lockbit | 2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299

General

Target

2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside
Size

148KB
Sample

240228-1fnyqsee54
MD5

90b13c5448b62ddb92a1d0f8262ed7b7
SHA1

0b27b077d437da27091dd626e5958f0674e86a1c
SHA256

2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
SHA512

bf16a6106f2afebb094949fb64dcd25832e02284d5ee06634254910336489a502947c8bc0629abcadb13d7cddcead28d2cbc1a470ab53e6d51671f2e67d81ffd
SSDEEP

3072:06glyuxE4GsUPnliByocWepEjCwDS6bo2VY9:06gDBGpvEByocWeCeS1Y9

Score

10^/10

Malware Config

Extracted

Path

C:\mstH2C7Dr.README.txt

Ransom Note

~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: A79A3EC67EEF60C01C57CF243F9DFEC7 Our Bitcoin payment address: bc1qlj7ep820lmg48tvh7mahwjd5y4d4tx4nqactsp The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!

Emails

[email protected]

URLs

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\mstH2C7Dr.README.txt

Ransom Note

~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: A79A3EC67EEF60C0D7BC3290AE8D7104 Our Bitcoin payment address: bc1qlj7ep820lmg48tvh7mahwjd5y4d4tx4nqactsp The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!

Emails

[email protected]

URLs

https://twitter.com/hashtag/lockbit?f=live

Targets

- Target
  
  2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside
- Size
  
  148KB
- MD5
  
  90b13c5448b62ddb92a1d0f8262ed7b7
- SHA1
  
  0b27b077d437da27091dd626e5958f0674e86a1c
- SHA256
  
  2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
- SHA512
  
  bf16a6106f2afebb094949fb64dcd25832e02284d5ee06634254910336489a502947c8bc0629abcadb13d7cddcead28d2cbc1a470ab53e6d51671f2e67d81ffd
- SSDEEP
  
  3072:06glyuxE4GsUPnliByocWepEjCwDS6bo2VY9:06gDBGpvEByocWeCeS1Y9
Score

10^/10

ransomware spyware stealer
- Renames multiple (315) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2