General

  • Target

    2025-01-19_ffcf249e4350566277bfa3e90f030bf3_virlock

  • Size

    585KB

  • Sample

    250119-mvwegatqft

  • MD5

    ffcf249e4350566277bfa3e90f030bf3

  • SHA1

    1f78a99bf84b9073399dcb0584db6f92c5170e13

  • SHA256

    599753f19721e2dda86a9507ee456feccb8db3497377625e4e7c77d10e414907

  • SHA512

    3691d30fa655ac08644aeb506653cd73fd5d3b9539d7344c10040cc73977dd6b72868bf8122107423fa1fd0c3e41d13710f0f65bca3eed93904a104f8f7287f0

  • SSDEEP

    12288:KFMcpP25BGjZ4oJQF0oYPGluhdl4X7/IxsAPB+S8TbJMcr:aNXZ4oJCDl1zIxsAPBy9

Targets

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (60) files with added filename extension

      This suggests ransomware activity: the sample appears to be encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15