Severity
High
Analysis Summary
The cybercrime group that launched the Satan, DBGer and Lucky ransomware, and possibly Iron ransomware, recently introduced a new version or rebranding named “5ss5c”. This version of the ransomware adds the EternalBlue exploit and new functionality.
It will download and leverage:
- Spreader (EternalBlue and hardcoded credentials)
- Mimikatz and what appears to be another password dumper/stealer
- The actual ransomware
Indicators of compromise are given below.
Impact
- File encryption
- Credential theft
- Information theft
Indicators of Compromise
From Email
5ss5c@mail[.]ru
MD5
- e56b28203a66d88da2c951c9b47fb2c0
- 8accffa5e7d5b14ee8109a8f99c72661
- 756b6353239874d64291e399584ac9e5
- ba008ae920251f962fdc0f80c27dd975
- dc646bdbe28b453ba190a6356959d028
- f56025565de4f53f5771d4966c2b5555
- dfc0966397adcd590a4fba85d16bccf6
- 0f371453cdab407283e2723b0c99c2f5
- 680d9c8bb70e38d3727753430c655699
- 853358339279b590fb1c40c3dc0cdb72
- 09d45ae26830115fd8d9cdc2aa640ca5
- 01a9b1f9a9db526a54a64e39a605dd30
- ca3c0851c7451fc34dc37c2c53e2f70a
SHA-256
- 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
- 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
- ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
- af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
- a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
- ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
- e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
- 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
- ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
- ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
- cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
- 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
- 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7
Source IP
- 58[.]221[.]158[.]90
- 61[.]186[.]243[.]2
URL
- http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
- http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
- http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not click on URLs attached in untrusted emails.
- Maintain a backup for all files.
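The first remediation item, blocking the indicators at their respective controls, presupposes that the defanged values above are turned back into comparable form and checked against local telemetry. The following script is an added example written for this alert, not code from Rewterz or from the threat actor: it refangs the published URL and IP indicators, normalizes the SHA-256 hashes, and sweeps them over a constructed proxy log and a constructed endpoint file inventory. The log line layout (`timestamp client method url status`) and the file paths are assumptions made for the example; only the indicators themselves come from the advisory.

```python
"""Match the published 5ss5c indicators against local telemetry.

Added example for this advisory. The proxy log lines and the file inventory
below are constructed test data, not observations from a real incident.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators from the advisory, kept in their published (defanged) form.
DEFANGED_IPS = ["58[.]221[.]158[.]90", "61[.]186[.]243[.]2"]
DEFANGED_URLS = [
    "http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat",
    "http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt",
    "http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat",
]
SHA256_HASHES = [
    "47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95",
    "8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300",
    "ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41",
]


def refang(indicator: str) -> str:
    """Undo the bracket defanging ("[.]" and "[:]") used in the advisory."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def build_iocs() -> Dict[str, Set[str]]:
    """Return refanged indicator sets keyed by type, ready for comparison."""
    return {
        "ip": {refang(i) for i in DEFANGED_IPS},
        "url": {refang(u) for u in DEFANGED_URLS},
        "sha256": {h.lower() for h in SHA256_HASHES},
    }


# Constructed proxy log lines (assumed layout): "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = [
    "2020-02-20T09:58:01Z 10.0.0.15 GET http://intranet.example.local/index.html 200",
    "2020-02-20T09:59:43Z 10.0.0.22 GET http://58.221.158.90:88/car/down.txt 200",
    "2020-02-20T10:00:07Z 10.0.0.22 GET http://58.221.158.90:88/car/c.dat 200",
    "2020-02-20T10:02:51Z 10.0.0.31 POST http://61.186.243.2/ 404",
    "2020-02-20T10:05:12Z 10.0.0.40 GET http://www.example.com/ 200",
]

# Constructed endpoint file inventory (assumed paths): (path, sha256).
FILE_INVENTORY = [
    ("C:\\Users\\Public\\notes.txt", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("C:\\Windows\\Temp\\c.dat", "8E348105CDE49CAD8BFBE0ACCA0DA67990289E108799C88805023888EAD74300"),
]

# Extracts the host portion of a URL (scheme://host[:port]/...).
_URL_HOST = re.compile(r"^[a-z]+://([^/:]+)")


def scan_proxy_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, ioc_type, indicator) for each line hitting a URL or IP indicator.

    An exact URL match is reported as type "url"; otherwise the URL's host is
    compared against the IP list so that a new path on a known host still alerts.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the sweep
        client, url = fields[1], fields[3]
        if url in iocs["url"]:
            hits.append((n, client, "url", url))
            continue
        m = _URL_HOST.match(url)
        if m and m.group(1) in iocs["ip"]:
            hits.append((n, client, "ip", m.group(1)))
    return hits


def scan_file_hashes(inventory: List[Tuple[str, str]], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (path, sha256) for files whose hash matches the advisory, case-insensitively."""
    return [(path, h.lower()) for path, h in inventory if h.lower() in iocs["sha256"]]


if __name__ == "__main__":
    iocs = build_iocs()
    for hit in scan_proxy_log(PROXY_LOG, iocs):
        print("proxy hit:", hit)
    for hit in scan_file_hashes(FILE_INVENTORY, iocs):
        print("file hit:", hit)
```

Hash comparison is lowercased on both sides because EDR and inventory tools disagree on case, and the host-level fallback catches the fourth sample line even though its path is not in the published URL list.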