Resubmissions

Date               Submission ID       Score
03/05/2023, 06:56  230503-hqll9adh35   10
02/05/2023, 10:00  230502-l1wfzsae76   10
28/01/2023, 20:32  230128-zbct8sgc59   10
28/01/2023, 20:31  230128-za2rzahf8x   3
23/01/2023, 21:24  230123-z9hhdafe87   10
23/01/2023, 21:19  230123-z6jw2afe75   10
23/01/2023, 21:08  230123-zy4apsfe37   10
23/01/2023, 20:56  230123-zrhenafd86   10
23/01/2023, 16:41  230123-t7eqtafg6t   10
23/01/2023, 16:29  230123-tzremseb62   10

General

  • Target

    lawsuit.zip

  • Size

    8.5MB

  • Sample

    230123-twbj1sfg2v

  • MD5

    01ccead2e9497ce04ab0c2531320224d

  • SHA1

    9b7ebc4d8f97b0e7463a382f3b748a4be48a06a1

  • SHA256

    c898a07ac3e02231a48bf55bd8828d4c77c7ea3c5cfe80e9eec44c81cb476cbb

  • SHA512

    25a07ce5f211dfef00939eb61084675991b72d859ddd39db0d1e5af591811675cec30cc9a6ce397ad2d2abbcc60faff02e556bf8ff6c86045b8d23e6843c04cb

  • SSDEEP

    98304:w9D8TiRYDS2JAVvOhwGw7Kn7iL/ji7BmdAMdT+a3bRQXR5s6PX2STjwmZ0nZSmAL:M+K2JgmwwOL7cLy+aW5puAjgtp5YVr

Malware Config

Extracted

Path

C:\wKTiyscK2.README.txt

Ransom Note

To recover your encrypted data, you must purchase a decryptor from us. We accept XMR (Monero) or BTC (Bitcoins) cryptocurrencies.

XMR payment must be sent to: 8AP3aG4nxR3gka11FEDnJGftEyJkQLTVEQjPgrzkh2JU9u6KZYtLdn9eQynn1ogJgUhPBHVp6UoWANgETHK9wHUtQHLcSAa
BTC payment must be sent to: 14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88

If you pay within 3 hours, then you only have to pay either 5 XMR or 0.1 BTC.
If you pay within 6 hours, then you only have to pay either 15 XMR or 0.3 BTC.
If you pay within 12 hours, then you only have to pay either 45 XMR or 0.9 BTC.
If you pay within 24 hours, then you only have to pay either 135 XMR or 2.7 BTC.
If you pay within 48 hours, then you must pay either 405 XMR or 8.1 BTC.
If you pay within 96 hours, then you must pay either 1215 XMR or 24.3 BTC.
After 96 hours you cannot recover your data.

If you cooperate with us, then you will recover your data. If you delete or alter your files, or if you attempt to recover the data yourself, then your data will be lost forever. The decryptor won't work if you modify anything.

To receive the decryptor to recover your data, carefully follow these instructions:
1. Send XMR to 8AP3aG4nxR3gka11FEDnJGftEyJkQLTVEQjPgrzkh2JU9u6KZYtLdn9eQynn1ogJgUhPBHVp6UoWANgETHK9wHUtQHLcSAa
2. Pay in full. Any lesser amount will be ignored. Copy and paste the XMR address. Do not type it by hand.
3. Email us at [email protected]
4. Include the TXID and TXKEY of your payment at the beginning of your email. So we know it is from you. Emails without this info will be ignored.
5. Plain text only. Any attachments, links, javascript, or other fingerprinting will be blocked and ignored, and we will not send the decryptor.
6. Please be patient. We check email often but not every second. Using your normal email will expedite your recovery.
7. If our email is broken, bounces back, or is compromised, then you may instead email us at: [email protected]
8. After 1 confirmation on the blockchain, of the correct amount according to the timetable, only then will we reply with the decryptor.
9. You may need to check your spam folder for our reply. The decryptor will include instructions how to fully recover your data.

If you are too stupid to use XMR, then you may instead pay with Bitcoins. Bitcoins may be sent to: 14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88
Please include your BTC TxID in your email and a very brief explanation why you're stupid. If you are too stupid to understand that your data are gone forever, unless you pay, then not even a decryptor can help you. If you are smart enough to understand why you're racing and whom you're racing against, then tell us in your email. If correct, then we will fully refund your XMR or BTC when we send the decryptor. We don't think you're smart enough to understand why you're racing, but we hope to be surprised.

WE WILL NOT REPLY UNTIL PAYMENT IS RECEIVED. WE WILL NOT SEND THE DECRYPTOR IF YOU ATTEMPT TO IDENTIFY US OR STOP US IN ANY WAY. IF YOU COMPLY AND PAY, YOUR DATA CAN BE RECOVERED IN LESS THAN A DAY. IF YOU HAVE BACKUPS AND ARE UNAFFECTED BY THIS RACE, THEN YOU ALREADY WON.

Wallets

14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88

Targets

    • Target

      lawsuit/cohen_al‮‮‮lme.exe (the filename contains Unicode right-to-left override characters after "cohen_al", so file listings render the .exe extension disguised)

    • Size

      6.6MB

    • MD5

      85c334bcbc345885521e123ebd3772d1

    • SHA1

      59f5c305e1953b724a58522ee727f024c74005da

    • SHA256

      0149fd43bdf3d18369d8993505dd719631eec255eab97a0ad1dbc28ed38d5a54

    • SHA512

      aea3f467c4a450de44e4c2355c30f2de11a98d77fcad465675eec0fcba35709ef23b5df9f0cbc06363c43009384d8a529567cd05c43d94fc3385f53bb95c517a

    • SSDEEP

      196608:LuoqdQmRrdA6lsuErSEEJwdF65tYPXki:S9dQOls+9J5t6

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, etc.

    • Drops desktop.ini file(s)

    • Target

      lawsuit/disclaimer_.jpg

    • Size

      4.4MB

    • MD5

      b5fcc0c469b26f237a98ff942c36d16a

    • SHA1

      10069dd89fec1caeb0e789b78cdd7da08718ddd6

    • SHA256

      5ac97df082e0ab86e429c128ce033bd1bf1a23274cf156ab2063dcbb9c582229

    • SHA512

      fc5fc46fcd5cf9d33ba1b65bcebc3a63d2782c3ed5821c844f8e7b6dd085352f6a48c69ba6705ae542712084cc9b60f18c20680c66e5944aece094b70e9b0d0f

    • SSDEEP

      49152:vQkQOzbBX1WtLOHeJAJmIY74HpGlTmnpzWbYhXNotM+uzwALWorx1+:v3W1OKAmF4MdmAYhoMyorx1+

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks