{ "Event": { "analysis": "2", "date": "2017-07-17", "extends_uuid": "", "info": "OSINT - Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts", "publish_timestamp": "1503930287", "published": true, "threat_level_id": "3", "timestamp": "1503930256", "uuid": "59a3c405-c348-4f7f-be23-4689950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "link", "uuid": "59a3c412-a798-4bac-a9fb-4e78950d210f", "value": "https://www.bleepingcomputer.com/news/security/reyptson-ransomware-spams-your-friends-by-stealing-thunderbird-contacts/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "comment", "uuid": "59a3c425-96e8-4994-8678-4328950d210f", "value": "Over the weekend, Emsisoft security researcher xXToffeeXx discovered a new ransomware called Reyptson that is targeting Spanish victims. Since then, we have seen increased activity in the ransomware's developmen. Today security researcher MalwareHunterTeam took a deeper look and noticed that Reyptson conducts its own spam distribution campaign directly from a victim's configured Thunderbird email account.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "sha256", "uuid": "59a3c47e-c8fc-4e69-a23d-4032950d210f", "value": "e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41" }, { "category": "Network activity", "comment": "Network Communication", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "url", "uuid": "59a3c4ac-96dc-4757-b78e-44c2950d210f", "value": "http://www.melvinmusicals.com/facefiles/" }, { "category": "Network activity", "comment": "Network Communication", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "url", "uuid": "59a3c4ac-86e4-408d-8a01-443f950d210f", "value": "http://37z2akkbd3vqphw5.onion/?usuario=[user_id]&pass=[password]" }, { "category": "Network activity", "comment": "Network Communication", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "url", "uuid": "59a3c4ac-0c14-4663-92ab-4512950d210f", "value": "http://37z2akkbd3vqphw5.onion.link/?usuario=[user_id]&pass=[password]" }, { "category": "Persistence mechanism", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "regkey", "uuid": "59a3c4c9-c7a0-44fe-9e4b-48f4950d210f", "value": "%AppData%\\Spotify\\" }, { "category": "Persistence mechanism", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "regkey", "uuid": "59a3c4c9-367c-490f-8e63-4f95950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\" }, { "category": "Persistence mechanism", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "regkey", "uuid": "59a3c4c9-57e4-41b4-aa63-4f1c950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\dat" }, { "category": "Persistence mechanism", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "regkey", "uuid": "59a3c4c9-e1bc-44c1-b7aa-455e950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\fin" }, { "category": "Payload delivery", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "filename", "uuid": "59a3c4c9-7754-44d9-8771-4374950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\Reyptson.pdf" }, { "category": "Payload delivery", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "filename", "uuid": "59a3c4c9-3ec8-44b9-ba6c-473a950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\Spotify.vbs" }, { "category": "Payload delivery", "comment": "Files associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "filename", "uuid": "59a3c4c9-bd8c-401a-a80f-4f45950d210f", "value": "%AppData%\\Spotify\\SpotifyWebHelper\\SpotifyWebHelper.exe" }, { "category": "Persistence mechanism", "comment": "Registry Entries associated with the Reyptson Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "regkey", "uuid": "59a3c4ec-a138-4c6b-9aa9-4f6e950d210f", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify v1.0" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "sha1", "uuid": "59a4278d-37dc-4037-9f6d-8ca302de0b81", "value": "4f1ea82120a614b9162b5daf78ec760beded7108" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": true, "type": "md5", "uuid": "59a4278d-d9fc-4638-8d85-8ca302de0b81", "value": "abc1e16a88953e6dadb040479b1af27e" }, { "category": "External analysis", "comment": "- Xchecked via VT: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41", "deleted": false, "disable_correlation": false, "timestamp": "1503930253", "to_ids": false, "type": "link", "uuid": "59a4278d-5d80-4217-87ec-8ca302de0b81", "value": "https://www.virustotal.com/file/e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41/analysis/1503310178/" } ] } }