Overview

overview

10

Static

static

1

Rust LoL A...in.exe

windows7-x64

10

Rust LoL A...in.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Rust LoL Accounts Checker.bin.exe

  • Size

    5.6MB

  • Sample

    230306-yvy15seg29

  • MD5

    bded213b6ad8b501a9a8769498c06858

  • SHA1

    3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb

  • SHA256

    4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b

  • SHA512

    01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3

  • SSDEEP

    98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2

Score
10/10
lucastealerevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\RESTORE-MY-FILES.txt

Ransom Note
***SOLIDBIT RANSOMWARE*** All of your files are encrypted by SOLIDBIT ransomware and you cannot decrypt it without our help. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can recover all your files safely and easily with us. Contact Download Tor Browser - https://www.torproject.org/download/ and install it Open the link below in Tor Browser and follow instructions on this page http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion Decryption ID: 5-GA0R40JPX1LD1NXLMEBND8OIZSRTk8
URLs

http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion

Targets

    • Target

      Rust LoL Accounts Checker.bin.exe

    • Size

      5.6MB

    • MD5

      bded213b6ad8b501a9a8769498c06858

    • SHA1

      3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb

    • SHA256

      4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b

    • SHA512

      01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3

    • SSDEEP

      98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2

    Score
    10/10
    lucastealerstealerevasionpersistenceransomwarespyware

    • Luca Stealer

      Info stealer written in Rust first seen in July 2022.

      stealerlucastealer

    • Luca Stealer payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks