General

  • Target

    RNSM00455.7z

  • Size

    115.6MB

  • Sample

    241011-n1lmwswbln

  • MD5

    5113b2777400798e5429dc13f8efd1a7

  • SHA1

    42d62e59ba8591948af568a45c81932f1ca52e36

  • SHA256

    58f943a9d654185d8170fa9027aeea648435eeae44848e6495687a73e21cba33

  • SHA512

    a9c64b71594e0a198189311fee6a8408c0e4b42fa8cf0c3059f10ddd0ed891ce7fcf2f72f83547caa17054780aa2b5e38fa0b1daa9d48c92540fc4ae01e66c48

  • SSDEEP

    3145728:ijuQ5KJQMrXnEjLrFwymSPaesQzs6KcYCww/8pBJ0YJECvMnwnFWhH3q:ii0wnrEjLrFCSPaet4SYCLEpB2SECEw1

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

US ACCOUNT

C2

212.7.208.123:6020

Mutex

93f19dda2412c86ad7520ba4198f39a0

Attributes
  • reg_key

    93f19dda2412c86ad7520ba4198f39a0

  • splitter

    |'|'|
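The extracted config gives everything needed to recognise this bot's traffic: the C2 endpoint and the field splitter `|'|'|`. The following is an added example, not code from the sandbox report or from njRAT itself. It assumes (the report does not state this) that njRAT frames each message as an ASCII decimal length, a NUL byte, then the payload, and that the first frame a bot sends is an `ll` registration whose second field is base64 text; the sample traffic is constructed.

```python
# Added example: parse njRAT-style C2 frames with the splitter from the
# extracted config.  Framing and the 'll' registration heuristic are
# assumptions about the family, not facts stated in the report.
import base64

SPLITTER = "|'|'|"                            # from the extracted config
C2_HOST, C2_PORT = "212.7.208.123", 6020      # from the extracted config


def parse_frames(stream: bytes, splitter: str = SPLITTER):
    """Split a TCP byte stream into complete frames.

    Returns (frames, remainder): frames is a list of field lists, one per
    complete frame; remainder is any trailing partial frame the caller
    should prepend to the next read.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        prefix = stream[pos:nul]
        if not prefix.isdigit() or len(prefix) > 10:
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                   # payload incomplete
        payload = stream[start:end].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        pos = end
    return frames, stream[pos:]


def build_frame(fields, splitter: str = SPLITTER) -> bytes:
    """Inverse of parse_frames; used here only to build the sample traffic."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def is_njrat_registration(fields) -> bool:
    """Assumed heuristic: an 'll' command whose second field decodes as base64."""
    if len(fields) < 2 or fields[0] != "ll":
        return False
    try:
        base64.b64decode(fields[1], validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


# Constructed sample: a registration frame followed by a second frame cut
# short, to show the remainder handling a stream reader needs.
VICTIM_ID = base64.b64encode(b"victim-0123").decode()
SAMPLE = (build_frame(["ll", VICTIM_ID, "Admin", "Win 7", "0.6.4"])
          + build_frame(["ping"])[:3])

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE)
    for f in frames:
        print("registration" if is_njrat_registration(f) else "other", f)
    print("leftover bytes:", rest)
```

Point a capture of traffic to 212.7.208.123:6020 at `parse_frames` and keep the remainder between reads; the splitter is the strongest static indicator because njRAT builds use their own, and a frame that does not split on it is a different build or a different family.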

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted!

What happend to my computer?
All your important files are encrypted. No one can help you to restore files without our special decryptor Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50.

How do i pay?
Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet.

Contact:
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])
In case of no anwser in 72 hours write us to this email: [email protected]

What if i already paid?
Send your Bitcoin wallet ID to e-mail provided above.

Attention!
1.Do not modify encrypted files.
2.Do not try decrypt your data using third party software, it may cause pernament data loss.

Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/
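The wallet and onion URL listed above are the note's checkable indicators; the e-mail addresses survive only as the redacted form shown. The following is an added example, not part of the report: it pulls those two indicators out of the note text and validates the Bitcoin address with Base58Check (version byte, 20-byte hash, double-SHA-256 checksum), which is the cheapest way to reject a wallet that was mistyped during note extraction. The note excerpt is taken from the report; the regexes and the decoder are this example's own.

```python
# Added example: extract and validate the IOCs in the LegionLocker note.
import hashlib
import re

# Excerpt of the ransom note shown in the report.
NOTE = """Payment is accepted in Bitcoin only.
Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh"""

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b/?", re.I)
# Legacy (P2PKH/P2SH) addresses only; bech32 would need a separate pattern.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def decode_base58check(addr: str):
    """Return (version, payload, checksum_ok); raise ValueError on bad input."""
    n = 0
    for ch in addr:
        idx = BASE58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    data, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return data[0], data[1:], checksum == expected


def extract_iocs(note: str) -> dict:
    """Return validated Bitcoin addresses and onion URLs found in the note."""
    addrs = []
    for a in BTC_RE.findall(note):
        try:
            version, payload, ok = decode_base58check(a)
        except ValueError:
            continue                       # not a Base58Check string at all
        addrs.append({"address": a, "version": version,
                      "payload_len": len(payload), "checksum_ok": ok})
    return {"bitcoin": addrs, "onion": sorted(set(ONION_RE.findall(note)))}


if __name__ == "__main__":
    for kind, items in extract_iocs(NOTE).items():
        print(kind, items)
```

A `checksum_ok` of False on a wallet copied from a note almost always means a transcription error in the report rather than a deliberately invalid address, so it is worth re-reading the note before the address is published as an indicator.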

Targets

    • Target

      RNSM00455.7z

    • Size

      115.6MB

    • MD5

      5113b2777400798e5429dc13f8efd1a7

    • SHA1

      42d62e59ba8591948af568a45c81932f1ca52e36

    • SHA256

      58f943a9d654185d8170fa9027aeea648435eeae44848e6495687a73e21cba33

    • SHA512

      a9c64b71594e0a198189311fee6a8408c0e4b42fa8cf0c3059f10ddd0ed891ce7fcf2f72f83547caa17054780aa2b5e38fa0b1daa9d48c92540fc4ae01e66c48

    • SSDEEP

      3145728:ijuQ5KJQMrXnEjLrFwymSPaesQzs6KcYCww/8pBJ0YJECvMnwnFWhH3q:ii0wnrEjLrFCSPaet4SYCLEpB2SECEw1

    • Detected LegionLocker ransomware

      Sample contains strings associated with the LegionLocker family.

    • Disables service(s)

    • LegionLocker

      Ransomware family active in 2021.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Detected Nirsoft tools

Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Checks computer location settings

Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

Executes commands via powershell.exe.

    • UPX packed file

Detects executables packed with the open-source UPX packer or a modified variant of it.
