lockbit | 0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31

General

Target

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Size

146KB
Sample

240525-be7a9ahc84
MD5

668e75099ba454fa1cca10da33a9684a
SHA1

0adeef58c872f8fd1143070cff8fb2415a258189
SHA256

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31
SHA512

bbc5a1e3bb0b64b4ae646e0d6dd1651ffa7258db87fe07e365a4cbff09a54cbbf9ee21ea4cf05b9f8e34ea122af85f4fb4b434da38705bee8b8ec9afd0f1b323
SSDEEP

1536:rzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRM8o9cH789xVqw9sdFoEAUyz:UqJogYkcSNm9V7D/oSHQ9xVqw9sdjAT

Score

10^/10

Malware Config

Extracted

Path

C:\QFXlqRR7Y.README.txt

Ransom Note

>>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 39919F8926ED7E7CCE0E4EBB39158AED >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free with your personal DECRYPTION ID message us for decrypt https://getsession.org/ 05b8d7bdf4c2b1a832b2256eb562f51ad69f2f9d8d274c6dc269cb9be5449fa84c

URLs

https://getsession.org/

Extracted

Path

C:\QFXlqRR7Y.README.txt

Ransom Note

>>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 39919F8926ED7E7C8A1D9E7EBBA44998 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free with your personal DECRYPTION ID message us for decrypt https://getsession.org/ 05b8d7bdf4c2b1a832b2256eb562f51ad69f2f9d8d274c6dc269cb9be5449fa84c

URLs

https://getsession.org/

Targets

- Target
  
  0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
- Size
  
  146KB
- MD5
  
  668e75099ba454fa1cca10da33a9684a
- SHA1
  
  0adeef58c872f8fd1143070cff8fb2415a258189
- SHA256
  
  0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31
- SHA512
  
  bbc5a1e3bb0b64b4ae646e0d6dd1651ffa7258db87fe07e365a4cbff09a54cbbf9ee21ea4cf05b9f8e34ea122af85f4fb4b434da38705bee8b8ec9afd0f1b323
- SSDEEP
  
  1536:rzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRM8o9cH789xVqw9sdFoEAUyz:UqJogYkcSNm9V7D/oSHQ9xVqw9sdjAT
Score

10^/10

ransomware spyware stealer
- Renames multiple (361) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2