Deep Analysis - FunkSec Ransomware (Rust) | Threat: CRITICAL

File Identity

SHA256:    00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c
Size:      5,484,032 bytes (PE32+ console x86-64, 5 sections)
Entropy:   6.239 (normal for a Rust binary)
Language:  Rust (tokio-1.42.0, orion-0.17.7, bytes-1.9.0)
Developer: C:\Users\Abdellah (PDB: dev.pdb)

Ransom Note

FUNKSEC: unencrypted ransom note embedded in the binary (quoted verbatim, including its typos):

Your organization, device has been successfully infiltrated by funksec ransomware!
your files encrypted by funksec ransomware, becarfull to play or try dercrypt the files.
No anti-virus will restore it; this is an advanced ransomware.
your data will be leaked if you dont pay ransom

Ransom Details:
- Decryptor exe fee: 0.1 BTC
- Bitcoin wallet: bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq
- Install session from: https://getsession.org/
- download tor : https://www.torproject.org/

Tor C2 Addresses

Onion #1: ex53k6m2x3esjwlxrkb3qiztid.onion
Onion #2: fa5irwalw2kjem6tvofji7rwid.onion
Onion #3: uwkaupik4yrlgtycew3ergraid.onion
Domain:   self.su (Soviet TLD)

ChaCha20-Poly1305 Encryption

Strings recovered from the binary that identify the crypto and networking stack:

orion-0.17.7/hazardous/stream/chacha20.rs
orion-0.17.7/hazardous/aead/chacha20poly1305.rs
expand 32-byte k (ChaCha20 constant)
bcryptprimitives.dll ProcessPrng (key generation)
tokio-1.42.0 async TCP network

AV Kill + VM Detection

Commands and strings recovered from the binary:

Set-MpPreference -DisableRealtimeMonitoring $true
WinDefend sc stop
taskkill /F /IM chrome.exe firefox.exe outlook.exe...
wevtutil sl Security /e:false (clear event log)
"VM detected, aborting" -- vboxservice qemu hypervv vmware
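As an added, defender-side example (not part of this report), the commands listed above turned into detection rules and run over constructed process-creation log lines; a parent process that chains several of them is escalated, since a lone admin command should not page anyone. The log line format, PIDs and rule names are assumptions.

```python
import re

# Constructed process-creation events (Sysmon EID 1 / 4688 style, one per line);
# NOT telemetry from the FunkSec sample itself.
SAMPLE_EVENTS = [
    'pid=4131 ppid=4120 cmdline="powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"',
    'pid=4135 ppid=4120 cmdline="sc stop WinDefend"',
    'pid=4140 ppid=4120 cmdline="taskkill /F /IM chrome.exe /IM firefox.exe /IM outlook.exe"',
    'pid=4142 ppid=4120 cmdline="wevtutil sl Security /e:false"',
    'pid=4150 ppid=600 cmdline="svchost.exe -k netsvcs"',
    'pid=4160 ppid=700 cmdline="taskkill /F /IM notepad.exe"',
]

# Patterns derived from the commands listed in the AV Kill section above.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("windefend_service_stop", re.compile(r"\bsc(?:\.exe)?\s+stop\s+WinDefend\b", re.I)),
    ("security_eventlog_disabled",
     re.compile(r"\bwevtutil(?:\.exe)?\s+sl\s+Security\b.*/e:false", re.I)),
    # taskkill /F with two or more /IM targets: the mass kill of user apps
    # (browsers, Outlook) that precedes encryption, not a single-process kill.
    ("mass_taskkill_user_apps",
     re.compile(r"\btaskkill(?:\.exe)?\b.*/F\b(?:.*/IM\s+\S+){2,}", re.I)),
]

FIELD_RE = re.compile(r'pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmdline="(?P<cmd>[^"]*)"')


def detect_defense_evasion(events):
    """Return (rule_name, pid, ppid) for every event whose command line matches a rule."""
    hits = []
    for line in events:
        m = FIELD_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        for name, pattern in RULES:
            if pattern.search(m.group("cmd")):
                hits.append((name, int(m.group("pid")), int(m.group("ppid"))))
    return hits


def suspicious_parents(events, threshold=3):
    """Parent PIDs that spawned at least `threshold` distinct evasion rules:
    one process chaining Defender kill, log disable and taskkill is the ransomware pattern."""
    rules_per_parent = {}
    for name, _pid, ppid in detect_defense_evasion(events):
        rules_per_parent.setdefault(ppid, set()).add(name)
    return sorted(p for p, names in rules_per_parent.items() if len(names) >= threshold)
```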

IOC

SHA256:      00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c
BTC Wallet:  bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq (0.1 BTC)
C2 Onion #1: ex53k6m2x3esjwlxrkb3qiztid.onion
C2 Onion #2: fa5irwalw2kjem6tvofji7rwid.onion
C2 Onion #3: uwkaupik4yrlgtycew3ergraid.onion
Domain:      self.su
Developer:   C:\Users\Abdellah

FunkSecRansomware — Malware Profile

FunkSec Rust ransomware. XChaCha20-Poly1305 AEAD encryption via orion crate. Developer C:\Users\Abdellah. 3 Tor .onion C2 + self.su. 0.1 BTC ransom. Kills WinDefend, clears event logs, detects VMs.

Malware Type:         Ransomware
Programming Language: Rust
C2 Protocol:          Tor/HTTP
Target Systems:       Global/Enterprise

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (6 indicators)

IOC — FunkSecRansomware
Type        Value                                                              Note
btc-wallet  bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq
sha256      00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c
domain      ex53k6m2x3esjwlxrkb3qiztid.onion
domain      fa5irwalw2kjem6tvofji7rwid.onion
domain      uwkaupik4yrlgtycew3ergraid.onion
domain      self.su

C2 Servers (4 recorded servers for this family)

Address                           Type    Port  Protocol  Status    Country
ex53k6m2x3esjwlxrkb3qiztid.onion  domain  80    custom    inactive  —
fa5irwalw2kjem6tvofji7rwid.onion  domain  80    custom    inactive  —
uwkaupik4yrlgtycew3ergraid.onion  domain  80    custom    inactive  —
self.su                           domain  80    HTTP      inactive  —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
funksec-ransomware, rust-ransomware, xchacha20-poly1305-encryption, orion-rust-crypto, tor-hidden-service-c2, self-su-domain, btc-wallet-bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq, developer-abdellah-pdb, windefend-kill, event-log-clear, vm-detection-abort