Deep Analysis - FunkSec Ransomware (Rust) | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c |
| Size | 5,484,032 bytes (PE32+ console x86-64, 5 sections) |
| Entropy | 6.239 (normal for a Rust binary) |
| Language | Rust (tokio-1.42.0, orion-0.17.7, bytes-1.9.0) |
| Developer | C:\Users\Abdellah (PDB: dev.pdb) |
Ransom Note
FUNKSEC: the ransom note is stored unencrypted inside the binary!
```text
Your organization, device has been successfully infiltrated by funksec ransomware!
your files encrypted by funksec ransomware, becarfull to play or try dercrypt the files.
No anti-virus will restore it; this is an advanced ransomware.
your data will be leaked if you dont pay ransom

Ransom Details:
- Decryptor exe fee: 0.1 BTC
- Bitcoin wallet: bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq
- Install session from: https://getsession.org/
- download tor : https://www.torproject.org/
```
Tor C2 Addresses
| Item | Value |
|---|---|
| Onion #1 | ex53k6m2x3esjwlxrkb3qiztid.onion |
| Onion #2 | fa5irwalw2kjem6tvofji7rwid.onion |
| Onion #3 | uwkaupik4yrlgtycew3ergraid.onion |
| Domain | self.su (Soviet TLD) |
ChaCha20-Poly1305 Encryption
Artifacts recovered from the binary that point to the cipher, key source and network stack:
- `orion-0.17.7/hazardous/stream/chacha20.rs`
- `orion-0.17.7/hazardous/aead/chacha20poly1305.rs`
- `expand 32-byte k` (ChaCha20 constant)
- `bcryptprimitives.dll` `ProcessPrng` (key generation)
- tokio-1.42.0 (async TCP networking)
AV Kill + VM Detection
Command strings and VM-check strings embedded in the sample:
- `Set-MpPreference -DisableRealtimeMonitoring $true`
- `WinDefend sc stop`
- `taskkill /F /IM chrome.exe firefox.exe outlook.exe...`
- `wevtutil sl Security /e:false` (clears the Security event log)
- `VM detected, aborting -- vboxservice qemu hypervv vmware`
IOC
| Indicator | Value |
|---|---|
| SHA256 | 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c |
| BTC Wallet | bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq (0.1 BTC) |
| C2 Onion #1 | ex53k6m2x3esjwlxrkb3qiztid.onion |
| C2 Onion #2 | fa5irwalw2kjem6tvofji7rwid.onion |
| C2 Onion #3 | uwkaupik4yrlgtycew3ergraid.onion |
| Domain | self.su |
| Developer | C:\Users\Abdellah |
FunkSecRansomware — Malware Profile
FunkSec Rust ransomware. XChaCha20-Poly1305 AEAD encryption via orion crate. Developer C:\Users\Abdellah. 3 Tor .onion C2 + self.su. 0.1 BTC ransom. Kills WinDefend, clears event logs, detects VMs.
| Field | Value |
|---|---|
| Malware Type | Ransomware |
| Programming Language | Rust |
| C2 Protocol | Tor/HTTP |
| Target Systems | Global/Enterprise |
Capabilities & Behavior
- File Encryption (AES/RSA)
- Shadow Copy Deletion
- Backup Removal
- Ransom Note Creation
- Persistence
- Network Share Encryption
- Anti-Analysis Techniques
- Double Extortion (Data Leak)
IOC List (6 indicators)
IOC — FunkSecRansomware
| Type | Value | Note |
|---|---|---|
| btc | bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq | |
| sha256 | 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c | |
| domain | ex53k6m2x3esjwlxrkb3qiztid.onion | |
| domain | fa5irwalw2kjem6tvofji7rwid.onion | |
| domain | uwkaupik4yrlgtycew3ergraid.onion | |
| domain | self.su | |
C2 Servers (4 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| ex53k6m2x3esjwlxrkb3qiztid.onion | domain | 80 | custom | inactive | — |
| fa5irwalw2kjem6tvofji7rwid.onion | domain | 80 | custom | inactive | — |
| uwkaupik4yrlgtycew3ergraid.onion | domain | 80 | custom | inactive | — |
| self.su | domain | 80 | HTTP | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.