Skip to main content

FabSysCrypto Ransomware - IOC


1) Ransomware Name - FabSysCrypto

2) Encrypted Extensions - .locked

3) Ransom Note File -
_HELP_instructions.txt
fabsyscrypto.exe

4) Encrypted Algorithm - RSA-2048 and AES-128

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -

xxxxs://www.torproject.org/download/download-easy.html
1. xxxx://32kl2rwsjvqjeul7.tor2web.org/56D592DC7A9DDlDB
2. xxxx://32kl2rwsjvqjeul7.onion.to/56D592DC7A9DDlDB
3. xxxx://32kl2rwsjvqjeul7.onlon.cab/56D592DC7A9DDlDB





8) File Details -

MD5 ddcd198ef8d39196a515f9ba27ebfdea
SHA1 bc35e9ca0a01696c4ae7fd7fbe63114d6b12ae5b
SHA256 99beefe151f73494d923e40c1b43d8f525441eb88df303d0a13c293c309c2f62
Ssdeep1536: syJpWAMFfumsolagIrRuw + mqbz9j1MWLQsg: jTM1umsol3IrRuw + mqv9j1MWLQr
Authentihash  9f721a272cd773454883e6f417c7f91c8f3a030e3b809bb49352428d9b9d4a5b
Imphash  F34d5f2d4577ed6d9ceec516c1f5a744
The size of the file is 116.0 KB (118784 bytes)
Win32 EXE file type
DescriptionPE32 executable for MS Windows (GUI) Intel 80386 Mono / .Net assembly



MD5 340eabcabd383c768d5d8eaff3e16de8
SHA1 76b79ed26a409c2ceb83c2b2d1b4470d8b99565f
SHA256 8feec8ca1026ea0392b80524ace8d637b9c96ad975ead4c764c3a1401ff921de
Ssdeep1536: o8EAMFfumsolagIrRuw + mqbz9j1MWLQsg: 1M1umsol3IrRuw + mqv9j1MWLQr
Authentihash  3cc20e55c4788cc96e3f99204052c5db8d9d4388048b4ec2d1a49b7c0bf9a2f8
Imphash  F34d5f2d4577ed6d9ceec516c1f5a744
The size of the file is 113.5 KB (116224 bytes)
Win32 EXE file type
DescriptionPE32 executable for MS Windows (GUI) Intel 80386 Mono / .Net assembly

Comments

Popular posts from this blog

Locked-In Ransomware - IOC - File Details

1) Ransomware Name - Locked-In

2) Encrypted Extensions - .novalid

3) Ransom note File -
RESTORE_CORUPTED_FILES.HTML
RESTORE_NOVALID_FILES.HTML

4) Encrypted Algorithm - AES-256

5) Decryptor Link - https://www.google.com/url?
q=https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/&sa=D&ust=1505219068689000&usg=AFQjCNF9ioLcjI8uj-Oh5swSsBA9DBqXMw


6) Screenshot -


7) indicators of Compromise - NA


8) File Details -
MD5 b6ffac29f16e859b7aa8ab7f62b0bcef
SHA1 2eb0644345f4fbde656f316c7d9ce6866ec4335e
SHA256 8cc8125ce0cace7e1f090015a7a2e55aa0bbd06318a3f29c0a11cb6c85ad2264
ssdeep768: L / 1L41c / gaxme9hpfILteybyD1D9Hnfl9AtSy: L9LQOALMybyDJ9N9Aoy
authentihash  e4ca172031e3b85a97b9ca031b97ec94c9d32d9e7cdb33a6349462c01130ead4
imphash  f34d5f2d4577ed6d9ceec516c1f5a744
The size of the file is 38.0 KB (38912 bytes)
Win32 EXE file type
DescriptionPE32 executable for MS Windows (GUI) Intel 80386 Mono / .Net assembly

CryLocker Ransomware - IOC

1) Ransomware Name - CryLocker

2) Encrypted Extensions - .cry

3) Ransom Note File -
!Recovery_[random_chars].html
!Recovery_[random_chars].txt

4) Encrypted Algprithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
хттп://imgur.com
хттпs://pastee.org/
хттпs://maps.googleapis.com
UDP Traffic to ip addresses in the 37.x.x.x range
***mbfce24rgn65bx3g.rzunt3u2.com (66.23.246.239:80 - США)
***fortycooola.top (54.165.109.229:80 - США)
***smoeroota.top
***newfoodas.top
***84.200.34.99 (Германия)
***7gie6ffnkrjykggd.rzunt3u2.com
***7gie6ffnkrjykggd.er29sl.in
***7gie6ffnkrjykggd.onion



8) File Details -
the MD5 feb7967965c46e655c247054a0f500f1
the SHA1 ccdaa1dcbc450db0b9bdcbc22538137856fcc0b8
the SHA256 a37108a8960fcee98058261486a15ab2d8680844513ba60f266185b9d3d7d981
ssdeep192: 3zsQmb9geQ9ilbqibqHpjAjgIkotjv9d909 / Sc: wr5luppmz1jaac
File size 11.0 KB (11232 bytes)
File Type Text
DescriptionASCII text, with very long lines

Hermes Ransomware - IOC - File Details

1) Ransomware Name - Hermes

2) Encrypted Extensions - NA

3) Ransom Note File -
DECRYPT_INFO.txt
DECRYPT_INFORMATION.html
UNIQUE_ID_DO_NOT_REMOVE - файл с ID
hermes.exe
Reload.exe
system_.bat
shade.bat
shade.vbs

4) Encrypted Algorithm - AES

5) Decryptor Link - https://www.google.com/url?q=https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/&sa=D&ust=1504791164932000&usg=AFQjCNFF6L6BKQM0Gy3ludx8JBJ5nDRdiA

6) Screenshot -

7) Indicators of Compromise -
primary email: BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch
reserve email: x2486@india.com
8) File Details -
MD5 61075faba222f97d3367866793f0907b
SHA1 cc033c3bf41550563a180444b6166515faa53c3a
SHA256 059aab1a6ac0764ff8024c8be37981d0506337909664c7b3862fc056d8c405b0
ssdeep1536: 9 + Gy5E9sg99CxI4dqFhTfLZ8Lb1WyHVviF9k6zeEkA5YaH88C5Wa / HR: D2E9R9sxfdiqLP1a9keeEkA5YA9afR
authentihash  2504f77bf5514730023a60626445ee71d8ee4e60c18ad92ea5c8f33efc5ed43d
imphash  ff847787dd14576ae2…