General

  • Target

    NitroRansomware.exe

  • Size

    61KB

  • Sample

    241025-hxx9maxdpq

  • MD5

    c4b8324b5144e4c5aaf54fd2edf7ff35

  • SHA1

    a5ea5afe5c05408a7f9f3a06ab318048194f978e

  • SHA256

    e854a9a2a3055687b6b404c41a548e56747d58318725db61618852ecea0a1e6c

  • SHA512

    06244aee8ac78ca77f0185490054e5b19cbb0e50cb093e0cfcb940440d69d57951b5f981a1042aa8ea81e9dc48f8b8c71b58cd5441fbcb37a68ee8fc932528cd

  • SSDEEP

    768:tKsMqCXfVcWlzM9ZkiANIUsLYLDwUzc80gmq3oP/oD7:tKse1M9ZkiAPPr/0O8/oP

Targets

    • Target

      NitroRansomware.exe

    • Nitro

      Ransomware that demands Discord Nitro gift codes as the ransom for decrypting files.

    • Renames multiple (100) files with added filename extension

      The sandbox observed 100 files renamed with an appended extension, the pattern left when ransomware encrypts each file it can reach and marks it with its own suffix.

    • Reads user/profile data of web browsers

      Browser profile data (saved credentials, cookies, session tokens) is a common infostealer target; a ransomware sample reading it points to data collection alongside encryption.

    • Adds Run key to start application

      Registry Run-key persistence: the sample is relaunched at each user logon.

    • Drops desktop.ini file(s)

      Writes desktop.ini files into directories it touches; low-signal on its own, but it accompanies the mass renaming here.

    • Legitimate hosting services abused for malware hosting/C2

      Network traffic goes to a legitimate hosting or web service rather than attacker-owned infrastructure, so domain reputation alone will not flag it.

    • Looks up external IP address via web service

      Queries a public IP lookup service to learn the victim's external address. The request itself looks benign, so detect on the process making it rather than on the destination.

    • Sets desktop wallpaper using registry

      Changes the desktop background through the registry value Windows stores the wallpaper path in (Control Panel\Desktop\WallPaper), the usual way ransomware displays its ransom note on screen.
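
The behaviours in the signature list above map naturally onto host telemetry. The following is an added example, not part of the sandbox report and not code from the sample or the sandbox vendor: it runs simple detection logic for five of the signatures (Run key, wallpaper change, external IP lookup, desktop.ini drop, mass rename with an appended extension) over constructed Sysmon-style events. The registry paths are the real Windows locations; the SID, file names, the sample's on-disk path, the `.encrypted` suffix, the list of IP lookup hostnames and the 20-file threshold are assumptions made for the example.

```python
import ntpath
from collections import Counter, defaultdict

# Sysmon event IDs used by the constructed events below.
EID_FILE_CREATE = 11
EID_REG_SET = 13
EID_DNS_QUERY = 22

# Assumed, not from the report: hostnames of well-known public IP lookup services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}

# Assumed threshold: files carrying the same appended extension before it counts as mass renaming.
MASS_RENAME_THRESHOLD = 20

# Hypothetical path of the sample on the victim host.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\NitroRansomware.exe"


def build_sample_events():
    """Constructed Sysmon-style events illustrating the report's signatures.

    Not taken from the sandbox run: the registry paths are the real Windows
    locations, while the SID, file names and '.encrypted' suffix are made up.
    """
    hku = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
    events = [
        # Run-key persistence (the value name is assumed).
        {"id": EID_REG_SET, "image": SAMPLE_IMAGE,
         "target": hku + r"\Software\Microsoft\Windows\CurrentVersion\Run\NitroRansomware"},
        # Wallpaper change via the registry value Windows reads for the desktop background.
        {"id": EID_REG_SET, "image": SAMPLE_IMAGE,
         "target": hku + r"\Control Panel\Desktop\WallPaper"},
        # External IP lookup; which service the real sample uses is not stated in the report.
        {"id": EID_DNS_QUERY, "image": SAMPLE_IMAGE, "query": "api.ipify.org"},
        # desktop.ini written by the sample, and one by Explorer that must not be flagged.
        {"id": EID_FILE_CREATE, "image": SAMPLE_IMAGE, "target": r"C:\Users\user\Documents\desktop.ini"},
        {"id": EID_FILE_CREATE, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Pictures\desktop.ini"},
    ]
    # Mass rename: each document keeps its original extension and gains an appended one.
    for i in range(25):
        events.append({"id": EID_FILE_CREATE, "image": SAMPLE_IMAGE,
                       "target": rf"C:\Users\user\Documents\report{i}.docx.encrypted"})
    return events


def detect(events):
    """Map each report signature to the sorted list of process images that triggered it."""
    hits = defaultdict(set)
    appended_ext = defaultdict(Counter)  # image -> Counter of appended extensions

    for ev in events:
        image = ev["image"]
        target = ev.get("target", "")
        tl = target.lower()

        if ev["id"] == EID_REG_SET:
            if "\\currentversion\\run\\" in tl:
                hits["Adds Run key to start application"].add(image)
            if tl.endswith("\\control panel\\desktop\\wallpaper"):
                hits["Sets desktop wallpaper using registry"].add(image)

        elif ev["id"] == EID_DNS_QUERY:
            if ev.get("query", "").lower() in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].add(image)

        elif ev["id"] == EID_FILE_CREATE:
            name = ntpath.basename(target)
            if name.lower() == "desktop.ini" and not image.lower().endswith("\\explorer.exe"):
                hits["Drops desktop.ini file(s)"].add(image)
            parts = name.split(".")
            # 'report.docx.encrypted': the original extension is kept and a new one appended.
            if len(parts) >= 3 and all(parts):
                appended_ext[image][parts[-1].lower()] += 1

    for image, counter in appended_ext.items():
        ext, count = counter.most_common(1)[0]
        if count >= MASS_RENAME_THRESHOLD:
            hits["Renames multiple files with added filename extension"].add(image)

    return {sig: sorted(images) for sig, images in hits.items()}


if __name__ == "__main__":
    for sig, images in sorted(detect(build_sample_events()).items()):
        print(f"{sig}: {', '.join(images)}")
```

The mass-rename rule keys on a file name that still carries its original extension under a newly appended one, which is the shape the report's "added filename extension" signature describes; counting per process image keeps a user renaming a handful of files from tripping it, and the Explorer exclusion on desktop.ini shows why the file-drop signature needs the writing process, not just the file name.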

MITRE ATT&CK Enterprise v15