
Thanos.A Ransomware

By CagedTech in Ransomware

Threat Scorecard

Popularity Rank: 25,632
Threat Level: 100 % (High)
Infected Computers: 2
First Seen: March 2, 2022
Last Seen: February 19, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Thanos.A Ransomware
Signature status: No Signature

Known Samples

MD5: dde53e9a922b2df284a2a98214febffd
SHA1: d93d4a90cc9d13dd53a1e91bf3886fb0d6af2896
SHA256: A5926B96975769653ECE840FB13216E250FC8A0D9A1BCE0D952E9D9DA94FF389
File Size: 146.94 KB, 146944 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Assembly Version: 4.5.0.0
Company Name: kZ2TLru7E NHR7ECwri
File Description: Mozilla Firefox
File Version: 4.5.0.0
Internal Name: SMocd00tI
Legal Copyright: Copyright 2019 62eqN3AjO
Legal Trademarks: gYeRbQOXL bPN2N7MnV
Original Filename: j4L9TldNi
Product Name: KsfPiZpBD
Product Version: 4.5.0.0

File Traits

  • .NET
  • ntdll
  • RijndaelManaged
  • SmartAssembly
  • x86

Block Information

Total Blocks: 234
Potentially Malicious Blocks: 143
Whitelisted Blocks: 91
Unknown Blocks: 0

Visual Map

x x x x x x x 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 x 0 0 x 0 x x 0 x x x x x x x x x x x 0 0 x x x x x x x x x x x x x 0 x x 0 0 x x x x x x x x x x x x x x x x x x 0 0 0 x x 0 x x 0 x 0 x 0 0 x x 0 0 0 0 0 x x x 0 0 0 x 0 0 0 x x x x x x x x x x x x x x x x 0 0 x 0 0 0 x x 0 0 0 0 0 x x x x x x x x x 0 x x x x 0 0 0 0 x x x 0 x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.VM
  • SABS.A
  • Thanos.A

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
desktop-dlos3m3*\mailslot\net\netlogon Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䋶厃ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 쇨呥ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 餄咜ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⃘哤ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 컉哴ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 鑿哹ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⺡唵ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 桛問ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 叱啛ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ᤠ啠ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 喖ꉩǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 俵喸ꉩǜ RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess
Network Winsock2
  • WSAStartup

Shell Command Execution

"taskkill" /F /IM RaccineSettings.exe
WriteConsole: ERROR: The proce
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
WriteConsole: ERROR:
WriteConsole: The system was u
"reg" delete HKCU\Software\Raccine /F
WriteConsole: ERROR:
WriteConsole: The system was u
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
"sc.exe" config Dnscache start= auto
"sc.exe" config SQLTELEMETRY start= disabled
"sc.exe" config FDResPub start= auto
"sc.exe" config SSDPSRV start= auto
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
"sc.exe" config SstpSvc start= disabled
"sc.exe" config upnphost start= auto
"sc.exe" config SQLWriter start= disabled
