urlscan.io Public Scan: www.sangfor.com (2a04:4e42:200::645)

URL: https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/new-rcru64-ransomware-variant
Submission: On October 14 via api from IN — Scanned from US

Form analysis: 17 forms found in the DOM

 * Forms 1-6: Cookiebot consent dialog (no action attribute; handled client-side)
   Form 1 wraps a fieldset with the legend "Consent Selection" and four category checkboxes: Necessary (id CybotCookiebotDialogBodyLevelButtonNecessary, disabled and checked), Preferences, Statistics and Marketing (ids CybotCookiebotDialogBodyLevelButtonPreferences/Statistics/Marketing, each checked, tabindex 0, with a data-target pointing at its inline twin). Forms 2-5 each hold one inline twin: CybotCookiebotDialogBodyLevelButtonNecessaryInline (disabled and checked) and CybotCookiebotDialogBodyLevelButtonPreferencesInline, StatisticsInline and MarketingInline (checked). Form 6 holds the unchecked checkbox CybotCookiebotDialogBodyContentCheckboxPersonalInformation.
 * Form 7: mobile header search (class mobile__header__nav-items--search)
   action https://www.sangfor.com/search-result (no method attribute, so GET); text input name="s", id searchQueryMobile, placeholder "Search ..."; submit button.
 * Forms 8-13: six identical mobile sub-menu search forms (class mobile__header__nav--sub-menu--search)
   Empty action, one text input without a name attribute (so it contributes nothing to the submitted query string) and a submit button.
 * Form 14: desktop search (id searchform)
   GET https://www.sangfor.com/search-result, autocomplete="off"; text input name="s", id searchQuery, placeholder "Search ..."; Close button (type button, id desktop__header__navbar-secondary-search__close).
 * Form 15: secondary search with Alpine-style bindings
   GET https://www.sangfor.com//search-result (note the doubled slash in the action); text input name="s", id inputSearch, placeholder "Search Here", bound with x-model="search" and @input="validationSearch()"; a clear icon (@click="removeText") is shown while search.length > 0; submit button id btnSearch is disabled while invalidSearch === true.
 * Form 16: website-get-in-touch (id form24, class elq-form)
   POST https://s757079.t.eloqua.com/e/f2, onsubmit="return handleFormSubmit(this)".
   Hidden fields: elqFormName=website-get-in-touch; elqSiteId=757079; elqFormSubmissionToken (id elqFormSubmissionToken, value below); elqCampaignId (no value); LeadSource=Website Inquiry (id fe243); MarketingCampaign=Website Get in Touch (id fe244); pageURL (id pageURL, no value attribute).
   Visible fields: firstName (label "Name", id fe238), emailAddress (label "Email Address", id fe239, type="text"), busPhone (label "Business Phone Number", id fe240), textarea Message (label "Tell us about your project requirements", id fe241). All four labels carry a required asterisk, but none of the inputs has an HTML required attribute, so enforcement is left to handleFormSubmit or the server. Checkbox subscribe (id fe806) is pre-checked: "I want to receive updates on Sangfor's latest products and solutions. I can unsubscribe at any time."
   A row with id elq-FormLastRow is styled display:none and holds the text input address1 (id fe882) with tabindex="-1" and autocomplete="off"; it is neither shown to a user nor reachable by keyboard.
   Submit: input type="Submit" id fe242 with onclick="urlupdate()".
   elqFormSubmissionToken (JWE compact serialization: five dot-separated segments; the protected header base64url-decodes to {"alg":"A128KW","enc":"A128CBC-HS256","typ":"JWT"}):
   eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidHlwIjoiSldUIn0.hx0rKpYZp8XmvCDNtu0FcbowjfJYADkZEDTdwFCvEjNmTzW0XmGK3Q.Gl_Xzpcx9xiF1KRzf1iQwA.tS50KJw4BvI6bFPM_8TYvPVKoiaPgrBMjGMJh_FLKmUc2CeTGJFmfNrSPS_2tPRZKwxAMJ9erDyGYm8ysh2KOJLmLO2R7mmI_Lt0-n89lhF_XZWtD0lcqNsnBwV-hbSTu4x7gJmT57fX5kdItxLDhcWh-Oc13bxwZv35R9hQjkf2npEoWFWlQ0mhDNHNaPnPbWuLxFWertlP6qbEYVx1hnJloeCt8U4RAEejwTzxjwAhwat_66vxsBSPxGnrPvAUIOQXQslrVw23T9oKJXpaebcGh06iVRfBbeayJCRNYidCJelNDJnOur770_0twhqQaE48fneDyL8fkNuEcu8nhYqz5tDbnqr-Fw0HGawqPR4416ctVehcosg74F9HMfh2hs17i17frQX3jcqllcCGI3FUfwRfqTsWNtgKREzufBzXA8KB398wDuF5QrdkdCACksI0x4MtE9b80rwJnc2PzNDOlf-7k_atRc1duDl0BYuGnMyqrxiXgk-Y2eV5XFRpaiAUB-Wi2vM80oHfh21v9A.G3Jsyy6WIv4ET_sHykzPVQ
 * Form 17: website-newsletter-signup-footer (id form23, class elq-form)
   POST https://s757079.t.eloqua.com/e/f2, onsubmit="return handleFormSubmit(this)".
   Hidden fields: elqFormName=website-newsletter-signup-footer; elqSiteId=757079; elqFormSubmissionToken (id elqFormSubmissionToken, value below); elqCampaignId (no value); LeadSource=Website Inquiry (id fe236); MarketingCampaign=Eloqua Website Newsletter Sign up Footer (id fe237); pageURL (id pageURL).
   Visible field: emailAddress (label "Email Address", id fe833, type="text", placeholder "Eg. abc.xyz@sangfor.com", required asterisk but no required attribute). Same hidden elq-FormLastRow row with address1 (id fe885, tabindex="-1", autocomplete="off"). Submit button id fe235.
   elqFormSubmissionToken (same protected header as form 16):
   eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidHlwIjoiSldUIn0.tRkAMO1xDbjAPcXqm4jmqZSpfXj5IXdfnJ79-D4TAGO1V_YDHZMITg.SRgSR-NTNk1okpc56uuDhA.pYzo4c5cvFOTQXFPnfDGDtaitLqKVw55isEUAWv1lyqmqOQcmehAbdCNXNbGgRcEEhZ79zYYB9jSlTB0X2XQ-N0Znii9pAGwx7DcV5a7oEqhhMVSUKeAR9dbofiBpTkrl7jyLwUAQaGEtMoTQxsO1NJ5Yco__dGX89v1gGBycuTpyzlqFHK8hIFL7l-xemYatjnUKACY2toigBfmDuVhO7jpjJYoRug10Wp4St5zGbSflfZdyrUD_JF6ai-Za2n8UArcFOfYDNWu0GXBmBqud7E6JcgttOlVi5QMrtOwjwYZS39BWV5CUW1rbDu0PninL28a4hyCyTEH8qPrimdDDySYuHMPpIn3G6cLPqyVhK0dIC_tczZzorQ7yoYdPD4kCoBmj9qoFZ3odn9qlFX6HYlyEm-CLJfVdqxk9aJHjBYX-iTEB8F9JeukT1hRdc_I9oj0CgOUxat-5Fun1lwh5Q7XuR4UVwz9oyKE9axATtaivvcPs2eznlOH16PdKwt8_sGMjf6hope0aM1B05lRvw.h4-G3LnBtWs6KKASSUwzMA

   Both Eloqua forms reuse the element ids elqFormSubmissionToken, pageURL, formElement0 and elq-FormLastRow, so document.getElementById on any of them resolves only the first form's element.
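The two elqFormSubmissionToken values are JWE compact serializations, and the only part of them that can be read without Eloqua's wrapping key is the protected header. The following is an added example, not code from the page, from Sangfor or from Oracle Eloqua: it splits a token into its five segments, decodes the header, and checks that the wrapped-key, IV, tag and ciphertext sizes agree with what the declared alg and enc imply under RFC 7518. The two tokens are copied from the forms above; the function names and the length tables are mine.

```python
import base64
import json

# Byte lengths implied by the JOSE algorithm identifiers (RFC 7518):
# AES key wrap output is the CEK plus an 8-byte integrity block, and the
# AES-CBC-HMAC family needs a CEK of twice the AES key size, a 16-byte IV
# and an authentication tag truncated to half the HMAC output.
CEK_LEN = {"A128CBC-HS256": 32, "A192CBC-HS384": 48, "A256CBC-HS512": 64}
TAG_LEN = {"A128CBC-HS256": 16, "A192CBC-HS384": 24, "A256CBC-HS512": 32}
KEY_WRAP_ALGS = {"A128KW", "A192KW", "A256KW"}
KEY_WRAP_OVERHEAD = 8

# The two elqFormSubmissionToken values copied from forms 16 and 17 above.
# Nothing is decrypted here; the wrapping key belongs to Eloqua.
GET_IN_TOUCH_TOKEN = (
    "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidHlwIjoiSldUIn0"
    ".hx0rKpYZp8XmvCDNtu0FcbowjfJYADkZEDTdwFCvEjNmTzW0XmGK3Q"
    ".Gl_Xzpcx9xiF1KRzf1iQwA"
    ".tS50KJw4BvI6bFPM_8TYvPVKoiaPgrBMjGMJh_FLKmUc2CeTGJFmfNrSPS_2tPRZKwxAMJ9erDyGYm8ysh2KOJLmLO2R7mmI_Lt0-n89lhF_XZWtD0lcqNsnBwV-hbSTu4x7gJmT57fX5kdItxLDhcWh-Oc13bxwZv35R9hQjkf2npEoWFWlQ0mhDNHNaPnPbWuLxFWertlP6qbEYVx1hnJloeCt8U4RAEejwTzxjwAhwat_66vxsBSPxGnrPvAUIOQXQslrVw23T9oKJXpaebcGh06iVRfBbeayJCRNYidCJelNDJnOur770_0twhqQaE48fneDyL8fkNuEcu8nhYqz5tDbnqr-Fw0HGawqPR4416ctVehcosg74F9HMfh2hs17i17frQX3jcqllcCGI3FUfwRfqTsWNtgKREzufBzXA8KB398wDuF5QrdkdCACksI0x4MtE9b80rwJnc2PzNDOlf-7k_atRc1duDl0BYuGnMyqrxiXgk-Y2eV5XFRpaiAUB-Wi2vM80oHfh21v9A"
    ".G3Jsyy6WIv4ET_sHykzPVQ"
)
NEWSLETTER_TOKEN = (
    "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidHlwIjoiSldUIn0"
    ".tRkAMO1xDbjAPcXqm4jmqZSpfXj5IXdfnJ79-D4TAGO1V_YDHZMITg"
    ".SRgSR-NTNk1okpc56uuDhA"
    ".pYzo4c5cvFOTQXFPnfDGDtaitLqKVw55isEUAWv1lyqmqOQcmehAbdCNXNbGgRcEEhZ79zYYB9jSlTB0X2XQ-N0Znii9pAGwx7DcV5a7oEqhhMVSUKeAR9dbofiBpTkrl7jyLwUAQaGEtMoTQxsO1NJ5Yco__dGX89v1gGBycuTpyzlqFHK8hIFL7l-xemYatjnUKACY2toigBfmDuVhO7jpjJYoRug10Wp4St5zGbSflfZdyrUD_JF6ai-Za2n8UArcFOfYDNWu0GXBmBqud7E6JcgttOlVi5QMrtOwjwYZS39BWV5CUW1rbDu0PninL28a4hyCyTEH8qPrimdDDySYuHMPpIn3G6cLPqyVhK0dIC_tczZzorQ7yoYdPD4kCoBmj9qoFZ3odn9qlFX6HYlyEm-CLJfVdqxk9aJHjBYX-iTEB8F9JeukT1hRdc_I9oj0CgOUxat-5Fun1lwh5Q7XuR4UVwz9oyKE9axATtaivvcPs2eznlOH16PdKwt8_sGMjf6hope0aM1B05lRvw"
    ".h4-G3LnBtWs6KKASSUwzMA"
)


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding JOSE uses for every segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwe_compact(token: str) -> dict:
    """Split a JWE compact serialization into its five parts.

    Only the protected header is plaintext JSON; the other four parts are
    returned as raw bytes.
    """
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"JWE compact serialization needs 5 segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return {
        "header": header,
        "encrypted_key": b64url_decode(parts[1]),
        "iv": b64url_decode(parts[2]),
        "ciphertext": b64url_decode(parts[3]),
        "tag": b64url_decode(parts[4]),
    }


def check_jwe_structure(token: str) -> dict:
    """Report alg/enc/typ and whether the segment sizes match what they imply.

    A mismatch does not prove tampering, but a token whose sizes disagree
    with its own header deserves a closer look before anything trusts it.
    """
    jwe = parse_jwe_compact(token)
    header = jwe["header"]
    alg, enc = header.get("alg"), header.get("enc")
    lengths = {k: len(jwe[k]) for k in ("encrypted_key", "iv", "ciphertext", "tag")}
    problems = []
    if alg not in KEY_WRAP_ALGS:
        problems.append(f"alg {alg!r} is not an AES key-wrap algorithm this check understands")
    if enc not in CEK_LEN:
        problems.append(f"enc {enc!r} is not an AES-CBC-HMAC algorithm this check understands")
    else:
        expected_key = CEK_LEN[enc] + KEY_WRAP_OVERHEAD
        if alg in KEY_WRAP_ALGS and lengths["encrypted_key"] != expected_key:
            problems.append(f"encrypted key is {lengths['encrypted_key']} bytes, expected {expected_key}")
        if lengths["iv"] != 16:
            problems.append(f"IV is {lengths['iv']} bytes, AES-CBC needs 16")
        if lengths["tag"] != TAG_LEN[enc]:
            problems.append(f"tag is {lengths['tag']} bytes, {enc} needs {TAG_LEN[enc]}")
        if lengths["ciphertext"] == 0 or lengths["ciphertext"] % 16:
            problems.append(f"ciphertext is {lengths['ciphertext']} bytes, not a multiple of the AES block size")
    return {"alg": alg, "enc": enc, "typ": header.get("typ"), "lengths": lengths, "problems": problems}


if __name__ == "__main__":
    for name, token in (("website-get-in-touch", GET_IN_TOUCH_TOKEN),
                        ("website-newsletter-signup-footer", NEWSLETTER_TOKEN)):
        print(name, check_jwe_structure(token))
```

For both tokens the check comes back clean: a 40-byte wrapped key (a 32-byte CEK plus the 8-byte key-wrap block), a 16-byte IV, a 16-byte tag and a ciphertext that is a whole number of AES blocks. The check is deliberately structural; it cannot tell you what the token carries or whether the server will accept it, only whether the serialization is internally consistent with the algorithms it declares.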

Text Content



THIS WEBSITE USES COOKIES

We use cookies to improve your experience on our site and to show you relevant
advertising and content. We also use 3rd party cookies for analytical and
marketing purposes only.

 * Necessary (19)
   Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
    * Cookiebot (2)
      1.gif: Used to count the number of sessions to the website, necessary for optimizing CMP product delivery. (Max storage: Session; Type: Pixel Tracker)
      CookieConsent: Stores the user's cookie consent state for the current domain. (Max storage: 1 year; Type: HTTP Cookie)
    * Gartner (2)
      cf_clearance: Used to distinguish between humans and bots. (Max storage: 1 year; Type: HTTP Cookie)
      connect.sid: Necessary for secure log-in and the detection of any spam or abuse of the website. (Max storage: 1 day; Type: HTTP Cookie)
    * Google (3)
      Some of the data collected by this provider is for the purposes of personalization and measuring advertising effectiveness.
      test_cookie: Used to check if the user's browser supports cookies. (Max storage: 1 day; Type: HTTP Cookie)
      rc::a: Used to distinguish between humans and bots, so that the website can make valid reports on its use. (Max storage: Persistent; Type: HTML Local Storage)
      rc::c: Used to distinguish between humans and bots. (Max storage: Session; Type: HTML Local Storage)
    * LinkedIn (1)
      li_gc: Stores the user's cookie consent state for the current domain. (Max storage: 180 days; Type: HTTP Cookie)
    * Spreaker (1)
      object(#-#-##:#:#.#): Holds the user's timezone. (Max storage: Session; Type: HTML Local Storage)
    * Statista (2)
      AWSALBTG: Registers which server cluster is serving the visitor; used for load balancing. (Max storage: 7 days; Type: HTTP Cookie)
      AWSALBTGCORS: Registers which server cluster is serving the visitor; used for load balancing. (Max storage: 7 days; Type: HTTP Cookie)
    * SurveyMonkey (1)
      auth: Registers whether the user is logged in, so the website owner can make parts of the website inaccessible based on log-in status. (Max storage: Session; Type: HTTP Cookie)
    * cdn.signalfx.com (1)
      _splunk_rum_sid: Detects and logs potential errors in third-party-provided functions on the website. (Max storage: Session; Type: HTTP Cookie)
    * gartner.com, pexels.com (4)
      __cf_bm [x2]: Used to distinguish between humans and bots, so that the website can make valid reports on its use. (Max storage: 1 day; Type: HTTP Cookie)
      _cfuvid [x2]: Part of the services provided by Cloudflare, including load balancing, delivery of website content and DNS for website operators. (Max storage: Session; Type: HTTP Cookie)
    * smassets.net (1)
      ep203: Necessary for the login function on the website. (Max storage: 3 months; Type: HTTP Cookie)
    * www.sangfor.com (1)
      SSESS#: Description pending. (Max storage: 24 days; Type: HTTP Cookie)

 * Preferences (1)
   Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
    * Google (1)
      Some of the data collected by this provider is for the purposes of personalization and measuring advertising effectiveness.
      maps/gen_204: Used in context with the website's map integration; stores user interaction with the map in order to optimize its functionality. (Max storage: Session; Type: Pixel Tracker)

 * Statistics (22)
   Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
    * Gartner (7)
      dtCookie: Description pending. (Max storage: Session; Type: HTTP Cookie)
      dtPC: Description pending. (Max storage: Session; Type: HTTP Cookie)
      rxVisitor: Description pending. (Max storage: Session; Type: HTTP Cookie)
      rxvt: Sets a timestamp for when the visitor entered the website; used for analytical purposes. (Max storage: Session; Type: HTTP Cookie)
      rxvisitid: Sets a unique ID for the session, allowing the website to obtain data on visitor behaviour for statistical purposes. (Max storage: Session; Type: HTML Local Storage)
      rxVisitor: Description pending. (Max storage: Session; Type: HTML Local Storage)
      rxvt: Determines when the visitor last visited the different subpages on the website and sets a timestamp for when the session started. (Max storage: Session; Type: HTML Local Storage)
    * Google (5)
      Some of the data collected by this provider is for the purposes of personalization and measuring advertising effectiveness.
      collect: Used to send data to Google Analytics about the visitor's device and behavior; tracks the visitor across devices and marketing channels. (Max storage: Session; Type: Pixel Tracker)
      _ga: Registers a unique ID that is used to generate statistical data on how the visitor uses the website. (Max storage: 2 years; Type: HTTP Cookie)
      _ga_#: Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. (Max storage: 2 years; Type: HTTP Cookie)
      _gat: Used by Google Analytics to throttle request rate. (Max storage: 1 day; Type: HTTP Cookie)
      _gid: Registers a unique ID that is used to generate statistical data on how the visitor uses the website. (Max storage: 1 day; Type: HTTP Cookie)
    * Hotjar (5)
      hjActiveViewportIds: Contains an ID string for the current session and non-personal information on which subpages the visitor enters; used to optimize the visitor's experience. (Max storage: Persistent; Type: HTML Local Storage)
      hjViewportId: Saves the user's screen size in order to adjust the size of images on the website. (Max storage: Session; Type: HTML Local Storage)
      _hjSession_#: Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read. (Max storage: 1 day; Type: HTTP Cookie)
      _hjSessionUser_#: Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read. (Max storage: 1 year; Type: HTTP Cookie)
      _hjTLDTest: Registers statistical data on users' behaviour on the website; used for internal analytics by the website operator. (Max storage: Session; Type: HTTP Cookie)
    * New Relic (1)
      NRBA_SESSION: Collects data on the user's navigation and behavior on the website; used to compile statistical reports and heatmaps for the website owner. (Max storage: Persistent; Type: HTML Local Storage)
    * Statista (1)
      STATSESSID: Sets a unique ID for the session, allowing the website to obtain data on visitor behaviour for statistical purposes. (Max storage: 180 days; Type: HTTP Cookie)
    * SurveyMonkey (2)
      apex__sm: Gathers information on the user's interaction with the SurveyMonkey widget on the website, for statistical analysis and website optimization. (Max storage: Session; Type: HTTP Cookie)
      sm_rec: Gathers information on the user's interaction with the SurveyMonkey widget on the website, for statistical analysis and website optimization. (Max storage: Session; Type: HTTP Cookie)
    * smassets.net (1)
      ep201: Gathers information on the user's interaction with the SurveyMonkey widget on the website, for statistical analysis and website optimization. (Max storage: 1 day; Type: HTTP Cookie)

 * Marketing (54)
   Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
    * Meta Platforms, Inc. (4)
      lastExternalReferrer: Detects how the user reached the website by registering their last URL. (Max storage: Persistent; Type: HTML Local Storage)
      lastExternalReferrerTime: Detects how the user reached the website by registering their last URL. (Max storage: Persistent; Type: HTML Local Storage)
      _fbc: Used by Facebook to target advertisement based on user behavior and preferences across multiple websites; contains an encrypted ID that allows Facebook to identify the user across websites. (Max storage: 3 months; Type: HTTP Cookie)
      _fbp: Used by Facebook to deliver a series of advertisement products such as real-time bidding from third-party advertisers. (Max storage: 3 months; Type: HTTP Cookie)
    * Google (6)
      Some of the data collected by this provider is for the purposes of personalization and measuring advertising effectiveness.
      IDE: Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads, in order to measure the efficacy of an ad and present targeted ads to the user. (Max storage: 400 days; Type: HTTP Cookie)
      pagead/landing: Collects data on visitor behaviour from multiple websites in order to present more relevant advertisement; also allows the website to limit the number of times the same advertisement is shown. (Max storage: Session; Type: Pixel Tracker)
      NID: Description pending. (Max storage: 6 months; Type: HTTP Cookie)
      pagead/1p-conversion/#/: Description pending. (Max storage: Session; Type: Pixel Tracker)
      pagead/1p-user-list/#: Tracks whether the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites; used for measurement of advertisement efforts and facilitates payment of referral fees between websites. (Max storage: Session; Type: Pixel Tracker)
      _gcl_au: Used by Google AdSense for experimenting with advertisement efficiency across websites using its services. (Max storage: 3 months; Type: HTTP Cookie)
    * LinkedIn (2)
      bcookie: Used by the social networking service LinkedIn for tracking the use of embedded services. (Max storage: 1 year; Type: HTTP Cookie)
      lidc: Used by the social networking service LinkedIn for tracking the use of embedded services. (Max storage: 180 days; Type: HTTP Cookie)
    * Oracle (2)
      ELOQUA: Registers a unique ID that identifies the user's device on return visits; used for auto-populating forms and to validate whether a given contact is registered to an email group. (Max storage: 13 months; Type: HTTP Cookie)
      ELQSTATUS: Used to auto-populate forms and validate whether a given contact has subscribed to an email group; only set if the user allows tracking. (Max storage: 13 months; Type: HTTP Cookie)
    * SurveyMonkey (1)
      ep#: Saves user state across page requests when completing a web-based survey. (Max storage: 3 months; Type: HTTP Cookie)
    * YouTube (38)
      #-# [x2]: Used to track the user's interaction with embedded content. (Max storage: Session; Type: HTML Local Storage)
      iU5q-!O9@[#COOKIETABLE_ADVERTISING#]nbsp; [x2]: Registers a unique ID to keep
      statistics of what videos from YouTube the user has seen.
      Maximum Storage Duration: SessionType: HTML Local Storage
      LAST_RESULT_ENTRY_KEY [x2]Used to track user’s interaction with embedded
      content.
      Maximum Storage Duration: SessionType: HTTP Cookie
      nextId [x2]Used to track user’s interaction with embedded content.
      Maximum Storage Duration: SessionType: HTTP Cookie
      requests [x2]Used to track user’s interaction with embedded content.
      Maximum Storage Duration: SessionType: HTTP Cookie
      yt.innertube::nextId [x2]Registers a unique ID to keep statistics of what
      videos from YouTube the user has seen.
      Maximum Storage Duration: PersistentType: HTML Local Storage
      yt.innertube::requestsRegisters a unique ID to keep statistics of what
      videos from YouTube the user has seen.
      Maximum Storage Duration: PersistentType: HTML Local Storage
      ytidb::LAST_RESULT_ENTRY_KEY [x2]Used to track user’s interaction with
      embedded content.
      Maximum Storage Duration: PersistentType: HTML Local Storage
      YtIdbMeta#databases [x2]Used to track user’s interaction with embedded
      content.
      Maximum Storage Duration: PersistentType: IndexedDB
      yt-remote-cast-available [x2]Stores the user's video player preferences
      using embedded YouTube video
      Maximum Storage Duration: SessionType: HTML Local Storage
      yt-remote-cast-installed [x2]Stores the user's video player preferences
      using embedded YouTube video
      Maximum Storage Duration: SessionType: HTML Local Storage
      yt-remote-connected-devices [x2]Stores the user's video player preferences
      using embedded YouTube video
      Maximum Storage Duration: PersistentType: HTML Local Storage
      yt-remote-device-id [x2]Stores the user's video player preferences using
      embedded YouTube video
      Maximum Storage Duration: PersistentType: HTML Local Storage
      yt-remote-fast-check-period [x2]Stores the user's video player preferences
      using embedded YouTube video
      Maximum Storage Duration: SessionType: HTML Local Storage
      yt-remote-session-app [x2]Stores the user's video player preferences using
      embedded YouTube video
      Maximum Storage Duration: SessionType: HTML Local Storage
      yt-remote-session-name [x2]Stores the user's video player preferences
      using embedded YouTube video
      Maximum Storage Duration: SessionType: HTML Local Storage
      3ae6baf55cb6bPending
      Maximum Storage Duration: SessionType: HTML Local Storage
      LogsDatabaseV2:V#||LogsRequestsStoreUsed to track user’s interaction with
      embedded content.
      Maximum Storage Duration: PersistentType: IndexedDB
      remote_sidNecessary for the implementation and functionality of YouTube
      video-content on the website.
      Maximum Storage Duration: SessionType: HTTP Cookie
      ServiceWorkerLogsDatabase#SWHealthLogNecessary for the implementation and
      functionality of YouTube video-content on the website.
      Maximum Storage Duration: PersistentType: IndexedDB
      TESTCOOKIESENABLEDUsed to track user’s interaction with embedded content.
      Maximum Storage Duration: 1 dayType: HTTP Cookie
      VISITOR_INFO1_LIVETries to estimate the users' bandwidth on pages with
      integrated YouTube videos.
      Maximum Storage Duration: 180 daysType: HTTP Cookie
      YSCRegisters a unique ID to keep statistics of what videos from YouTube
      the user has seen.
      Maximum Storage Duration: SessionType: HTTP Cookie
    * www.sangfor.com
      1
      smcx_#_last_shown_atPending
      Maximum Storage Duration: SessionType: HTTP Cookie

 * Unclassified 7
   Unclassified cookies are cookies that we are in the process of classifying,
   together with the providers of individual cookies.
    * SurveyMonkey
      2
      Learn more about this provider
      CX_420997245Pending
      Maximum Storage Duration: 1 yearType: HTTP Cookie
      sm_dcPending
      Maximum Storage Duration: SessionType: HTTP Cookie
    * www.sangfor.com
      5
      _scsPending
      Maximum Storage Duration: PersistentType: HTML Local Storage
      compatibilityDataPending
      Maximum Storage Duration: PersistentType: HTML Local Storage
      fieldCheckedPending
      Maximum Storage Duration: PersistentType: HTML Local Storage
      filteredItemPending
      Maximum Storage Duration: PersistentType: HTML Local Storage
      hasScrolledPending
      Maximum Storage Duration: SessionType: HTML Local Storage

Cross-domain consent[#BULK_CONSENT_DOMAINS_COUNT#] [#BULK_CONSENT_TITLE#]
List of domains your consent applies to: [#BULK_CONSENT_DOMAINS#]
Cookie declaration last updated on 9/23/24 by Cookiebot



[#IABV2_TITLE#]

[#IABV2_BODY_INTRO#]
[#IABV2_BODY_LEGITIMATE_INTEREST_INTRO#]
[#IABV2_BODY_PREFERENCE_INTRO#]
[#IABV2_LABEL_PURPOSES#]
[#IABV2_BODY_PURPOSES_INTRO#]
[#IABV2_BODY_PURPOSES#]
[#IABV2_LABEL_FEATURES#]
[#IABV2_BODY_FEATURES_INTRO#]
[#IABV2_BODY_FEATURES#]
[#IABV2_LABEL_PARTNERS#]
[#IABV2_BODY_PARTNERS_INTRO#]
[#IABV2_BODY_PARTNERS#]


Cookies are small text files that can be used by websites to make a user's
experience more efficient.

The law states that we can store cookies on your device if they are strictly
necessary for the operation of this site. For all other types of cookies we need
your permission.

This site uses different types of cookies. Some cookies are placed by third
party services that appear on our pages.

You can at any time change or withdraw your consent from the Cookie Declaration
on our website.

Learn more about who we are, how you can contact us and how we process personal
data in our Privacy Policy.

Please state your consent ID and date when you contact us regarding your
consent.


Do not sell or share my personal information
Deny Allow selection Customize

Allow all
English (US)
● English (US)
● Chinese (中文)
● Korean (한국어)
● Spanish (Español)
● Italy (Italiano)
● Thai (ไทย)
● Indonesian (Bahasa ID)
● Turkish (Türkiye)

search
 * Cyber Security
   Back
   Cyber Security
    * Products
      Sangfor Network Secure - Next Generation Firewall
      Sangfor Omni-Command - XDR
      Sangfor Cyber Command - NDR Platform
      Sangfor Endpoint Secure
      Sangfor Internet Access Gateway (IAG)
      Sangfor Access Secure (SASE)
      
      Solutions
      Simplified Security Operations
      Anti-Ransomware
      Secure SD-WAN
      Zero Trust Guard
      Continuous Threat Detection
      Secure Internet Access
      Application Containment
      
      Services
      MDR Services
      Incident Response
      TIARA
      
      Innovations
      Competitors Research

 * Cloud & Infrastructure
   Back
   Cloud & Infrastructure
    * Products
      Sangfor HCI - Hyper Converged Infrastructure
      Cloud Platform
      Sangfor Kubernetes Engine (SKE)
      Database Management Platform (DMP)
      aDesk Virtual Desktop Infrastructure (VDI)
      aStor
      
      Solutions
      Hybrid Cloud
      Disaster Recovery Management
      Nano Cloud
      Enterprise Application Platform
      NG-CDI
      aDesk VDI Workspace Solution for Call Centers
      
      Services
      Managed Cloud Services
      
      Innovations
      Industries
      Competitors Research

 * Support
   Back
   Support
    * Service Overview
      Sangfor Care Services
      Support Cases
      Support Plans
      Hardware Issues
      Backup Equipment Service
      Sangfor Technical Account Manager (TAM) Service
      Sangfor Professional Services
      
      Service Policy
      Sangfor Privacy Policy
      Support Life Cycle Policy
      Sangfor Warranty Policy
      
      Technical Support
      Support Resources
      Sangfor Support Community
      Sangfor Beta Test Program
      Open a Support Ticket
      Sangfor Technical Documents
      Sangfor Live Chat
      Sangfor's Answer to COVID-19

 * Partners
   Back
   Partners
    * Sangfor Partner Portal
      Partner Application Form
      Training & Certification
      Partner e-Learning
      Sangfor Alliance Program

 * Resources
   Back
   Resources
    * News and Press Release
      Success Stories
      Threat Intelligence
      Events & Webinars
      Glossary
      Cyber Security
      Cloud and Infrastructure
      
      Videos
      Blog
      Cyber Security
      Cloud and Infrastructure
      
      Downloads
      Analyst & Research Reports

 * About Us
   Back
   About Us
    * Company Profile
      Awards & Achievements
      Investor Relations
      Press & Media
      Careers
      Find Job Openings
      Career in Sangfor
      
      Corporate Social Responsibility
      Contact Us
      Submit a Feedback
      Global Offices

   

 * Need support?

   

   

 * Contact Us

   


Sangfor Recommended Again in CyberRatings.org 2024 Enterprise Firewall Test⠀⠀|
DOWNLOAD THE REPORT
Need support?
Contact Us
Close

English (US)
English (US)
● Chinese (中文)
● Korean (한국어)
● Spanish (Español)
● Italy (Italiano)
● Thai (ไทย)
● Indonesian (Bahasa ID)
● Turkish (Türkiye)
 * Cyber Security
   Products
   Sangfor Network Secure - Next Generation Firewall
   Smarter AI-Powered Perimeter Defence
   Sangfor Omni-Command - XDR
   Revolutionize Your Cyber Defense with Intelligent XDR
   Sangfor Cyber Command - NDR Platform
   Smart Efficient Detection and Response
   Sangfor Endpoint Secure
   The Future of Endpoint Security
   Sangfor Internet Access Gateway (IAG)
   Secure User Internet Access Behaviour
   Sangfor Access Secure (SASE)
   Secure, Agile, and Everywhere
   Solutions
   Simplified Security Operations
   Enhancing SecOps Effectiveness & Efficiency with 'SynergAI'
   Anti-Ransomware
   Kill Ransomware in 3 Seconds
   Secure SD-WAN
   Making HQ and Branch Connectivity More Efficient and Secure
   Zero Trust Guard
   Provides secure and adaptive access to anywhere based on zero trust
   architecture
   Continuous Threat Detection
   Find Out the Root Cause and Avoid Reinfection
   Secure Internet Access
   Safeguard user internet access behavior
   Application Containment
   Take Control Back from Rogue Applications
   Services
   MDR Services
   Threat detection and response through Human / AI collaboration
   Incident Response
   Investigate security compromises
   TIARA
   Network Threats Assessments
   Innovations
   Competitors Research

 * Cloud & Infrastructure
   Products
   Sangfor HCI - Hyper Converged Infrastructure
   Fully Converge Your Data Center
   Cloud Platform
   Enterprise Cloud Computing Platform Built on Business-Centric HCI
   Sangfor Kubernetes Engine (SKE)
   Making Kubernetes Simple, Secure, and Reliable to Elevate Your Digital
   Transformation
   Database Management Platform (DMP)
   Your One-Stop Companion for Effortless and Reliable Database Management
   aDesk Virtual Desktop Infrastructure (VDI)
   Seamless Experience, Secure, and Efficient
   aStor
   Your Next Enterprise-Grade Storage Solution
   Solutions
   Hybrid Cloud
   Simplify and Secure Your Cloud Journey
   Disaster Recovery Management
   Safeguard Your Business with Disaster Recovery
   Nano Cloud
   A Simple and Exclusive Solution to Start Your Hybrid Cloud Journey
   Enterprise Application Platform
   A Tailor-Made Solution Developed to Run Enterprise Apps with Optimized
   Performance and Built-In Availability
   NG-CDI
   The Next Generation Converged Digital Infrastructure That Powers The Future
   of Your Business
   aDesk VDI Workspace Solution for Call Centers
   Enhance Your Call Center's Efficiency, Security, and Productivity
   Services
   Managed Cloud Services
   Your Exclusive Digital Infrastructure
   Innovations
   Industries
   Competitors Research

 * Support
   Service Overview
   Sangfor Care Services
   Services including hardware & software maintenance, technical support,
   troubleshooting, and more.
   Support Cases
   Read how to open a support case.
   Support Plans
   Get access to technical support, software support, and hardware maintenance.
   Hardware Issues
   Get in touch with us and we will assist you with any hardware problems you
   may be facing.
   Backup Equipment Service
   
   Sangfor Technical Account Manager (TAM) Service
   
   Sangfor Professional Services
   
   Service Policy
   Sangfor Privacy Policy
   SANGFOR will ensure that any personal data we collect about you will be held
   and processed strictly in accordance with the European GDPR.
   Support Life Cycle Policy
   View terms and conditions across our extensive product and service offerings.
   Sangfor Warranty Policy
   At Sangfor, we care about your experience with our products. View our
   policies for more details.
   Technical Support
   Support Resources
   Sangfor Support Community
   Technical support platform committed to provide quality service for Sangfor
   customers & partners.
   Sangfor Beta Test Program
   Be among the first people to get access to our new and upcoming products and
   services.
   Open a Support Ticket
   We encourage you to submit a support ticket if you have any technical issues.
   Sangfor Technical Documents
   Get access to a range of our in-depth technical documentation & manuals.
   Sangfor Live Chat
   Our dedicated customer service professionals are waiting to hear from you.
   Sangfor's Answer to COVID-19
   We help organizations to cope with the effects of the COVID-19 pandemic.
   Learn more.

 * Partners
   Sangfor Partner Portal
   Partner Application Form
   Training & Certification
   Partner e-Learning
   Sangfor Alliance Program

 * Resources
   News and Press Release
   Success Stories
   Threat Intelligence
   Events & Webinars
   Glossary
   Cyber Security
   
   Cloud and Infrastructure
   
   Videos
   Blog
   Cyber Security
   
   Cloud and Infrastructure
   
   Downloads
   Analyst & Research Reports

 * About Us
   Company Profile
   Awards & Achievements
   Investor Relations
   Press & Media
   Careers
   Find Job Openings
   
   Career in Sangfor
   
   Corporate Social Responsibility
   Contact Us
   Submit a Feedback
   Global Offices


NEW RCRU64 RANSOMWARE VARIANT DISCOVERED BY SANGFOR FARSIGHT LABS

 * Author : Sangfor Technologies

 * Published Date : 14 Apr 2023

 * Last Modified Date : 09 Apr 2024


Tag :
Cyber Security


1. OVERVIEW OF RCRU64

Malware Family: RCRU64
Threat Type: Ransomware Virus

Description

The RCRU64 ransomware is mainly spread through email attachments in phishing
attacks, malicious software downloads, and vulnerability exploitation. It
encrypts files on infected computers and demands a ransom from victims in return
for the decryption key.

 


2. ANALYSIS OF RCRU64


2.1 INTRODUCTION

Sangfor FarSight Labs discovered a new variant of the RCRU64 ransomware family
after capturing a sample during its recent operations. After our investigation,
we discovered that the affected host had abnormal login activity and a weak RDP
password. Therefore, we speculate that the attacker exploited RDP to gain access
and execute the ransomware. Information about the sample is summarized in the
table below:

File Name            Hash (MD5)                          Function
5-NS new.exe         6bffc6c7caa2eb2fa90fac0317f63338    Netscan
closeapps.bat        9b0d6df42f879ba969f82c7a0ab48bc6    Terminate processes
RESTDB@my.com.exe    af967e2c4e72b4c279561757fe06e834    Ransomware
shadows all.cmd      b1d9eea40a08eeb5d3ee646ff61e41ba    Delete shadow copies

 


2.2 ANALYSIS

2.2.1 MITRE ATT&CK

Execution (TA0002)
 * System Services (T1569) / Service Execution (T1569.002): Uses sc.exe to modify service status.
 * Command and Scripting Interpreter (T1059) / Windows Command Shell (T1059.003): Uses a series of Windows commands such as tasklist, taskkill, and systeminfo.
 * Windows Management Instrumentation (T1047): Uses WMIC to delete shadow copies.
 * Native API (T1106): Uses native Windows system calls to make analysis more difficult.
 * Scheduled Task/Job (T1053) / Scheduled Task (T1053.005): Uses schtasks.exe and at.exe to add and modify scheduled tasks.

Persistence (TA0003)
 * Create or Modify System Process (T1543) / Windows Service (T1543.003): Creates a service for self-startup.
 * Boot or Logon Autostart Execution (T1547) / Registry Run Keys / Startup Folder (T1547.001): Drops a PE file in the startup directory.

Defense Evasion (TA0005)
 * Impair Defenses (T1562) / Disable or Modify System Firewall (T1562.004): Modifies the Windows Firewall configuration.
 * Deobfuscate/Decode Files or Information (T1140): Uses base64 encoding.
 * Indicator Removal (T1070) / File Deletion (T1070.004): Deletes the ransomware files after the ransomware program has executed.
 * Virtualization/Sandbox Evasion (T1497) / System Checks (T1497.001): Queries disk and operating system information to determine whether it is running in a virtualized environment, and uses the sleep function to evade dynamic analysis.

Discovery (TA0007)
 * File and Directory Discovery (T1083): Queries specified files, folders, and file extensions.
 * System Information Discovery (T1082): Queries the operating system version.
 * Process Discovery (T1057): Uses the NtQuerySystemInformation API to enumerate all currently running processes.
 * System Time Discovery (T1124): Queries the local system time.
 * Account Discovery (T1087) / Local Account (T1087.001): Enumerates files in the directory \Users\All Users\Microsoft\Windows\Caches, which stores Windows user credentials such as usernames and passwords used for automatic form filling when the user logs in.

Impact (TA0040)
 * Inhibit System Recovery (T1490): Deletes shadow copies and disables Windows system recovery.
 * Data Encrypted for Impact (T1486): Encrypts files on the computer.

 

2.2.2 TECHNICAL ANALYSIS

Upon execution, the sample encrypts files on the system and releases a ransom
note. The ransom note window pops up and instructs the victim to communicate
with the attacker and pay the ransom. Encrypted files are appended with the
extension "_[ID-ALK8Z_Mail-RESTDB@my.com].TGH". For example, a file named
"hello.docx" was renamed to "hello.docx_[ID-ALK8Z_Mail-RESTDB@my.com].TGH".
There are two ransom note files, a TXT file named "Restore_Your_Files.txt" and
an HTA file named ReadMe.hta. The ransom notes show that victims can contact the
attacker via email and pay in Bitcoin. The ransom amount is not specified in the
note.

The content of the Restore_Your_Files.txt ransom note is shown below:



The content of the ReadMe.hta ransom note is shown below:



Encrypted files appear as follows:



2.2.2.1 DETERMINING FILE TYPE

The ransomware drops multiple files, which are executed according to their file
extension. The function "sub_48B6A0" obtains file handles and decides, based on
the file's attributes, whether the file has to be opened in a specific way. If
the file name ends with ".exe", ".EXE", ".com", ".COM", ".bat", ".BAT", ".cmd",
or ".CMD", the file is opened in that specific way.



2.2.2.2 CLEARING WINDOWS EVENT LOGS

The following code executes the "wevtutil.exe el" command to list all available
event logs in the system and then executes "wevtutil.exe cl" to clear all the
event logs that were queried.



2.2.2.3 CREATING NEW FILES

The ransomware samples dropped the following files:



The functions of each file are described below:

S-2153.bat: The content of the "S-2153.bat" file is shown in the image below.
This file determines if the "S-8459.vbs" file exists and executes it.



S-8459.vbs: The content of the "S-8459.vbs" file is shown in the image below.
This script checks if there is a batch file named "S-6748.bat" in the AppData
folder and executes it.



S-6748.bat: The content of the "S-6748.bat" file is shown in the image below.
This file checks if a process named "dcdcf" is running in the system. If not, it
deletes all shadow copies, starts the process named "RESTDB@my.com.exe", and
checks if the process is running. If the process is running, it waits for 15
seconds; otherwise, it will continue with the subsequent operations.



SysMain.sys: The content of the SysMain.sys file is shown in the image below.
The content of this file is base64 encoded and, when decoded, contains an X.509
certificate. An X.509 certificate is a digital certificate used to verify the
identity and integrity of public keys; carrying one gives the file an appearance
of legitimacy and makes it more likely to be trusted.



This file deletes the scheduled task named "Microsoft_Auto_Scheduler",
"S-8459.vbs", and "S-2153.bat" before deleting itself.




The ransomware sample copies itself to the
"C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
directory and renames it to "Xinfecter.exe". The hash of this file is identical
to "RESTDB@my.com.exe", indicating that they are the same file.



2.2.2.4 CREATING A SCHEDULED TASK

The following command creates a scheduled task named "Microsoft_Auto_Scheduler",
which runs the "S-2153.bat" file every 6 minutes.



The batch file contains multiple commands, whose functions are as follows:

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    Adds a DWORD value named "DisableAntiSpyware" to the registry and sets it
    to 1 to disable the anti-spyware feature of Windows Defender.

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    Adds a DWORD value named "EnableLUA" to the registry and sets it to 0 to
    disable User Account Control (UAC).

vssadmin.exe Delete Shadows /All /Quiet
    Deletes all shadow copies in quiet mode.

wmic shadowcopy delete
    Deletes shadow copies.

netsh advfirewall set currentprofile state off
    Turns off the Windows Firewall for the current profile.

netsh firewall set opmode mode=disable
    Disables the Windows Firewall.

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    Enables the Network Discovery firewall rule group.

wbadmin delete catalog -quiet
    Deletes all backups in the Windows backup catalog quietly.
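The commands above (section 2.2.2.4) and the event-log clearing in section 2.2.2.2 are noisy from a telemetry point of view: each one is a distinct process-creation event, and they arrive within seconds of each other under the same parent. The following script is an added example, not code from the Sangfor article or from Sangfor's products, showing how a detection engineer could turn that observation into a rule over process-creation events. The event records and the host names, PIDs and timestamps are constructed for the demonstration; the schtasks command line is a plausible reconstruction of the task the article describes, not the one captured. ATT&CK IDs that the article's own table lists (T1490, T1562.004, T1053.005) are reused; the others (T1070.001, T1562.001, T1548.002, T1218.005) are standard ATT&CK sub-technique IDs.

```python
"""
Added example (not from the Sangfor article): flag the defense-evasion and
recovery-inhibition command lines that the RCRU64 batch files run, and raise
an alert when several distinct ones fire under one parent process within a
short window. All events below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, ATT&CK id, pattern over the full command line)
RULES = [
    ("clear_event_logs",      "T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("delete_shadow_copies",  "T1490",     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic\s+shadowcopy\s+delete\b", re.I)),
    ("delete_backup_catalog", "T1490",     re.compile(r"\bwbadmin\s+delete\s+catalog\b", re.I)),
    ("disable_defender",      "T1562.001", re.compile(r"\breg(\.exe)?\s+add\b.*DisableAntiSpyware.*/d\s+\"?1\"?", re.I)),
    ("disable_uac",           "T1548.002", re.compile(r"\breg(\.exe)?\s+add\b.*EnableLUA.*/d\s+\"?0\"?", re.I)),
    ("disable_firewall",      "T1562.004", re.compile(r"\bnetsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    ("scheduled_task_bat",    "T1053.005", re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\.bat", re.I)),
    ("mshta_hta",             "T1218.005", re.compile(r"\bmshta(\.exe)?\b.*\.hta", re.I)),
]


@dataclass(frozen=True)
class Event:
    ts: int          # seconds (constructed clock)
    host: str
    parent_pid: int  # PID of the process that spawned the command
    cmdline: str


# Constructed process-creation events. The ws01 lines reproduce the command
# lines quoted in the article; the ws02 lines are benign administrator noise.
SAMPLE_EVENTS = [
    Event(1000, "ws01", 4412, r'wevtutil.exe el'),
    Event(1001, "ws01", 4412, r'wevtutil.exe cl Security'),
    Event(1002, "ws01", 4412, r'wevtutil.exe cl System'),
    Event(1010, "ws01", 4412, r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    Event(1011, "ws01", 4412, r'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'),
    Event(1012, "ws01", 4412, r'vssadmin.exe Delete Shadows /All /Quiet'),
    Event(1013, "ws01", 4412, r'wmic shadowcopy delete'),
    Event(1014, "ws01", 4412, r'netsh advfirewall set currentprofile state off'),
    Event(1015, "ws01", 4412, r'wbadmin delete catalog -quiet'),
    # Reconstructed (not captured) task-creation line for Microsoft_Auto_Scheduler.
    Event(1020, "ws01", 4412, r'schtasks /create /tn Microsoft_Auto_Scheduler /tr C:\Users\John\AppData\Roaming\S-2153.bat /sc minute /mo 6'),
    Event(1030, "ws01", 4412, r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\John\Desktop\ReadMe.hta"'),
    Event(2000, "ws02", 800, r'vssadmin list shadows'),
    Event(2001, "ws02", 801, r'wevtutil.exe qe Security /c:5'),
    Event(2002, "ws02", 802, r'netsh advfirewall show allprofiles'),
]


def match_rules(cmdline):
    """Return the (rule name, ATT&CK id) pairs whose pattern matches one command line."""
    return [(name, tid) for name, tid, pat in RULES if pat.search(cmdline)]


def detect(events, window=300, min_distinct=3):
    """Group rule hits per (host, parent PID) and alert when at least
    `min_distinct` different rules fire within `window` seconds.
    Single hits (an admin deleting old shadow copies) stay below threshold."""
    hits = defaultdict(list)
    for ev in events:
        for name, tid in match_rules(ev.cmdline):
            hits[(ev.host, ev.parent_pid)].append((ev.ts, name, tid))

    alerts = []
    for (host, ppid), h in hits.items():
        h.sort()
        for start_ts, _, _ in h:
            in_window = [x for x in h if start_ts <= x[0] <= start_ts + window]
            names = {n for _, n, _ in in_window}
            if len(names) >= min_distinct:
                alerts.append({
                    "host": host,
                    "parent_pid": ppid,
                    "first_seen": start_ts,
                    "rules": sorted(names),
                    "techniques": sorted({t for _, _, t in in_window}),
                })
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold is deliberately on distinct rules rather than raw hit count: a backup job that clears a dozen shadow copies fires one rule many times and should not page anyone, whereas Defender, UAC, the firewall and the backup catalog all being switched off under one parent within five minutes almost never has a benign explanation.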

 




2.2.2.5 TERMINATING SERVICES

The following commands terminate processes and services that may be holding
files open. Specifically, they use the Windows "taskkill" command to terminate
processes and services related to databases, text editors, browsers, email
clients, and so on, so that the files they hold can be encrypted.



2.2.2.6 QUERYING HOST INFORMATION

The sample executes the following commands to obtain host information to
determine if it is running in a virtualized environment.



The executed commands are as follows:

echo %date%-%time%
    Obtains the current date and time.

systeminfo|find /i "os name"
    Checks the name of the OS.

systeminfo|find /i "original"
    Queries the original installation date and time of the computer's Windows OS.

ver
    Displays the OS version.

 

2.2.2.7 SELECTING FILE EXTENSIONS, FILENAMES, AND DIRECTORIES FOR ENCRYPTION

The following file extensions are encrypted:



 



The following files are not encrypted:



S-inf.sys / S-2153.bat / S-8459.vbs / S-6748.bat / N-Save.sys / ReadMe.hta /
io.sys / ntdetect.com / ntldr / thumbs.db / autorun.inf / ntuser.dat / bootfont.bin /
Restore_Your_Files.txt / Xinfecter.exe / bootmgr / SysMain.sys / desktop.ini /
BOOTSECT.BAK / boot.ini / R_cfg.ini

The following code traverses directories and processes the name of each file.
Specifically, it uses the Windows API functions "FindFirstFileW",
"FindNextFileW", and "FindClose" to walk the directory tree. During the
traversal, each filename is checked to determine whether it ends with ".msi",
".scr", or "_Eg", or contains specific strings. If the filename meets these
criteria, the corresponding operations are executed; otherwise, the file is
skipped. Finally, the allocated memory is released.



.exe / .dll / .msi / .log / .lnk / .ini / .ico / .cmd / .bat / .scr / .cpl /
.icl / ._Enc / ._Eg

The following directories are not encrypted: 

\\Local Settings\\Application Data\\Microsoft\\Credentials
\\Application Data\\Microsoft\\Credential
\\Users\\All Users\\Microsoft\\Windows\\Caches
\\Recovery
\\Windows
\\Documents and Settings\\
\\Local Settings\\Temporary Internet Files
\\Start Menu
\\Documents and Settings\\All Users\\Start Menu
\\WINDOWS
\\Boot
\\$RECYCLE.BIN
\\System Volume Information
\\Users\\Default\\ntuser.dat

2.2.2.8 WRITING THE RANSOM NOTE

The following image shows the ransom note in HTA format:



The following image shows the ransom note in text format:



2.2.2.9 OPENING THE RANSOM NOTE WINDOW

The following command is used to open the ransom note window:

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\John\Desktop\ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

2.2.2.10 ENCRYPTION ALGORITHM

 1. Traverse files and folders: First, determine whether a file has already
    been encrypted by checking whether the file name contains "_[ID-" and
    "_Mail-", and then determine whether the file's extension is in the list
    of extensions to be encrypted. If so, encrypt the file.
 2. Generate AES key and IV: The ransomware generates a random AES key and a
    random IV (Initialization Vector) as parameters for encrypting files. These
    parameters are hard coded into the ransomware's code.
 3. Use AES to encrypt the file: The ransomware uses the generated AES key and
    IV to encrypt the targeted files.
 4. Use RSA to encrypt the AES key and IV: The ransomware uses its RSA public
    key to encrypt the generated AES key and IV. The encrypted AES key is then
    appended to the encrypted file for use during decryption.
 5. Add the extension "_[ID-ALK8Z_Mail-RESTDB@my.com].TGH" to the encrypted
    file.
 6. Generate ransom note: Create a ransom note in each folder after the
    encryption process is complete.
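The naming scheme in steps 1 and 5, together with the fixed ransom note names from section 2.2.2.7, is what an incident responder first has to inventory: which files were renamed, what their original names were, how many victim IDs and contact addresses appear (a second ID would mean a second run or a second host), and where the notes were written. The script below is an added example, not code from the Sangfor article, that performs that inventory over a directory tree. The tree it walks is constructed in a temporary directory so the script runs offline; the suffix pattern and note names are taken from the article, and the function `is_marked_encrypted` mirrors the ransomware's own "already encrypted" test from step 1.

```python
"""
Added example (not from the Sangfor article): inventory the file-naming
artifacts RCRU64 leaves behind. Walks a directory tree, recognises files
renamed with the "_[ID-<victim id>_Mail-<contact>].<ext>" suffix, recovers
their original names and counts ransom notes. The sample tree is constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Suffix format from the article's example
# "hello.docx_[ID-ALK8Z_Mail-RESTDB@my.com].TGH".
SUFFIX_RE = re.compile(
    r"_\[ID-(?P<victim_id>[^_\]]+)_Mail-(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note file names from the article.
RANSOM_NOTES = {"Restore_Your_Files.txt", "ReadMe.hta"}


def is_marked_encrypted(name: str) -> bool:
    """The ransomware's own skip test from step 1: both markers present in the name."""
    return "_[ID-" in name and "_Mail-" in name


def parse_encrypted_name(name: str):
    """Return (original_name, victim_id, contact) for an RCRU64-style name, else None."""
    m = SUFFIX_RE.search(name)
    if not m:
        return None
    return name[:m.start()], m.group("victim_id"), m.group("contact")


def scan_tree(root: str) -> dict:
    """Inventory encrypted files and ransom notes under root."""
    encrypted = []     # (full path, original file name)
    notes = []
    victim_ids = Counter()
    contacts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn in RANSOM_NOTES:
                notes.append(full)
                continue
            parsed = parse_encrypted_name(fn)
            if parsed is None:
                continue
            original, vid, contact = parsed
            encrypted.append((full, original))
            victim_ids[vid] += 1
            contacts[contact] += 1
    return {
        "encrypted_count": len(encrypted),
        "encrypted": encrypted,
        "ransom_notes": notes,
        "victim_ids": dict(victim_ids),
        "contacts": dict(contacts),
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a hit user profile."""
    root = tempfile.mkdtemp(prefix="rcru64_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    sample_files = {
        "hello.docx_[ID-ALK8Z_Mail-RESTDB@my.com].TGH": b"ciphertext",
        "budget.xlsx_[ID-ALK8Z_Mail-RESTDB@my.com].TGH": b"ciphertext",
        "notes.txt": b"untouched plaintext",          # not in the target list
        "Restore_Your_Files.txt": b"ransom note (constructed)",
        "ReadMe.hta": b"<html>ransom note (constructed)</html>",
    }
    for name, data in sample_files.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(report["encrypted_count"], "encrypted files;",
          len(report["ransom_notes"]), "ransom notes")
    print("victim IDs:", report["victim_ids"], "contacts:", report["contacts"])
```

Recovering the original name from the suffix is only a bookkeeping step: the content remains AES-encrypted under a key that, per step 4, is wrapped with the attacker's RSA public key, so the inventory tells a responder what to restore from backup, not how to decrypt.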





2.3 IOCS

Sha256


2.4 SANGFOR SOLUTION

Sangfor Endpoint Secure supports the detection and removal of the RCRU64
ransomware. Please update Endpoint Secure and the signature database to the
latest version and configure the relevant security policies for protection to
take effect.

Sangfor Endpoint Secure is a powerful Endpoint Detection and Response (EDR)
solution that goes beyond traditional anti-malware and antivirus software.
Sangfor Endpoint Secure leverages Sangfor’s proprietary Engine Zero AI malware
detection engine and Neural-X threat intelligence platform to deliver robust
malware protection for endpoints.

Endpoint Secure is built with innovative anti-ransomware tools, including the
world’s first and only endpoint ransomware honeypot, which quickly detects and
kills the ransomware encryption process, minimizing any damage to the system.
The encryption controlling application is also identified and then located on
other infected systems allowing “One-Click Kill” to eradicate the detected
ransomware throughout the organization with just a single mouse click. In the
Advanced Threat Detection Test conducted by AV-Test, Endpoint Secure achieved
100% protection in ten ransomware scenarios.

Sangfor NGAF, Sangfor IAG, Sangfor Cyber Command, and Endpoint Secure integrate
together as part of Sangfor’s Anti-Ransomware solution. With security deployed
at the perimeter, endpoint, and network, Sangfor’s Anti-Ransomware is a holistic
solution that breaks every step of the ransomware kill chain. Sangfor
Anti-Ransomware is a modular solution that can be tailored to meet the
ransomware protection requirements of any organization.




ABOUT SANGFOR FARSIGHT LABS

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day
vulnerabilities, alerting customers to potential dangers to their organizations,
and providing real-time solutions with actionable intelligence. Sangfor FarSight
Labs works with other security vendors and the security community at large to
identify and verify global cyberthreats, providing fast and easy protection for
customers.

