
Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware

Severity

High

Analysis Summary

The cybercrime group behind the Satan, DBGer and Lucky ransomware families (and possibly Iron ransomware) recently introduced a new version, or rebranding, named “5ss5c”. This version of the ransomware adds the EternalBlue exploit and new functionality.

It downloads and makes use of:

  • A spreader (EternalBlue and hardcoded credentials)
  • Mimikatz and what appears to be another password dumper/stealer
  • The actual ransomware

Indicators of compromise are given below.

Impact

  • File encryption
  • Credential theft
  • Information theft

Indicators of Compromise

Sender email address

5ss5c@mail[.]ru

MD5

  • e56b28203a66d88da2c951c9b47fb2c0
  • 8accffa5e7d5b14ee8109a8f99c72661
  • 756b6353239874d64291e399584ac9e5
  • ba008ae920251f962fdc0f80c27dd975
  • dc646bdbe28b453ba190a6356959d028
  • f56025565de4f53f5771d4966c2b5555
  • dfc0966397adcd590a4fba85d16bccf6
  • 0f371453cdab407283e2723b0c99c2f5
  • 680d9c8bb70e38d3727753430c655699
  • 853358339279b590fb1c40c3dc0cdb72
  • 09d45ae26830115fd8d9cdc2aa640ca5
  • 01a9b1f9a9db526a54a64e39a605dd30
  • ca3c0851c7451fc34dc37c2c53e2f70a

SHA-256

  • 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
  • 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
  • ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
  • af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
  • a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
  • ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
  • e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
  • 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
  • ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
  • ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
  • cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
  • 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
  • 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7

Source IP

  • 58[.]221[.]158[.]90
  • 61[.]186[.]243[.]2

URL

  • http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
  • http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
  • http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not click on URLs attached in untrusted emails.
  • Maintain backups of all files.
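To act on the first remediation item, the defanged indicators above have to be refanged before they can be loaded into a blocklist, and the published hashes have to be compared against files and the URLs/IPs against proxy or firewall logs. The script below is an added example written for this page, not Rewterz's own tooling: it carries the indicators exactly as listed in the alert, refangs them, checks file digests against the MD5/SHA-256 lists, and scans a few constructed proxy log lines (assumed format, not real telemetry) for the IPs, URLs and sender address.

```python
import hashlib
import re

# Indicators copied from the alert above, kept defanged as published.
DEFANGED_EMAIL = "5ss5c@mail[.]ru"
DEFANGED_IPS = ["58[.]221[.]158[.]90", "61[.]186[.]243[.]2"]
DEFANGED_URLS = [
    "http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat",
    "http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt",
    "http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat",
]
MD5_IOCS = {
    "e56b28203a66d88da2c951c9b47fb2c0", "8accffa5e7d5b14ee8109a8f99c72661",
    "756b6353239874d64291e399584ac9e5", "ba008ae920251f962fdc0f80c27dd975",
    "dc646bdbe28b453ba190a6356959d028", "f56025565de4f53f5771d4966c2b5555",
    "dfc0966397adcd590a4fba85d16bccf6", "0f371453cdab407283e2723b0c99c2f5",
    "680d9c8bb70e38d3727753430c655699", "853358339279b590fb1c40c3dc0cdb72",
    "09d45ae26830115fd8d9cdc2aa640ca5", "01a9b1f9a9db526a54a64e39a605dd30",
    "ca3c0851c7451fc34dc37c2c53e2f70a",
}
SHA256_IOCS = {
    "47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95",
    "8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300",
    "ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41",
    "af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da",
    "a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f",
    "ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18",
    "e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198",
    "68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7",
    "ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f",
    "ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c",
    "cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de",
    "9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc",
    "23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7",
}


def refang(indicator: str) -> str:
    """Undo the "[.]" and "[:]" defanging used in the alert so the value can be
    loaded into a proxy, DNS, firewall or mail blocklist."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def hash_is_ioc(md5_hex: str = "", sha256_hex: str = "") -> bool:
    """True when either supplied hex digest (any case) is on the alert's lists."""
    return md5_hex.lower() in MD5_IOCS or sha256_hex.lower() in SHA256_IOCS


def file_bytes_are_ioc(data: bytes) -> bool:
    """Hash a file's contents and check both digests against the alert."""
    return hash_is_ioc(hashlib.md5(data).hexdigest(),
                       hashlib.sha256(data).hexdigest())


def scan_log_lines(lines):
    """Return {line_index: [matched indicators]} for lines containing an IoC
    URL, IP or email. IPs are matched with digit/dot boundaries so that
    58.221.158.90 is not reported inside an address such as 158.221.158.90."""
    urls = [refang(u) for u in DEFANGED_URLS]
    email = refang(DEFANGED_EMAIL)
    ip_patterns = [
        (refang(ip), re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"))
        for ip in DEFANGED_IPS
    ]
    hits = {}
    for i, line in enumerate(lines):
        found = [u for u in urls if u in line]
        found += [ip for ip, pat in ip_patterns if pat.search(line)]
        if email in line:
            found.append(email)
        if found:
            hits[i] = found
    return hits


# Constructed sample proxy log lines (assumed format, not real telemetry):
# line 0 fetches one of the alert's URLs, line 1 is benign, line 2 connects
# to the second listed IP.
SAMPLE_PROXY_LOG = [
    "2020-02-18T10:01:02Z 10.0.0.5 GET http://58.221.158.90:88/car/down.txt 200",
    "2020-02-18T10:01:05Z 10.0.0.7 GET https://example.com/index.html 200",
    "2020-02-18T10:02:11Z 10.0.0.9 CONNECT 61.186.243.2:445 -",
]

if __name__ == "__main__":
    for idx, indicators in scan_log_lines(SAMPLE_PROXY_LOG).items():
        print(f"line {idx}: {', '.join(indicators)}")
    print("benign bytes flagged:", file_bytes_are_ioc(b"constructed benign content"))
```

When checking files, prefer the SHA-256 match as the authoritative one; the MD5 list is useful for tools that only report MD5, but a SHA-256 hit is the stronger identification. The IP boundary regex matters in practice: a plain substring search on 58.221.158.90 would also fire on unrelated addresses that merely contain those octets.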