{
	"id": "16faf3c0-b154-476a-ae46-bff2edbaa2e0",
	"created_at": "2026-04-10T03:21:27.074346Z",
	"updated_at": "2026-04-10T13:11:47.281307Z",
	"deleted_at": null,
	"sha1_hash": "10153f23295e7e3f0c1078dd741cff134afeadf6",
	"title": "A",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 661929,
	"plain_text": "A\r\nBy f0wL\r\nPublished: 2019-12-11 · Archived: 2026-04-10 03:07:36 UTC\r\nA \"Project.exe\" that should have stayed in a drawer - MZRevenge / MaMo434376\r\nWed 11 December 2019 in Ransomware\r\nI first read about this strain on Twitter but it didn't seem like a big thing. Turns out I was wrong: in the last 3 days I collected over 35 samples :O\r\nSearching for \"Project.exe\" on AnyRun yields more than a healthy list of results, all matching this strain.\r\nhttps://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html\r\nPage 1 of 9\r\nOh would you look at that: looks like we have a Borland Delphi application here 🧐\r\nYep, it's that ugly, so it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest of the form is empty).\r\nThe other strain uses a similar form window but actually displays its name in there (they saved on the window title, though).\r\nMZ Revenge and MaMo append these extensions to encrypted files respectively: .MZ173801 and .MaMo434376. It seems to drop the ransom notes into the Library folders, once into %appdata%\\Microsoft\\Windows\\Recent and into the root of every (unmounted) storage device.\r\nTIL: the MZP magic at offset 0 tells you that the PE was linked by a Borland/Pascal toolchain. The DOS stub message is different as well: instead of the usual This program cannot be run in DOS mode, Borland-linked binaries carry This program must be run under Win32.\r\nBecause loading a Delphi executable into IDA or Ghidra can be very painful to look at, I'll try out a tool I haven't used before. It is called \"Interactive Delphi Reconstructor\" (IDR in short) and the setup is trivial.
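Before moving on to IDR, the MZP tag is easy to check programmatically. The following Python script is an added example of mine, not code from the post or from IDR: it parses the DOS header, tells a Borland-linked binary from a standard one by the tag at offset 0 and extracts the DOS stub message. Both inputs are constructed in build_sample(); the stub bytes are a minimal stand-in, not copied from any sample.

```python
import re
import struct

DOS_HEADER_LEN = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3c
PE_SIGNATURE = b'PE' + bytes(2)


def build_sample(borland: bool) -> bytes:
    # Constructed input (not a real sample): a DOS header, a DOS stub carrying
    # the usual message, and the PE signature right behind the stub.
    if borland:
        magic = bytes.fromhex('4d5a5000')            # 'MZP' + 0x00, Borland/Delphi style
        message = b'This program must be run under Win32'
    else:
        magic = bytes.fromhex('4d5a9000')            # 'MZ' + 0x90 0x00, MS linker style
        message = b'This program cannot be run in DOS mode.'
    stub_code = bytes.fromhex('0e1fba0e00b409cd21b8014ccd21')  # int 21h print-and-exit prologue
    stub = stub_code + message + b'$' + bytes(16)
    header = bytearray(magic + bytes(DOS_HEADER_LEN - len(magic)))
    struct.pack_into('<I', header, 0x3c, DOS_HEADER_LEN + len(stub))   # e_lfanew
    return bytes(header) + stub + PE_SIGNATURE


def pe_header_offset(data: bytes) -> int:
    return struct.unpack_from('<I', data, 0x3c)[0]


def is_pe(data: bytes) -> bool:
    if len(data) < DOS_HEADER_LEN or data[:2] != b'MZ':
        return False
    off = pe_header_offset(data)
    return off + len(PE_SIGNATURE) <= len(data) and data[off:off + 4] == PE_SIGNATURE


def has_mzp_magic(data: bytes) -> bool:
    # Borland linkers write 'MZP' at offset 0; the 'P' is the low byte of e_cblp,
    # a field the Windows loader ignores, so the file is still a valid MZ/PE.
    return is_pe(data) and data[:3] == b'MZP'


def dos_stub_message(data: bytes) -> str:
    # Longest run of printable ASCII in the stub, cut at the '$' that DOS
    # int 21h/AH=09h uses as a string terminator. Empty string if no PE layout.
    if not is_pe(data):
        return ''
    stub = data[DOS_HEADER_LEN:pe_header_offset(data)]
    runs = re.findall(rb'[ -~]{8,}', stub)
    if not runs:
        return ''
    text = max(runs, key=len).split(b'$')[0]
    return re.sub(rb'^[^A-Za-z]+', b'', text).decode('ascii').strip()


def classify(data: bytes) -> str:
    if not is_pe(data):
        return 'not a PE file'
    if has_mzp_magic(data):
        return 'Borland/Delphi-linked PE (MZP)'
    return 'PE with a non-Borland DOS header'


if __name__ == '__main__':
    for name, flag in (('borland', True), ('msvc', False)):
        blob = build_sample(flag)
        print(name, classify(blob), repr(dos_stub_message(blob)))
```

To run it against a real file, pass open(path, 'rb').read() to classify() and dos_stub_message(). Treat the MZP tag as a toolchain hint only: the loader never looks at e_cblp, so the byte can be patched without breaking the binary.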
Setting IDR up is a matter of cloning the Git repository, downloading the Knowledge Base files linked at the bottom and extracting them into the source folder.\r\nFor those playing along at home it should look something like this after the auto-analysis finished:\r\nLooking at the Strings tab I noticed this weird GUID {43826d1e-e718-42ee-bc55-a1e261c37bfe}. I'll have to investigate further to say for sure, but looking at this document from the CIA Vault7 leaks this might be part of a UAC bypass.\r\nI also grabbed the extension list the ransomware uses. It will target the following extensions:\r\n.txt;.doc;.docx;.intex;.pdf;.zip;.rar;.onetoc;.css;.lnk;.xlsx;.ppt;.pptx;.odt;.jpg;.bmp;.ods;.png;.cs\r\nAs suspected by @Hildakrypt on Twitter, the creators of the Turkish KesLan ransomware might also have built MZ Revenge / MaMo.\r\nThe #KesLan and #MZREVENGE #Ransomware authors are the same person, the canonical name is #MaMo434376 (as referred in the code) cc @BleepinComputer @demonslay335 @GrujaRS @raby_mr @Amigo_A_ pic.twitter.com/HQCuTWgJoH\r\n— HILDACRYPT (@HILDAKRYPT) December 11, 2019\r\nUpdate 15.12.2019:\r\nA new version of this strain was found to be appending .aes to encrypted files.
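As an added example (my own code, not from the post or from any sample), the following Python sweep flags files carrying the three appended extensions .MZ173801, .MaMo434376 and .aes, and spots ransom notes by the contact address from the IOC section; TARGETED is the extension list above, and the directory it runs over is constructed in build_fixture().

```python
import tempfile
from pathlib import Path

# Extensions the variants append to encrypted files, as listed in the post,
# mapped to the label the post uses for each one.
APPENDED = {
    '.MZ173801': 'MZ Revenge 1.0',
    '.MaMo434376': 'MaMo434376',
    '.aes': 'MZ Revenge / MaMo (.aes variant)',
}

# The extension list pulled from the sample via IDR (lower-cased for matching).
TARGETED = set(
    '.txt;.doc;.docx;.intex;.pdf;.zip;.rar;.onetoc;.css;.lnk;.xlsx;.ppt;.pptx;'
    '.odt;.jpg;.bmp;.ods;.png;.cs'.split(';')
)

# Strings that identify a note: the contact address from the IOCs and the
# headings of the two note versions quoted in the post.
NOTE_MARKERS = ('helpdesk_mz@aol.com', 'MZ DECRYPTION KEY', 'MZ REVENGE 1.0')
MAX_NOTE_SIZE = 64 * 1024


def classify_file(path: Path):
    # Returns a strain label for an encrypted file, the string 'ransom note'
    # for a note, or None. A bare '.aes' file is only flagged when the inner
    # extension is one the sample targets, because '.aes' is also a common
    # extension for legitimately encrypted material.
    suffixes = path.suffixes
    if suffixes:
        label = APPENDED.get(suffixes[-1])
        if label is not None:
            inner = suffixes[-2].lower() if len(suffixes) >= 2 else ''
            if suffixes[-1] != '.aes' or inner in TARGETED:
                return label
    try:
        if path.stat().st_size <= MAX_NOTE_SIZE:
            text = path.read_text(errors='replace')
            if any(marker in text for marker in NOTE_MARKERS):
                return 'ransom note'
    except OSError:
        pass
    return None


def sweep(root: Path) -> dict:
    # Walks root and buckets every hit; counts are per strain label.
    result = {'encrypted': [], 'notes': [], 'counts': {}}
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        label = classify_file(path)
        if label is None:
            continue
        if label == 'ransom note':
            result['notes'].append(str(path))
        else:
            result['encrypted'].append((str(path), label))
            result['counts'][label] = result['counts'].get(label, 0) + 1
    return result


def build_fixture() -> Path:
    # Constructed stand-in for a victim profile: file names and contents are
    # made up for this example; nothing here comes from a real infection.
    root = Path(tempfile.mkdtemp(prefix='mz_sweep_'))
    docs = root / 'Documents'
    docs.mkdir()
    filler = bytes(range(256)) * 4
    (docs / 'report.docx.MZ173801').write_bytes(filler)
    (docs / 'photo.jpg.MaMo434376').write_bytes(filler)
    (docs / 'notes.txt.aes').write_bytes(filler)
    (docs / 'backup-key.aes').write_bytes(filler)      # must not be flagged
    (docs / 'clean.pdf').write_bytes(b'%PDF-1.4 constructed placeholder')
    (docs / 'note.txt').write_text('ATTENTION! Main mail: helpdesk_mz@aol.com')
    return root


if __name__ == '__main__':
    findings = sweep(build_fixture())
    for path, label in findings['encrypted']:
        print(label, path)
    for path in findings['notes']:
        print('ransom note', path)
    print(findings['counts'])
```

On a real host, point sweep() at the user profile and at the root of every attached volume, since the post reports notes landing in the Library folders, in the Recent folder under %appdata% and in the root of each storage device. The registry indicators from the IOC section (DisableTaskMgr, UNCAsIntranet) are a separate host check and are not covered here.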
This .aes variant drops no ransom note, though, so let's see if this is a malfunction or intentional.\r\nThe Any.Run analysis can be found here.\r\nVisually this sample resembles the look of the \"MZ Revenge 1.0\" strain with an empty form and the red DX icon.\r\nMITRE ATT&CK\r\nT1215 --> Kernel Modules and Extensions --> Persistence\r\nT1045 --> Software Packing --> Defense Evasion\r\nT1056 --> Input Capture --> Credential Access\r\nT1012 --> Query Registry --> Discovery\r\nT1124 --> System Time Discovery --> Discovery\r\nT1083 --> File and Directory Discovery --> Discovery\r\nT1076 --> Remote Desktop Protocol --> Lateral Movement\r\nT1056 --> Input Capture --> Collection\r\nT1115 --> Clipboard Data --> Collection\r\nIOCs\r\nMZRevenge / MaMo434376\r\n\"MZ Revenge 1.0\":\r\n7a92a80e742dbcb0d30948dbf6c4d7a6236a5692c5864a1276cfc84d5c71e375\r\n00c84efdebc555191ec91999a7f85c4ab0a6e7236dc477c7e4eb487152211336\r\na90c73a86a2771f6bff2cfc34d5798b71603da49105342a0a00324b7b6c63018\r\n6907a7689375a06c4f3d5c9d99074c9242342c0e813e669a03a07899740dcfa8\r\nf9cb03dbec628694f81c015b6799e3305f4941dab95d6f67343ef2c2dd2fb891\r\n734a6461eed16f83a355d22ecea28c993ef350a9ea925e2a68caea404f1c0a42\r\nbe880ab3f9b4f9cd967fdca899446241e962b3de8c938ed58b69d419b1b6168a\r\n62b129f041cb6b3ebf16f084295f6ffb818db67254eaadeadc906e3d2aecc415\r\n75b6e08e9a0ec989d4936dbbca7dc4ae5cf05ee0f4a7bc4ebccbf5bc81ac9518\r\n32c666ae39cced01978d43a878b4708cb4f4e7051c6d22f9a11c35ce6176151d\r\n184a63ae5c09e4963fc915f9957302ec5b0bd52b2e86049f45a75613f8d9f552\r\n00144748f68a6fe3a7cd98539043698a49fd1e020a6465d5f6e07542712ec014\r\nd8cff0354008b6fd2ea362d33609099eaedc13c5c7c759e2ad9ad998e0b00cda\r\n56ee5c88648365f5269e1ab0d6b00634f7d9fd9f08c91a45c7cb601d5073feb4\r\n3e0c4925102b2b4f1d93193000907c30731163b0e756d37c2a3b4dda1f938794\r\nca15b28914dc22461fbf8f213047673de7a0434d7ca0d8b796c1a6038f169e23\r\n265e0746692b5301156e4bbd19a9aa62961e333f04fc26d71a64f7739705ee7b\r\n859c4b2306ea6a20fdbc4cdbdb28aa500e9928e57ae2ba13fbfb729cc465b6b0\r\nec70974046fbbd1461ef4b181f8a08270ffaede196c02f1e25e6c7807c29db6a\r\n45d7884b61a6b38356ee18b3814fae0e88715ac004e9df4417d47522203e2a89\r\n648cec145362a52c89c155bf5034eaedee9dd8c90e458dd8c0e1a25ad96e577e\r\n13bcd9a3c09560357b1decc640971f2cc8c1ac58275c317c4266751aefafd29b\r\nd95bd4077537edd5922861977ab3be873532ff2717b0dba916abc9465481cb0e\r\nb02ee036ac32a3b7425a57ff1cf68f2fc46a5f2d7bdea6be78efd574f9761c53\r\n9f28d3d3b8f6078c98d5831a3f1996c28fc14209f2240cc87bf70d20ffac371f\r\n1d5a8d924766f8aba0839ca747b0076b8b3718544c43e9ed32afd33f7fdd3c73\r\n4af2825b70fa4006d56a1faf40062e4a614dfa3de79a197bc268cd708709d4ec\r\n3f35a62f5e2fcb8f74d3aecae7de4bd9834c9400d33a716b74bbe28cf156f142\r\n0b7974582bb4e9c7de0c04618f307e7cbb4bba644c99f165be54117abeb32d43\r\n91d490cabd6776df1bcf26fa17cf9a13663bd79c1b5087ea718248f602d8df0e\r\n\"MaMo434376\":\r\n3276ab52336b9bc944717cfee706301326addf339891092fb0697d7b93960fa4\r\n10e37630cb1d050911f0c6c094d9c8218622887695960e35f98a596a2ed4de8d\r\nbbfa50b69c3ce9274f8c207dc6eb9caee6e55481440dfde23b85e9aa891ae53d\r\n02101d26f1ac2b3a9188489e4d2f4eeef648916c6a346d3318c36c2622754cbc\r\nbbb26303554c109d62b6f340045c04083ce04d5b6d94ac3a221223187a977072\r\nd7d908991970c971bcc0239654e437c22a987160422c70a838a016c5770caa72\r\nVersion 2:\r\n70733389c89b4358f04575226a8ce60c4511018c98731a2ff7f556c29447e4a4\r\nRegistry Keys\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n--> DisableTaskMgr = 1 (disables Task Manager for the current user)\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\r\n--> UNCAsIntranet = 0\r\nE-Mail Addresses\r\nhelpdesk_mz@aol[.]com\r\nRansomnote V1\r\nATTENTION!\r\nDon't worry, you can return all your files!\r\nAll your files like photos, databases, documents and other important are encrypted with strongest enc\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nPrice of private key and decrypt software is $300.\r\nDiscount 50% available if you contact us first 72 hours, thats price for you is $150.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\ne-mail address to send your file and To get this software you need write on my e-mail:\r\nhelpdesk_mz@aol.com\r\nYour Decryption Key (DO NOT WIPE OR CHANGE THIS SWITCH!) :\r\n[redacted]\r\nRansomnote V2\r\n---> MZ REVENGE 1.0 <---\r\nDont worry, some of your files have extension .MZ173801 and they are encrypted.\r\nIn confirmatiom, that we have private decryption key,\r\nWe can provide test decryption for 1 file (png,jpg,bmp,gif).\r\nIts a business, if we cant provide full decryption, other people wont trust us.\r\nThere is no way to decrypt your files without our help.\r\nDont trust anyone. Even your cat.\r\nMain mail: helpdesk_mz@aol.com\r\nDont change decryption key below!!!\r\nMZ DECRYPTION KEY:\r\n[redacted]\r\nSource: https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html"
	],
	"report_names": [
		"a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791287,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10153f23295e7e3f0c1078dd741cff134afeadf6.pdf",
		"text": "https://archive.orkl.eu/10153f23295e7e3f0c1078dd741cff134afeadf6.txt",
		"img": "https://archive.orkl.eu/10153f23295e7e3f0c1078dd741cff134afeadf6.jpg"
	}
}