Overview

overview

10

Static

static

08565f3458...b6.exe

windows7_x64

10

08565f3458...b6.exe

windows10-2004_x64

3

17ea24ce88...65.exe

windows7_x64

5

17ea24ce88...65.exe

windows10-2004_x64

3

5c061e1889...21.exe

windows7_x64

10

5c061e1889...21.exe

windows10-2004_x64

3

b0a010e5a9...b9.exe

windows7_x64

10

b0a010e5a9...b9.exe

windows10-2004_x64

3

cf3bdf0f8e...f3.exe

windows7_x64

10

cf3bdf0f8e...f3.exe

windows10-2004_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7676416129.zip

  • Size

    3.6MB

  • Sample

    220704-lp3e6aacd8

  • MD5

    6290574ee33a9cdd966d96db1cdad010

  • SHA1

    27f6efe3ff47fa40071d95bfd915739690291cc8

  • SHA256

    a9ce03985ab87b07c8481da5d59db8608b2fc946df99d0ff19dc0d34d66945ee

  • SHA512

    a07b23af9599ae8ffc7c4bbae41a6408df9aa701e455c35aa9b7a3a07a129a775db41f0297a9103815eddaeb207e1a454fa7daec430782508f6f993fa5146e8d

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: AstraLocker@ or astralocker@ to get the decryptor The best way is contact both. Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You can harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You need special decryptor for that. You will get decryptor after paying. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: [email protected] Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You will harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Report to authoritaries. If You do it, key will be deleted, and Your files will be useless forever.

Targets

    • Target

      08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6

    • Size

      873KB

    • MD5

      827ce17c53de507c34b000e73c103de7

    • SHA1

      c15011e565af3b2845eb9707132d3187fb93a54e

    • SHA256

      08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6

    • SHA512

      e2f54c654a86718e456c18151653626fcb3a361c7717281a6eff47fb68ac0df673926edc4f459b5b7e2e4aaab9e0f644250d48475838b74c488e34e2bbeed766

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565

    • Size

      875KB

    • MD5

      4a4521edbd840696964c15c3375975ff

    • SHA1

      03234ca564f81757dd2334cbe60d8f5933024d09

    • SHA256

      17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565

    • SHA512

      bc740c63b7db2bc426c18569a532b30fb4ac7393d51d4cf449c22bf97fe5f76f2790b9cf1d3b2714fc55b578ad5cae438a53431e3899fb71cfa8af9448db4a1b

    Score
    5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821

    • Size

      923KB

    • MD5

      f61231237bbe45009996a9576eddde09

    • SHA1

      e73bda17b68f3b6f2995f4af10b4350f8050e2c8

    • SHA256

      5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821

    • SHA512

      3e18d118a7c8969202b243676ba768bf0f4e8d4dfae17ae9d25e624aea79634905771b20e933fb74571b1cf037eab8f3a85f85ff6e88d24778453a03662a3161

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

    • Size

      811KB

    • MD5

      7d710e304c5d5d1febe8c0e1bf14615a

    • SHA1

      34d813aedb66d14ece1276f8ee61a568546c8dbe

    • SHA256

      b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

    • SHA512

      6ece233063306b29c3abf1d4449a9cf172a77f44f2f2ceb48ea23161de57aa795c720d263ea9d6964c7ec5756024e21a6464cabd47c6a8ca9e49263b2b339bab

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • Size

      875KB

    • MD5

      f1dd01a9e4b959e569250354d74e0423

    • SHA1

      7e2e524fd33261449571f1334868b17ef46e550d

    • SHA256

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • SHA512

      d878f63456abdc4a67abd0bd208faf1e77c6baf470f84afa345c6c013f519fc4cff10ae5b3cd700e5fabf11fee3c7e1b357d81e89f7c8c09ce9ef53c99d76202

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral9behavioral10

MITRE ATT&CK Enterprise v6

Tasks