Overview

overview

10

Static

static

10

exe.ransom...99.exe

windows7-x64

9

exe.ransom...99.exe

windows10-2004-x64

9

exe.ransom...55.exe

windows7-x64

10

exe.ransom...55.exe

windows10-2004-x64

10

exe.ransom...FA.exe

windows7-x64

10

exe.ransom...FA.exe

windows10-2004-x64

10

exe.ransom...41.exe

windows7-x64

10

exe.ransom...41.exe

windows10-2004-x64

10

exe.ransom...98.exe

windows7-x64

9

exe.ransom...98.exe

windows10-2004-x64

9

exe.ransom...10.exe

windows7-x64

10

exe.ransom...10.exe

windows10-2004-x64

10

exe.ransom...26.exe

windows7-x64

10

exe.ransom...26.exe

windows10-2004-x64

10

exe.ransom...E5.exe

windows7-x64

10

exe.ransom...E5.exe

windows10-2004-x64

10

exe.ransom...DC.exe

windows7-x64

10

exe.ransom...DC.exe

windows10-2004-x64

10

exe.ransom...92.exe

windows7-x64

3

exe.ransom...92.exe

windows10-2004-x64

3

exe.ransom...3A.exe

windows7-x64

10

exe.ransom...3A.exe

windows10-2004-x64

10

exe.ransom...AA.exe

windows7-x64

3

exe.ransom...AA.exe

windows10-2004-x64

3

exe.ransom...5C.exe

windows7-x64

10

exe.ransom...5C.exe

windows10-2004-x64

10

exe.ransom...A6.exe

windows7-x64

9

exe.ransom...A6.exe

windows10-2004-x64

9

exe.ransom...AF.exe

windows7-x64

exe.ransom...AF.exe

windows10-2004-x64

exe.ransom...11.exe

windows7-x64

10

exe.ransom...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    exe.ransomware.lockbit.zip

  • Size

    66.5MB

  • Sample

    221201-gp54tsec7w

  • MD5

    dd96e1a6f74ed2d418ebb5be0198f46b

  • SHA1

    039702613f0fda0e2e67f3720cf47863543a0484

  • SHA256

    5339981168dfcefb874dc7e82563fa7aca047f17b1184ae8db9336a2335473a9

  • SHA512

    2e748d5eb91cd811c872ddb692739273d5497fd9e48353d418e783f5ce154fa5d3bc178c9023037f785c3328340ca3cbd12f396cf7abb18f3a0f2727fa9662dc

  • SSDEEP

    786432:1VHIImoKfuQsMVwtzyyOyqwEqv0Zf3YLcWzr6RBWQ0+Bzfysaq:ZKmQsM9nZf3IcWQ0+BzfKq

Score
10/10
babukmedusalockerransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
----------- [ Hello! ] -------------> ****BY NAME LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to contact us? ---------------------------------------------- support: [email protected] admin: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

Extracted

Path

C:\Restore Your Files.txt

Ransom Note
[+] What has happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ".chernobyl". You can restore everything, but you need to follow our instructions. Otherwise, you can never return your data. And that shouldn't be the only worry on you mind, since we downloaded sensitive information from your network prior to it's encryption. If our demands are not met, we'd be forced to release it publicly. Some highly valuable information will be sold to other cybercriminals who would be commiting financial fraud for the upcoming month with the personal data of your employees [+] Guarantees [+] To restore your network and secure the personal information of your company - you should pay the ransom. We guarantee that we will restore your network, delete all your data from our servers, it will not be leaked nor sold anywhere. That is our promise and business model In addition we will provide you with instructions on patching vulnerabilities in the network so that you would be secure in the future. Consider it a cybersecurity expenditure, and us - consulting/auditing company, albeit illegal but very professional one Now to the main agenda: we demand 60 thousands EUR in bitcoin, it's a very modest price compared to what you'd be asked for network restoration or hiring cybersecurity company to deal with vulnerabilities(and I promise you, they can't recover your data - usually they just receive hefty payment, pay the asked ransom from it and save the cut, they're real crooks :D) Also this sum includes dissuasion to sell your data, which would damage your reputation. If you pay - nothing will be leaked nor sold [+] How to pay/negotiate [+] Our contact details are as follows: [email protected] Btc wallet for payment: 1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2 You can google how to buy bitcoins, it's fairly straightforward and easy nowadays. As soon as the payment done, we will send you the decryption keys along with instructions on how to use it. Additionally we will provide you with guidance on how to fix vulnerabilities or answer any of your questions on the topic, feel free to contact us ----------------------------------------------------------------------------------------- We advise against using any sofware to restore your files. You will certainly not succeed but you might damage them so that further restoration will be impossible. On our part, we guarantee help ----------------------------------------------------------------------------------------- With regards, Valeriy Legasov, CTO of Chernobyl Group
Wallets

1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2

Extracted

Path

C:\Help Restore Your Files.txt

Ransom Note
ATTENTION! Gentlemen! Your business is at serious risk. There is a significant flaw in your company's security system. We easily penetrate your network. You should thank the Lord that you were invaded by serious people, not some stupid students or dangerous punks. They can damage all your important data just for fun. Now your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Nobody can help you restore files without our special decoder. The only file recovery method is to buy a decryption tool and an exclusive key for you Delta Plus 2.4 version. This software will decrypt all your encrypted files. What guarantees do you have? Free decryption as a guarantee You can send us up to 1 file for free decryption. The file size must be less than 1 Mb (not archived). We do not decrypt for testing DATABASE, XLS and other important files. Remember this. decoding cost The cost of decryption is $10,500 USD. We only receive payment in BITCOINS. (Bitcoin is a form of digital currency) 50% discount available if you contact us within the first 72 hours, the price for you is $5250 USD. Each day of delay will cost you an additional $100 nothing personal just business contact emails [email protected] or [email protected] Value First 72 hours: $5250 USD. Bitcoin Address: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs No system is secure
Wallets

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
----------- [ Hello world! ] -------------> ****BY BABUK LOCKER**** Ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. Now that we got your attention, lets make it short... -WHAT HAPPENED? ----------------------------------------------Some bad news... -All the files on your computer/network have been encrypted with SHA-256, ChaCha8 and ECC algorithms-translated, you can't open/decrypt your files on your own. -All your files such as customers info, scans, billing, insurance, passports... are in our hands now and we might decide to sell/make them public if you dont contact us. -Dont forget about GDPR ) ----------------------------------------------Some good news... -Contact us with the information below and you will recover all your data with our universal decryptor and we will permanently delete your info from our servers. WHAT GUARANTEES? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. Just google us, we have the decryption keys and we never leaked information of any paying company. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. Also information on how all this happened and further information to help you increase your network security, so this won't happen again. How to contact us? Good decision) ---------------------------------------------- -Send us an email: [email protected] [email protected] make sure you check your spam folder for our reply. -qTox for instant support, download TOX (https://tox.chat/download.html): our tox ID: 81B2B719AB9BDDCE9116776FA01956C2D4BB8A7CA5464592593F9A25DA1F91174391480C6DC0 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!! Customer ID: S01E01AMS-DB7
URLs

https://tox.chat/download.html

Targets

    • Target

      exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879

    • Size

      79KB

    • MD5

      e3dd1eb73e602ea95ad3e325d846d37c

    • SHA1

      a0a4fb4a58f663d2ff12d6efac1b07b63eb03e28

    • SHA256

      0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879

    • SHA512

      0bac92222143f699a5c01403b6aeefdc8b05fa73928186bee9e8a63d8f9da7486b5e4a5720bade9be17e884f8ef651e3f0bbb0c556b33e330f8788832d22a639

    • SSDEEP

      1536:F6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:RhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    9/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F

    • Size

      79KB

    • MD5

      e9fca248189c7cf66e7b6471713b0f98

    • SHA1

      a17d9d6dbb4fda3aa7bd4600d0fef75cc9a8a405

    • SHA256

      00e559a406f5d78514ada50fe573374d78fcc5c12c6d443d07311131b2542e2f

    • SHA512

      460c32147156d63160a51a7710be9bd4c1bcea944a54c0fe57adc05911377ef922e3d9e2c9a310d664c2c20d683454cc5984395649e47ec6a2033d6d15ab900d

    • SSDEEP

      1536:r6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:vhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

    • Target

      exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC

    • Size

      79KB

    • MD5

      eb9e0b14e2235af24eeee881892fc825

    • SHA1

      3fb00aa10ccfaedfd29f8b01ef6ef4434d260eb9

    • SHA256

      028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc

    • SHA512

      c341517ba090bf530bd1324758644c8d6d2e488912bae19e0b066d508f3e37845ca8b39e5ee86fe75b22126d5d4bcb4957f58e02360c2606f9c0278382238c0a

    • SSDEEP

      1536:m6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:ghZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

    • Target

      exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59

    • Size

      79KB

    • MD5

      d3c83232b0e85485724c4029e8b93dc1

    • SHA1

      2cfe3762a2e0c7e9a15bd617e693076f47d84028

    • SHA256

      0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

    • SHA512

      07d83a9b09452eab085bec3819a1bd5353e2364c134cf87fe0c1a6770ed447d32cb954c98337ca6121fce2db1dff05a5ea5518239f4bb02ca50dabee02cab490

    • SSDEEP

      1536:2PG6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:OAhZ5YesrQLOJgY8Zp8LHD4XWaNH71dc

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral7behavioral8

    • Target

      exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3

    • Size

      79KB

    • MD5

      c7ec4e7022f26949ed39033616efe894

    • SHA1

      0e4da1fa8b3bc8b2f410cfd7230b9fc70dc10670

    • SHA256

      02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3

    • SHA512

      04976b2e50e5f7f7a067b0dc07072f22c607d8ae6c33b4ec4e65a851b71bef939725f29fdeaa7a943033a9aa6b5f9a09f1d029860a0dbd6184be768754982aff

    • SSDEEP

      1536:/hkWBeGnwEvWsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:LBevwWsrQLOJgY8Zp8LHD4XWaNH71dLc

    Score
    9/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral10behavioral9

    • Target

      exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7

    • Size

      79KB

    • MD5

      1dbd0abfdd692d5939f2aa201674d870

    • SHA1

      5a8d3472a642eb62cfde5e4db469c62422b16792

    • SHA256

      03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7

    • SHA512

      ad1398d865cda6c009cfab67901fcb7f2928a5b7dfd8cdc0a892bb6f1ec62f8d492f1f3a59277afac2251ebe2069a243b66d57754629290bbf68791f586c7311

    • SSDEEP

      1536:d6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:5hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral11behavioral12

    • Target

      exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3

    • Size

      72KB

    • MD5

      1b1285367305da0324daf76b0d524086

    • SHA1

      61bae11359a57fb4238374da269c05232068a6db

    • SHA256

      04126b30c1c2663cdf2b6386781aedbfce2ef418a0b01de510bd536903f577e3

    • SHA512

      c1f655f665008cf40c1a8222f56b44a9bdf8959d913eb5dc0cff8a9c4ac5db8b35f6ea9828748e344c13337bd618956494c7ff4c4347df6d02525b0e9376909d

    • SSDEEP

      1536:3rM/TWBeGB3yKNQETsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2905:3Be1asrQLOJgY8Zp8LHD4XWaNH71dLdH

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral13behavioral14

    • Target

      exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8

    • Size

      79KB

    • MD5

      643c8c25fbe8c3cc7576bc8e7bcd8a68

    • SHA1

      5440796acedc3d0d847c8a812e5e647460ae3a27

    • SHA256

      049e53f72c8afa5ccb850429d55a00e2fbe799e68247fd13f5058146cf0f4cf8

    • SHA512

      d2042c4a908a53b59e52cc3ebf4c13fd7c537761de8fe33a65a664a055b13b6c58fbb482824e68764a09299affe1b592e72b6c846d8a65ddb1ace6a396bc371c

    • SSDEEP

      1536:4dikWBeG/LEq1srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:HBeMJ1srQLOJgY8Zp8LHD4XWaNH71dLT

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral15behavioral16

    • Target

      exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F

    • Size

      79KB

    • MD5

      71c3b5e49e75e1d593b81bdc9cca7507

    • SHA1

      911bc4790b653276e946a05bce4bb583192c61dd

    • SHA256

      05adc97abe6349c6132aa4ab44006b51945225a1ec764c87b781d5044a4e176f

    • SHA512

      e954e1e30075f378f4c87f1f29b0aadb908b08cec81cf671df552d56a21387abb31a07843c8786f63cb1797f983db7c9b18a8d82cd68051305c972bb81b34736

    • SSDEEP

      1536:R6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:9hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral17behavioral18

    • Target

      exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057

    • Size

      68KB

    • MD5

      ca8f16095de5ba8a08b1feb119eac680

    • SHA1

      7644cb98ba41682021727232b547d2712419490e

    • SHA256

      089929f1cde37e9fd14dd09a7844272678ac48e47887ede23b561d156fe50057

    • SHA512

      d4dc713f02f191faab71b9b5122ef5992632e712de1c5c3b2a36ab919cb45048ed8981fc95624aee1be05579ec8e3f18a9ba47b33f8ae31d150efb0930c6f705

    • SSDEEP

      1536:yohF6+Kmq1sAFmDR3zzLssrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2pyqMsi:yQY+KmqOAADR3zcsrQLOJgY8Zp8LHD4G

    Score
    3/10
    behavioral19behavioral20

    • Target

      exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F

    • Size

      79KB

    • MD5

      2245c35306910a280961d356e4b5ab94

    • SHA1

      0ca5cc08a4f5226332d2ce49a9131216ac32bec2

    • SHA256

      0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f

    • SHA512

      09342308aebf1f5bcf494904b00eba2df9faa75c1d884dd8f2e706e4429905244e269bedc28c71d692348a87a257a4b00b12aa79e9a9b7f7498a441a73344ac4

    • SSDEEP

      1536:m6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:ghZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral21behavioral22

    • Target

      exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23

    • Size

      68KB

    • MD5

      4f10d3d19db282da43446544e07e7aab

    • SHA1

      25a558a01a14282d4075490d6ca8beacd7cc4b06

    • SHA256

      0bbaabb3c8603c5c10be282dfd13c776612fde54d18ddd06a96ad42e9b3baf23

    • SHA512

      05eba8c6d07d10198014ca418c800df45dfb62e566ef7c20362773635fedffc083aa1de21b82aac54acfceb6f32ad3f9d627af605373f24b2fd4f2873fb27fd9

    • SSDEEP

      1536:yHjUeTD0DsbEmDx1xhiBsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hyqM8EQ:yDUeTD0gbrDx1xusrQLOJgY8Zp8LHD4D

    Score
    3/10
    behavioral23behavioral24

    • Target

      exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5

    • Size

      79KB

    • MD5

      a55fa9c010416b233a1f8e63b658ecbc

    • SHA1

      75a580aa9cc3f4901e229843411f6e2669256525

    • SHA256

      0c55c4fb23178948e0df495158b290cce676bc93c5927e8ea57d93b3128972f5

    • SHA512

      71889ebe24f6836c08db83f36f54dc53b4ef8d2d3f31a1e42e68e40eb74f6ffaa4456a3876a4dd2f7da9e4783c41c768f964d50c8da0d96748fe06257d07dacf

    • SSDEEP

      1536:n6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:bhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral25behavioral26

    • Target

      exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA

    • Size

      78KB

    • MD5

      754f324349f65108552dab958549739a

    • SHA1

      02b05c57c37e3a1abb4e6f06a0c53af24013cfa0

    • SHA256

      0d3a60c89463ac1e39fa7cff05f7ab365b32096e89f49000f26ecdd1d542d5ea

    • SHA512

      4f03387bd3473dc70854647efb8876ed487e3e8aa0c00729cc25c2cebeb75adf394f7f3cb78b8c7970132bce12c913c4d51d1cd841dfbeeacf968c58ec866c84

    • SSDEEP

      1536:J1kWBeGcADE6fsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2EMfq:5Bek5fsrQLOJgY8Zp8LHD4XWaNH71dLM

    Score
    9/10
    ransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral27behavioral28

    • Target

      exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B

    • Size

      67KB

    • MD5

      63b475e11b85f91942bcec10cc77bee9

    • SHA1

      450d3c8a613146140d04d2b75de90acee48958eb

    • SHA256

      105af5c40c65f51979308e022c25dd285db3cd20e9656caaba0e9b1fc253898b

    • SHA512

      1e55613646f3aabb692b1aa7fd20545730ba982720d52dd49dc233fba488f70bd0d5a889f26d6a955700ee5ec664d55569d4e927fc1aee4e26cc2e528ccf34d1

    • SSDEEP

      1536:PhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG27:LBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLr

    Score
    1/10
    behavioral29behavioral30

    • Target

      exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223

    • Size

      78KB

    • MD5

      b43e8b865d3339eeb8b8b11f900f6c89

    • SHA1

      52538e17d4dc85c22f6a01acbbc8caa7447a50b0

    • SHA256

      106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223

    • SHA512

      cc31cbf27ab26bd026c6a92af518ecf5fdaf32c1607813c192fb080de2f8ed54b8f9b360c14f885db5ffd65ea99c013a36109e2e7c5c813f451eb3865f1c9ae0

    • SSDEEP

      1536:8LhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:UBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLT

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral31behavioral32

MITRE ATT&CK Enterprise v6

Tasks

static1

upxmedusalocker
Score
10/10

behavioral1

ransomware
Score
9/10

behavioral2

ransomware
Score
9/10

behavioral3

babukransomware
Score
10/10

behavioral4

babukransomware
Score
10/10

behavioral5

babukransomware
Score
10/10

behavioral6

babukransomware
Score
10/10

behavioral7

babukransomware
Score
10/10

behavioral8

babukransomware
Score
10/10

behavioral9

ransomware
Score
9/10

behavioral10

ransomware
Score
9/10

behavioral11

babukransomware
Score
10/10

behavioral12

babukransomware
Score
10/10

behavioral13

ransomware
Score
10/10

behavioral14

ransomware
Score
10/10

behavioral15

ransomware
Score
10/10

behavioral16

ransomware
Score
10/10

behavioral17

babukransomware
Score
10/10

behavioral18

babukransomware
Score
10/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

babukransomware
Score
10/10

behavioral22

babukransomware
Score
10/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

babukransomware
Score
10/10

behavioral26

babukransomware
Score
10/10

behavioral27

ransomwarespywarestealer
Score
9/10

behavioral28

ransomwarespywarestealer
Score
9/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

ransomware
Score
10/10

behavioral32

ransomware
Score
10/10