Derin Analiz - LAN AES Delphi Ransomware | Tehdit: YUKSEK

Fichier Kimligi

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
Taille535,040 byte PE32+ x86-64, Delphi, 11 section, TLS found
DilDelphi (System.SysUtils, SimpleStringList, Tobjects_map)

Yetenekler

LAN SIFRELEMESI: Yerel agdaki paylasimlari sifreleme kapasitesi!
folder_reserved_by_lan_encryptor   <- ag paylasimlari sifrelemesi\nfolder_reserved_by_local_encryptor <- yerel sifrelemesi\nAll wiper threads is finished, but network scan still in progress\n  => Network scan: ag uzerindeki hedef aranir ve sifrelenir

Sifreleme Modlari

AES-ECB modu: EncryptECB / DecryptECB\nAES-CTR modu: cmCTR AEScipher\nAESFixed     <- sabit anahtar modu\n\nDosya uzantilari:\n  e.-encrypted  f.-encrypted  fast encrypted\n  -ENCRYPTED    .-encrypted\n\nFidye notu: how_to_decrypt.txt

Komut Satiri Secenekleri

/stealth   <- sifreleme sureci gizli modda calisir\n/p [sifre] <- sifreleme anahtari icin parola (zorunlu: /stealth ile)\n/wipeonly  <- dosya sifrele degil sil (tam yok etme modu!)\n\nCMDListProcessor <- komut listesi isleyici\ncmd_list         <- komut sirasi\nSelfTests        <- dahili test sistemi (profesyonel yazilim kalitesi)

Teknik Detaylar

File already encrypted in stealth mode. Try to rename file.\nWARNING: Can't create or open TXT file.\nWARNING: Can't increase file size. Skip file.\nHINT: how_to_decrypt.txt file, NTUSER.DAT file, wipe file...\n\nWSAStartup socket  <- ag soket erisimi (LAN scan icin)\nAbility to use sockets test (WSAStartup) -\nTMonitor.PW        <- Delphi sinif izleme nesnesi

IOC

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
DilDelphi PE32+ x64, 11 section, TLS
SifrelemesiAES-ECB + AES-CTR
Uzanti.-encrypted, -ENCRYPTED, fast encrypted
Fidye Notuhow_to_decrypt.txt
LANfolder_reserved_by_lan_encryptor (ag tarama)

LANRansomware — Profil du malware

Tanimlanmamis Delphi tabanli LAN ransomware. AES-ECB ve AES-CTR modu sifrelemesi, yerel ag paylasimlari tarama ve sifreleme kapasitesi. /stealth, /wipeonly komut satiri secenekleri. how_to_decrypt.txt fidye notu. 11-section PE32+ TLS.

Type de malware
Ransomware
Langage de programmation
Delphi
Protocole C2
TCP/HTTPS
Systèmes ciblés
Küresel

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — LANRansomware
# SHA256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
TypeValeurNote
sha256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96

Serveurs C2 (1 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
tmonitor.pw domain 443 HTTPS inactive &mdash;

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
delphi-lan-ransomware-network-spreaderfolder-reserved-lan-encryptor-network-shareaes-ecb-ctr-mode-encryptiondot-encrypted-extension-file-renamehow-to-decrypt-txt-ransom-notestealth-mode-hidden-encryptionwipeonly-flag-file-destructionwsastartup-lan-network-scancmdlistprocessor-command-queueselftests-professional-ransomware11-sections-tls-anti-analysisdelphi-system-sysutils-tobjects-map