
  • Distribution Method : Unknown

  • MD5 : ba32e4efcf7daee7d8adaa2e62ee013b

  • Major Detection Name : Gen:Variant.Ransom.Ouroboros.29 (BitDefender), a variant of Win32/Filecoder.Teslarvng.A (ESET)

  • Encrypted File Pattern : <Original Filename>.<Original Extension> → .[helper571@protonmail.com].teslarvng

  • Malicious File Creation Location :
     - C:\ProgramData\Adobe
     - C:\ProgramData\Adobe\Extension Manager CC
     - C:\ProgramData\Adobe\Extension Manager CC\Logs
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\<Drive Letter>.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\fails.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\How To Recover.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\teslarvngID
     - C:\ProgramData\datakeys
     - C:\ProgramData\datakeys\hds
     - C:\ProgramData\datakeys\How To Recover.txt
     - C:\ProgramData\datakeys\pos.txt
     - C:\ProgramData\datakeys\tempkey.teslarvngkeys
     - C:\ProgramData\datakeys\teslarvngID
     - C:\teslarvng
     - C:\teslarvng\How To Recover.txt
     - C:\teslarvng\tempkey.teslarvngkeys
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Recover.txt
     - C:\HELP.txt

  • Payment Instruction File : HELP.txt / How To Recover.txt

  • Major Characteristics :
     - Offline encryption
     - Deletes the defragsrv service
     - Disables system restore by deleting volume shadow copies and the backup catalog (vssadmin.exe Delete Shadows /All /Quiet, wbadmin.exe delete catalog -quiet, WMIC.exe shadowcopy delete)
     - Runs Sysinternals SDelete to wipe free disk space, so that deleted original files cannot be recovered with file-recovery tools ("%Temp%\sdelete.exe" -nobanner -z<Drive Letter>:)
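The recovery-inhibition commands and the encrypted-file naming pattern listed above are the parts of this profile a defender can turn into detection logic. The following is an added example, not AppCheck's own code: it runs simple rules over constructed Sysmon-style process-creation events (the event dicts, rule names and function names are assumptions for illustration) and splits a filename that matches the page's `.[<email>].teslarvng` pattern back into the original name and the contact address.

```python
import re

# Constructed Sysmon-style process-creation events (not from the page). The first
# four mirror the commands listed under "Major Characteristics"; the last is a
# benign enumeration that must NOT fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe shadowcopy delete"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\sdelete.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\sdelete.exe" -nobanner -zC:'},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Each rule is (name, pattern); patterns are applied to the lowercased command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("backup_catalog_deletion", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog")),
    ("wmi_shadow_copy_deletion", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    # SDelete with -z (zero free space) or -c (clean free space): either wipes
    # unallocated space so deleted originals cannot be carved back. Accepts the
    # drive letter attached (-zC:) or separated (-z C:).
    ("free_space_wipe", re.compile(r'sdelete(?:\.exe)?"?\s+.*-[zc](?:\s|[a-z]:|$)')),
]

def classify_event(event):
    """Return the names of all rules the event's command line matches."""
    cmd = event["cmdline"].lower()
    return [name for name, pat in RULES if pat.search(cmd)]

def triage(events):
    """Map each suspicious command line to the rule names it triggered."""
    result = {}
    for event in events:
        hits = classify_event(event)
        if hits:
            result[event["cmdline"]] = hits
    return result

# Encrypted-file naming from the page: <name>.<ext>.[<contact email>].teslarvng
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.\[(?P<contact>[^\]]+@[^\]]+)\]\.teslarvng$", re.I)

def parse_encrypted_name(filename):
    """Return {'original': ..., 'contact': ...} for a matching name, else None."""
    m = ENCRYPTED_NAME.match(filename)
    return {"original": m.group("stem"), "contact": m.group("contact")} if m else None

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(hits, cmd)
```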
