[thisisu]

MD5: d09aa5b65d18cef896df894efa1f0ae2

https://www.virustotal.com/en/file/e791 ... 368049328/

Pulled from a customer machine today. mp3 was on the desktop. Ransomware file in %temp%.
The ransomware screen did not appear for me but I have not connected the computer to the internet yet (some of these trigger only if connection is established). This should be the correct file though as it was the one linked in Autoruns.

[Xylitol]

31 Samples, directly from the affiliate.

[Mosh]

Hi Everyone

I found this on 50.63.70.1 (United States), looks active since 3 of july, I'm sorry if this belongs to other topic.

Code: Select all

hxxp://beyourownsuccessstory.com/Info.zip

VT: 35/47 -> https://www.virustotal.com/es/file/837e ... 374204176/

[Mosh]

This is a short analysis of the sample on my previous post

Encrypt the files with extensions: *.jpeg, *.jpg, *.pdf, *.pptx, *.ppt, *.xlsx, *.xls, *.rtf, *.docx, *.doc, *test.txt

Take the ransom image from: _hxxp://jkijjjkkji.rapsodia-networks.ru/get.php?id=11

Encrypt each byte of the target files XOR each letter from the string Pr1v37*Fr0m*Be10Ru551a and write back the file begining with the string *AES* maybe to mislead some users.



Finallly change the file extension to .ENCRYPTED_AND_LOCKED

See you