General
Target

7676416129.zip

Size

3MB

Sample

220704-lp3e6aacd8

Score
10/10
MD5

6290574ee33a9cdd966d96db1cdad010

SHA1

27f6efe3ff47fa40071d95bfd915739690291cc8

SHA256

a9ce03985ab87b07c8481da5d59db8608b2fc946df99d0ff19dc0d34d66945ee

SHA512

a07b23af9599ae8ffc7c4bbae41a6408df9aa701e455c35aa9b7a3a07a129a775db41f0297a9103815eddaeb207e1a454fa7daec430782508f6f993fa5146e8d

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: AstraLocker@ or astralocker@ to get the decryptor The best way is contact both. Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You can harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You need special decryptor for that. You will get decryptor after paying. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: astralocker2@tutanota.com Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You will harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Report to authoritaries. If You do it, key will be deleted, and Your files will be useless forever.
Emails

astralocker2@tutanota.com

Targets
Target

08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6

MD5

827ce17c53de507c34b000e73c103de7

Filesize

873KB

Score
10/10
SHA1

c15011e565af3b2845eb9707132d3187fb93a54e

SHA256

08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6

SHA512

e2f54c654a86718e456c18151653626fcb3a361c7717281a6eff47fb68ac0df673926edc4f459b5b7e2e4aaab9e0f644250d48475838b74c488e34e2bbeed766

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565

MD5

4a4521edbd840696964c15c3375975ff

Filesize

875KB

Score
5/10
SHA1

03234ca564f81757dd2334cbe60d8f5933024d09

SHA256

17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565

SHA512

bc740c63b7db2bc426c18569a532b30fb4ac7393d51d4cf449c22bf97fe5f76f2790b9cf1d3b2714fc55b578ad5cae438a53431e3899fb71cfa8af9448db4a1b

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821

MD5

f61231237bbe45009996a9576eddde09

Filesize

923KB

Score
10/10
SHA1

e73bda17b68f3b6f2995f4af10b4350f8050e2c8

SHA256

5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821

SHA512

3e18d118a7c8969202b243676ba768bf0f4e8d4dfae17ae9d25e624aea79634905771b20e933fb74571b1cf037eab8f3a85f85ff6e88d24778453a03662a3161

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

MD5

7d710e304c5d5d1febe8c0e1bf14615a

Filesize

811KB

Score
10/10
SHA1

34d813aedb66d14ece1276f8ee61a568546c8dbe

SHA256

b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

SHA512

6ece233063306b29c3abf1d4449a9cf172a77f44f2f2ceb48ea23161de57aa795c720d263ea9d6964c7ec5756024e21a6464cabd47c6a8ca9e49263b2b339bab

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

MD5

f1dd01a9e4b959e569250354d74e0423

Filesize

875KB

Score
10/10
SHA1

7e2e524fd33261449571f1334868b17ef46e550d

SHA256

cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

SHA512

d878f63456abdc4a67abd0bd208faf1e77c6baf470f84afa345c6c013f519fc4cff10ae5b3cd700e5fabf11fee3c7e1b357d81e89f7c8c09ce9ef53c99d76202

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    3/10

                    behavioral3

                    Score
                    5/10

                    behavioral4

                    Score
                    3/10

                    behavioral5

                    Score
                    10/10

                    behavioral6

                    Score
                    3/10

                    behavioral7

                    Score
                    10/10

                    behavioral8

                    Score
                    3/10

                    behavioral9

                    Score
                    10/10

                    behavioral10

                    Score
                    3/10