Resubmissions

14/12/2023, 08:25

231214-kbc3nsdha2 10

14/12/2023, 07:45

231214-jlfe4sccbr 10

Analysis

  • max time kernel
    519s
  • max time network
    579s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/12/2023, 07:45

General

  • Target

    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe

  • Size

    1.1MB

  • MD5

    4c7d2ec42f5b225982d9e2e96383a2fd

  • SHA1

    6edc8db346032a83402d7104c5783cc1e929e402

  • SHA256

    e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9

  • SHA512

    c83cd4b6394a2629ab7148cf1db73ae040d247809660e34ec895cee37af56e655f99db0eb88711d206407076b949dd5f5e4dad3be9f272bf2b7985575e147861

  • SSDEEP

    12288:TUOEh1CfIQ9wcSEzPXgFSuYxZyJhLA/3lqYV1lYT/S:oOq1cwcnjXgFSuYxZy72kYV1lYT

Malware Config

Extracted

Path

C:\Users\Admin\Albabat\readme.html

Ransom Note
243 files on your machine have been encrypted!

[+] I - ABOUT "Albabat Ransomware"
The "Albabat Ransomware" (White Bat - Translated from Latin) is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using military-grade symmetric and asymmetric encryption algorithm.

[+] II - THE KEY TO CRYPTOGRAPHY [+]
The "Albabat Ransomware" will automatically create a folder named "Albabat" in your user directory on your machine, but precisely in: "C:\Users\Admin\Albabat\" This folder contains the encryption KEY named "Albabat.ekey", and this same "README" file. This KEY Albabat.ekey performed the CRYPTOGRAPHY of your files, however, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), and only I (tH3_CyberXY) have the PRIVATE KEY to decrypt the "Albabat.ekey" KEY, and thus, you use it to decrypt your files. There is no way to decrypt your files without our data decryption service. There is no way to decrypt the files without decrypting the "Albabat.ekey" key. Don't delete, don't rename, don't lose the "Albabat.ekey" key. For security reasons, we even recommend making a BACKUP of the Albabat.ekey key.

[+] III - THE ENCRYPTION PROCESS [+]
Encrypted files have the extension ".abbt". Don't try to rename it, it won't work. On the contrary, you may corrupt your files. The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB). The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any. The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that. The "Albabat Ransomware" saves a log file named "Albabat.log" in the "C:\Users\Admin\Albabat\" directory. In this file you can see all files that were encrypted by "Albabat Ransomware" in path form.

[+] IV - HOW TO CONTACT US [+]
These are the only ways to contact us. Any other form found on the internet will be false. Contact by: Our Email: [email protected]

[+] V - PAYMENT [+]
The decryption process is PAID in Bitcoin, so you need to have Bitcoin balance at a cryptocurrency broker or in a cryptocurrency wallet to make the deposit in our Bitcoin address. You may want to read the FAQ page to know what Bitcoin is. Payment data: Our Bitcoin address: bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj Amount to pay: 0,0015
- To make payment and restore your files, follow these steps -
(1) Write down the data to make the transfer through our Bitcoin address and the AMOUNT payable specified. Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment.
(2) As soon as you make the payment to our Bitcoin address, send us an email. An example of an email to send us: Subject: Albabat Ransomware - I did the payment! Message: Hello, I made the payment. My BTC address where I made the payment is "BTC ADDRESS". The version of the "Albabat Ransomware" running on my machine was "0.1.0". Follow the attached KEY "Albabat.ekey". IMPORTANT: We will check if the payment was made using YOUR Bitcoin ADDRESS "BTC ADDRESS" in which the transaction was made, so it is IMPORTANT to inform us when sending us this email. It is also IMPORTANT to send us the KEY "Albabat.ekey" as an attachment, regardless of the form of communication you choose to use with us. We will decrypt it for you. You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "Albabat Ransomware Decryptor" attached (zipped). Albabat.key" and the "Albabat Ransomware Decryptor" within 24 hours, but it may vary for longer or less depending on our availability hours, and the number of demands we received. Be patient. After payment, we will send the decrypted KEY to you and the "Albabat Ransomware Decryptor", we are fair!

[+] VI - DECRYPTION [+]
> To decrypt your files follow the steps below:
(1) Place the "Albabat.key" that you received by email, inside the "C:\Users\Admin\Albabat\" directory, or, if you prefer, keep it in the same directory as "Albabat Ransomware Decryptor".
> IMPORTANT: At this point, it is very important that you close all open Explorer windows, and heavy programs, to prevent "Albabat Ransomware Decryptor" from crashing. And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process, as disabling it for just a few minutes remains active.
(2) Run "Albabat Ransomware Decryptor". An alert message will appear informing you that the decryption started, just click Ok.
(3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. You can see the decryption process by I live from your files, if I have time for that.
(4) After decryption is complete, all your files will be restored.
If you have further questions, such as: "How can I be sure you will decrypt my files?", you can read the FAQ page.

Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved. Maintained by: tH3_CyberXY.
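Section III of the note describes the artifacts an analyst can check for on a host: a per-user Albabat folder holding Albabat.ekey, readme.html and Albabat.log, victims renamed to .abbt, and a 5 MB ceiling on what gets encrypted. The Python script below is an added example, not code from this report or from the sample. It walks a tree for .abbt files, reconciles them against the paths in Albabat.log, flags any .abbt file larger than the note's stated limit, and hashes the ekey and the note so they can be compared with the values listed in this report. Two things are assumptions, not facts from the note: that Albabat.log holds one path per line (the note only says "in path form"), and that an entry may name either the original file or its .abbt rename. The victim tree it runs against is constructed in a temp directory so the script works offline.

```python
"""Reconcile Albabat artifacts on a host with the behaviour the ransom note describes.

Added example, not code from the report or from the sample. Assumed (the note
does not say): Albabat.log lists one path per line, naming either the original
file or its .abbt rename.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".abbt"
MAX_PLAINTEXT_SIZE = 5 * 1024 * 1024   # the note's stated ceiling
CIPHERTEXT_SLACK = 4096                # assumption: room for a header/IV/padding
# SHA-256 of readme.html captured in this report; a different hash means a different build of the note.
REPORT_README_SHA256 = "30001ed1d141ea23f1ea63926ba64200ac8e5ce3a4b4d49c4b811de79b5f9b33"


@dataclass
class Triage:
    encrypted_on_disk: list[str] = field(default_factory=list)
    logged_but_missing: list[str] = field(default_factory=list)
    on_disk_but_unlogged: list[str] = field(default_factory=list)
    oversize: list[str] = field(default_factory=list)
    ekey_sha256: str | None = None
    readme_matches_report: bool | None = None


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _key(path: str) -> str:
    """Case-normalised path with the .abbt suffix removed, so either log convention matches."""
    p = os.path.normcase(path)
    return p[: -len(ENCRYPTED_EXT)] if p.endswith(ENCRYPTED_EXT) else p


def parse_log(log_path: Path) -> set[str]:
    text = log_path.read_text(encoding="utf-8", errors="replace")
    return {_key(line.strip()) for line in text.splitlines() if line.strip()}


def triage(root: Path, albabat_dir: Path) -> Triage:
    t = Triage()
    log = albabat_dir / "Albabat.log"
    logged = parse_log(log) if log.exists() else set()
    ekey = albabat_dir / "Albabat.ekey"
    if ekey.exists():
        t.ekey_sha256 = sha256_file(ekey)   # preserve the ekey; it is the only route to the data
    readme = albabat_dir / "readme.html"
    if readme.exists():
        t.readme_matches_report = sha256_file(readme) == REPORT_README_SHA256
    for p in root.rglob("*" + ENCRYPTED_EXT):
        if not p.is_file():
            continue
        t.encrypted_on_disk.append(str(p))
        if p.stat().st_size > MAX_PLAINTEXT_SIZE + CIPHERTEXT_SLACK:
            t.oversize.append(str(p))        # contradicts the note's 5 MB limit; inspect by hand
    disk = {_key(s) for s in t.encrypted_on_disk}
    t.logged_but_missing = sorted(logged - disk)
    t.on_disk_but_unlogged = sorted(disk - logged)
    return t


def build_demo_tree() -> tuple[Path, Path]:
    """Constructed victim layout for a stand-alone run; not data from the sandbox."""
    root = Path(tempfile.mkdtemp(prefix="albabat_demo_"))
    albabat = root / "Albabat"
    albabat.mkdir()
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.abbt").write_bytes(b"\x00" * 512)
    (docs / "notes.txt.abbt").write_bytes(b"\x00" * 128)      # encrypted but never logged
    (albabat / "Albabat.ekey").write_bytes(b"constructed-ekey-bytes")
    (albabat / "readme.html").write_text("<html>constructed note</html>")
    # The log names the first file and a third one that is no longer on disk.
    (albabat / "Albabat.log").write_text(f"{docs / 'budget.xlsx'}\n{docs / 'deleted_later.pdf'}\n")
    return root, albabat


def run_demo() -> Triage:
    root, albabat = build_demo_tree()
    return triage(root, albabat)


if __name__ == "__main__":
    r = run_demo()
    print(f"encrypted on disk: {len(r.encrypted_on_disk)}, logged but missing: {r.logged_but_missing}")
    print(f"on disk but unlogged: {r.on_disk_but_unlogged}, oversize: {r.oversize}")
    print(f"ekey sha256: {r.ekey_sha256}, note matches this report: {r.readme_matches_report}")
```

Point `triage()` at a mounted image or a live profile with the real Albabat folder. Files listed in the log but absent on disk, or .abbt files the log does not mention, are where the note's own account of what happened stops being reliable and manual verification starts.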

Signatures

  • Renames multiple (167) files with added filename extension

    This suggests ransomware activity: files are being encrypted and renamed in bulk. The sandbox counted 167 renames while the ransom note claims 243 encrypted files; Albabat.log (captured below at 2KB, 3KB and 4KB as it grew) is the sample's own record of the encrypted paths and is the list to reconcile against.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. Here the read is most likely the chrome.exe instance the sample launches to display readme.html touching its own profile (see the Preferences writes under Downloads); nothing on this page shows the sample itself harvesting browser data.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
    "C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\taskkill.exe
      "taskkill" /f /im chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-fullscreen C:\Users\Admin\Albabat\readme.html --incognito
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6339758,0x7fef6339768,0x7fef6339778
        3⤵
        PID:2652
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:2
        3⤵
        PID:976
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:8
        3⤵
        PID:2788
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:8
        3⤵
        PID:1088
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:1
        3⤵
        PID:2728
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:1
        3⤵
        PID:896
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:2
        3⤵
        PID:572
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 --field-trial-handle=1208,i,1646619152467412265,3240163573986402966,131072 /prefetch:8
        3⤵
        PID:1268
    • C:\Windows\system32\cmd.exe
      "cmd" /C "del C:\Users\Admin\AppData\Roaming\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
      2⤵
      PID:2464
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:940
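The tree above shows the behaviour worth hunting for: one parent (PID 2096) kills the browser with taskkill, relaunches chrome.exe full-screen and incognito on a local readme.html to show the note, and runs cmd /C del against an executable (note that the deleted path is under AppData\Roaming while the sample ran from AppData\Local\Temp; the page does not show the copy, so the RenamesItself signature is the only hint). The Python below is an added example, not code from this report or from the sample. It runs over constructed records shaped like Sysmon Event ID 1 (pid, ppid, image, cmdline), built from the tree above plus benign noise; the ppids 1000, 1500 and 700 are invented for the demo. A lone taskkill against chrome.exe is ordinary helpdesk behaviour, so the detector only fires when one parent hits at least two of the three stages. The browser list is broadened beyond chrome.exe as a generalisation; the page only shows Chrome.

```python
"""Flag the parent of a taskkill-browser / fullscreen-local-note / cmd-del-exe chain.

Added example, not code from the report or from the sample. Records are
constructed to look like Sysmon Event ID 1 fields; the ppids 1000, 1500 and 700
are assumptions for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"

# Constructed telemetry modelled on the process tree in the report.
SAMPLE_EVENTS = [
    {"pid": 2096, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 828, "ppid": 2096, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": '"taskkill" /f /im chrome.exe'},
    {"pid": 2956, "ppid": 2096, "image": CHROME,
     "cmdline": f'"{CHROME}" --start-fullscreen C:\\Users\\Admin\\Albabat\\readme.html --incognito'},
    {"pid": 2652, "ppid": 2956, "image": CHROME,
     "cmdline": f'"{CHROME}" --type=crashpad-handler --url=https://clients2.google.com/cr/report'},
    {"pid": 2464, "ppid": 2096, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": '"cmd" /C "del C:\\Users\\Admin\\AppData\\Roaming\\'
                'e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"'},
    # Benign noise: a helpdesk script killing a hung browser, and Chrome's own elevation service.
    {"pid": 3001, "ppid": 1500, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"pid": 940, "ppid": 700,
     "image": r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\elevation_service.exe"'},
]

BROWSERS = r"(?:chrome|msedge|firefox|iexplore|opera|brave)\.exe"   # generalised beyond the page
RE_KILL_BROWSER = re.compile(rf"taskkill\b.*?\s/im\s+{BROWSERS}", re.I)
# Kiosk-style launch of a local (drive-letter) HTML file; the trick used to display the note.
RE_FULLSCREEN_LOCAL_HTML = re.compile(r'--start-fullscreen\s+"?[A-Za-z]:\\[^"\s]+\.html?\b', re.I)
RE_CMD_DEL_EXE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+"?del\s+\S+\.exe', re.I)


def classify(event: dict) -> str | None:
    """Map one process-creation record to a stage name, or None if it is not interesting."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("\\taskkill.exe") and RE_KILL_BROWSER.search(cmd):
        return "kill_browser"
    if image.endswith("\\chrome.exe") and RE_FULLSCREEN_LOCAL_HTML.search(cmd) \
            and "--incognito" in cmd.lower():
        return "fullscreen_local_note"
    if image.endswith("\\cmd.exe") and RE_CMD_DEL_EXE.search(cmd):
        return "cmd_del_exe"
    return None


def detect_chain(events: list[dict], min_stages: int = 2) -> dict[int, dict[str, int]]:
    """Group matched stages by parent pid and return {ppid: {stage: child_pid}} for parents
    that reached at least min_stages distinct stages. Two stages already separates the
    sandbox chain from a lone taskkill; all three is the full pattern."""
    stages_by_parent: dict[int, dict[str, int]] = defaultdict(dict)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages_by_parent[ev["ppid"]]:
            stages_by_parent[ev["ppid"]][stage] = ev["pid"]
    return {ppid: s for ppid, s in stages_by_parent.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for ppid, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {stages}")
```

Feed it real Event ID 1 records (or EDR process-creation events mapped to the same four fields) and extend the stage list with the wallpaper registry write and the Albabat directory creation if file and registry telemetry are available; ordering is deliberately not required because the three children share a parent but the records carry no timestamps here.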

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 3KB
    MD5: ed2bd96a9b18dcc0d0146f161d8e73c2
    SHA1: 148d46c86234f12b9ed5603e017a353b05b0a91b
    SHA256: a4b2fd052fd1e17d80dbdb63b2de38aecb8876121d07da05eb7e86ded543a89e
    SHA512: 4190443f0bfb0b77c5178b2d8829f60efd175532761d5079e1ef48cd311509edf3af3eb9b9bbb390586f859511880a114a2d3e33a451afadb6e6390e7f3e3ea3

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 4KB
    MD5: cf2768e921e8beae5563dc23c7363774
    SHA1: 265449449a1442af33800a0e362f4d18cb65355f
    SHA256: 7acda8b2a156d7275184e5e610a93bc6ffcf6d999ae0d730e75963df01776be6
    SHA512: a68c820b38ff283c0d73e684555b29e1b153611e23e0d4da04cd1c9b675eee8fab35d6b8433cb2dc22750a0bff363623ee0acbe91690465c41d8984858436631

  • C:\Users\Admin\Albabat\Albabat.log
    Filesize: 2KB
    MD5: 23ad9c38957f54a5764f715386ac91e9
    SHA1: dc02c14fe869cb8ce4afb6d041de255194ff5fca
    SHA256: ea472b81ca20177be0a5b3e5e391f959d626b4de45aee94eea9ec0d628171d32
    SHA512: 57463ed46d6cabec731e86f81cc2e4014fa55d8e6292e91096d2be45f27d36d8db71e77e4e3f29177ce8c85f9773446ff3ff689ec3adce6e0d9b27b5552ee16f

  • C:\Users\Admin\Albabat\readme.html
    Filesize: 10KB
    MD5: 5c7e16d2fcc6e85e668f92b4f3db8b29
    SHA1: 1930e15d1cb0eab10a5b9759ec08ff0a5b8de841
    SHA256: 30001ed1d141ea23f1ea63926ba64200ac8e5ce3a4b4d49c4b811de79b5f9b33
    SHA512: f1804c90246089ac1afaddeeabd51f370adf400251d7cb5e37dd7dd41624474809f0862ea4a5cfd9d1f793dbf17157b92fe5a4dbf9d322f1c9ce445d31b99898

  • C:\Users\Admin\Albabat\www\banner.jpg
    Filesize: 34KB
    MD5: cdd21e46a5979655fe9debcf8d59cd4b
    SHA1: 94f8ce57c0507b88952fadc3f6f244fce64d2085
    SHA256: de25a55ff7e70c900c5e49e32aad2a0704ab074af5fee3eac230dc9bab373f04
    SHA512: bd0ce1c5098ffcfb52e3e183ba025ef1be4d0dd4a3fe8a90b60bb139d4717263e427339f1028aeec6aa8d32ff31181ebff8d306d2c34b57015b2a3049c21f45e

  • C:\Users\Admin\Albabat\www\script.js
    Filesize: 1KB
    MD5: 12cc88e90926ee7f39908fde78191942
    SHA1: e868d0f2c71c21232758183fa5d0523e68218d9f
    SHA256: 42031a79c0c671b46e8e932c6259cbdc46f9a016afee4017d3867bfad600ae65
    SHA512: 2a659cf4586abaee898cdfb46b48f2e8e381653bd0f98c49f6b240b77d4086a8577034c29b6bb3ae0d733900064dc6ed1efffe05ee64645f9a604a8d8b539c0d

  • C:\Users\Admin\Albabat\www\style.css
    Filesize: 2KB
    MD5: 004cc273978cefcf34495c5f4db1beac
    SHA1: 2d220b4b833fbca58f62d1441e9b62e9447af708
    SHA256: 9729ced9f3d6f006b45294e7d8c8c1f8ebdfe66f31e4777a14ab8c88be594f92
    SHA512: 47f9cda00d7dc9ff6393233c5cf6101f3e4bcd8fb283adc144627eec3443f13d2b4862cf3c24b7433529a892eacf272549fc2db2d6e294793a722926eaaf5057

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 4KB
    MD5: 10138f19115cba6d1acd4d52dc0ac959
    SHA1: d73676328f9ff3fd87d8f5933695ea5bb709364d
    SHA256: 50ffc08061cd3bfeeeb98a77b5e001ff97b6585dc3a091acb8afed25fef86922
    SHA512: 37eebd7e9de3e8c5c0f64e41e00010a9b9d356fe7826daac073acda08b5ab528b64e4acff1b7a99a5642e9edceef32041dc39c747ebefa59f186a42fe9ca50ef

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 4KB
    MD5: 323ea9c645149a9408273e4ca60fc0e2
    SHA1: 12af6c97f13e3f300d6e34626d74cd5bbbcffd48
    SHA256: 737724cb498d4dbf5f4919041b346e4ea3df62bd405513306802ecf17db5ed0c
    SHA512: beb8657caaa9e0b04f64b48002cbad74f8a75b52fe959f4dd9833fc39e6abdce489be26a0da7c472ba04c382c185e10e425683a15e878c7dd7775d73cc1a74f0

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
    Filesize: 16B
    MD5: 18e723571b00fb1694a3bad6c78e4054
    SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2