regretlocker

General

Target

6519161656475648.zip
Size

269KB
Sample

201102-qebnyska7j
MD5

aa3ab34486bf3e25975f25d26939cbd7
SHA1

59bc02c88e67307176e11872144fbaf66642d68e
SHA256

dc7c8616f018d61814286b93d64d66b4ee0121884fa09b9d14ff2bc243ace913
SHA512

298243a6c6f9062a8ce14f2a0cb4bdaf2d616c00717584cf1b6fc8f0b6f7e411a1c0ecef33a185b4199e74d9b3702a23ed36df345aad7ee939bdf2ca58c44921

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW TO RESTORE FILES.TXT

Ransom Note

Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com

Emails

petro@ctemplar.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT

Ransom Note

Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com Your hash: 593235305054517A4F44556D5A57356B5054456D615751394D535A706344307 84E5451754E6A45754E7A45754E54456D61325635505441314D55557A4D5468 42517A51794D6B4647526A5642515446444E446B794D6A67304E5546464F546 C424D4545324D3055774E444178517A6B314E6A457A4D4545794D6A4A464F44 4242526A497A51546377526A633352546B7A4D6A6777526A4642516A59774E5 559774E7A41334E6B49304E6B4E4452455531526B4A45515449304D7A6B304D 4545324E5451774F544E444E304A434D54597A4D7A684552446842517A4A434 E6A59314F4451334E6A4E454E7A45794D6A4A474D7A4E434D6A677952545243 52554931516B55354E7A46424D454D34515445304E7A51334E6B45334D544A4 34D7A52424E6B56444D5451784D545A454E6A5A4652546734524467304F5556 424E6B4E434D6A6847516A6C434E6A424652455243516A5245516A457952444 1344E6A633251305A4452444D32525552464E3045354E455245524455304E7A 6846517A4E424F4467324F554E444D44676D64476C745A543077534334674D5 53075494455785579346D64584E7950575A6B59546B324F5749304A6E5A7662 4431444F6C77674D5463754D7A6448596938794E5455754E7A464859676F41

Emails

petro@ctemplar.com

Targets

- Target
  
  a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
- Size
  
  483KB
- MD5
  
  3265b2b0afc6d2ad0bdd55af8edb9b37
- SHA1
  
  24272beb676d956ec8a65b95a2615c9075fa9869
- SHA256
  
  a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
- SHA512
  
  28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94
Score

10^/10

regretlocker persistence ransomware spyware
- RegretLocker
  Ransomware first reported on Twitter in October 2020.
  ransomware regretlocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service
  persistence
behavioral1 behavioral2