675b25c86
009cae35a7941981424d7bde944845d85902c760f9633cee64a4a46a37af1d8b
de76f743753b572564153bbdd67c97b3
c963d736b4b016539ffe2625594871011b526d61f682880589cf48b02212ffb7
16b18d12be6c6f92896bfb94573af495
2d63f38fcc86ff109227ea1e1ed740710d104caf92c568142a76e16dad4c46a9
9955dfaeefb32c5f49ba74dec5bdc049
4ce9dec0085269d618af2500aa4057aa929e808f1c766513e23e05bb52543afe
e210331c8dd70b288dcf209c5aac46a6
e6138416318ceb8b9f1d79eb8bb8bd42fdf8add5dfd620b6a7ab6ed0d6d3134e
71c98ef6d83c24427fdd3c73947d48a1
83052a9912adf4e64cc12250dc93e15e0a7bb91a36ec9620cc6173080da256aa
beaf201b693bb3bf92a1f7817019510a
b91281cdc5fbd7fefd5bfb71f21abeb937e9004679db5f95f90663d8d306808f
35d42c2fb17bfa384cd2378fc6d2d7a3
caf8e5b9412b364bef07376eaec060b7abef98b996ce16ca18da36a8e3f54417
8c548bc807b97bfdebc64ab0e325d082
6872b03bbaa954e27aca8a6be03ca45addd29cf2fd99cb6cfd1a60abb371c6a3
bd27013efb4c1d36150781ab040d95db
3a6e832eeb5cf94450e4a234c8946b66f895f2b8c36f49559651892d0086a2be
7193aa272f01c2f2389d5bde11a58808
354f068bdf83842bd41cc50f6cd616df9145de4f105d65c5eb80412611476dd5
11f9ff8926091c74a84f9ec044b78798
5ce4f9f7004f96e927d6405c82fcf3e44eb1e1309f60e54ecdb070f4cd7f3e93
2ff72cab0eda9b5a655e5b7db28d09cf
18e2d23dbae8547a6e3beab91332a003b16462a986469fbf5fc47913c9207809
541736269755013f375b077a2bb52085
35aaa81326c39c648b582af143947c3b52942cd9990929a1a9b3450cad856b66
662d7601ccd6e582d62cf5642ff0fd11
022b4e46c345f4d66c2653db6e8cea99400f5bc40805601dee51b0ba79ef3513
cfa275bc89d543105a9b4a696fcfffa2
770e78aac1954c0c734f32f27ef4cc6e6165da34b490d1e9aa5242dfdca8ca7e
6191dfae04320300f9d344e0db644603
8d79132b16457b5104ba739ead1c65eec922179e566cd319f750e91383c3c56d
f6421b7c80d3591fd8952d031b39aa0e
3717518a41db06f88b25a8fdb00a0874f44a6abcc41a2177fa5135911f246436
0befb212f2c19e73321cef58fdba7458
4cf5c566635b0fe0e9603e4099d71d747d8b4a84217a45f2681e75f3cb0b1134
afa8c90da13bbdddcbac2b2e693a0039
f9255c0f457be9afba910903c5957afc29777066e633a83d94b95ad03d958f08
47ed3778faa5610fc2c1f4482958a5e8
0c9c6a3f89ec69cf1bb1db2c10d23a49ed221fc4ef65c05f360d1660ccf6b255
fa5229c3f84195f49ce7a40d60eb4664
2f231e546ff2a50fcff4b5196f663bbd5039e5887c189f34829dc6bf091dfdeb
3b075a659fe37098adcbc91693b03edf
148dac19c371954a571ef2e0b9e17a0dc5bf7589668fe68c2dc9bd1e596c22dd
d663380a1d5ed54d3975f8776e9c9d80
d2fd0b405df36a61bae17ccbe489bf4244a0bf1659b67d733cb7c82e4c2ee84f
55355cc32dbe121613c2d07036e3383d
85c41e5bdaaa20b64f8061980a60038a0ee841733eb8487afe8962f25dedc38f
c6c90cd9263f04f799b36e6d4d7e04a5
141177b13d2e34cb4f7914cd6686a9e449f3e203087051ceb0264dd1f0f2e126
0281cc298275cdbe627372f66a9e8f1a
805df4fbe75aad8fe13c7af3feaf5d085f3a44d018a80634c7e10773e8d7c1f0
7a1ae0a4dd3dcbd2d3ae182d5aa0b4e0
4d33db29037b5e3bf771119c10df19e30619b664600dbfca8d659b3074db1262
02be8ea632f267ee866524eebe8db9ad
6499dbbfb75cfc28e9ed0fd72d1af27dfd13e503733b711e48b39bb0fcb6fba8
cdab412d5d4f4b599d7bf11732965e29
d620c3c04374720707991d6721bc62279f51c94ff1516b58c03019cc18c613e3
736ac683fcc9baed410a4d4162d5f8a9
068c88a4d0750094df9108d9138acb2bad23cc4f5ea4393aac1f3260a27cfcb4
c88250273ab89c6b91d1d1140ddc3c3e
41fa0d45f0b9a9dc35b5a65803601fc82719f14f520fe17b08f0b3cd01d5e762
18294bab5096d85cd5fee5cd1dc0556f
9c0a9f38a3ad7a2d865ff0d8f9acc05637be8443d120bfa52b152989bd3eb500
2266706d6cbf663258b5cb8aef0973a5
bc7aacea6d3154a97735287ce92482379fd441c1a131753271c3c735a50a524b
c775503d3249670212a107eaf91dc618
54ca0713035b302e5b5d5109e24aef2e27c6a5f4ee6c2ce493b78ee84959f39b
0edf16581886a9c15f0280dab118c232
97c8ba3ced1812d771496baf555524be4f851e553e3227d37c8a541aaf43312f
cd74f16ead5d4367de3cedcbbcd86601
4de8a0b1dc695c8cd5624b1f8e3f45ffa74dd6cd6ac0b7cb74679e07e3a9d56d
2e85456f601359d8720f6566d03f7d7e
ee95d12c3327cebcfa52a0a8a59b5bd580476a8d90846e06975b094054eb3f63
e187c71919217895bdd564aed62c2bba
ebd569bf0c07349aaf618a70a55330b045ae7c311b8d138a7f021437c213033d
fad2f9b8c0c1309d613f089f85c8fb4a
f6419143b8cfc9ee74dd8bcdbf429f0df085ae98e9731d8a5713278ca7230b22
28c540886bdc75fb275bd46bde768853
c4324da8623cb15ff7200fd6dbd94aa024cf7932d7132f1096d4ec34b2a239c3
24368e69bda84af06a9b0154f4037848
d163aa7f7afe657006be3d72ab74691d0f5f0cb37eb00c91fddc440f8e9ff34f
deaad9155b2f2e6566af301a45655f61
3666419bb4ba9a8dc17cbc930bff4a6d2ba765ecb89dffea3bebb84dd254b4ab
36ecc8e96de225d2b05eced15a4da164
d08385a1d388f62637dd5c105a4b712a37b690a99b4bfd7719fcf74ba1054df3
71d9f826f255768c2001c3fb846edf11
e037d77145ea7ce53d4fb56a820583dcd318fd2a26c1bfd1b1600c7df5f8ba13
62a5161042dfa0e9e3fca7b8ae8f2ae0
f7eca111229df970b8e9af8f1fe41e4d5179267a21df9151c227fb8ec9cde14c
923b58fa2f68e89e66551586684f5f8c
d80eb01dd89cda65a679e5b1b3bb85f143cc6922a58714520911143752285158
8993329935050f945cdb4ca5a531a52c
c7e4cd6189912fd4a89935f69ec94874317fcc712961151a160831c11aa737b4
880ca1e5a6ffb501fa0c9326f150b565
3adfe7387c9ce5b981274cc0fb7c7dfb14c01cf3197f9a2ec1f9190f6263fb8b
87eb4cbc3b22316a8d7be7c171f1eb21
97b1f232093be55bf1982ea81e7dc9707edac68f957cbd79955dd58344aebd16
85b2f8e961cff15a61a7147c08593106
119cab6a8c7459b4d92958d096f6f38085c6129a2bc1eb4870cbfb8cb02c7d6a
7e86d1472f00899aa62b0961fe388fde
8a2933a7c821468e6c6b7826185397476c88105033d2216b069c432b34be8583
7e47a03449709c8f00b993ea35a13b1d
568e11795e7245c5e4b22bec1de8c227735e7a9bd8f4965cdb7e0543fb7b413b
7cdfb07c516c491ab54f5b75853fdd4a
dade2ca7298973edcb56fc02114409579751930ecf99d2850cd94cf11d8bce23
796fc9c7427b75e9db9f4c13177f4b96
15ec32b2f222c81589dbe87a744e2043dfdc61874241b1a1a1dcb32d3bff42f1
75956a0f0c0e43ea331182df1b16af30
4e05834f526898374496e2a94c31afd0d3095efbc4b2280aeb067a505d8c691c
7506fb7324c768c1afb1c4d1fced6ea3
68037ed066299695f0a234f6f9503dcc67851dad5fc2387449d583372bbaea80
71397b9b649a66c2e9d5643302bece03
f0a44f853ed66959137ff1192be7690db27807b5ed0a75517d98043bb412c6f9
711b3b253ae9e661b00c84a688e10adf
2f234c36112479333783da7800a7fe0b8d176c54aaf8dbdb8fb9a4d9f97597eb
70b168f66a173da5e4054e8bb9dad49c
a8e0f4d34d43188ef87096ba14ce5158f33443e0ee8e06441b5d8ed3294b60d2
6f117a0f50992cb71b2754d8e6e6ad3f
250831291ccd0c329ad174e292bfbbe23b298174f116134b1276d19e843348c4
6cdd0019f1bfd3675ae51f565996a34c
b479ea2f99f865ecc4291f154a044fbbd27a3e5c0fa73836570749b8f1d4b2f8
6c09c505f8adf5adcfcfead400c06eef
778110352f0d82ef349b2d351f7f214876cd04a69f13aa5f93cebf3492f1968d
681c5b46e8b05ad2506a693ff278a064
59448dbe849dbcc21b1c07a4348c2f9cfbbdabf7fad0a85a847076a6bc3923f8
65a530bf7b01dea0dbfb52b4553394e7
5981a608856fdc8ae4a3e3d45f96730247f779567c6c4e096700324c50699969
643da28b13bec75b540ee2dcbe752183
0feb28060b81382fda3aeb9b242522e9b6b380771b1160b155583c06c309cebf
61591ba6abf3420bd6233dcccc50ade1
329dfa603302f9805edb20e3a0e3c39a608481ffcb3e09e2a27ab684140d876a
60dd27358d1aa49ae6af217141c22a8a
8c22eeaa571fe6adf1ae23580faf370d51fb9ba554dcc7f5ddca968b2330a97f
5c178e6581b3d78c058559b2bdeb9bde
a7a28023e74cefa778104b2f9d143ccaa8c908b46c4ff276106945125abc3227
5b860e4b700aa17847ec937a3edf2cc3
304f8a0f7873cce98349601ee1e5c6d871b557e4f92046c0a01dcaa4af0a7d03
5b853cae7eb6066802f5cb8285487762
2d7518a28c6956680e927be1ccc0597644366c6550676209e7c0a7ebdda9e56a
5a90641d65db7e37b4283e69266f77cb
357f1159a5954414bdacf07bbf8b0c4ba7f5196e38eaff83146a1ea14b3883a0
4caa19191cbf21c02cc75b11886f8757
4ce0eebc87e53dd9c4561395795be529bfb495b9e6aefd8ed8762d58cf0f189f
35fe3d787bc21668a21fe4c021c081cb
67938313405f49955c1d038b7fbc973a691f3abc2de49eec66c7f38fe4bd4047
31c6905b32ead699999caf0f127dbdf8
c3eeed0a028abe9edfd7547a7b591d1f39597575a878ae2f37acd40c8fd7d3d4
2df71403f364e36f074af098cd023b72
608947f2f0f564b5efdd300c47882c0191b0a32d7aafaa77a5200b7dd7016927
2671372f3c3664d3589f0b3d78086147
e0b215c05bf09f2eda12550474f9a9cc9fcfc260313d335c566566fda20976eb
14c44fec9bfe1f92823c0154cd0e6d4e
384a305c3abf5b4802fba8a22e8656ca0fe2de3a4fa82f1080b90328db176895
140fd5aad5f6692dbc0cb2bb70ea251a
6eba3a5d5bfb094e1be7e25d019016e67ba7f84a563118edcda81c3d6e62f865
1256d75bda02601039e7f298b376a172
316e30a96db291708415515737515996c5faff8e7b31f8ca0f80363dbf88da73
0f6e2594c3b54f031e2dccd471ba88be
f56314feafbc05a9f37d8266cba9103063bacf0141d5db58575d929ae216df5a
0f547fdfa1cdf124245dc179ee40a575
a11f26b7c9c806aae20ef4ea97bab85bea587980d3f881bae17ebf22e22ab633
0e5b83f7a09d219e2f8a8163745badb4
d37e644fa5e45a6bacac496187c009fe21fa59f9108cb6cba9d204c3ceaaff34
0b0bbd4d77ad4397f45986fc3815a46a
654d234825ea743085a76125072dbeb38014d1e6012e5f6284869dbdfcafd1fc
05dffc77c69a1a63288c90efacc6cf8a
ba6933c1444c599138fcd87865041c31a0bf557605cf0571868227312c41f608
034f47d6046eedaf861c0c5798a81e56
71a6629f7e311aa037ca1107f438ea1379c77745f65702955b439579e6123d0e
ffb00af3edc6c673b497125de17ecfb8
6f6ba54ad7cca0a25829b9b1580f4c58f5a2554456c8cde4893a83ab43db0fdd
fed6bab503393e70ab6ebac59c646fe7
4f0d9dbdcf862eaf9aae8b60abe83bed10c609ff739b1962c71fc53d17a9c1c4
f155bf9ba88b69acac018054b65af5f8
03ecad250880c6a733b3eee83cc82c8cc13e5914f6e8caa5392363cab577ad72
ed3693e02af576c2d10c72ba8c38919b
8f36e536014735c016d851adde2303149b8e59a62ca542b770b44a5fb742b175
ea4741f214c08b1632bacebff92a6b63
4997f3ad8f15f62b5088fe9eb4a0b1a756154179cc3b1df587a18417b28c428e
e91af25c2a09fecc6f1f763c4be8f71d
1016f3820fe824e15d918e028d4f70836e935e10145594c51e5ba5890ee4fde1
e68b8af5d73dc4a259e27a1b95702b4e
a8e572c0ebabc35d51276c63afaeda78a96a04baf84ec2e6e316ebe78aa84b16
e58678da9fb3eb13661e434c2007341f
8469d3da7f14ac75bf94e5b80c43ecf22cadb7f502eab8a5f839a890658b2eca
e4e1fe69466a7bde456bace768bfd835
78232401ffc7ca35a495770a5f3e6a6a8b470fb40c6d3203f7405f5ed955d0ff
e241693672f7ce5b5d2eec3d0b6a6c4c
d68e2c8fad413884bb0fcc13533627ec365b590d34debc3291644c9db5ad8c61
dbedc7be9e0302fd389c1976d1e864f1
8be43769cd5879c959927262744d9755691adb0c6fa51ea6713515a6ed05d44e
d545d02cb932dd82b33b9e6832e89107
d7ba501ed8e80f7bf2f3c51b36c0a08d3b37fe64635fd773d355be43738b1443
d517639a17b2a75576fded8e03f593f4
0052256edc2159e5fc5f19967a1f80736f127469482a178785f6ed80c1168bcb
d1d70f79631c991600657d159c21bf1d
d15527669d16170e219caf3e4b403594a898c00c3a1b7ef1ec2d4e61c8261fb9
d0d7f617e35bd8b9f0a11431db40cd4e
3a86e86b23d261b3df74fa8616b9bddc0b8e4d20c78ebf23d7c786200131b70b
cc74a1fbac899947a1a22a281799ada2
9d34d9c392ac7cd98179bbe95718d97bfcd24f6a4b24509bb9ccf664c93076f8
cb066ac40ed293bfc95822ff21671cea
5ea73a00ffd59acf26822a67a9ce70d835d75f8f0f12eec240d054fe1f405840
ca6f8bf9c45e8ca7f18add5587c0ee99
29222cc1f615b0747c6ec907f96c114cebffe18acb4838fc477ad645c78048b3
c08f853000b5fdfb2f83e69c3da8d4ec
bb2959df524ea7c3639d8a641b00195839db9f24c2d9cd7a115d8d913030affb
beb9efff9b44ef3415c71687bf22fb32
d50c8ac998d6b01f62bdeff896871e3abb71a86c419de933fdc7cd0ee57aac37
bb441579fce0981424e6a1dd437f5c95


Conclusion
We recommend that users apply the latest security patches. User awareness of security basics will help in combating this variant of ransomware. For threat hunting and as a precautionary measure, we recommend blocking the hashes listed in the IOC section above.
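To act on that recommendation, a defender needs the flat list above in a form that tooling can consume. The following Python is an added example, not code from the original post: it parses a one-digest-per-line list in the format used above (SHA256 and MD5 interleaved), infers the algorithm from digest length, discards anything that is not a valid digest, and streams files through both hashes to report hits. The constructed sample list reuses the first two SHA256/MD5 pairs from this post and adds the MD5 of the constructed string `b"hello"` so the hit path can be exercised offline; the function names are illustrative.

```python
"""Added example: turn the flat hash list above into an IoC set and scan
files against it. Not code from the original post; names are illustrative."""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hex-digest lengths of the two hash types that appear in the post's list.
DIGEST_LEN = {64: "sha256", 32: "md5"}

# Constructed sample: the first two SHA256/MD5 pairs from the post, a header
# line that must be ignored, and (for a deterministic hit) the MD5 of b"hello".
SAMPLE_IOC_TEXT = """File Hashes
2b88e191fe0b2caae6f6ea9f8e7ed09a563e9dbd22d7aae807ccdb4aee77ebd2
673c287b59c80ea57e507e64782ddf44
699d94416586447e2b8a6fe3aa28af6f0f01cede25b37872aa861f10bedf5338
331d08a2baaa71f41ba232656a4b80a0
5d41402abc4b2a76b9719d911017c592
"""


def parse_ioc_list(text: str) -> Dict[str, Set[str]]:
    """Split a one-digest-per-line list into per-algorithm sets.

    The algorithm is inferred from digest length; anything that is not a
    valid hex digest of a known length (headers, blank lines, stray text) is
    dropped so a pasted list cannot smuggle junk into the block list.
    """
    iocs: Dict[str, Set[str]] = {name: set() for name in DIGEST_LEN.values()}
    for line in text.splitlines():
        digest = line.strip().lower()
        algo = DIGEST_LEN.get(len(digest))
        if algo and HEX_RE.match(digest):
            iocs[algo].add(digest)
    return iocs


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute every digest type the IoC list can contain for an in-memory blob."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through both hashes so large binaries are not read whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_digests(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the name of the first algorithm whose digest is in the IoC set.

    SHA256 is checked first; an MD5-only hit is still reported because the
    post publishes both, but a hunt should confirm it against the SHA256.
    """
    for algo in ("sha256", "md5"):
        if digests.get(algo) in iocs.get(algo, set()):
            return algo
    return None


def scan_paths(paths: Iterable[str], iocs: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each regular file under the given paths to the algorithm it hit on."""
    hits: Dict[str, str] = {}
    for entry in paths:
        root = Path(entry)
        candidates = root.rglob("*") if root.is_dir() else [root]
        for p in candidates:
            if p.is_file():
                algo = match_digests(digest_file(p), iocs)
                if algo:
                    hits[str(p)] = algo
    return hits


if __name__ == "__main__":
    import sys

    ioc_set = parse_ioc_list(SAMPLE_IOC_TEXT)
    for hit_path, hit_algo in scan_paths(sys.argv[1:], ioc_set).items():
        print(f"HIT {hit_algo}: {hit_path}")
```

Run it as `python scan.py /path/to/dir` after replacing `SAMPLE_IOC_TEXT` with the full list from this post. Inferring the algorithm from digest length is what makes the interleaved format safe to consume: a line that is neither 32 nor 64 hex characters is silently skipped rather than blocking nothing or something unintended.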


