General
Target

c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe

Size

308KB

Sample

220410-d9b5psggb3

Score
10/10
MD5

75a6690d9a4a89bd0cf6ceebcffd3c41

SHA1

678ddaaaa14fcd7b90bfa2b673221378e032fdbf

SHA256

c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24

SHA512

37273a97459d3624e77c8b586acbed6836a88d9c4975625a654f55eccdabeb9d4dcd55598779ec7bfe3e682e725597468ef59fee9e18263a3a00c86bf962e526

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
--------------- Hello --------------- *** By BABUCK LOCKER *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to babuckransom@tutanota.com 3) Launch decryptor.exe, which our support will send you through email What guarantees? ----------------------------------------------------- We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ----------------------------------------------------- !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Emails

babuckransom@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Targets
Target

c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe

MD5

75a6690d9a4a89bd0cf6ceebcffd3c41

Filesize

308KB

Score
10/10
SHA1

678ddaaaa14fcd7b90bfa2b673221378e032fdbf

SHA256

c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24

SHA512

37273a97459d3624e77c8b586acbed6836a88d9c4975625a654f55eccdabeb9d4dcd55598779ec7bfe3e682e725597468ef59fee9e18263a3a00c86bf962e526

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    10/10