General

  • Target

    이력서12.zip

  • Size

    783KB

  • Sample

    230321-bc12fsaa8z

  • MD5

    b84ad67ac5e6bda5b67396ff1ad0a60d

  • SHA1

    ad992ac91210fd828225f4fd133e822aed3207e5

  • SHA256

    9916a835c20ea3eb75657f34eeb0fa152e72b374954bea087445d7e383e68455

  • SHA512

    0e80408a147b3a29a802b97dbab0819bdd509792f3d1a0e91e4c29cf5258820eb9ca7764584757b20ebbc8609881e330af5d0f44c8eb5b3b18d18479f07a6f71

  • SSDEEP

    12288:SuP7bSmQucJGzJUpkc+MKqApglBZfDnBGk3Pbv9NyutE04mbPW:pDckJU/OqBJnLpK0t7W

Malware Config

Extracted

Family

vidar

Version

3

Botnet

889f306780b9cb1c51407e1397fad1d6

C2

https://t.me/zaskullz

https://steamcommunity.com/profiles/76561199486572327

http://135.181.87.234:80

Attributes

  • profile_id_v2

    889f306780b9cb1c51407e1397fad1d6

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: ACF79CA40C29031AF5C1715E8CDE968A

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: ACF79CA40C29031A285E1C88055C840D

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note

Any attempts to restore your files with the thrid-party software will be fatal for your files! To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us There is only one way to get your files back: Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! Follow the instructions on this page https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about All your stolen important data will be loaded into our blog if you do not pay ransom. Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.

URLs

https://decoding.at/

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or

https://decoding.at

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

Targets

    • Target

      이력서12/[[[이력서_230319]]] 경력사항도 같이 기재하였습니다 잘 부탁드립니다.exe

    • Size

      411KB

    • MD5

      fc2f9d2feb5b6b27ea26c52b94a5b13b

    • SHA1

      3782ee4101c30324a1ad34085e77ab5687f2f4f5

    • SHA256

      c3aebf9aaf4344ec8327a9a95490a3f8cc7bcb77f178ef91c17ddb39e486d095

    • SHA512

      f28e11b32ada626d01b975ccc0a0521f1e802ed395c6f42a328637fe5ac7c8d1f54bce8f9c2b3beb33b86bcd033db815dfa353d63d1ea65a655d3e792ca6b7b8

    • SSDEEP

      6144:GtwL4KduKVxtS+5oT2Xt6POVKE6wzcQdzNzjSImZnV0coMdL:GtwEKkuXe2cPOsc7d5zjYZV0BuL

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      이력서12/[[[지원서_230319]]] 경력사항도 같이 기재하였습니다 잘 부탁드립니다.exe

    • Size

      618KB

    • MD5

      1a87ef8545c41b63e977257b9ca28783

    • SHA1

      332ac4f7d6bc9475056c6e10c14354b241294c4e

    • SHA256

      3dd1f4cf287d2ba8351863bdd909e74e5e30248f89c0229e5b4ed3f2dca35728

    • SHA512

      f5c4aa9dd8a7eb3b5ff8d91979dd3f3ca49fd33511949887af36ef0456561039dd494f542e686846b018e2f5f08a3e0cd23eb80c8052fa71641a52bd65e72fd6

    • SSDEEP

      12288:rq5fNDCg6rovkRyuWtVgs37kyRoO5tOt5Uf1gGiJw/Rqthu8EgGL:mbCg6EYy5gS79RoO5tOrGi0sbpG

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks