General

  • Target

    5665f108965c55a2d3ebcbbb50b03786

  • Size

    107KB

  • Sample

    210827-yxq8psh4ms

  • MD5

    5665f108965c55a2d3ebcbbb50b03786

  • SHA1

    5f3500c5d5f646383e06033fb0650d9b83da98a8

  • SHA256

    a32770d46ee2ee5b91cc36e5159868ec3ff7f847e7516d7bcb952f7a94e347a2

  • SHA512

    cb6e052712ace47f371efdc93309ecc3bc7e85d897dc64e85c8fac3e436a3a714ffd140d465daf87a3f911f89bfbf4db90fe1bd7f579f5d108de51ace342b0fb

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Kasl

  • C2

    51.254.68.139:15009

Extracted

  • Path

    C:\How To Restore Your Files.txt

  • Ransom Note

    Hi, friend. Your files are encrypted. And you can't do anything with them. If you want to restore them, contact us via telegram @username312321 Price - 350 $ You can pay with BTC - bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93

  • Wallets

    bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93

Targets

    • Target

      5665f108965c55a2d3ebcbbb50b03786

    • Size

      107KB

    • MD5

      5665f108965c55a2d3ebcbbb50b03786

    • SHA1

      5f3500c5d5f646383e06033fb0650d9b83da98a8

    • SHA256

      a32770d46ee2ee5b91cc36e5159868ec3ff7f847e7516d7bcb952f7a94e347a2

    • SHA512

      cb6e052712ace47f371efdc93309ecc3bc7e85d897dc64e85c8fac3e436a3a714ffd140d465daf87a3f911f89bfbf4db90fe1bd7f579f5d108de51ace342b0fb

    • Babuk Locker

      RaaS first seen in 2021, initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    File Deletion, T1107 (2)

  • Credential Access

    Credentials in Files, T1081 (2)

  • Discovery

    Query Registry, T1012 (2)

    Peripheral Device Discovery, T1120 (1)

    System Information Discovery, T1082 (2)

  • Collection

    Data from Local System, T1005 (2)

  • Impact

    Inhibit System Recovery, T1490 (2)