Resubmissions

  • 31-01-2025 10:07

    250131-l5mpmsvldj 10

  • 31-01-2025 09:38

    250131-lmgexasjfw 10

General

  • Target

    2025-01-31_ab877999ca6168fd099040f98a64edc6_darkside

  • Size

    147KB

  • Sample

    250131-l5mpmsvldj

  • MD5

    ab877999ca6168fd099040f98a64edc6

  • SHA1

    c530d7246fb5a00d09ed53c84e6ed1513af929ad

  • SHA256

    e5aca3c506667dc2b0a0f35c8597fd6f80c3ee852a88400f0f7f727ae8666295

  • SHA512

    a5431e6519c46d451c5224c289978da04e3c84ffdbc79203fe8f70850629a55b3a493dfec493c1588d73963944cb42bacb05780bafc41a08383b5fe5bf9d6e88

  • SSDEEP

    3072:Z6glyuxE4GsUPnliByocWepajomS/nF4pxmI:Z6gDBGpvEByocWe+dOF

Malware Config

Extracted

Path

C:\RDYzae88l.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Your personal DECRYPTION ID: 459BD77854ECFD7281D4372FEA64DC13
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2025
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Extracted

Path

C:\RDYzae88l.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Your personal DECRYPTION ID: 459BD77854ECFD72DD91EA00AAEB04E5
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2025
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Targets

    • Renames multiple (327) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15