General

  • Target

    821d57d8c4f9d1f10c3ac8a8a095b0b2d7fcb463991904f2012265ca6592e24c.sample

  • Size

    250KB

  • Sample

    240227-wcehnsfd44

  • MD5

    34b6a2858b32f25433101d72705f1421

  • SHA1

    55e31f9c1ca8dd03cb924631d371d0fb5a08bf6a

  • SHA256

    821d57d8c4f9d1f10c3ac8a8a095b0b2d7fcb463991904f2012265ca6592e24c

  • SHA512

    18fa6de0d483036f52e7997494ee5da3a5a79f7f27be3e40fec630297f7be702a048a30caa3ddb0a0f8a026f49beceb94218243753f0599b862b9cf1ac94adce

  • SSDEEP

    6144:qa0Y9MHhZhPMgjlBmXn1DxttmQIWqgYfI5CeDo:qoeNjrUn1tt/pqio
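Added example, not part of the sandbox report or of the malware: a Python helper that recomputes the digests listed above for a file on disk in a single pass, names it the way the report does (`<sha256>.sample`), and lists every algorithm whose digest disagrees with the reported value. Running this before any further handling confirms the copy you hold is the sample this page describes. The function names are this example's own; the demo file content (`b"abc"`) is constructed, because the sample itself is not distributed with this page.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Digests as reported on this page for the sample.
REPORTED_HASHES = {
    "md5": "34b6a2858b32f25433101d72705f1421",
    "sha1": "55e31f9c1ca8dd03cb924631d371d0fb5a08bf6a",
    "sha256": "821d57d8c4f9d1f10c3ac8a8a095b0b2d7fcb463991904f2012265ca6592e24c",
    "sha512": "18fa6de0d483036f52e7997494ee5da3a5a79f7f27be3e40fec630297f7be702"
              "a048a30caa3ddb0a0f8a026f49beceb94218243753f0599b862b9cf1ac94adce",
}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all four digests in one pass so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in REPORTED_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(path: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {algorithm: actual_digest} for each algorithm whose digest differs
    from `expected`. An empty dict means the file on disk is the reported sample."""
    actual = hash_file(path)
    return {name: actual[name]
            for name, want in expected.items()
            if actual[name] != want.lower()}


def report_name(path: str) -> str:
    """Name the file the way the report does: <sha256>.sample."""
    return hash_file(path)["sha256"] + ".sample"


def write_constructed_file(data: bytes) -> str:
    """Write constructed bytes to a temp file and return its path. This is a
    stand-in for the real sample, which is not available on this page."""
    fd, path = tempfile.mkstemp(suffix=".sample")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    demo = write_constructed_file(b"abc")  # constructed demo input
    print(report_name(demo))
    # Against the reported digests every algorithm mismatches, as expected for
    # a file that is not the sample.
    print("mismatches vs. reported:", sorted(verify_sample(demo, REPORTED_HASHES)))
```

To verify a real copy, call `verify_sample("/path/to/sample", REPORTED_HASHES)` and treat any non-empty result as a different file; a single mismatching algorithm with the others matching would indicate a transcription error in the report rather than a different binary.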

Malware Config

Extracted

Path

C:\Program Files\Common Files\LAMBDA_README.txt

Ransom Note

[[=== Lambda Ransomware ===]]

[+] What's happened?
All your files are encrypted and stolen, but you need to follow our instructions. otherwise, you cant return your data (NEVER).

[+] What guarantees?
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. time is much more valuable than money.

[+] Instructions:
a) Download and install Tor Browser from this site: https://www.torproject.org/
b) Open our website: http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion
c) Enter this UID in the input: 537BF5BCA42BA715

!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus/edr solutions - its may entail damage of the private key and, as result, The Loss all data. SPEAK for yourself. Since no one else has the private key, any interfere of third party companies/individuals is tantamount to scamming you.
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion
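Added example, not part of the sandbox report or of the malware: a Python parser that pulls the indicators an analyst would lift from this note, namely the family banner, the Tor hidden-service URL and the per-victim UID, and a predicate that can be run over any `*README.txt` dropped on a host to flag a Lambda note. The embedded input is the header and instruction section of the note quoted above. The regular expressions, the accepted onion address lengths (56 characters for v3, 16 for legacy v2) and the UID length bound are this example's assumptions about the note format, not facts taken from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header and instruction section of the note extracted by the sandbox (quoted
# above), embedded as the parser's sample input.
RANSOM_NOTE = (
    "[[=== Lambda Ransomware ===]] [+] What's happened? All your files are encrypted "
    "and stolen, but you need to follow our instructions. "
    "[+] Instructions: a) Download and install Tor Browser from this site: "
    "https://www.torproject.org/ b) Open our website: "
    "http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion "
    "c) Enter this UID in the input: 537BF5BCA42BA715 !!! DANGER !!! DON'T try to "
    "change files by yourself"
)

# The banner the note opens with; the captured text is used as the family name.
FAMILY_RE = re.compile(r"\[\[===\s*(.+?)\s*===\]\]")
# Tor v3 addresses are 56 base32 characters, legacy v2 were 16 (assumption:
# accept both so the parser also works on older notes).
ONION_RE = re.compile(r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)
# Victim identifier as phrased in this note; the 8-32 hex-digit bound is an assumption.
UID_RE = re.compile(r"Enter this UID[^:]*:\s*([0-9A-F]{8,32})\b", re.IGNORECASE)


@dataclass
class NoteIndicators:
    family: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    victim_id: Optional[str] = None


def parse_ransom_note(text: str) -> NoteIndicators:
    """Extract family banner, deduplicated .onion URLs and the victim UID."""
    ind = NoteIndicators()
    m = FAMILY_RE.search(text)
    if m:
        ind.family = m.group(1)
    for m in ONION_RE.finditer(text):
        url = m.group(0).lower()
        if url not in ind.onion_urls:   # keep first-seen order, drop repeats
            ind.onion_urls.append(url)
    m = UID_RE.search(text)
    if m:
        ind.victim_id = m.group(1).upper()
    return ind


def is_lambda_note(text: str) -> bool:
    """Detection predicate: the Lambda banner plus at least one onion URL.
    Requiring both avoids firing on text that merely mentions the family name."""
    ind = parse_ransom_note(text)
    return ind.family == "Lambda Ransomware" and bool(ind.onion_urls)


if __name__ == "__main__":
    ind = parse_ransom_note(RANSOM_NOTE)
    print("family:   ", ind.family)
    print("onion:    ", ind.onion_urls)
    print("victim id:", ind.victim_id)
    print("is Lambda:", is_lambda_note(RANSOM_NOTE))
```

The victim UID is per-infection and should be recorded with the incident rather than used as a detection string; the banner and the onion address are the stable parts of the note and are what a hunt across file shares should key on.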

Targets

    • Target

      821d57d8c4f9d1f10c3ac8a8a095b0b2d7fcb463991904f2012265ca6592e24c.sample


    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check so the sample does not run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens; this is consistent with the note's claim that files were stolen as well as encrypted.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
