Overview

overview

10

Static

static

10

Dragonforce.zip

windows11-21h2-x64

1

1250ba6f25...4b.exe

windows11-21h2-x64

10

__MACOSX/....4b.exe

windows11-21h2-x64

Resubmissions

06/04/2025, 17:05

250406-vmarsstybt 10

04/04/2025, 13:35

250404-qvrcasznx3 10

04/04/2025, 01:29

250404-bwktkszmw4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Dragonforce.zip

  • Size

    94KB

  • Sample

    250406-vmarsstybt

  • MD5

    7e7b8b35317b1bbf57cd5b39c310da4c

  • SHA1

    3966077d545454f8054be4dbdfce646a740b911f

  • SHA256

    8656c8bc2d098776803ef6648d5b4d9e4cc444647ac09bb97fcccd54956ddc94

  • SHA512

    3288d141c1a25acc3af3e3b38ef67e2d61db55c85ddc7adebed3d41eb30603ea0b5a3d10bed75b491b9c37b94ee3168dd6b95c843c06e392c559144bee9a74b2

  • SSDEEP

    1536:+LK9RGjrGYNgNHOagSR/twp48BGn7L/I1RpeavTkH88m/Y+YEROahglRPN7QXN60:LGHTgNugtwG8YnYjpXTN8m/Y+gqWRl8F

Score
10/10
dragonforcelockbitdefense_evasiondiscoveryransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\AoVOpni2N.README.txt

Family

dragonforce

Ransom Note
Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: A758919A7F3B351CF86BF7B3B17CA0DE to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Targets

    • Target

      Dragonforce.zip

    • Size

      94KB

    • MD5

      7e7b8b35317b1bbf57cd5b39c310da4c

    • SHA1

      3966077d545454f8054be4dbdfce646a740b911f

    • SHA256

      8656c8bc2d098776803ef6648d5b4d9e4cc444647ac09bb97fcccd54956ddc94

    • SHA512

      3288d141c1a25acc3af3e3b38ef67e2d61db55c85ddc7adebed3d41eb30603ea0b5a3d10bed75b491b9c37b94ee3168dd6b95c843c06e392c559144bee9a74b2

    • SSDEEP

      1536:+LK9RGjrGYNgNHOagSR/twp48BGn7L/I1RpeavTkH88m/Y+YEROahglRPN7QXN60:LGHTgNugtwG8YnYjpXTN8m/Y+gqWRl8F

    Score
    1/10
    behavioral1

    • Target

      1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

    • Size

      147KB

    • MD5

      d54bae930b038950c2947f5397c13f84

    • SHA1

      e164bbaf848fa5d46fa42f62402a1c55330ef562

    • SHA256

      1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b

    • SHA512

      81001ae98c5670aaf6c33d5f2ecae1ed20058fa5b1824f0c48fc12d93c5bf7c9cc1ac502e85c9244bdd13682539ff9f343907f2e965e04f910df8144f60fd63d

    • SSDEEP

      3072:e6glyuxE4GsUPnliByocWep6v6JMdoKkgwfHweVg2sp+:e6gDBGpvEByocWe+oKT+g2a+

    Score
    10/10
    dragonforcedefense_evasiondiscoveryransomwarespywarestealertrojan

    • DragonForce

      Ransomware family based on Lockbit that was first observed in November 2023.

      ransomwaredragonforce

    • Dragonforce family

      dragonforce

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral2

    • Target

      __MACOSX/._1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

    • Size

      276B

    • MD5

      5c2f09e0062d7912bcb30c62dcf17d7b

    • SHA1

      2c5208dfd913e48c8d79ff310711b67a4c5eb944

    • SHA256

      d13f88e34917cdcf19489cd3eccf29bcdbc1ca85c4f95fcad80065c8ed09c70b

    • SHA512

      fb1aea1e90d782136d9a7d31de69b61de086314c9af42ae9ca4ed4211566db25343fae313c42726a5232395c906041b668e4798f29f9b8e8153f89cf637b8a3d

    Score
    1/10
    behavioral3

MITRE ATT&CK Enterprise v15

Tasks