Derin PE Analizi — TorRansomware | Tehdit: KRITIK

Fichier Kimligi

SHA25667a78b39e760e3460a135a7e4fa096ab6ce6b013658103890c866d9401928ba5
Taille1,261,752 byte
DerleyiciGCC 7.3-win32 MinGW-w64, 17 sections

Tor C2: xri65fopcxkdfxhi4tidsg7cad.onion

xri65fopcxkdfxhi4tidsg7cad.onion -- Tor Hidden Service C2\nFidye odeme ve anahtar teslimi Onion aginda\nKurban Tor Browser ile sitenin acmali\nOperatorun kimligi gizli, sunucu yeri bilinemez

Kurban Secret Key

"with your secret key 6F2PQ14O2POZ1JB5PSD65HUJP19Y9DU1"\nRSA sifreleme: rsa_encrypt_key, rsa_encrypt_IV\nKurban bu key ile odeme yapar, operatorden decrypt key alir

Duvar Kagidi Hijack (Registry)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop -> NoChangingWallPaper = 1\nHKLM\Policies\System -> Wallpaper = C:\Users\Public\bg.jpg\nKullanici degistiremez (NoChangingWallPaper=1)

SetThreadContext Enjeksiyon

SetThreadContext x3 referans -- process hollowing\nFPU anti-disassembly, TLS callback (1 func)

IOC

SHA25667a78b39e760e3460a135a7e4fa096ab6ce6b013658103890c866d9401928ba5
Tor C2xri65fopcxkdfxhi4tidsg7cad.onion
Kurban Key6F2PQ14O2POZ1JB5PSD65HUJP19Y9DU1
Fidye BGC:\Users\Public\bg.jpg

TorRansomware — Profil du malware

Tor .onion network kullanan C/C++ (GCC MinGW) ransomware. xri65fopcxkdfxhi4tidsg7cad.onion Tor C2. Kurban secret key: 6F2PQ14O2POZ1JB5PSD65HUJP19Y9DU1. RSA-encrypted file keys. Wallpaper hijack (C:\Users\Public\bg.jpg + NoChangingWallPaper=1). SetThreadContext process injection. 17 section obfuscation.

Type de malware
Ransomware
Langage de programmation
C (GCC MinGW)
Protocole C2
Tor/.onion
Systèmes ciblés
Küresel

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — TorRansomware
# SHA256 67a78b39e760e3460a135a7e4fa096ab6ce6b013658103890c866d9401928ba5
TypeValeurNote
sha256 67a78b39e760e3460a135a7e4fa096ab6ce6b013658103890c866d9401928ba5

Serveurs C2 (1 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
xri65fopcxkdfxhi4tidsg7cad.onion domain 80 custom inactive —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
torransomwaretor-onion-c2ransomwaresetthreadcontextwallpaper-hijackgcc-ransomware