General

  • Target

    Sam.zip

  • Size

    71.0MB

  • Sample

    240112-rnw5msacg6

  • MD5

    aeca1da0def416e2bade2fce8fb795c2

  • SHA1

    1a3b59b99f90280eea93d964ba36b15f2fbce772

  • SHA256

    3ca0bf28baacf269c3f6a7215516ae6c2181487f006f192ecac3537595a792c2

  • SHA512

    ce4fb3b30f4246ecfaea97d653a9cbe5193869e05980168f2ae972715fc9ba8f0f47d592e2d7ed75d4cef998f728c31335f01fb036f7b20b6e29218225f8eaf9

  • SSDEEP

    1572864:KSppUOHAPdPLq90QO7q52M8x47QzCLJwg4Opy+DMRNrID9:PppUxY2TOkM8xytLJ0OpSJy9

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/twizt/

http://185.215.113.66/

Wallets

Extracted

Family

blackcat

Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    kh1ftzx

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> What happened?
    Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension.
    In order to recover your files you need to follow instructions below.

    >> Sensitive Data
    Sensitive data on your system was DOWNLOADED.
    If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
    Data includes:
    - Employees personal data, CVs, DL, SSN.
    - Complete network map including credentials for local and remote services.
    - Private financial information including: clients data, bills, budgets, annual reports, bank statements.
    - Manufacturing documents including: datagrams, schemas, drawings in solidworks format
    - And more...

    >> CAUTION
    DO NOT MODIFY ENCRYPTED FILES YOURSELF.
    DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
    YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.

    >> What should I do next?
    Follow these simple steps to get everything back to normal:
    1) Download and install Tor Browser from: https://torproject.org/
    2) Navigate to: http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=${ACCESS_KEY}

  • rsa_pubkey.plain

Extracted

Path

C:\Program Files (x86)\!!!-Restore-My-Files-!!!.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Tor Browser Links:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

Links for normal browser:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live

>>>>> You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from you. If you need a unique ID for correspondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.

Tor Browser personal link available only to you (available during a ddos attack):
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion

Tor Browser Links for chat (sometimes unavailable due to ddos attacks):
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your personal ID: 7EA2888CCFA697547EA2888CCFA69754 <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!

>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.

>>>>> What are the dangers of leaking your company's data.
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed.
Read more about the GDRP legislation::
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/

>>>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.

>>>> Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction.

>>>>> If you do not pay the ransom, we will attack your company again in the future
URLs

Targets

    • Target

      075F9A8B9A5A3F3C221CFA69BA8B3590CFB873946970B7F3DBD333A580D24AC5

    • Size

      190KB

    • MD5

      a3a2816c2a4e8c7374c0d973a0fc4c8e

    • SHA1

      ead016fe4e5d9bc24cc186e8fec28c9b07606966

    • SHA256

      075f9a8b9a5a3f3c221cfa69ba8b3590cfb873946970b7f3dbd333a580d24ac5

    • SHA512

      b9eb4bfbf8dd4320fffd98e92d46e55882544f4fda5cfd5586e48b4da4fd919bf575afa0443732c88be5aaed2fff756342d4c33b0bcceb4474bee69af0d9d3ab

    • SSDEEP

      3072:aVOMzfEpDHKNBW6Q/THGVp3DqGxgkjCXLCz0fugKkqEjBD:a4M4FMgXCTTdL0fuLfe

    Score
    1/10
    • Target

      145F7ABE9ABFFD0422F1C1F4CF429E89FD9D3BE93E6C3A0DD852DB708992C4EA

    • Size

      5.8MB

    • MD5

      f6cf3e7a47b6210ef89855787c9625c6

    • SHA1

      f5f4b1e38bad2f9aca8617c04cf04c62330b401b

    • SHA256

      145f7abe9abffd0422f1c1f4cf429e89fd9d3be93e6c3a0dd852db708992c4ea

    • SHA512

      1f60a2ffc01141a0937065eaa34c6fb87cab93b53689d6911cc2e3e98e5eb7d602ddf6460ed3f8a119feec1e73fe6ea0922c724849a192a48f2d6efbd8e8a443

    • SSDEEP

      98304:XbQoWTf1qlsg6Ni7suYi8i+9GWYjE0t5mKBw64zqaasQQBUrlS0TGxQ33z44i4qQ:r071g57mpi+9kIk5mK74zBIQSrE0rz4a

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops file in System32 directory

    • Target

      1A99AC759FCD881729B76C2904476B4201E794DF2D0547C954EA37BE7C153131

    • Size

      3.0MB

    • MD5

      f1c9c05e648e58b6bef8dada7654a88e

    • SHA1

      51e14be2940ae38c6428bf33bb8a9a08ae36ec69

    • SHA256

      1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131

    • SHA512

      fb21745b64fa2168103a26e1c36f64147d4a7c0a0a9480cdda3d0a01406f2032e928451157f77f46840071fb30de51e0119dc434a2ac6ff39f99ed3a5af976ce

    • SSDEEP

      49152:JVHFXSFEmqiDqCbS1gickV9/Txt17kLz5P3mucJZCliSAbFXHrZy0HCxgdjmyZ3H:JVHFXSCmqsSgfkV99jkLlP2bClDC9Fjd

    Score
    3/10
    • Target

      1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D

    • Size

      1.8MB

    • MD5

      7b7f4f390ecafc124ac298f5f58f46ae

    • SHA1

      ed19d12269c86117897865ebc3e6e79d11d485a6

    • SHA256

      1be33e42910515d58685e4cee83c4c9b7de4e6a155a6fd936922682a9922d42d

    • SHA512

      fc37474112152bc9ea1d3671b445fc59995e868bac2203147854824ea94e5d171a5b1e29474403377b504ac778f04b3290628383758ec428f6838e0271eb7545

    • SSDEEP

      49152:VEVUcg1LD3L+nIrBQfLdKiDRB1X8wcWynn:VE3g1RkAiDrmwchnn

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      2188BAE387FD2665D807D0B67B916973478CBE417D2042A146C8EADF77AF600C

    • Size

      1.2MB

    • MD5

      d7d48b65d6607c280abdd9813cdda41c

    • SHA1

      54093d0e9bfcb71c6f9121edba127605ea0a9134

    • SHA256

      2188bae387fd2665d807d0b67b916973478cbe417d2042a146c8eadf77af600c

    • SHA512

      6bfc0fd05825144847b4f039ef2d1bf21aa61b2b68c96f772dc094d47d7091635ebc2f83c7648955aef954f160a8ce8fb743eddad521943b8dce6039df973945

    • SSDEEP

      24576:EtrcFS3D0x4f8FJbA8dE/D3A6y2smW8ZWTgHSbK6SjcpEtWL+ol9FS+EIZmNQZ:q4S3q08FlA8cD3ZFsR8UTgHThjULT7ma

    Score
    3/10
    • Target

      22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092

    • Size

      75KB

    • MD5

      ed2d7b25bb360cccb4f0f6a4f8732d7a

    • SHA1

      6ffcc083956c5ac19826bdd87e12f87817ee837c

    • SHA256

      22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

    • SHA512

      6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

    • SSDEEP

      1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr

    • Phorphiex

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Target

      33381793BD156716647F2C2E14047AA5559E940FF584D3FF6110B96EB701115E

    • Size

      34.3MB

    • MD5

      6d173d9c4fc114e68d7a51752e856e32

    • SHA1

      92ffb844a740b5c5162172a13b60616a165ef9b9

    • SHA256

      33381793bd156716647f2c2e14047aa5559e940ff584d3ff6110b96eb701115e

    • SHA512

      595f7b9dcfd2e9be53297fc10779983596f775cd8d7b1e2b19187b1f1b7597a3499ef1b44e764b9443b595f260944df4daaba8765823aa26b9d915f1ca9d7506

    • SSDEEP

      786432:MiKg5zkgag4FAKYtNHIW3DTp6LFAcik5g:7KAag4FAVp3gisg

    Score
    1/10
    • Target

      61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1

    • Size

      1.3MB

    • MD5

      29efd64dd3c7fe1e2b022b7ad73a1ba5

    • SHA1

      e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69

    • SHA256

      61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

    • SHA512

      f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3

    • SSDEEP

      24576:0CgjBAeu8iuUHGzkuBhzy2F+yVICFPC27rIlve3NuacODvsG:0CI7XBE2IuF64rIlmdii

    Score
    1/10
    • Target

      676A2A0D88A79012300A63092DA090F5B0D0BDFC105541732254E0AE1FEB2FCB

    • Size

      1.7MB

    • MD5

      7687cbe6769001af75b61c8e053221f2

    • SHA1

      5723b7d6c6dbd2a3d1a7671ab95a28921525f5fd

    • SHA256

      676a2a0d88a79012300a63092da090f5b0d0bdfc105541732254e0ae1feb2fcb

    • SHA512

      d52da2ef2a8d4f671b2b69aeb90d85a1627252c6090cc77569bf5a38407f1adb8158c5caf9572c13fecd57bef5bfe50558eca62b744cae699ea8778c251903dc

    • SSDEEP

      24576:eNcBtkdOdTNpGu522pL8cX2QrOtUUqi8BQLvYOHgDD/bcNuh+S1hKlMLkhWgvoNT:51bGCfL8cX2N2UhLAX/+uh+S14sBZ

    Score
    7/10
    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      73D29DEAC41E022CE77730F74D5EFB0828F56D1F2BEB91FD24ABC867F851FE09

    • Size

      991KB

    • MD5

      83367170e99b11d213568416aafa64fd

    • SHA1

      bfdcc7c922913592c6210f996f7c4bda2a3bc04d

    • SHA256

      73d29deac41e022ce77730f74d5efb0828f56d1f2beb91fd24abc867f851fe09

    • SHA512

      03c04bf58e8624673b77dc3530186a09cd2f522ee0ffac1b236f8d67145401a7efb8373c55786f546fb1e8b134ba94c68c5fd4c757185712c1ad3cbebbd788fd

    • SSDEEP

      24576:ZY2PtNcL4S9thpA+7zuc/tP5ANmU8P5Y+cMw5nse5CHe:ZYCNclVTzucVZyMw5nsk0e

    Score
    1/10
    • Target

      81EFD50EB374AD2176E2655AF10276079F733C0592E83E3A044253DCBE06F329

    • Size

      1.6MB

    • MD5

      27f7cc0f212d12a99ebd814e96022066

    • SHA1

      61ae24f0521bbc077d08c135a853fae3c1725fcf

    • SHA256

      81efd50eb374ad2176e2655af10276079f733c0592e83e3a044253dcbe06f329

    • SHA512

      06eb43a37672f7619d2b8f49e96d6b117e537b72839fe12a5b671bba1094e88e047c0f8c46587519fce2d35fdfaedbb664e4549aa88fca789fc6a099b7ec7903

    • SSDEEP

      49152:CyvgQPDvX0nYFZIzgofMkF8UTG+wAeeBuGAt21ghQ:CyvZ7PmYUgojF9wAhBuGAc1ghQ

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      8E83C0F6566169AF1CF6C28670DCEE6EDEB15D0913AA24AD3831C9F97EB42307

    • Size

      6.2MB

    • MD5

      35b12aa59cb3816e264afda86eeb9c6e

    • SHA1

      5b7099d771a8bc73d6ba04539f8c4914ebddc553

    • SHA256

      8e83c0f6566169af1cf6c28670dcee6edeb15d0913aa24ad3831c9f97eb42307

    • SHA512

      b72b500ba7f600615b5877ef0318605177b49e6a9a0cbc84321e9fa5ebfbd3e57061ca131b40dbde2736df10350b6f1f19491171ae0d55c0281960f8573f58ad

    • SSDEEP

      98304:LNDHuQj/uHg7lHz19DIbDzvDPsKjptRf7PGX58U+3x8dXQKlsT1KO:L0Qj/d11903ptZqtsOA2sTkO

    Score
    10/10
    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Drops file in System32 directory

    • Target

      99CA9F3245265C2F9D395B4B3A8554056E481C6FEE98B839C9C5ADB5B79E0DE2

    • Size

      9.1MB

    • MD5

      e3e42b4482a18666a45e39bef73fcb8f

    • SHA1

      05014d6b033ad098e164a8f3ae9f18568db92135

    • SHA256

      99ca9f3245265c2f9d395b4b3a8554056e481c6fee98b839c9c5adb5b79e0de2

    • SHA512

      f391bc5fe9e7b549796d1ed6c080ea8558e55d04d78073e7a18c74a91dbd990cd11af3f0fb3d5e2db0b8dff49f0d7e5666c347c4df49ca7d0e6161e82122537c

    • SSDEEP

      196608:/wldEYTmZUQz5qfy1OKCCRmLojXFcvvukPRPdRJ/6bt2jPlt:/whmia5qASumkhcv2qXv7

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      B1E12D0216A946329FE549E09BF481D7DF9E8E3BC3F99BC24D9940CBB8F76F06

    • Size

      231KB

    • MD5

      5e3ec333a0b2ccf85fcc8ef31c1c8caa

    • SHA1

      e6d9b00dd20426fb3d3a2c9a77b86553c144986a

    • SHA256

      b1e12d0216a946329fe549e09bf481d7df9e8e3bc3f99bc24d9940cbb8f76f06

    • SHA512

      116737b153810a7b2f91e52a03e97fa0601735919ec219aebff5e74321c730d14bbb46f5bcff457587daafd5c8c9341964d1ac91bc171b96f8289e02b0f370f7

    • SSDEEP

      3072:ge9f4GwJqzPG927z6r7JGSxS0S4/J2cux2Ut8q7frsFmm0xUMZByH:z9fkgzP4HQSxSuJ2c/AnUmxxUGByH

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Renames multiple (7894) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      C6185A23C51B8AC77E6C1BDF2CD4A8D39B02AF8B8027D4162CF9766D19CF87C8

    • Size

      4.8MB

    • MD5

      d9ce98a0b0029d26876ac86409bac27e

    • SHA1

      7dc9f3ac41b40b5ed78a42273f3f5f95d2d367c3

    • SHA256

      c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8

    • SHA512

      29c81caa093ddf7344e3a647bc6fb76e341de923699111e190e94df9ae1660737237f541c7474157ababc5f33aca8eadf00b54180c6820e1173a399b9ed54eb7

    • SSDEEP

      98304:T/kRk50qK5N7jdM2gOpqufwX9h+3dcWUWZJziS1hZUZyeYOth3fOCQb9GK1/49s:bokO9jdMxOUUwWdiWmS+JuZGKJ49

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      CDCFEDDB0ACA42E65E6A4822C1F23DF7C4AE92775EBCC0B45D4160B732B0983E

    • Size

      79KB

    • MD5

      c41fe8e266c0ee1ff4d563b158f285d4

    • SHA1

      627107a8b664043e563c10ee1566a49ad3823483

    • SHA256

      cdcfeddb0aca42e65e6a4822c1f23df7c4ae92775ebcc0b45d4160b732b0983e

    • SHA512

      ed11b61188ebc99655d5c0cbdc84a58ea3ea1f6f6c2f440de245e8a453ccf45b07d1ffc3d4e2f55eb0f2bc0657069019d93beca86b31debaf8dabfcd15946448

    • SSDEEP

      1536:H3Mz8Egxge1V1ljohznpCzSzGcmRfFFAEfeeeeeeeeWeeeee:8wE/ebzjoppjzGcmRfFiE

    • Phorphiex

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

upx aspackv2 vmprotect mimikatz phorphiex blackcat
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

privateloader loader
Score
10/10

behavioral4

privateloader risepro loader stealer
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

xmrig evasion miner persistence upx
Score
10/10

behavioral8

xmrig evasion miner persistence upx
Score
10/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

phorphiex evasion loader persistence trojan worm
Score
10/10

behavioral12

evasion persistence trojan
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

upx
Score
7/10

behavioral18

upx
Score
7/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

upx
Score
7/10

behavioral22

upx
Score
7/10

behavioral23

privateloader loader
Score
10/10

behavioral24

privateloader loader
Score
10/10

behavioral25

Score
5/10

behavioral26

Score
5/10

behavioral27

lockbit ransomware spyware stealer
Score
10/10

behavioral28

lockbit ransomware
Score
10/10

behavioral29

privateloader loader vmprotect
Score
10/10

behavioral30

privateloader loader vmprotect
Score
10/10

behavioral31

phorphiex evasion loader persistence trojan worm
Score
10/10

behavioral32

phorphiex evasion loader persistence trojan worm
Score
10/10