General
Target: Dragonforce.zip
Size: 94KB
Sample: 250404-bwktkszmw4
-
Behavioral task: behavioral1
Sample: 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Resource: win10v2004-20250314-en
Malware Config
Extracted
C:\AoVOpni2N.README.txt
dragonforce
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Targets
Target: 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Size: 147KB
-
DragonForce
Ransomware family based on LockBit that was first observed in November 2023.

Dragonforce family

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger