{
	"id": "6930e6fb-8013-4640-833d-11b314f53816",
	"created_at": "2026-04-10T03:21:58.650837Z",
	"updated_at": "2026-04-10T03:22:19.498885Z",
	"deleted_at": null,
	"sha1_hash": "ed1cf7b6a0b71ac6b566a4829b56a860bd9e243e",
	"title": "malware-notes/Ransomware/Maze.md at master · albertzsigovits/malware-notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57904,
	"plain_text": "malware-notes/Ransomware/Maze.md at master ·\r\nalbertzsigovits/malware-notes\r\nBy albertzsigovits\r\nArchived: 2026-04-10 03:03:04 UTC\r\nSHA256 hashes\r\nReferences\r\nhttps://twitter.com/VK_Intel/status/1189431136398794752\r\nhttps://twitter.com/VK_Intel/status/1186346215388131333\r\nhttps://twitter.com/VK_Intel/status/1185255932474904576\r\nhttps://twitter.com/MalwareTechBlog/status/1184926173861572608\r\nhttp://mazenews.top\r\nNotes\r\nMaze Team maintains a site: mazenews.top\r\nRansom note file: DECRYPT-FILES.txt\r\nChecks AV software: Select * From AntiVirusProduct via root\\SecurityCenter2\r\nCheck shadow copies: select * from Win32_ShadowCopy 
via ROOT\\cimv2\r\nUsed User-Agent in C2 traffic: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko\r\nSeen pdbs:\r\nC:\\random\\fucking\\path\\to\\fucking\\idiotic\\nonexisting\\file\\with\\pdb\\extension.pdb\r\nC:\\vc5\\Release\\Zeroaccess.pdb\r\nC:\\shit\\gavno.pdb\r\nC:\\demonslay335\\emsisoft_work\\ransomware\\hutchins.pdb\r\nMutex is randomly generated: Global\\c35e0a1a78e8cdbc\r\nSame string used as c35e0a1a78e8cdbc.tmp on the file system\r\nShadow copy deletion: wmic \"%s\" shadowcopy delete via Win32_ShadowCopy.ID='%s'\r\nVT searches\r\nimphash:\"4c3d146415a27e5b2b768097598f2851\"\r\nimphash:\"a0667aaff29d40b151e423bcd42d1e15\"\r\nimphash:\"e6c2e529c8b3c790ab91901a5172e552\"\r\nresource:\"0cad26ce9da0bb3e380866e27c5f5ad17bb2f363352105f42b3dc1e9086c9366\"\r\nresource:\"884d4eddb1c544532c4225419e319749700b5503503e707f86b1cae740bc4c18\"\r\nresource:\"a4d658476e4693a873db1a349aa5ca0238c1df1708d5e67ed0f0187784d7336d\"\r\nYara rules\r\nrule maze_caro\r\n{\r\n    condition:\r\n        new_file and signatures matches /.*Ransom.*Maze.*/\r\n}\r\nRansom note\r\nAttention!\r\n----------------------------\r\n| What happened?\r\n----------------------------\r\nAll your files, documents, photos, databases, and other important data are safely encrypted with reliable algori\r\nYou cannot access the files right now. But do not worry. You have a chance! 
It is easy to recover in a few steps\r\n----------------------------\r\n| How to get my files back?\r\n----------------------------\r\nThe only method to restore your files is to purchase a unique for you private key which is securely stored on ou\r\nTo contact us and purchase the key you have to visit our website in a hidden TOR network.\r\nThere are general 2 ways to reach us:\r\n1) [Recommended] Using hidden TOR network.\r\n a) Download a special TOR browser: https://www.torproject.org/\r\n b) Install the TOR Browser.\r\n c) Open the TOR Browser.\r\n d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID%\r\n e) Follow the instructions on this page.\r\n2) If you have any problems connecting or using TOR network\r\n a) Open our website: https://mazedecrypt.top/%USERID%\r\n b) Follow the instructions on this page.\r\nWarning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended\r\nOn this page, you will see instructions on how to make a free decryption test and how to pay.\r\nAlso it has a live chat with our operators and support team.\r\n----------------------------\r\n| What about guarantees?\r\n----------------------------\r\nWe understand your stress and worry.\r\nSo you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer!\r\nIf you have any problems our friendly support team is always here to assist you in a live chat!\r\n-------------------------------------------------------------------------------\r\nTHIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! 
DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND\r\n---BEGIN MAZE KEY---\r\n%base64key%\r\n---END MAZE KEY---\r\nSource: https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md"
	],
	"report_names": [
		"Maze.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775791318,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed1cf7b6a0b71ac6b566a4829b56a860bd9e243e.pdf",
		"text": "https://archive.orkl.eu/ed1cf7b6a0b71ac6b566a4829b56a860bd9e243e.txt",
		"img": "https://archive.orkl.eu/ed1cf7b6a0b71ac6b566a4829b56a860bd9e243e.jpg"
	}
}