Deep Analysis - LAN AES Delphi Ransomware | Threat: HIGH

File Identity

SHA256: 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
Size: 535,040 bytes, PE32+ x86-64, Delphi, 11 sections, TLS found
Language: Delphi (System.SysUtils, SimpleStringList, Tobjects_map)

Capabilities

LAN ENCRYPTION: capable of encrypting shares on the local network!
folder_reserved_by_lan_encryptor   <- network share encryption
folder_reserved_by_local_encryptor <- local encryption
All wiper threads is finished, but network scan still in progress
  => Network scan: targets on the network are located and encrypted

Encryption Modes

AES-ECB mode: EncryptECB / DecryptECB
AES-CTR mode: cmCTR AEScipher
AESFixed     <- fixed-key mode

File extensions:
  e.-encrypted  f.-encrypted  fast encrypted
  -ENCRYPTED    .-encrypted

Ransom note: how_to_decrypt.txt

Command-Line Options

/stealth      <- the encryption process runs in hidden mode
/p [password] <- password for the encryption key (required together with /stealth)
/wipeonly     <- wipe files instead of encrypting them (full destruction mode!)

CMDListProcessor <- command list processor
cmd_list         <- command sequence
SelfTests        <- built-in self-test system (professional software quality)

Technical Details

File already encrypted in stealth mode. Try to rename file.
WARNING: Can't create or open TXT file.
WARNING: Can't increase file size. Skip file.
HINT: how_to_decrypt.txt file, NTUSER.DAT file, wipe file...

WSAStartup socket  <- network socket access (used for the LAN scan)
Ability to use sockets test (WSAStartup) -
TMonitor.PW        <- Delphi class monitor object
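The embedded strings quoted above (encryptor markers, status messages, command-line switches, the ransom note name) are the kind of static indicators a defender turns into a file scan. The following is an added example, not code from the KEYDAL profile or from the sample itself: it searches a byte buffer for the profile's strings in both ANSI and UTF-16LE form (Delphi binaries store strings either way), scores the hits, and flags file names carrying the encrypted-file suffixes listed in the profile. The score thresholds and the sample buffer are constructed for the demonstration.

```python
"""Static indicator scan built from the strings quoted in this profile.

Added example. Indicator strings are those listed on the page; the score
thresholds and SAMPLE_BUFFER are constructed for the demo only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Strings quoted in the profile (markers, messages, CLI switches, ransom note).
INDICATORS = {
    "lan_encryptor_marker": b"folder_reserved_by_lan_encryptor",
    "local_encryptor_marker": b"folder_reserved_by_local_encryptor",
    "wiper_status_message": b"All wiper threads is finished, but network scan still in progress",
    "stealth_rename_message": b"File already encrypted in stealth mode. Try to rename file.",
    "aes_ecb_routine": b"EncryptECB",
    "ransom_note_name": b"how_to_decrypt.txt",
    "stealth_switch": b"/stealth",
    "wipeonly_switch": b"/wipeonly",
    "command_queue": b"CMDListProcessor",
}

# Suffixes the profile attributes to encrypted files.
ENCRYPTED_SUFFIXES = (".-encrypted", "-ENCRYPTED")


def encodings_of(needle: bytes) -> list[bytes]:
    """Delphi keeps strings as ANSI or UTF-16LE; search both forms."""
    return [needle, needle.decode("ascii").encode("utf-16-le")]


@dataclass
class ScanResult:
    matched: dict[str, int] = field(default_factory=dict)  # name -> first offset

    @property
    def score(self) -> int:
        return len(self.matched)

    @property
    def verdict(self) -> str:
        # Thresholds are a choice for this example, not values from the profile.
        if self.score >= 3:
            return "likely-match"
        if self.score >= 1:
            return "suspicious"
        return "clean"


def scan_buffer(data: bytes) -> ScanResult:
    """Record the first offset of every indicator found in either encoding."""
    result = ScanResult()
    for name, needle in INDICATORS.items():
        for form in encodings_of(needle):
            off = data.find(form)
            if off != -1:
                result.matched[name] = off
                break
    return result


def is_encrypted_filename(name: str) -> bool:
    """True if a file name ends in one of the suffixes the profile lists."""
    return name.endswith(ENCRYPTED_SUFFIXES)


# Constructed sample: padding plus two ANSI strings and one UTF-16LE string.
SAMPLE_BUFFER = (
    b"\x00" * 64
    + b"folder_reserved_by_lan_encryptor\x00"
    + "how_to_decrypt.txt".encode("utf-16-le")
    + b"\x00" * 16
    + b"/wipeonly\x00"
)

if __name__ == "__main__":
    r = scan_buffer(SAMPLE_BUFFER)
    print(r.verdict, sorted(r.matched))
    for fname in ("report.docx.-encrypted", "budget.xlsx", "photo.jpg-ENCRYPTED"):
        print(fname, is_encrypted_filename(fname))
```

Searching the UTF-16LE form matters in practice: the ransom note name in the sample buffer is only present as wide characters, and an ANSI-only search would miss it and under-score the file.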

IOC

SHA256: 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
Language: Delphi PE32+ x64, 11 sections, TLS
Encryption: AES-ECB + AES-CTR
Extensions: .-encrypted, -ENCRYPTED, fast encrypted
Ransom note: how_to_decrypt.txt
LAN: folder_reserved_by_lan_encryptor (network scan)

LANRansomware — Malware Profile

Unattributed Delphi-based LAN ransomware. Encrypts with AES in ECB and CTR modes and can scan and encrypt local network shares. Supports the /stealth and /wipeonly command-line options. Drops a how_to_decrypt.txt ransom note. 11-section PE32+ with TLS.

Malware Type: Ransomware
Programming Language: Delphi
C2 Protocol: TCP/HTTPS
Target Systems: Global

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — LANRansomware
# SHA256 48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96
Type    Value                                                             Note
sha256  48877a3a4c72c1daf3a80e3c034b56a04cec7ce3856887fed73e645e53c76b96  —

C2 Servers (1 recorded servers for this family)

Address      Type    Port  Protocol  Status    Country
tmonitor.pw  domain  443   HTTPS     inactive  —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
delphi-lan-ransomware-network-spreader
folder-reserved-lan-encryptor-network-share
aes-ecb-ctr-mode-encryption
dot-encrypted-extension-file-rename
how-to-decrypt-txt-ransom-note
stealth-mode-hidden-encryption
wipeonly-flag-file-destruction
wsastartup-lan-network-scan
cmdlistprocessor-command-queue
selftests-professional-ransomware
11-sections-tls-anti-analysis
delphi-system-sysutils-tobjects-map