Derin Analiz - LAN AES Delphi Ransomware | Tehdit: YUKSEK

Файл Kimligi

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
Размер535,040 byte PE32+ x86-64, Delphi, 11 section, TLS found
DilDelphi (System.SysUtils, SimpleStringList, Tobjects_map)

Yetenekler

LAN SIFRELEMESI: Yerel agdaki paylasimlari sifreleme kapasitesi!
folder_reserved_by_lan_encryptor   <- ag paylasimlari sifrelemesi\nfolder_reserved_by_local_encryptor <- yerel sifrelemesi\nAll wiper threads is finished, but network scan still in progress\n  => Network scan: ag uzerindeki hedef aranir ve sifrelenir

Sifreleme Modlari

AES-ECB modu: EncryptECB / DecryptECB\nAES-CTR modu: cmCTR AEScipher\nAESFixed     <- sabit anahtar modu\n\nDosya uzantilari:\n  e.-encrypted  f.-encrypted  fast encrypted\n  -ENCRYPTED    .-encrypted\n\nFidye notu: how_to_decrypt.txt

Komut Satiri Secenekleri

/stealth   <- sifreleme sureci gizli modda calisir\n/p [sifre] <- sifreleme anahtari icin parola (zorunlu: /stealth ile)\n/wipeonly  <- dosya sifrele degil sil (tam yok etme modu!)\n\nCMDListProcessor <- komut listesi isleyici\ncmd_list         <- komut sirasi\nSelfTests        <- dahili test sistemi (profesyonel yazilim kalitesi)

Teknik Detaylar

File already encrypted in stealth mode. Try to rename file.\nWARNING: Can't create or open TXT file.\nWARNING: Can't increase file size. Skip file.\nHINT: how_to_decrypt.txt file, NTUSER.DAT file, wipe file...\n\nWSAStartup socket  <- ag soket erisimi (LAN scan icin)\nAbility to use sockets test (WSAStartup) -\nTMonitor.PW        <- Delphi sinif izleme nesnesi

IOC

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
DilDelphi PE32+ x64, 11 section, TLS
SifrelemesiAES-ECB + AES-CTR
Uzanti.-encrypted, -ENCRYPTED, fast encrypted
Fidye Notuhow_to_decrypt.txt
LANfolder_reserved_by_lan_encryptor (ag tarama)

LANRansomware — Профиль вредоносного ПО

Tanimlanmamis Delphi tabanli LAN ransomware. AES-ECB ve AES-CTR modu sifrelemesi, yerel ag paylasimlari tarama ve sifreleme kapasitesi. /stealth, /wipeonly komut satiri secenekleri. how_to_decrypt.txt fidye notu. 11-section PE32+ TLS.

Тип вредоносного ПО
Ransomware
Язык программирования
Delphi
C2 Протокол
TCP/HTTPS
Целевые системы
Küresel

Возможности и поведение

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Список IOC (1 индикаторов)

IOC — LANRansomware
# SHA256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
ТипЗначениеПримечание
sha256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96

C2 Серверы (1 зарегистрированных серверов для этого семейства)

Адрес Тип Порт Протокол Статус Страна
tmonitor.pw domain 443 HTTPS inactive &mdash;

Адреса C2 предоставляются только на основе образцов вредоносного ПО, вручную проверенных командой KEYDAL. Коммерческое использование запрещено.

Теги
delphi-lan-ransomware-network-spreaderfolder-reserved-lan-encryptor-network-shareaes-ecb-ctr-mode-encryptiondot-encrypted-extension-file-renamehow-to-decrypt-txt-ransom-notestealth-mode-hidden-encryptionwipeonly-flag-file-destructionwsastartup-lan-network-scancmdlistprocessor-command-queueselftests-professional-ransomware11-sections-tls-anti-analysisdelphi-system-sysutils-tobjects-map