Resubmissions

13-04-2024 09:28

240413-lfvc7acf52 10

13-04-2024 09:28

240413-lft3esff2x 10

13-04-2024 09:28

240413-lfemqsff2t 10

13-04-2024 09:27

240413-le61lafe91 10

13-04-2024 09:27

240413-le6ptsfe9z 10

09-04-2024 08:16

240409-j555wadf8x 10

09-04-2024 08:16

240409-j55t4sdf8v 10

09-04-2024 08:16

240409-j54xtaad59 10

09-04-2024 08:15

240409-j52sfsad57 10

04-11-2020 01:00

201104-p65ygpgpnx 9

General

  • Target

    a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.bin

  • Size

    483KB

  • Sample

    240413-lfvc7acf52

  • MD5

    3265b2b0afc6d2ad0bdd55af8edb9b37

  • SHA1

    24272beb676d956ec8a65b95a2615c9075fa9869

  • SHA256

    a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4

  • SHA512

    28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94

  • SSDEEP

    12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT

Malware Config

Targets

    • Target

      a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.bin

    • Size

      483KB

    • MD5

      3265b2b0afc6d2ad0bdd55af8edb9b37

    • SHA1

      24272beb676d956ec8a65b95a2615c9075fa9869

    • SHA256

      a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4

    • SHA512

      28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94

    • SSDEEP

      12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT

    • RegretLocker

      Ransomware first reported on Twitter in October 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (4087) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

MITRE ATT&CK Enterprise v15

Tasks