Resubmissions

22/04/2025, 18:11

250422-wspzcatsez 5

22/04/2025, 17:09

250422-vn4fhawlv7 10

General

  • Target

    https://bazaar.abuse.ch/sample/6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417/

  • Sample

    250422-vn4fhawlv7

Malware Config

Extracted

Path

C:\flzQgniJJ.README.txt

Family

braincipher

Ransom Note
*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion 3. Enter your encryption ID: uYrTA6hpRFsWQR0nqlFk5WK8S+zUIHNd9T3L6aykdR27ztPJwC3xHOsdSBkZhmr+yKcnVLCct0ffjVRy5yvFQydzhzQWJR Email to support: [email protected]
URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Targets

    • Target

      https://bazaar.abuse.ch/sample/6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417/

    • Brain Cipher

      Ransomware family based on Lockbit that was first observed in June 2024.

    • Braincipher family

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks