General

  • Target

    21482936146.zip

  • Size

    97KB

  • Sample

    250219-m3g7tazjgw

  • MD5

    5f80a4b666fa83f69743446c1d46e397

  • SHA1

    f480eff43489fe5fbdfd2efb1f0583268a429747

  • SHA256

    616c3a855e903eee9aeeaa793dd07c3c8212ca2e06d25406788112a427a439d6

  • SHA512

    ef032a32bea88272ba6b6cdc14f28fab74fdb474665427db258401e86652243fc1141723d3495b22516bb98862e429e5195b75dc3733ae698fedb1ecee5d4f8d

  • SSDEEP

    1536:6KgxqpdtAoThB0iV+Z0ZIovTdMYusNLv1Wv5fF+pEvTDvP+W82+/m3HrLp90:6ydtDThBYULvCYuGv4RApATDuE+u3HE

Malware Config

Extracted

Path

C:\WZBIlSNPn.README.txt

Ransom Note

-------------YOUR DATA IS ENCRYPTED --------------------
If you want to recover files, contact the operator in the TOX application, enter YOUR ID SANGYO
Add the ID D430C63774B01013C66864363661887C4EBE6B5A12370CB7C24C0A1795D0650D476FEAD8C4B2 of your personal operator as a friend so that you can start chatting or send an email to our support [email protected]
Your personal DECRYPTION ID: SANGYO
Unlocking your data is possible only with our software.
All your files were encrypted and important data was copied to our storage
Contact Mail: [email protected]
In the header of the letter, indicate your ID and if you want attach 2-3 infected files to generate a private key and compile the decryptor
Files should not have important information and should not exceed the size of more than 5 MB
After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages
--------- Attention ---------
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.
In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.
Don't be afraid to contact us.
Remember, this is the only way to recover your data.

Targets

    • Target

      59037088830d5b220be4d5f95b0bd19a88415318b10957907b3b49f41371a9c5

    • Size

      147KB

    • MD5

      3ae57223b24366ece408d64396fd2b90

    • SHA1

      1d8a520fdb33fe94c131c56015f1e6799115210b

    • SHA256

      59037088830d5b220be4d5f95b0bd19a88415318b10957907b3b49f41371a9c5

    • SHA512

      0d088480156d784c7b0bf0e851f6140bd1e51a1c6cf1f3bfabc8fbcbed4bddca8545299810e65fa3bb05f4e7b0dcbe19dd90b252c66841cf38bf786005239711

    • SSDEEP

      3072:vqJogYkcSNm9V7Dk961CuNtH3nx3wHIT:vq2kc4m9tDk9YNtXx3wH

    • Renames multiple (363) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks