General

  • Target

    RNSM00435.7z

  • Size

    7.2MB

  • Sample

    241025-z9q5hsslep

  • MD5

    ebfbfabb47ffd00e16ebd8724c63adc5

  • SHA1

    bb9c0edec43860dc1e5610716b5bc7164bde37ba

  • SHA256

    fabdb10b28b5e0bd4c9b38be6292bc5966cb2dd2428486bad8f056fb4696be27

  • SHA512

    1b367064fd2f9fdf8bcaa787b1cdf4ff758fb7be875e466875b956a6d8607692843c7c12316a70671eb58480726513bad2217e0cbd292987143d22777855b101

  • SSDEEP

    196608:2zYGZc71m9mVl5WldX9NUc/g6thkfMLZfqoh4Za:6ZSm9mVl5WldTx2fMFBaZa

Malware Config

Extracted

Family

crimsonrat

C2

64.188.25.232

Extracted

Family

djvu

C2

http://asvb.top/nddddhsspen6/get.php

Attributes
  • extension

    .pcqq

  • offline_id

    3pNdLH1399769YerBBKCxHURRAqLhaXsGw3Fbkt1

  • payload_url

    http://asvb.top/files/penelop/updatewin1.exe

    http://asvb.top/files/penelop/updatewin2.exe

    http://asvb.top/files/penelop/updatewin.exe

    http://asvb.top/files/penelop/3.exe

    http://asvb.top/files/penelop/4.exe

    http://asvb.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-TVrnNufMGq Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0296Sirj

rsa_pubkey.plain

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?9AE2456EE17245AACA2CBD635B5B9B18 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9AE2456EE17245AACA2CBD635B5B9B18 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9AE2456EE17245AACA2CBD635B5B9B18

http://lockbitks2tvnmwk.onion/?9AE2456EE17245AACA2CBD635B5B9B18

Extracted

Family

vidar

Version

38.7

Botnet

904

C2

https://HAL9THapi.faceit.comramilgame

Attributes
  • profile_id

    904

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Targets

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detected Djvu ransomware

    • Disables service(s)

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Djvu family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Urelas

      Urelas is a trojan targeting card games.

    • Urelas family

    • VanillaRat

      VanillaRat is an advanced remote administration tool coded in C#.

    • Vanillarat family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Modifies boot configuration data using bcdedit

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Renames multiple (3303) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Vanilla Rat payload

    • Vidar Stealer

    • XMRig Miner payload

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Network Share Discovery

      Attempts to gather information on the host's network shares.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
