Ransomware encoder from Breaking Bad fan. Pretty much generic for these days.
Payload downloaded from 194.109.206.212 encrypted, decrypted, dropped to %temp% and executed. Run from usual HKCU\Run key. Stored inside ProgramData\Windows as csrss.exe
Does usuall bullshit
They must be pissing in their pants with scare now.
Site in Tor as usual.
VT
https://www.virustotal.com/en/file/d460 ... 458206518/
I miss the time when Ransomwares were much more creative with all these annoying top most windows with ridiculous messages and pictures.
All the important files on your computer were encrypted.Uses MS Office exploit to penetrate the system (CVE-2015-1641).
To decrypt the files you should send the following code:
%INFO%
to e-mail address post77999@gmail.com or post7799@yahoo.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the reserve email. You can get it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptorzimsbfbkx.onion/
Press Enter and then the page with reserve emails will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/
Payload downloaded from 194.109.206.212 encrypted, decrypted, dropped to %temp% and executed. Run from usual HKCU\Run key. Stored inside ProgramData\Windows as csrss.exe
Does usuall bullshit
Code: Select all
Contains message to Kaspersky Lab.wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb
|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|
opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|
docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|
sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|
as|asr|xsl|xsd|dtd|xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|vda|icb|wbm|
wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|
hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|vbk|vib|vhd|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|
mft|efd|md|dmp|fdb|lst|fbkKaspersky analysts, we know about your illegal methods like breaing into our servers. Be careful, this information can become public.
They must be pissing in their pants with scare now.
Site in Tor as usual.
http://cryptorzimsbfbkx.onion.to/File is under usual shitty crypter and UPX. Inside code mess from multiple open-source crypto.
http://cryptorzimsbfbkx.onion.cab/
VT
https://www.virustotal.com/en/file/d460 ... 458206518/
I miss the time when Ransomwares were much more creative with all these annoying top most windows with ridiculous messages and pictures.
Attachments
pass: malware
(1.73 MiB) Downloaded 226 times
(1.73 MiB) Downloaded 226 times
Ring0 - the source of inspiration
