DeriaLock Ransomware - IOC


1) Ransomware Name - DeriaLock

2) Encrypted Extensions - .deria

3) Ransom Note File - unlock-everybody.txt

4) Encryption Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/&sa=D&ust=1500466598635000&usg=AFQjCNHWUgJ-tg18jLcS3YM2Auz-6f14-Q

6) Screenshots -


7) Indicators of Compromise -
Skype account: "arizonacode"
xxxx://server-address/[full_MD5_hash].txt
C:\Users\AppData\Roaming\Microsoft\Windows\Start menu\Programs\Startup\SystemLock.exe
LOGON.exe
Ransom.exe
downloader.exe
C2 IP: 144.76.167.69 (Germany)
bplaced.net (5.9.107.19 Germany)
***GommeHD.net
***wallup.net


8) File Details -
File size 458.0 KB (468992 bytes)
Type of file Win32 EXE
Description: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono / .Net assembly

File size 195.0 KB (199,680 bytes)
Type of file Win32 EXE
Description: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono / .Net assembly

File size 775.0 KB (793,600 bytes)
Type of file Win32 EXE
Description: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono / .Net assembly

File size 484.0 KB (495616 bytes)
Type of file Win32 EXE
Description: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono / .Net assembly
