Overview

overview

10

Static

static

3

2025-03-18...er.exe

windows7-x64

10

2025-03-18...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2025, 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe

  • Size

    719KB

  • MD5

    3e063dc0de937df5841cb9c2ff3e4651

  • SHA1

    e683bfaeb1a695ff9ef1759cf1944fa3bb3b6948

  • SHA256

    99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98

  • SHA512

    9a0d0c04b95bbf8c73beb398cc72fa8e9dc87e3149e8c2f43b05fca4ef8e4410c1d65ed11e50b01d24719ce6a8996448944ab56601ef65116614a17f2e10d23f

  • SSDEEP

    12288:aKRHZl7Lup6ySk3QYktDNYlg2317DJtY7wdD30qoifK/Ke5ABa4QP9+NrMke03f9:aKslHY7wdD30qnfsKxB+ZKX55WsSuFrl

Score
10/10
credential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\README.txt

Ransom Note
--= No news is a good news ! =-- Your network has been breached and all your files Personal data, financial reports and important documents has been stolen , encrypted and ready to publish to public, if you willing to continue your bussines and make more money and keep bussines secret safe you need to restore your files first, And to restore all your files you have to pay the ransom in Bitcoin. don't bother your self and wast your time or make it more harder on your bussines , we developed a locker that can't be decrypted using third part decrypters . making your self geek and trying to restore the files with third part decrypter this will leads to lose all your date ! and then the even you pay the ransom can't help you to restore your files even us. to chat with us : 1 - Download tor browser https://www.torproject.org/download/ 2 - go to one of these links above http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion 3 - you will be asked for your ticket id to enter the chat this for you : TICKET ID 6994669932656897989 usefull links : #OUR TOR BLOG : http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
URLs

http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion

http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion

http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion

http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion

http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion

http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion

http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion

Signatures

  • Renames multiple (8362) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\README.txt
    Filesize

    1KB

    MD5

    fdb3ebd9bc1237354dec30a2de9a78ce

    SHA1

    255ec3c63ee80545d31d302ea348024c522863f5

    SHA256

    794b3bf63d9ced141ba41a710697230da41b7e75c341d549a3b3359955b7fe6f

    SHA512

    ae9600b98a0b1450dc5c0d9a94281104f04770bc758d40270b7a7b4e5b7f5406d36c290676ec59b0d9c43b2d99ab876c8a4fe302e746aa15bf2dd14ade1f6fd7

    Download Submit