General

  • Target

    https://github.com/helloworld0000red/Ipgrabber/tags

  • Sample

    240213-z74mtshd4v

Malware Config

Extracted

Path

C:\I6xwb3fYM.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~
>>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom pay 30$ in monero to 42LH7PpivEvh7sxTWdHqiHWppsC3sQNkA8bsbCxM8RuUC3RrFpYABaWaPs73WMWuccLiVhgLuizKh4h25LHaYpZNTLVzC1i
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
>>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
>>>> Advertisement

Targets

    • Target

      https://github.com/helloworld0000red/Ipgrabber/tags

    • Detect Umbral payload

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Renames multiple (643) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks