Rapture, a Ransomware Family With Similarities to Paradise

Hashes

| SHA256 | SHA1 | Detection Name | Notes |
|---|---|---|---|
| c417a89cdc86ea6d674d2dc629ae1872b4054ac43e948e8ed60d3f3f47178598 | 76beb70b06cfe714c4fa250b6b2d1e5025fe3c50 | Trojan.PS1.COBEACON.YEDDDT | Downloader PowerShell script from the first-stage attack |
| a6cd727a18e5e2a80fbd8a51c299a2030bd5e68e4bbf136e07eb9d0b3f3bb8ce | 30d49ced95cb9a0fb6526b30131501b28cbbc388 | Backdoor.Win64.COBEACON.YEDDDT | Cobalt Strike beacon downloader |
| 619614cda94a4b6b185c0c122d11ef2b8b0b3e7fc94a1a5c2ff1ac49233df54b | 24e7848dab0b82b200781630e617d6ed7e6016e7 | Backdoor.Win64.COBEACON.YEDDDT | Cobalt Strike beacon downloader |
| 4222681314f5ffd69fe17ab2ae4b9aaa60866571fe2b53afc10f87e3738cedda | f2e6853050f76517a9a7d472f3a994d0ae8411cf | N/A | Response from the beacon downloader containing the encrypted Cobalt Strike beacon |
| b44b4e162de1decc9a5d3c61a045eb4776c55fccd33c9eced5b9f622faee19fa | 5e6d77960065df450e0533f9a8409c7463292243 | N/A | Decrypted Cobalt Strike beacon (no PE header) |
| 367e13f234a46822aa9655690f18000319123ad07a62e56bcf8bebbfbb0de7b9 | 688d67eb4ff993963c86297ab8345962334ead27 | N/A | Sample response from the Cobalt Strike beacon to backdoor commands |
| 99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba | bdb3fa0c50db18f7ada02b2060b4c5110016e859 | Trojan.MSIL.SHELLLOADR.YEDDDT | Shellcode loader from victim; loads the ransomware payload |
| N/A | 843f3ad221a9da48d82df672bd8806cc090430b5 | N/A | Ransomware payload |
| d793aaaba1b4b34a20432b86505b851d838def0cd722b8cbdd1d08e19a08b6ee | 9a14a69eb279513cde2de0be538cc8d275fd34e9 | Ransom.Win32.RAPTURE.YEDDDT | Ransomware payload |

URL and C&C servers

| URL/IP Address | Notes |
|---|---|
| 195.123.234.101 | Primary C&C server |
| 172.82.86.148 | Primary C&C server |

Others

| Cobalt Strike Configuration Data | Notes |
|---|---|
| Watermark 391144938 | Watermark from the related Cobalt Strike beacon. |
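The watermark and C&C addresses above are only useful if you can pull them out of a beacon you have in hand. The following is an added example, not code from the Trend Micro write-up: a Python script that locates the single-byte-XOR-encoded beacon configuration inside a blob (a decrypted beacon, a process dump), walks its TLV entries, and compares the watermark (config index 37) and the C2 host (index 8) against the IOCs listed here. The XOR keys (0x2e for Cobalt Strike 4.x, 0x69 for 3.x), the `00 01 00 01 00 02` prefix that marks the start of a config, and the field indices are taken from public Cobalt Strike config parsers, not from this page. The beacon bytes are constructed in `build_sample_beacon()` for the demonstration, and the C2 URI in it is a placeholder.

```python
import struct

# IOCs from the tables above.
IOC_WATERMARK = 391144938
IOC_C2_HOSTS = {"195.123.234.101", "172.82.86.148"}

# Single-byte XOR keys used to obfuscate the embedded config (4.x, then 3.x).
XOR_KEYS = (0x2E, 0x69)
# Every config starts with entry index 1 (BeaconType), type 1 (short), length 2;
# we search for that header after XOR-encoding it with each candidate key.
CONFIG_PREFIX = b"\x00\x01\x00\x01\x00\x02"

IDX_C2SERVER = 8    # type 3 (data): "host,/uri" padded to 256 bytes
IDX_WATERMARK = 37  # type 2 (int)


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (offset, key) of the XOR-encoded config, or None if absent."""
    for key in XOR_KEYS:
        off = blob.find(xor(CONFIG_PREFIX, key))
        if off != -1:
            return off, key
    return None


def parse_config(decoded: bytes) -> dict:
    """Walk big-endian TLV entries (index, type, length, value) until index 0."""
    entries = {}
    pos = 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        if idx == 0:          # zero padding after the last entry
            break
        pos += 6
        raw = decoded[pos:pos + length]
        if len(raw) < length:  # truncated blob
            break
        if typ == 1 and length == 2:
            entries[idx] = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            entries[idx] = struct.unpack(">I", raw)[0]
        else:
            entries[idx] = raw
        pos += length
    return entries


def extract_iocs(blob: bytes):
    """Decode the config and report whether it matches the watermark/C2 IOCs."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    cfg = parse_config(xor(blob[off:], key))
    watermark = cfg.get(IDX_WATERMARK)
    c2 = cfg.get(IDX_C2SERVER, b"").split(b"\x00", 1)[0].decode("latin-1")
    host = c2.split(",", 1)[0]
    return {
        "key": key,
        "watermark": watermark,
        "c2_host": host,
        "watermark_match": watermark == IOC_WATERMARK,
        "c2_match": host in IOC_C2_HOSTS,
    }


def _entry(idx: int, typ: int, value) -> bytes:
    if typ == 1:
        return struct.pack(">HHH", idx, 1, 2) + struct.pack(">H", value)
    if typ == 2:
        return struct.pack(">HHH", idx, 2, 4) + struct.pack(">I", value)
    return struct.pack(">HHH", idx, 3, len(value)) + value


def build_sample_beacon() -> bytes:
    """Constructed stand-in for a beacon image: filler, then a 4.x-style config.

    The config values are assumed for the demo; only the watermark and the C2
    host come from the IOC tables, and the URI is a placeholder.
    """
    c2 = b"195.123.234.101,/placeholder".ljust(256, b"\x00")
    cfg = (_entry(1, 1, 8)                     # BeaconType 8 = HTTPS
           + _entry(2, 1, 443)                 # port
           + _entry(3, 2, 60000)               # sleep time in ms
           + _entry(IDX_C2SERVER, 3, c2)
           + _entry(IDX_WATERMARK, 2, IOC_WATERMARK))
    cfg += b"\x00" * 16                        # terminator / padding
    return b"\x41" * 64 + xor(cfg, 0x2E) + b"\x00" * 32


if __name__ == "__main__":
    print(extract_iocs(build_sample_beacon()))
```

Run it against a real decrypted beacon or a memory dump by reading the file into `blob` and calling `extract_iocs(blob)`; a `None` result means no config prefix was found with either key, which is what you should expect from the still-encrypted download response listed above, as opposed to the decrypted beacon.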