General

  • Target

    a6ybp.zip.zip

  • Size

    78KB

  • Sample

    200911-99ezqla6nn

  • MD5

    d3d855f2b859810cb4b09fdcc4feb3db

  • SHA1

    67962afafcc38f752a944e1162fa9e4eacb89ad4

  • SHA256

    c9779bfb55b855152347b89c2daa6987c5782aab933c0fc98f9aee50e2c53ba6

  • SHA512

    52120aed552cfde60de6bbd45e77d174d6b8b8fc06502b5b80559610421487ada985cd32fe5844f4da8de8795cf2795bffee132011ce3dc37b5a222ce213004b

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?96B283EF5B7ACD4CD0D00D70C0834F0A | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CD0D00D70C0834F0A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?96B283EF5B7ACD4CD0D00D70C0834F0A

http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CD0D00D70C0834F0A

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/

rc4.i32

Targets

    • Target

      a6ybp.exe

    • Size

      133KB

    • MD5

      5052c5edb614bae7449e4fe24466d312

    • SHA1

      ac891f7448c5b5bef1e1b0d66fb6a020245131ab

    • SHA256

      25f38d1847951f8cbf676cd97216c830462bb875c405f781ae053dd8fbfc83f8

    • SHA512

      c67abfee80001aa589cfc823be86a41ce8ca29bcd01baf57ce588c0ace6a918c650699b397a7baf6948b65cc97e899a43eae55cc8478c7057d2696419a2aef38

    • Dharma

      Dharma is ransomware that uses security software installation to hide malicious activities.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                           Count  ID
  Persistence        Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion    File Deletion                       2      T1107
  Defense Evasion    Modify Registry                     1      T1112
  Credential Access  Credentials in Files                5      T1081
  Discovery          Query Registry                      3      T1012
  Discovery          System Information Discovery        3      T1082
  Discovery          Peripheral Device Discovery         1      T1120
  Collection         Data from Local System              5      T1005
  Impact             Inhibit System Recovery             2      T1490

Tasks