General

Target: DarkDDos.exe
Size: 1.9MB
Sample: 240525-q1p2eseh86
MD5: b2ff2c84396125dafbfd74007e03eb0a
SHA1: 6e27cb62bfd1a534a2e65ea76835fb4e661a3d55
SHA256: ba72876bf978152d115b5c92d65708a56f0158dba13874e07aa15f81f0550801
SHA512: 39248ba9670e124d3d0b7cf0fba13bd09de82a7ed323c8072f7684c726c4eaf155d1f5dc3307eb913df3a8cdf347a93c71928a10e432d55b8a56e8eb8a2e46bb
SSDEEP: 24576:ZS/HjpXQIeK/taIHjPDbAwFEBCp3JnR9DURFL4zHmse+4AYTW+V7EJu:ErtxFwA9Fr3JAFEXP4AYTz7

Static task: static1
Behavioral task: behavioral1
Sample: DarkDDos.exe
Resource: win10v2004-20240508-en
Malware Config

Extracted from: C:\jTzbWjxcI.README.txt
Family: lockbit
Targets
Target: DarkDDos.exe
Score: 10/10

- Rule to detect Lockbit 3.0 ransomware Windows payload
- Renames multiple (595) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger