- First seen: 2016
- Aliases: CrySiS, Phobos
- Samples:
- bf20b92755cd5c2542cdcef804ee795932cc4b0e070ca6b81ff8fd30908a8f97 | windows | ransom | pe
- 2534d60a94e3190f4d8bb3025c523b3bac76fee6c81e9cf61e604b3e68ba6bc1 | windows | ransom | pe
| Property | Value |
|---|---|
| Size | 94720 bytes |
| CRC32 | 0x29f3aae1 |
| MD5 | 2bbb2d9be1a993a8dfef0dd719c589a0 |
| SHA1 | c03d6401902a7b07ac88dbde7f93c6cc74e57221 |
| SHA256 | bf20b92755cd5c2542cdcef804ee795932cc4b0e070ca6b81ff8fd30908a8f97 |
| SHA512 | b810d0b4b775afbc7d69e7159363d9778b6d22bd7cdc0271dac595500ed3243aadae47b060ba55374c27b6c00137bdc3c2277ecef9b18242a0d62c15e0941343 |
| Ssdeep | 1536:mBwl+KXpsqN5vlwWYyhY9S4AecO0xq0j9OnjXZFekIaOaUBRUpkqa:Qw+asqN5aW/hLUcJc0jQjJ7Oa1Gq |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2010 SP1)[-] PE: linker: Microsoft Linker(10.0)[EXE32] |
| TrID | 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13) |
- Avast: Win32:RansomX-gen [Ransom]
- Avira: TR/AD.Crysis.hrjci
- Bitdefender: Trojan.Ransom.Crysis.E
- Clamav: Win.Trojan.Dharma-6668198-0
- Comodo: TrojWare.Win32.Crysis.D
- Drweb: Trojan.Encoder.3953
- Eset: Win32/Filecoder.Crysis.P
- Fsecure: Trojan.TR/Dropper.Gen
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Troj/Criakl-G
- Symantec: Ransom.Crysis
+ Trendmicro: clean
- Windefender: Ransom:Win32/Wadhrama!hoa

| Property | Value |
|---|---|
| Size | 93696 bytes |
| CRC32 | 0x5642495b |
| MD5 | 7e9531be989e908bb0571f8751e05c58 |
| SHA1 | eae3ba696d38eb2b3ace15efbc4b06ecbd205825 |
| SHA256 | 2534d60a94e3190f4d8bb3025c523b3bac76fee6c81e9cf61e604b3e68ba6bc1 |
| SHA512 | 5ec36ad0c48d889e2aed7e2e2005594c2b95c9000745e757fc7f23de1a6b1cb12415268857cd61c209641b33f2d0974aaed1239eb9761ac3a290bf40bc7d4e95 |
| Ssdeep | 1536:JxqjQ+P04wsmJCBrczBracRvoU+XfE9ICf4t1OwruWiy101Q:sr85CoB36X89NfsjruWiy0Q |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Borland Delphi(-)[-] PE: linker: Turbo Linker(2.25*,Delphi)[EXE32] |
| TrID | 92.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 1.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
- Avast: Win32:Apanas [Trj]
- Avira: W32/Neshta.A
- Bitdefender: Win32.Neshta.A
- Clamav: Win.Trojan.Neshuta-1
- Comodo: Win32.Neshta.A
- Drweb: Win32.HLLP.Neshta
- Eset: Win32/Neshta.A virus
- Fsecure: Malware.W32/Neshta.A
+ Kaspersky: clean
- Mcafee: W32/HLLP.41472.e
- Sophos: W32/Neshta-D
- Symantec: W32.Neshuta
+ Trendmicro: clean
- Windefender: Virus:Win32/Neshta.A

- References:
- https://www.acronis.com/en-sg/blog/posts/dharma-ransomware/
- https://www.fortinet.com/blog/threat-research/dharma-ransomware--what-it-s-teaching-us
- https://www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/crysis-dharma
- https://unit42.paloaltonetworks.com/ransomware-threat-assessments/6/
- https://www.welivesecurity.com/2016/06/07/beyond-teslacrypt-crysis-family-lays-claim-parts-territory/
- https://www.malwarebytes.com/blog/news/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses
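The two property tables and the vendor verdict lists above are the raw material a responder actually works with, so here is an added example (written for this page, not code from any of the linked vendors) of the checks worth running on them: recompute the size, CRC32 and hash fields for a file and confirm they agree with the catalogued row before treating the row as an IOC, and parse the `-`/`+` verdict lines to count detections and list which vendors name the expected family. `PAGE_SAMPLES` and `SAMPLE1_VERDICTS` are copied from the tables and list above; the input bytes in the `__main__` block are a constructed placeholder, not a sample. Run on the second sample's verdict list, `family_named` comes back empty, because every vendor that flags that file labels it Neshta (or a related name) rather than Crysis/Dharma, which is the kind of discrepancy this summary is meant to surface.

```python
import hashlib
import re
import zlib

# Indicator fields copied from the two property tables on this page, keyed by SHA256.
PAGE_SAMPLES = {
    "bf20b92755cd5c2542cdcef804ee795932cc4b0e070ca6b81ff8fd30908a8f97": {
        "size": 94720, "crc32": "0x29f3aae1",
        "md5": "2bbb2d9be1a993a8dfef0dd719c589a0",
        "sha1": "c03d6401902a7b07ac88dbde7f93c6cc74e57221",
    },
    "2534d60a94e3190f4d8bb3025c523b3bac76fee6c81e9cf61e604b3e68ba6bc1": {
        "size": 93696, "crc32": "0x5642495b",
        "md5": "7e9531be989e908bb0571f8751e05c58",
        "sha1": "eae3ba696d38eb2b3ace15efbc4b06ecbd205825",
    },
}

# Verdict list for the first sample, copied from this page ("-" = detected, "+" = clean).
SAMPLE1_VERDICTS = """\
- Avast: Win32:RansomX-gen [Ransom]
- Avira: TR/AD.Crysis.hrjci
- Bitdefender: Trojan.Ransom.Crysis.E
- Clamav: Win.Trojan.Dharma-6668198-0
- Comodo: TrojWare.Win32.Crysis.D
- Drweb: Trojan.Encoder.3953
- Eset: Win32/Filecoder.Crysis.P
- Fsecure: Trojan.TR/Dropper.Gen
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Troj/Criakl-G
- Symantec: Ransom.Crysis
+ Trendmicro: clean
- Windefender: Ransom:Win32/Wadhrama!hoa
"""

# Names under which this family appears in the vendor labels on this page.
FAMILY_TERMS = ("crysis", "dharma", "wadhrama")


def fingerprint(data: bytes) -> dict:
    """Compute the fields the property tables list, formatted the same way."""
    return {
        "size": len(data),
        "crc32": "0x%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def match_sample(data: bytes, catalogue: dict) -> tuple:
    """Look the file up by SHA256 and return (sha256, mismatched fields).

    sha256 is None when the file is not catalogued. A non-empty mismatch list
    means the catalogued row is internally inconsistent (e.g. a transcription
    error in MD5 or size) and should not be trusted as an IOC as written.
    """
    fp = fingerprint(data)
    row = catalogue.get(fp["sha256"])
    if row is None:
        return None, []
    return fp["sha256"], [k for k, v in row.items() if fp[k] != v]


VERDICT_RE = re.compile(r"^[+-]\s*(\w+):\s*(.+?)\s*$")


def parse_verdicts(block: str) -> dict:
    """Map vendor -> label, with None for a 'clean' verdict."""
    verdicts = {}
    for line in block.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            vendor, label = m.groups()
            verdicts[vendor] = None if label.lower() == "clean" else label
    return verdicts


def detection_summary(verdicts: dict, family_terms=FAMILY_TERMS) -> dict:
    """Count detections and list the vendors whose label names the expected family."""
    detected = {v: l for v, l in verdicts.items() if l}
    named = [v for v, l in detected.items() if any(t in l.lower() for t in family_terms)]
    return {"vendors": len(verdicts), "detected": len(detected), "family_named": sorted(named)}


if __name__ == "__main__":
    # Constructed placeholder bytes, not a sample: demonstrates a negative lookup.
    print(match_sample(b"constructed placeholder, not malware", PAGE_SAMPLES))
    print(detection_summary(parse_verdicts(SAMPLE1_VERDICTS)))
```

Ssdeep is deliberately left out: it is not in the standard library, and a fuzzy-hash comparison is a similarity score, not an equality check, so it belongs in a separate triage step rather than in the exact-match verification above.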