General

  • Target

    LB3_ReflectiveDll_DllMain-cyt.dll

  • Size

    1MB

  • Sample

    220925-lf7craebc8

  • MD5

    a0238fac8e650339116bbb380066d949

  • SHA1

    fcd5d98edcc42d320694185c7224a8168b1e8db2

  • SHA256

    5428902b4c844160cb0ee6282a078cbf24d87d46b061ede83ef21682d474cc15

  • SHA512

    5cc4adad36858a340edff775cc46d2b16515a919231cd4a8cb75929fd2ac02e2037a00c7a4c5620af05e5d842ea5f8a04ef7e2597cdddeb35f23465fac36f48d

  • SSDEEP

    24576:As6VSLLsktePr7vfObQywjVhK6at0EO1Z/wMmM6z/OQb2iZIiylxvl6tqbSwbWV:xgSLJmXviQyK/F1x6DBUN6Dq0

Malware Config

Extracted

Path

C:\1GLtau6EZ.README.txt

Ransom Note

GREETINGS FROM BL00DY RANSOMWARE GANG What happened ? Your entire company network is penetrated and encrypted. All files on servers and computers locked and not usable Dont panic All files are decryptable We will recover all your files to normal What Bl00dy Gang take / steal from your company network ? We download your company important files / documents / databases/ mails / accounts We publish it to the public if you dont cooperate . What BL00DY Gang needs from YOU ? We expect nothing except appreciating our work PAY US in this way you appreciate our work How to contact the BL00DY Gang for ransom negotiations ? filedecryptionsupport@msgsafe.io Telegram hall of shame , where all company private data will be PUBLISHED?? https://t.me/bl00dy_Ransomware_Gang What Quarantees ? we are not a politically motivated group and we do not need anything other than your money. If you pay, we provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We will help protect your company from any other attacks ; we will give you tips to secure company network We always keep our promises. !!! BEWARE !!! If you have Backups and try to restore from backups . All entire company files / databases / everything will be posted online DON'T try to rename or modify encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Do not report to Police or FBI , they dont care about your business .They will tell you not to pay and you will lose all your files. Recovery Company Cannot help You . things will get rather worse . speak for yourself.
Emails

filedecryptionsupport@msgsafe.io

URLs

https://t.me/bl00dy_Ransomware_Gang

Targets

    • Target

      LB3_ReflectiveDll_DllMain-cyt.dll

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic, then technique (number of matched signatures) and technique ID:

  • Defense Evasion

    Virtualization/Sandbox Evasion (2): T1497

  • Credential Access

    Credentials in Files (1): T1081

  • Discovery

    Query Registry (4): T1012
    Virtualization/Sandbox Evasion (2): T1497
    System Information Discovery (4): T1082

  • Collection

    Data from Local System (1): T1005