lockbit | 2bad639d0a1f90525ad56b31641b3bd5fe1310079d1e6abd6bc7889cdc1ff3f5

General

Target

VoiceMod-Full-Version-Setup.zip
Size

27.5MB
Sample

240730-kazv2szela
MD5

877eb37ea80f10570de05fb3b9b4b290
SHA1

85559ff8c2a3a346e2da1d53051f213469cb386c
SHA256

2bad639d0a1f90525ad56b31641b3bd5fe1310079d1e6abd6bc7889cdc1ff3f5
SHA512

f2e224d03cf210f228f9ae2f4597653bf82a001a4650b0645c64adfe9df829b9691c1bd393cdecb90bfb681c002138dd098cff0cede1bb0805f625ba9e78407e
SSDEEP

786432:MSmSdoK5sxdV0OrywXGvgW2OHDjRom/pEdiN:bmoVGxdV0O7It2OjjRHxck

Score

10^/10

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note

~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC90BEF8DD0B1639FE >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.

URLs

https://t.me/mr_robot_unlock

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note

~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC59CC762BBFD3B285 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.

URLs

https://t.me/mr_robot_unlock

Targets

- Target
  
  VoiceMod-Full-Version-Setup/Voicemod_setup.exe
- Size
  
  146KB
- MD5
  
  3d49478072bf18339ef810c8ea7546b2
- SHA1
  
  c1047d72d4cdce21af4bb989ad1bee437edb7f80
- SHA256
  
  e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
- SHA512
  
  f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
- SSDEEP
  
  3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (570) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2