- First seen: July 2020
- Aliases:
- Samples:
- 4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273 | windows | ransom | pe
- f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963 | windows | ransom | pe
- 30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83 | windows | ransom | pe
- 2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0 | windows | ransom | pe

| Property | Value |
|---|---|
| Size | 78848 bytes |
| CRC32 | 0x5164f9c9 |
| MD5 | 23ba9903c5073f8637cfb4476ccc86b0 |
| SHA1 | 268248c43bc4d9f803a1eb6a941b0bd5622d5445 |
| SHA256 | 4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273 |
| SHA512 | acdf49c35eaf42c37a57b89053ea24cf8935ed0062060be3903e257396063c1c0257df2a58712d9446a7881140c52be5a29d8c1cf9efdfcb8fea8de6288adc53 |
| Ssdeep | 1536:UhDsZ7FBET6FIsr4XSZ32tcOGwpin2lROhhSQCr1d:EDsBF6T6+srGi32tcOGwpin26hhor1d |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(6.0)[-] PE: linker: Microsoft Linker(14.12, Visual Studio 2017 15.5*)[EXE32] |
| TrID | 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) |
- Avast: Win32:Malware-gen
+ Avira: clean
- Bitdefender: Generic.Ransom.GarrantDecrypt.B.79AD0F59
- Clamav: Win.Ransomware.MountLocker-9802291-0
- Comodo: Malware
- Drweb: Trojan.Encoder.32749
- Eset: Win32/Filecoder.MountLocker.B
- Fsecure: Heuristic.HEUR/AGEN.1220829
- Kaspersky: Trojan.Win32.Zudochka.ewc
+ Mcafee: clean
- Sophos: Mal/Behav-116
- Symantec: Downloader
- Trendmicro: Ransom.Win32.MOUNTLOCKER.THJOHBOA
- Windefender: Ransom:Win32/MountLocker.BM!MSR

| Property | Value |
|---|---|
| Size | 96768 bytes |
| CRC32 | 0xe8dca33a |
| MD5 | e7fde51fc294e7365618a72ac50cb1a4 |
| SHA1 | 23c4fe41acb2114b3a1b07e3c8ef1814c6cf4175 |
| SHA256 | f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963 |
| SHA512 | 02d6facd15ae597f285ad89be8581d0ba55a341b55e570469ab4b8cd4786bb912dd033c969dbbee583e9f9baf8758d5d96c7d92f7592649fb92607bc514f0446 |
| Ssdeep | 1536:zumzFe61Icro3yJn2ds+Gwpin2MRRn7H7ur/5WgS09clN1dtVl1dFt9lN1dtV9l:zuP6ucrWSn2ds+Gwpin2mgr/UH0S |
| Magic | PE32+ executable (GUI) x86-64, for MS Windows |
| Packer | PE+(64): linker: Microsoft Linker(14.12, Visual Studio 2017 15.5*)[EXE64] |
| TrID | 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 27.6% (.EXE) Win64 Executable (generic) (10523/12/4) 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) OS/2 Executable (generic) (2029/13) 5.2% (.EXE) Generic Win/DOS Executable (2002/3) |
- Avast: Win64:Malware-gen
+ Avira: clean
- Bitdefender: Gen:Variant.Ser.Midie.1582
- Clamav: Win.Ransomware.MountLocker-9802291-0
- Comodo: Malware
- Drweb: Trojan.Encoder.32749
- Eset: Win64/Filecoder.MountLocker.A
- Fsecure: Heuristic.HEUR/AGEN.1220861
- Kaspersky: Trojan.Win32.Zudochka.ewf
+ Mcafee: clean
- Sophos: Troj/Ransom-GIH
- Symantec: Downloader
- Trendmicro: Ransom.Win64.MOUNTLOCKER.A
- Windefender: Ransom:MacOS/Filecoder

| Property | Value |
|---|---|
| Size | 114688 bytes |
| CRC32 | 0xcc798cb8 |
| MD5 | ce3969ab935f0f5b1301cd70d2e59696 |
| SHA1 | e70d3341a6e2cc8ae0f140075837ceac4453b947 |
| SHA256 | 30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83 |
| SHA512 | 20998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36 |
| Ssdeep | 1536:y7WSmywADwaY6FIsr4XSZ32tcOGwpin2NI2F4cdJ0DLx0DL:y7WgpDwd6+srGi32tcOGwpin2NMcd |
| Magic | Composite Document File V2 Document, Little Endian, Os |
| Packer | Binary: archive: Microsoft Compound(MS Office 97-2003 or MSI etc.) |
| TrID | 81.7% (.MSI) Microsoft Windows Installer (454500/1/170) 10.9% (.MST) Windows SDK Setup Transform script (61000/1/5) 5.8% (.XLS) Microsoft Excel sheet (32500/1/3) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1) |
- Avast: Win32:Trojan-gen
- Avira: TR/FileCoder.vifbl
- Bitdefender: Generic.Ransom.GarrantDecrypt.B.34F712B7
- Clamav: Win.Ransomware.MountLocker-9802291-0
- Comodo: Malware
- Drweb: Trojan.Encoder.32761
- Eset: Win32/Filecoder.MountLocker.B
- Fsecure: Heuristic.HEUR/AGEN.1207470
- Kaspersky: HEUR:Trojan.OLE2.Alien.gen
+ Mcafee: clean
- Sophos: Troj/Ransom-GCM
- Symantec: Downloader
- Trendmicro: Ransom.Win32.MOUNTLOCKER.YPAJV
- Windefender: Ransom:Win32/MountLocker.BM!MSR

| Property | Value |
|---|---|
| Size | 47104 bytes |
| CRC32 | 0x369b6d9d |
| MD5 | 75d07587e095647ff8f18479e73831b2 |
| SHA1 | 5da9c3f4b1db7972cf21d1553562660b289a4c59 |
| SHA256 | 2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0 |
| SHA512 | 2e7dc10f3730824029359716b12d29d3b23b19f1d1e0bfd058d1ab05a6c469aae39a13d9c48e602cd262e4ed480d5697b4dc831a68a3f6713b333c643116ef65 |
| Ssdeep | 768:BZu9uClYAXSM6dsQ1Y/4vhx5F5OlLhdh1i:BZuz7vwf1OTs |
| Magic | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| Packer | PE+(64): linker: Microsoft Linker(14.12, Visual Studio 2017 15.5*)[DLL64] |
| TrID | 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 27.6% (.EXE) Win64 Executable (generic) (10523/12/4) 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) OS/2 Executable (generic) (2029/13) 5.2% (.EXE) Generic Win/DOS Executable (2002/3) |
- Avast: Win64:TrojanX-gen [Trj]
+ Avira: clean
- Bitdefender: Gen:Heur.Ransom.REntS.Gen.1
- Clamav: Win.Ransomware.MountLocker-9802291-0
- Comodo: Malware
- Drweb: Trojan.Encoder.33960
- Eset: Win64/Filecoder.MountLocker.A
- Fsecure: Heuristic.HEUR/AGEN.1207470
- Kaspersky: Trojan.Win32.DelShad.flm
+ Mcafee: clean
- Sophos: Troj/Ransom-GDE
- Symantec: Trojan.Gen.2
- Trendmicro: Ransom.Win64.MOUNTLOCKER.YAAK1
- Windefender: Ransom:Win64/MountLocker.BM!MSR

- https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
- https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/
- https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates