A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20705  by Grinler
 Tue Sep 03, 2013 2:38 pm
You can send files or your computer to any experts or antivirus companies, recovery companies but you just lose your time, money and nerves.

You can go to the police or fbi or other departments - but this is will not help you, we are working about 12 month and no one can trace us, because we are working using chain of servers in different countries and using only offshore ecurrency internet payment systems as payment method (We will not accept Western Union or Bank transfer directly to us, because this is not secure for us.) and withdrawal money using anonymous offshore bank accounts and ATM cards belong to other people.
I love how they admit to being criminals and then continue to state BS about the users being hacked because they had child pornography on their computers.
 #20712  by Fabian Wosar
 Wed Sep 04, 2013 1:09 pm
Blaze wrote: New version so it seems, I'll be on the lookout for any droppers.
Unless the attackers got careless or were interrupted during their attack, you won't find any full droppers, as they securely delete their droppers during the attack. The only droppers that are available are from when they started out. Here is a list of both the actual crypto malware samples and the droppers that I came across so far:
Active in the past 2 months:
[list not preserved in this copy]
All samples so far:
[list not preserved in this copy]
Droppers:
[list not preserved in this copy]
I also attached the entire collection.
Attachment: infected (5.82 MiB)
 #20719  by Blaze
 Thu Sep 05, 2013 7:59 am
Indeed Fabian, I was hoping they'd become more careless, but unfortunately I have not stumbled upon any droppers yet. Thanks for your reply!
 #20720  by Fabian Wosar
 Thu Sep 05, 2013 8:08 am
If you want I can share my Yara rules with you (or anyone else who is interested) to generically detect new droppers and crypto malware samples at places like VirusTotal. I have been using those to track the activity of the group behind this malware.
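As an added illustration of the kind of generic rule described in the post above (this is not Fabian's rule set and not taken from the thread; every string, threshold and rule name below is a placeholder chosen for the example), a YARA rule that keys on structural traits of a PE file rather than on one sample's hash, so that fresh builds of the same family still match when they turn up on a service like VirusTotal:

```yara
import "pe"

// Added example, not from the thread. Strings and thresholds are
// illustrative placeholders, not indicators extracted from real samples.
rule Example_Generic_Crypto_Malware
{
    meta:
        description = "Illustrative generic rule: ransom-note wording plus CryptoAPI usage in a small PE"
        author      = "example only"

    strings:
        // Ransom-note phrasing tends to survive across builds while hashes change.
        $note1 = "files have been encrypted" ascii wide nocase
        $note2 = "decrypt"                   ascii wide nocase
        // Generic CryptoAPI names as fallback if the import table is obfuscated.
        $api1  = "CryptEncrypt" ascii
        $api2  = "CryptGenKey"  ascii
        $api3  = "CryptImportKey" ascii

    condition:
        // MZ header and a modest size bound keep the rule off large legitimate installers.
        uint16(0) == 0x5A4D and filesize < 2MB
        // Either the imports are visible in the PE import table...
        and (
            (pe.imports("advapi32.dll", "CryptEncrypt") and pe.imports("advapi32.dll", "CryptGenKey"))
            // ...or the API names appear as plain strings.
            or 2 of ($api*)
        )
        // ...and at least one ransom-note fragment is present.
        and 1 of ($note*)
}
```

The point of the structure is the combination: any one of these traits on its own (a CryptoAPI import, the word "decrypt") is common in benign software, so the condition requires several together, and string matches are used as a fallback for the import check rather than as the only signal. Real rules of this kind are tuned against a clean-file corpus before being used for hunting, since the false-positive rate of each placeholder above is unknown.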
 #20723  by Blaze
 Thu Sep 05, 2013 11:34 am
Fabian, that would be awesome. Please do share if possible. Thanks!