General

  • Target

    c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe

  • Size

    308KB

  • Sample

    220410-d9b5psggb3

  • MD5

    75a6690d9a4a89bd0cf6ceebcffd3c41

  • SHA1

    678ddaaaa14fcd7b90bfa2b673221378e032fdbf

  • SHA256

    c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24

  • SHA512

    37273a97459d3624e77c8b586acbed6836a88d9c4975625a654f55eccdabeb9d4dcd55598779ec7bfe3e682e725597468ef59fee9e18263a3a00c86bf962e526

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
--------------- Hello --------------- *** By BABUCK LOCKER *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decryptor.exe, which our support will send you through email What guarantees? ----------------------------------------------------- We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ----------------------------------------------------- !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Targets

    • Target

      c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe

    • Size

      308KB

    • MD5

      75a6690d9a4a89bd0cf6ceebcffd3c41

    • SHA1

      678ddaaaa14fcd7b90bfa2b673221378e032fdbf

    • SHA256

      c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24

    • SHA512

      37273a97459d3624e77c8b586acbed6836a88d9c4975625a654f55eccdabeb9d4dcd55598779ec7bfe3e682e725597468ef59fee9e18263a3a00c86bf962e526

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks