Resubmissions
13-04-2024 09:28
240413-lfvc7acf52 1013-04-2024 09:28
240413-lft3esff2x 1013-04-2024 09:28
240413-lfemqsff2t 1013-04-2024 09:27
240413-le61lafe91 1013-04-2024 09:27
240413-le6ptsfe9z 1009-04-2024 08:16
240409-j555wadf8x 1009-04-2024 08:16
240409-j55t4sdf8v 1009-04-2024 08:16
240409-j54xtaad59 1009-04-2024 08:15
240409-j52sfsad57 1004-11-2020 01:00
201104-p65ygpgpnx 9General
-
Target
a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.bin
-
Size
483KB
-
Sample
240409-j55t4sdf8v
-
MD5
3265b2b0afc6d2ad0bdd55af8edb9b37
-
SHA1
24272beb676d956ec8a65b95a2615c9075fa9869
-
SHA256
a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
-
SHA512
28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94
-
SSDEEP
12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT
Malware Config
Targets
-
-
Target
a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.bin
-
Size
483KB
-
MD5
3265b2b0afc6d2ad0bdd55af8edb9b37
-
SHA1
24272beb676d956ec8a65b95a2615c9075fa9869
-
SHA256
a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
-
SHA512
28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94
-
SSDEEP
12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT
Score10/10-
RegretLocker
Ransomware first reported on Twitter in October 2020.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (4964) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications
Malware can proxy its traffic through Tor for more anonymity.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1