- First seen: June 2021
- Aliases: Mallox, Fargo, Tohnichi
- Samples:
  - f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61 | windows | ransom | pe
  - 8f0aaff110fe1833cefa00e7bf2af0ebdf2e4c8c58e51f00f89a1281b6a8cbfd | windows | ransom | pe
  - dcc9e23fd6ac926eb9ee7e0ee422dacd2059b4a42c8642d32bdf4f5c8eb33f6a | windows | trojan | ps1
  - 1e2515efb64200258752d785863fd35df6039441a80cb615dfff4fbdffb484ec | windows | trojan | batch

| Property | Value |
|---|---|
| Size | 152576 bytes |
| CRC32 | 0xa1648cef |
| MD5 | 9fda237668200542b7a524afd59c6b48 |
| SHA1 | 342c3be7cb4bae9c8476e578ac580b5325342941 |
| SHA256 | f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61 |
| SHA512 | 4eea5976ee0afbef4257834f41bebedb98991c296e4c6bb895f1450f87dbcecefd6b971b102f7574043bbc618f9346b1697d1d4fcb76a0b7413883d9e2547f33 |
| Ssdeep | 3072:CudyVkuftDR6PhpKHxf09vLOQcLlB9MJ:CyVzpKHxfkvdGl |
| Magic | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
| Packer | PE+(64): compiler: MinGW(GCC: (x86_64-posix-seh-rev0, Built by MinGW-W64 pr)[-] PE+(64): linker: GNU linker ld (GNU Binutils)(2.30)[EXE64,console] |
| TrID | 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13) |
+ Avast: clean
- Avira: TR/AD.Nekark.ipypq
- Bitdefender: Gen:Heur.Ransom.REntS.Gen.1
+ Clamav: clean
+ Comodo: clean
- Drweb: Trojan.Encoder.36572
- Eset: Win64/Filecoder.GH
- Fsecure: Trojan.TR/AD.Nekark.ipypq
- Kaspersky: Trojan-Ransom.Win64.RedAlert.b
- Mcafee: RDN/Ransom
+ Sophos: clean
- Symantec: Trojan.Gen.MBT
+ Trendmicro: clean
- Windefender: Ransom:Win32/Paradise.BC!MTB

| Property | Value |
|---|---|
| Size | 729600 bytes |
| CRC32 | 0xb7ef70f9 |
| MD5 | b4fde4fb829dd69940a0368f44fca285 |
| SHA1 | cd40b29abae57e336819bcf36e516acfeb631af2 |
| SHA256 | 8f0aaff110fe1833cefa00e7bf2af0ebdf2e4c8c58e51f00f89a1281b6a8cbfd |
| SHA512 | 6b8beb20bc3fbf7caaaf458139bfd9ab6d604cba8fee5c2877921dc9e58504b5b46c77425e3bdf96cbc9be11c10d6f7b02f19a32bf11c7f3f44ac49b070d785e |
| Ssdeep | 12288:zXagiEb6bbv0UWaMNujBMSqhLlMcs1pI5b9rwSdNHyKCN:aEeUuNjBMBLlHep0Ap |
| Magic | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| Packer | PE: library: .NET(v4.0.30319)[-] PE: linker: Microsoft Linker(48.0)[EXE32] |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
+ Avast: clean
+ Avira: clean
- Bitdefender: IL:Trojan.MSILZilla.23162
+ Clamav: clean
+ Comodo: clean
- Drweb: Trojan.PackedNET.1547
- Eset: MSIL/TrojanDownloader.Agent.NJN.gen
- Fsecure: Heuristic.HEUR/AGEN.1306868
- Kaspersky: HEUR:Trojan-Downloader.MSIL.Seraph.gen
- Mcafee: RDN/Generic Downloader.x
+ Sophos: clean
- Symantec: Trojan.Gen.MBT
+ Trendmicro: clean
- Windefender: TrojanDownloader:MSIL/SnakeKeylogger.I!MTB

| Property | Value |
|---|---|
| Size | 157 bytes |
| CRC32 | 0xcd87226f |
| MD5 | 98184e867f9eb64612ce3797c259efb5 |
| SHA1 | d3ec08e07908a271c59d04791ff8dd6cc08af86e |
| SHA256 | dcc9e23fd6ac926eb9ee7e0ee422dacd2059b4a42c8642d32bdf4f5c8eb33f6a |
| SHA512 | 67abc7129ffad6fa95c467a5c5532e57a84f173a31ec42aabb5e792755408fab75738e1b9f6582686ee89cd8a7554b442d34e18e95630d3142878a4dad372280 |
| Ssdeep | |
| Magic | ASCII text, with CRLF line terminators |
| Packer | Text: format: plain text[CRLF] |
| TrID | Warning: file seems to be plain text/ASCII TrID is best suited to analyze binary files! Unknown! |
+ Avast: clean
- Avira: TR/PShell.Runner.MB
- Bitdefender: Heur.BZC.PZQ.Boxter.928.207800EA
+ Clamav: clean
+ Comodo: clean
- Drweb: PowerShell.DownLoader.1738
- Eset: PowerShell/TrojanDownloader.Agent.EQN
- Fsecure: Trojan.TR/PShell.Runner.MB
- Kaspersky: HEUR:Trojan-Downloader.PowerShell.Tiny.gen
- Mcafee: PS/Downloader.hl
+ Sophos: clean
+ Symantec: clean
+ Trendmicro: clean
- Windefender: TrojanDownloader:PowerShell/Tnega!MSR

| Property | Value |
|---|---|
| Size | 2768 bytes |
| CRC32 | 0xa4a31699 |
| MD5 | ebf81ebf55d6387f97e5cd7aff1a7f90 |
| SHA1 | e35eba4baf48556ab2124463242d5a3d841ce1a5 |
| SHA256 | 1e2515efb64200258752d785863fd35df6039441a80cb615dfff4fbdffb484ec |
| SHA512 | 3dac2f40d483760b0d33472e97504ac151e6ae551d8391b1680072ccc2fb2bdc2e01ed8c410b94ee2e76074bd7c999ae00ccac3ba3e7fa5131b5277699d2eca0 |
| Ssdeep | |
| Magic | DOS batch file, ASCII text, with CRLF line terminators |
| Packer | Text: format: plain text[CRLF] |
| TrID | Warning: file seems to be plain text/ASCII TrID is best suited to analyze binary files! Unknown! |
+ Avast: clean
- Avira: BAT/Agent.aum
- Bitdefender: Trojan.Generic.31481841
+ Clamav: clean
+ Comodo: clean
+ Drweb: clean
- Eset: BAT/Agent.CH
- Fsecure: Malware.BAT/Agent.aum
- Kaspersky: Trojan.BAT.Zapchast.fp
- Mcafee: BAT/Agent.eb
+ Sophos: clean
- Symantec: Trojan Horse
+ Trendmicro: clean
+ Windefender: clean

- References:
  - https://asec.ahnlab.com/en/39152/
  - https://labs.k7computing.com/index.php/mallox-ransomware/
  - https://unit42.paloaltonetworks.com/mallox-ransomware/
  - https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a-0
  - https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/
  - https://www.trendmicro.com/en_au/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html