General

  • Target

    2025-04-21_a0efa7fb6dff1e035510ec1f42e083e4_darkside_elex_lockbit

  • Size

    147KB

  • Sample

    250421-qdv9xsvtft

  • MD5

    a0efa7fb6dff1e035510ec1f42e083e4

  • SHA1

    3be88df02346df3b4e5f5dc962d3ddf8bba2ddbf

  • SHA256

    66160f72ad9521da85a4edd197ce30f12cc38cc2ba53cdfb1017cb99203dba73

  • SHA512

    90e3b27c64b3106b70609fbc1a637b09ac8d4b83c88ce3b79462915e23705905cd0786196d7bd570b943f4b57abc7fe373f2fa36cd2a4c76176062c2afc09565

  • SSDEEP

    3072:h6glyuxE4GsUPnliByocWepwHVbW0zH1dMeq:h6gDBGpvEByocWeKDr3

Malware Config

Extracted

Path

C:\bW9pcESV9.README.txt

Family

braincipher

Ransom Note
*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! ATTENTION! If you do not contact us within 48 hours, we will post the record on our website: vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion/ This page can take up to 30 minutes to load. 3. Enter your encryption ID: nwVTVzFVZ6v4hSPi5v9Oj3UDyxDG+KXbxaFtavLJIiZ10gv1ogCZIqQ2UA4gauvaqRjIVprlj0wf8fkqO7xFJLZzg2dzVw Email to support: [email protected]
URLs

http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion

http://77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion/

Targets

    • Target

      2025-04-21_a0efa7fb6dff1e035510ec1f42e083e4_darkside_elex_lockbit

    • Size

      147KB

    • MD5

      a0efa7fb6dff1e035510ec1f42e083e4

    • SHA1

      3be88df02346df3b4e5f5dc962d3ddf8bba2ddbf

    • SHA256

      66160f72ad9521da85a4edd197ce30f12cc38cc2ba53cdfb1017cb99203dba73

    • SHA512

      90e3b27c64b3106b70609fbc1a637b09ac8d4b83c88ce3b79462915e23705905cd0786196d7bd570b943f4b57abc7fe373f2fa36cd2a4c76176062c2afc09565

    • SSDEEP

      3072:h6glyuxE4GsUPnliByocWepwHVbW0zH1dMeq:h6gDBGpvEByocWeKDr3

    • Brain Cipher

      Ransomware family based on Lockbit that was first observed in June 2024.

    • Braincipher family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks