Overview

overview

10

Static

static

cf3bdf0f8e...f3.exe

windows7_x64

10

cf3bdf0f8e...f3.exe

windows10-2004_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7625526185.zip

  • Size

    721KB

  • Sample

    220629-r9bqtsadcn

  • MD5

    42af59f047b6cfc2bbbf814b19749326

  • SHA1

    9cb91c4848ecbf71341364ba4303787479c99b93

  • SHA256

    757a5f325f85b93bd7aaaf286ed25105a357fd867bd13648005fdfce60e10ef2

  • SHA512

    6bbdb6019c9c37189cb173af6bff253084ec02f8f16ceef92475caa85bd43fda5d26bc4967ceb55ce71a9852b7af5bd30ad7b3802e21fbe267d05dbf62adda68

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You need special decryptor for that. You will get decryptor after paying. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: astralocker2@tutanota.com Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You will harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Report to authoritaries. If You do it, key will be deleted, and Your files will be useless forever.
Emails

astralocker2@tutanota.com

Targets

    • Target

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • Size

      875KB

    • MD5

      f1dd01a9e4b959e569250354d74e0423

    • SHA1

      7e2e524fd33261449571f1334868b17ef46e550d

    • SHA256

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • SHA512

      d878f63456abdc4a67abd0bd208faf1e77c6baf470f84afa345c6c013f519fc4cff10ae5b3cd700e5fabf11fee3c7e1b357d81e89f7c8c09ce9ef53c99d76202

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks