General

  • Target

    01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.zip

  • Size

    28KB

  • Sample

    250110-lnaczssrdn

  • MD5

    d0a7b7c20e34212ca7ee5dfb5850631d

  • SHA1

    59faa285900b89d7fb3a99e3fdd66a8a4abb5c4f

  • SHA256

    2334559b1d0e613a9b5220a7b5107193e5fbaa2db3b251db3832432a4510feb9

  • SHA512

    7c123611808858013da2616bac875478fef1e29bb1b2d99d03ee4d3fe58b22ac7eead9ef7d53d5620cd84f044d40500d4d7d157971a62bb0de128f87890b5b9c

  • SSDEEP

    384:uTU5pm1dnB4usdMFvGh5JeM/n6cAldAySCJpTFOxuI9QBmk/RjnhpaGr7rYu2c36:uNtsYvoVzIBwkJThQG8/Qcd3h

Malware Config

Extracted

Path

C:\Recovery\How To Restore Your Files.txt

Family

darkside

Ransom Note
----------- [ Hello! ] ------------->
****BY BABUK LOCKER****
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
Follow our instructions below and you will recover all your data.
If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free.
How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: [email protected]
backup address: [email protected] [email protected]
TO SEND TO THE EMAIL ONLY PERSONAL ID!!!
YOUR PERSONAL ID, ATTACH IT:
beRv79st1xwM9NTHA1NluiebVXTdr4FS0eRnD5W9wMjAqbKQctyvdxbYuZ8e
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!

Targets

    • Target

      01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe

    • Size

      79KB

    • MD5

      f9afb31bc17811e5ab4fa406f105b1fe

    • SHA1

      d1a9449dcc8a3aa0c887bce71f128866175f679a

    • SHA256

      01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f

    • SHA512

      6feca3dfa221b704208754e67bcdce02a2253961da098b3e376d11217cd00b9f77e42f37f242e1a1f4b759b5fd172c29c9f153fce32eace48e07e802aff40b55

    • SSDEEP

      1536:SX6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:uhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    • Babuk Locker

      A RaaS first seen in 2021 that was initially called Vasa Locker.

    • Babuk family

    • DarkSide

      Targeted ransomware first seen in August 2020. Its operators steal data to use as leverage in extortion.

    • Darkside family

    • Deletes shadow copies

      Ransomware often deletes backups, such as Volume Shadow Copies, to inhibit system recovery.

    • Renames multiple (188) files with added filename extension

      Renaming this many files with an added extension suggests ransomware activity: the files on the system are being encrypted.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive, as ransomware does before encrypting attached and network volumes.
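The behaviours listed above (shadow copy deletion, the registry country-code lookup, drive enumeration and mass renames with an appended extension) are what a detection engineer would look for in a process trace. The Python below is an added example, not code from the sandbox, this report or the malware: it scores a constructed API trace for those four behaviours and combines them into a verdict. The trace format, the `.locked` extension and the rename threshold of 3 are assumptions for illustration only; the report counts 188 renames and does not name the extension the sample appends.

```python
"""Added example: score a process API trace for ransomware behaviours.

Each trace line is "API|argument". The traces below are constructed for
this example (not the sample's real trace); ".locked" is a placeholder
extension and the rename threshold is a hypothetical tuning value.
"""
import re
from collections import Counter

# Constructed trace that exhibits all four behaviours from the report.
SAMPLE_TRACE = r"""
RegQueryValueEx|HKCU\Control Panel\International\Geo\Nation
GetDriveTypeW|C:\
GetDriveTypeW|D:\
GetDriveTypeW|E:\
CreateProcessW|"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
MoveFileExW|C:\Users\u\Documents\q1.xlsx -> C:\Users\u\Documents\q1.xlsx.locked
MoveFileExW|C:\Users\u\Documents\plan.docx -> C:\Users\u\Documents\plan.docx.locked
MoveFileExW|C:\Users\u\Pictures\a.png -> C:\Users\u\Pictures\a.png.locked
CreateFileW|C:\Recovery\How To Restore Your Files.txt
"""

# Constructed benign trace: one ordinary rename, only the system drive probed.
BENIGN_TRACE = r"""
GetDriveTypeW|C:\
MoveFileExW|C:\Users\u\Documents\draft.docx -> C:\Users\u\Documents\draft_final.docx
CreateProcessW|"C:\Windows\System32\notepad.exe" C:\Users\u\notes.txt
"""

# Common shadow-copy deletion command lines (vssadmin, wmic, WMI class name).
SHADOW_DELETE_RE = re.compile(
    r'vssadmin(\.exe)?"?\s+delete\s+shadows'
    r'|wmic(\.exe)?"?\s+shadowcopy\s+delete'
    r"|Win32_ShadowCopy",
    re.I,
)
# Registry value holding the configured country code (GeoID).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# APIs used to walk attached drives before encryption.
DRIVE_APIS = {"getdrivetype", "getdrivetypea", "getdrivetypew", "getlogicaldrives", "findfirstvolumew"}
RENAME_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+)$")


def parse_trace(text):
    """Return (api, argument) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        api, arg = line.split("|", 1)
        events.append((api.strip(), arg.strip()))
    return events


def appended_extension(src, dst):
    """Return the new suffix when dst is exactly src plus '.ext', else None."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        return dst[len(src):]
    return None


def analyze_trace(text, rename_threshold=3):
    """Score one trace; rename_threshold is a hypothetical tuning value."""
    report = {
        "shadow_copy_deletion": False,
        "geofence_lookup": False,
        "drives_enumerated": set(),
        "appended_extension_renames": 0,
        "appended_extensions": Counter(),
    }
    for api, arg in parse_trace(text):
        api_l = api.lower()
        if api_l.startswith(("createprocess", "shellexecute")) and SHADOW_DELETE_RE.search(arg):
            report["shadow_copy_deletion"] = True
        elif api_l.startswith("regqueryvalue") and GEO_NATION_RE.search(arg):
            report["geofence_lookup"] = True
        elif api_l in DRIVE_APIS and arg:
            report["drives_enumerated"].add(arg.upper())
        elif api_l.startswith("movefile"):
            m = RENAME_RE.match(arg)
            ext = appended_extension(m["src"], m["dst"]) if m else None
            if ext:
                report["appended_extension_renames"] += 1
                report["appended_extensions"][ext.lower()] += 1
    report["drives_enumerated"] = sorted(report["drives_enumerated"])
    # The report flags reads of drives other than the default C: drive.
    report["non_system_drives_probed"] = any(d != "C:\\" for d in report["drives_enumerated"])
    # Verdict: backup destruction plus mass extension renames is the strongest pairing.
    report["ransomware_like"] = (
        report["shadow_copy_deletion"]
        and report["appended_extension_renames"] >= rename_threshold
    )
    return report


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze_trace(trace))
```

The geofence lookup and drive enumeration are recorded but kept out of the verdict: many legitimate installers read the locale and walk drives, whereas deleting shadow copies and then renaming files by appending a new extension is rarely benign. Tune the rename threshold to the environment; the sandbox counted 188 renames for this sample.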

MITRE ATT&CK Enterprise v15