General

  • Target

    LB3.exe

  • Size

    147KB

  • Sample

    241224-1z8ggsypbk

  • MD5

    67008d6538e43ec4ef57359f7ca4f15f

  • SHA1

    65078b6e640146bde300af0a6d70b91f45244343

  • SHA256

    cb43fff6739186bdf2af5d4f34624c020196616cdae86fb755bf3d250bbe9b12

  • SHA512

    9a9e281dcf6a783cb69f6ab9703af716dd304883ad1a92a17bf4498745b563b2560e4624d839cc7577776d31e22f596d821a183c4c4ec350d7fa7a8f0e44db54

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepTN5GqoLVB5FHONF:V6gDBGpvEByocWeX/oZB7u/

Malware Config

Extracted

Path

C:\IoBMyuygl.README.txt

Ransom Note
~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5
URLs

https://tox.chat/download.html

Targets

    • Target

      LB3.exe

    • Size

      147KB

    • MD5

      67008d6538e43ec4ef57359f7ca4f15f

    • SHA1

      65078b6e640146bde300af0a6d70b91f45244343

    • SHA256

      cb43fff6739186bdf2af5d4f34624c020196616cdae86fb755bf3d250bbe9b12

    • SHA512

      9a9e281dcf6a783cb69f6ab9703af716dd304883ad1a92a17bf4498745b563b2560e4624d839cc7577776d31e22f596d821a183c4c4ec350d7fa7a8f0e44db54

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepTN5GqoLVB5FHONF:V6gDBGpvEByocWeX/oZB7u/

    • Renames multiple (361) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks