General

  • Target

    RNSM00458.7z

  • Size

    118.3MB

  • Sample

    241011-nnjmrsveqq

  • MD5

    aba1e47a960ba23d22d235f4aec6501f

  • SHA1

    05cb11ff2ed576f5822662e0d1a50bfb0b5cb191

  • SHA256

    af2a46b92d79251d328392ce1241fffc25acd6e797ff1e64859938e03c1e593b

  • SHA512

    f2d400dc63f50bb20b2cc07252ad21ce0254975a5daf26141806d6b60c75760051defda62e7d1f29986af891904b4eb4a2c7088c0ae756aee4b11354eb61bae0

  • SSDEEP

    3145728:US89S8h9S3iAuu9bPUMp2h0ylFEG/0QhiOb8k9C:Cl03iAB9rUv0ylFHW

Malware Config

Extracted

Family

crimsonrat

C2

191.101.172.44

215.240.250.102

167.160.166.80

Extracted

Path

C:\Program Files\Crashpad\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: B76B8F95C312A7FE54AC11108A36CD1B
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Family

bitrat

Version

1.38

C2

eewe.ddns.net:2880

Attributes
  • communication_password

    b18aba2f7c3bf981f4caba4a41e6b205

  • tor_process

    tor

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- Tif628Qw8RPLQWBUdvKeIRrv9T1rYYGdtwoL7VRxcpMFw0k6B4Cw0Ycf59iDr84c ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
[ASCII-art banner omitted]
---------------------------------------------------------------
!!! ALL YOUR FILES ARE ENCRYPTED !!!
Your important files, photos, videos and documents are encrypted and locked. They are no longer accessible. We understand how important your files are, so that is why we have written instructions below in order to restore your files:
1. | To access your files again, you will need a custom decryption key which is only generated and provided by us. Your files cannot be recovered without this. If you seek help from a computer technician, they will not be able to access your files without this decryption key.
2. | If you attempt to delete or remove the process it will result in permanent deletion of your files and these cannot be recovered. A custom decryptor key (that is generated by us) is the only way to access your files again. Furthermore, a portion of your files will eventually be deleted if you do not comply with our instructions.
---------------------------------------------------------------
Payments are only accepted in Bitcoin: Payment information can be found below
・✼ | Step 1: Go to https://www.coinbase.com/ or another Bitcoin partner(https://bitcoin.org/en/exchanges). If you already have a Bitcoin wallet, go to step 3.
・✼ | Step 2: Create an account.
・✼ | Step 3: Buy Bitcoins for $150
・✼ | Step 4: Send $150USD worth of Bitcoin to the Bitcoin address below. Make sure you transfer enough to cover the fee. For further information on how to send Bitcoin, please watch the following: https://www.youtube.com/watch?v=pRdUbNBsVgc
・✼ | Step 5: Send proof of payment to [email protected] with the Unique Identifier Key (found at the bottom of document).
---------------------------------------------------------------
Bitcoin address (send $150USD worth of Bitcoin to:)
---------------------------------------------------------------
further information:
*Do not rename encrypted files.
*Do not try to decrypt your data using third party software, it may cause permanent data loss
*if you try to remove the process manually (by yourself or computer technician), this will result in permanent damage and data loss.
We do not want that to happen to you, so please do not take this threat lightly as we understand how important your files are. We guarantee that your files will be safely restored upon payment with no further threat or harm to your computer.
---------------------------------------------------------------
Unique Identifier Key (must be sent within email to [email protected])
1BQjNiPUVA3RoEBypNtehvDCfqKDeo5zwK
Unique Identifier Key (must be sent to us together with proof of payment):
o4idY0AZGVYUAjvfRZ1rCdc0dYEdsOKD1YwWV+Zym+MQnZteNv8MwoZCOL9FVdxLgmaZte2w43kDaIxscXvMKGVm33oPngAPUZZ0766XE8KP726lbIz+eNAQQcEG3CD4ioxJ2CfuPI71NRZLybcip3HY6sRX+UvbkfLQ+yJPwV7XvDS5HiY/6P0t/SRU20Kil4C0MO2jg49S1lzNzrDwAB/VX95LLPSEOc0rbal0CHVhk1BLDNJEJ5TcrAb42npvQpmYpQDukjZ5ucHRaWnJzN9+W1gkLM4/BvkSiTdQ8AWmrWSrupYFwoyStUhqMFharxhG/bxV2ZJCX2BFBJhMFw==
Number of files that you could have potentially lost forever can be as high as: 160
Wallets

1BQjNiPUVA3RoEBypNtehvDCfqKDeo5zwK

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Disables service(s)

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • MAKOP ransomware payload

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • VanillaRat

      VanillaRat is an advanced remote administration tool coded in C#.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (1994) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Vanilla Rat payload

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks