Resubmissions

09-02-2024 18:38

240209-xaftdsdf4v 10

09-02-2024 18:35

240209-w8fevadf3x 10

General

  • Target

    set-up.bin

  • Size

    146KB

  • Sample

    240209-xaftdsdf4v

  • MD5

    3d49478072bf18339ef810c8ea7546b2

  • SHA1

    c1047d72d4cdce21af4bb989ad1bee437edb7f80

  • SHA256

    e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d

  • SHA512

    f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c

  • SSDEEP

    3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note
~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC163FB6623ADAFC9A >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.
URLs

https://t.me/mr_robot_unlock

Targets

    • Target

      set-up.bin

    • Size

      146KB

    • MD5

      3d49478072bf18339ef810c8ea7546b2

    • SHA1

      c1047d72d4cdce21af4bb989ad1bee437edb7f80

    • SHA256

      e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d

    • SHA512

      f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c

    • SSDEEP

      3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

    • Renames multiple (559) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks