General
Target: 2025-04-21_f94d17b5f232e9cfd2255ca9823cb18a_darkside_elex_lockbit
Size: 147KB
Sample: 250421-qt5hjaymw6
MD5: f94d17b5f232e9cfd2255ca9823cb18a
SHA1: 633e11c6b1829076318478e41658fdcd432f6230
SHA256: ec089cdd699fafbeb3cfd7dc68ac16f556c3456c7f7a57984030ae8975d8267f
SHA512: 45d40fc2a9fb331f12a8cf22f3f47ccbe7e5a9ed4438dcc98c2695028545360046f6d09bc5f084aeece475c29dd6975c5525b0231ad2bd29b218e7a3507881c3
SSDEEP: 3072:O6glyuxE4GsUPnliByocWepbEOUgwAvmR:O6gDBGpvEByocWexsgwImR

Behavioral task: behavioral1
Sample: 2025-04-21_f94d17b5f232e9cfd2255ca9823cb18a_darkside_elex_lockbit.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: 2025-04-21_f94d17b5f232e9cfd2255ca9823cb18a_darkside_elex_lockbit.exe
Resource: win11-20250410-en

Malware Config
Extracted
Path: C:\jErs0FgGP.README.txt
Family: braincipher
URLs:
http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion
http://brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion

Targets
Target: 2025-04-21_f94d17b5f232e9cfd2255ca9823cb18a_darkside_elex_lockbit
Brain Cipher
Ransomware family based on LockBit that was first observed in June 2024.

Braincipher family

Renames multiple (7701) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of NtSetInformationThreadHideFromDebugger