Overview

overview

10

Static

static

1957c3be12...d6.exe

windows7_x64

10

1957c3be12...d6.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.bin

  • Size

    413KB

  • Sample

    220627-mge6bsadgk

  • MD5

    73ba54e1bf3cef8f2a46bbc2ed73cfb9

  • SHA1

    3c9587ea9dc8039735398548fbc17ee50cf1b8b7

  • SHA256

    1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6

  • SHA512

    e71eb7e2afe93855e448f270c3e8847ac7d46865cbd2d106de9b39567a163af0059c8ff8889a3dfe1b4c717f90f7f483e48fb421c3ea1bc9f6608be8edad950a

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: [email protected]
URLs

https://bisq.network/

https://www.getmonero.org/

Targets

    • Target

      1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.bin

    • Size

      413KB

    • MD5

      73ba54e1bf3cef8f2a46bbc2ed73cfb9

    • SHA1

      3c9587ea9dc8039735398548fbc17ee50cf1b8b7

    • SHA256

      1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6

    • SHA512

      e71eb7e2afe93855e448f270c3e8847ac7d46865cbd2d106de9b39567a163af0059c8ff8889a3dfe1b4c717f90f7f483e48fb421c3ea1bc9f6608be8edad950a

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks