Overview

overview

10

Static

static

b0a010e5a9...b9.exe

windows7_x64

10

b0a010e5a9...b9.exe

windows10-2004_x64

3

cf3bdf0f8e...f3.exe

windows7_x64

10

cf3bdf0f8e...f3.exe

windows10-2004_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7669536131.zip

  • Size

    1.4MB

  • Sample

    220705-lcrg5afgbn

  • MD5

    ffa68ff61e7bbd1f7f007ed198546175

  • SHA1

    38519bbdf82a61b2b011ae62fa31a18f8166bced

  • SHA256

    e1311de1d3979812f422ac4395483864c36adfd8ccaebdfec11fbd3630165111

  • SHA512

    5b1f5690b5b5a9f26802e83c48e62ead3875ea152b4ebcf6841edcee178a39b3f4c558bbed2f41838cdec275395bff1f2aec9f52efa72ae86dae69530cae82a9

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: AstraLocker@ or astralocker@ to get the decryptor The best way is contact both. Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You can harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
..;===+. .:=iiiiii=+= .=i))=;::+)i=+, ,=i);)I)))I):=i=; .=i==))))ii)))I:i++ +)+))iiiiiiii))I=i+:' .,:;;++++++;:,. )iii+:::;iii))+i=' .:;++=iiiiiiiiii=++;. =::,,,:::=i));=+' ,;+==ii)))))))))))ii==+;, ,,,:=i))+=: ,;+=ii))))))IIIIII))))ii===;. ,,:=i)=i+ ;+=ii)))IIIIITIIIIII))))iiii=+, ,:=));=, ,+=i))IIIIIITTTTTITIIIIII)))I)i=+,,:+i)=i+ ,+i))IIIIIITTTTTTTTTTTTI))IIII))i=::i))i=' ,=i))IIIIITLLTTTTTTTTTTIITTTTIII)+;+i)+i` =i))IIITTLTLTTTTTTTTTIITTLLTTTII+:i)ii:' +i))IITTTLLLTTTTTTTTTTTTLLLTTTT+:i)))=, =))ITTTTTTTTTTTLTTTTTTLLLLLLTi:=)IIiii; .i)IIITTTTTTTTLTTTITLLLLLLLT);=)I)))))i; :))# ASTRA LOCKER 2.0 #);=) :i)IIITTTTTTTTTLLLHLLHLL)+=)II)ITTTI)i= .i)IIITTTTITTLLLHHLLLL);=)II)ITTTTII)i+ =i)IIIIIITTLLLLLLHLL=:i)II)TTTTTTIII)i' +i)i)))IITTLLLLLLLLT=:i)II)TTTTLTTIII)i; +ii)i:)IITTLLTLLLLT=;+i)I)ITTTTLTTTII))i; =;)i=:,=)ITTTTLTTI=:i))I)TTTLLLTTTTTII)i; +i)ii::, +)IIITI+:+i)I))TTTTLLTTTTTII))=, :=;)i=:,, ,i++::i))I)ITTTTTTTTTTIIII)=+' .+ii)i=::,, ,,::=i)))iIITTTTTTTTIIIII)=+ ,==)ii=;:,,,,:::=ii)i)iIIIITIIITIIII))i+:' +=:))i==;:::;=iii)+)= `:i)))IIIII)ii+' .+=:))iiiiiiii)))+ii; .+=;))iiiiii)));ii+ .+=i:)))))))=+ii+ .;==i+::::=)i=; ,+==iiiiii+, `+=+++;` What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraLocker 2.0 Can I get My files back? ---------------------------------------------- Sure! But You need special decryptor for that. You will get decryptor after paying. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,0012 (Bitcoin) or Amount of Monero to pay: 0,30 (XMR) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus Contact ---------------------------------------------- After payment contact: astralocker2@tutanota.com Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Do NOT: 1)Change the extension of the files. You will harm it. 2)Move encrypted files 3)Try to recover files by Yourself. It is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Report to authoritaries. If You do it, key will be deleted, and Your files will be useless forever.
Emails

astralocker2@tutanota.com

Targets

    • Target

      b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

    • Size

      811KB

    • MD5

      7d710e304c5d5d1febe8c0e1bf14615a

    • SHA1

      34d813aedb66d14ece1276f8ee61a568546c8dbe

    • SHA256

      b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9

    • SHA512

      6ece233063306b29c3abf1d4449a9cf172a77f44f2f2ceb48ea23161de57aa795c720d263ea9d6964c7ec5756024e21a6464cabd47c6a8ca9e49263b2b339bab

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • Size

      875KB

    • MD5

      f1dd01a9e4b959e569250354d74e0423

    • SHA1

      7e2e524fd33261449571f1334868b17ef46e550d

    • SHA256

      cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3

    • SHA512

      d878f63456abdc4a67abd0bd208faf1e77c6baf470f84afa345c6c013f519fc4cff10ae5b3cd700e5fabf11fee3c7e1b357d81e89f7c8c09ce9ef53c99d76202

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

4
T1107

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Tasks