Derin Analiz - LAN AES Delphi Ransomware | Tehdit: YUKSEK

파일 Kimligi

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
크기535,040 byte PE32+ x86-64, Delphi, 11 section, TLS found
DilDelphi (System.SysUtils, SimpleStringList, Tobjects_map)

Yetenekler

LAN SIFRELEMESI: Yerel agdaki paylasimlari sifreleme kapasitesi!
folder_reserved_by_lan_encryptor   <- ag paylasimlari sifrelemesi\nfolder_reserved_by_local_encryptor <- yerel sifrelemesi\nAll wiper threads is finished, but network scan still in progress\n  => Network scan: ag uzerindeki hedef aranir ve sifrelenir

Sifreleme Modlari

AES-ECB modu: EncryptECB / DecryptECB\nAES-CTR modu: cmCTR AEScipher\nAESFixed     <- sabit anahtar modu\n\nDosya uzantilari:\n  e.-encrypted  f.-encrypted  fast encrypted\n  -ENCRYPTED    .-encrypted\n\nFidye notu: how_to_decrypt.txt

Komut Satiri Secenekleri

/stealth   <- sifreleme sureci gizli modda calisir\n/p [sifre] <- sifreleme anahtari icin parola (zorunlu: /stealth ile)\n/wipeonly  <- dosya sifrele degil sil (tam yok etme modu!)\n\nCMDListProcessor <- komut listesi isleyici\ncmd_list         <- komut sirasi\nSelfTests        <- dahili test sistemi (profesyonel yazilim kalitesi)

Teknik Detaylar

File already encrypted in stealth mode. Try to rename file.\nWARNING: Can't create or open TXT file.\nWARNING: Can't increase file size. Skip file.\nHINT: how_to_decrypt.txt file, NTUSER.DAT file, wipe file...\n\nWSAStartup socket  <- ag soket erisimi (LAN scan icin)\nAbility to use sockets test (WSAStartup) -\nTMonitor.PW        <- Delphi sinif izleme nesnesi

IOC

SHA25648877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
DilDelphi PE32+ x64, 11 section, TLS
SifrelemesiAES-ECB + AES-CTR
Uzanti.-encrypted, -ENCRYPTED, fast encrypted
Fidye Notuhow_to_decrypt.txt
LANfolder_reserved_by_lan_encryptor (ag tarama)

LANRansomware — 악성코드 프로필

Tanimlanmamis Delphi tabanli LAN ransomware. AES-ECB ve AES-CTR modu sifrelemesi, yerel ag paylasimlari tarama ve sifreleme kapasitesi. /stealth, /wipeonly komut satiri secenekleri. how_to_decrypt.txt fidye notu. 11-section PE32+ TLS.

악성코드 유형
Ransomware
프로그래밍 언어
Delphi
C2 프로토콜
TCP/HTTPS
대상 시스템
Küresel

기능 및 동작

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

IOC 목록 (1 개 지표)

IOC — LANRansomware
# SHA256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
유형메모
sha256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96

C2 서버 (이 패밀리에 대해 1개의 서버 기록)

주소 유형 포트 프로토콜 상태 국가
tmonitor.pw domain 443 HTTPS inactive &mdash;

C2 주소는 KEYDAL 팀이 수동으로 검증한 악성코드 샘플에서만 제공됩니다. 상업적 사용은 금지됩니다.

태그
delphi-lan-ransomware-network-spreaderfolder-reserved-lan-encryptor-network-shareaes-ecb-ctr-mode-encryptiondot-encrypted-extension-file-renamehow-to-decrypt-txt-ransom-notestealth-mode-hidden-encryptionwipeonly-flag-file-destructionwsastartup-lan-network-scancmdlistprocessor-command-queueselftests-professional-ransomware11-sections-tls-anti-analysisdelphi-system-sysutils-tobjects-map