Ok guys, despite the fact that this ransomware now seems to be detected by more AVs in the VirusTotal report, the sample seems difficult to detect in the test against Bitdefender (posted by @Der.Reisende) here: Video - Bitdefender Antivirus Free [v1.0.14.76] vs Project57 ransomware
Project57 seems to have no internet connections (requests, DNS, etc.) with remote servers, which is strange for a ransomware, but it could connect later and silently to a remote server when the victim pays the ransom to decrypt the encrypted files. It seems it calls the WinRAR process (maybe to zip possible dropped files to reduce AV detection?)
Project57 ransomware probably uses this vulnerable Windows process, SearchProtocolHost.exe, to search for the files to encrypt in a faster and easier way, because this permits the sample to use a more advanced algorithm to search files in folders. In the files used by the malware you can see under FileZilla (FTP software) the following string: ti_kozel[at]lashbania.tv; this is probably the email used for the ransomware. The same string (the email) is also found under this Google Chrome path: AppData/Local/Google/Chrome/User Data/Default/Extensions/ and the same goes for Opera, Skype, Windows Mail and OneNote. So guys, I think now this ransomware is detected (mainly with signatures), because without a deep analysis it could seem harmless because of the apparent absence of internet connections and other aspects that don't highlight malicious and dangerous behaviours. But yes, it is malicious, pay attention to this ransomware!
SHA256: 2f79ccfe3a57fa2157d187925dabc38cb919383c17ff464613c06ea6730cadd4
MD5: D6DA2DBEF3FAF1987502FE81CDDD6976
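For defenders who want to sweep a host for what the post above describes, here is an added example (not code from the post or its author) that checks files against the two hashes quoted above and looks for the contact string inside the Chrome Extensions path the post names. The Opera, Skype, Windows Mail and OneNote paths are not spelled out in the post, so only the Chrome directory is listed; the size limit and the plain "@" variant of the address are my own assumptions.

```python
import hashlib
import os
from pathlib import Path

# Indicators quoted in the post (sample hashes and the contact address).
KNOWN_SHA256 = {"2f79ccfe3a57fa2157d187925dabc38cb919383c17ff464613c06ea6730cadd4"}
KNOWN_MD5 = {"d6da2dbef3faf1987502fe81cddd6976"}
# The post writes the address as "ti_kozel[at]lashbania.tv"; the plain "@"
# spelling is an assumption added so a de-obfuscated copy is caught too.
MARKERS = [b"ti_kozel[at]lashbania.tv", b"ti_kozel@lashbania.tv"]

# Directory the post names, relative to %LOCALAPPDATA% (AppData/Local).
DEFAULT_DIRS = [Path("Google/Chrome/User Data/Default/Extensions")]

def hash_bytes(data: bytes) -> dict:
    """SHA256 and MD5 hex digests of the given content."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}

def classify_bytes(data: bytes) -> list:
    """Return the reasons this content matches the post's indicators (empty if none)."""
    reasons = []
    digests = hash_bytes(data)
    if digests["sha256"] in KNOWN_SHA256 or digests["md5"] in KNOWN_MD5:
        reasons.append("hash matches the Project57 sample")
    for marker in MARKERS:
        if marker in data:
            reasons.append("contains contact string %s" % marker.decode())
    return reasons

def scan_tree(root, max_size=50 * 1024 * 1024) -> dict:
    """Walk root and return {path: reasons} for every file that matches."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > max_size:  # assumed cap; skip huge files
                    continue
                reasons = classify_bytes(p.read_bytes())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if reasons:
                hits[str(p)] = reasons
    return hits

if __name__ == "__main__":
    base = Path(os.environ.get("LOCALAPPDATA", Path.home()))
    for d in DEFAULT_DIRS:
        for path, why in scan_tree(base / d).items():
            print(path, "->", "; ".join(why))
```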