Deep Analysis - Russian Delphi Ransomware | Threat: CRITICAL

File Identity

SHA256: 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
File extension: .Ransomware (MalwareBazaar tag)
Size: 379,392 bytes (PE32 GUI x86, Delphi)
Entropy: 7.104 (packed)
Timestamp: TOO OLD (pre-2000) = timestamp manipulation

Plaintext Russian C2 Addresses

C2 IOC: unencrypted Russian C2 URLs found!

http://shopping-na-divane.ru/system/logs/tool/inst.php
http://shoptorgvlg.ru/system/logs/tool/inst.php

-- shopping-na-divane.ru: Russian for "shopping on the couch" = social-engineering camouflage
-- shoptorgvlg.ru: "shop" + "torg" (Russian for trade) + VLG (Volgograd?)
-- /system/logs/tool/inst.php: classic infostealer/ransomware C2 path
-- inst.php: "install" = installation registration or payload delivery point
-- ||| + repeating numbers: identifier field separator (bot ID format)

Developer Email IOC

Johnmen.24@aol.com

-- Developer or operator email address: Johnmen.24 (AOL mail)
-- ".24" = birth year 2024 or 1924? Probably 2024 = young developer
-- AOL: historical/legacy email provider (for anonymity?)

{ENCRYPTSTART} / {ENCRYPTENDED}: Encryption Markers

{ENCRYPTSTART}
}{ENCRYPTENDED}
{ENCRYPTENDED}

-- File encryption start/end markers
-- RSA: FGIntRSA = Delphi RSA library (key encryption)
-- InternetOpenUrlA + InternetOpenA: HTTP C2 connection
-- ShellExecuteA / ShellExecuteExA: payload execution

IOC

SHA256: 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
C2 #1: http://shopping-na-divane.ru/system/logs/tool/inst.php
C2 #2: http://shoptorgvlg.ru/system/logs/tool/inst.php
Email IOC: Johnmen.24@aol.com
Encryption: {ENCRYPTSTART}/{ENCRYPTENDED} + FGIntRSA (RSA)

RussianDelphiRansomware — Malware Profile

Delphi-compiled ransomware targeting Russian-speaking cybercrime. C2: shopping-na-divane.ru and shoptorgvlg.ru (/system/logs/tool/inst.php). Developer/operator email: Johnmen.24@aol.com. Uses FGIntRSA (Delphi RSA library) for key encryption. File encryption markers: {ENCRYPTSTART}/{ENCRYPTENDED}. Pre-2000 timestamp manipulation.

Malware Type
Ransomware
Programming Language
Delphi
C2 Protocol
HTTP
Target Systems
Global

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (6 indicators)

IOC — RussianDelphiRansomware
Type     Value
sha256   0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
domain   shopping-na-divane.ru
domain   shoptorgvlg.ru
email    Johnmen.24@aol.com
url      http://shopping-na-divane.ru/system/logs/tool/inst.php
url      http://shoptorgvlg.ru/system/logs/tool/inst.php
Tags
russian-delphi-ransomware, shopping-na-divane-ru-c2-russian-domain, shoptorgvlg-ru-c2-volgograd-russia, inst-php-c2-endpoint, johnmen-24-aol-com-developer-email-ioc, fgintRSA-delphi-RSA-library, encryptstart-encryptended-file-encryption-markers, delphi-ransomware-code-data-bss-sections, pre2000-timestamp-manipulation, internetopenurlA-c2-communication