General
Target: http://185.215.113.101/file/LB3.exe
Sample: 241009-t5zyzatcmg
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://185.215.113.101/file/LB3.exe
Resource: win10v2004-20241007-en (windows10-2004-x64)
22 signatures, 150 seconds
Malware Config
Extracted
Path: C:\MNYHU2Jh1.README.txt
Ransom Note:
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
BTC amount 0.02
BTC amount 0 , deleted all files from you PC, and post all infirmation to public.
where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d
Time just 12 hr, after everythink will be removed
You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy.
After that, send a request with confirmation to e-mail , faster way!
[email protected]
or
[email protected]
If both email no answer, you need faster answer and unlock please use TOX
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html.
Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.
If you want to contact us, tox.
Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs
https://coinatmradar.com
https://www.moonpay.com/buy
https://tox.chat/download.html
Targets
Target: http://185.215.113.101/file/LB3.exe
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Renames multiple (323) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)