RegretLocker
Common Information
UUID: 7e10e6c3-829a-4032-b6cf-01f817cfa39f
Fingerprint: 8e04a913aa298381
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Nov. 17, 2020, midnight
Added to db: Sept. 11, 2022, 12:37 p.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: RegretLocker
Title: RegretLocker
Detected Hints/Tags/Attributes: 51/1/27
Attributes
Type             #Events  Value
Domain                 1  regretzjibibtcgb.onion
Domain               129  api.ipify.org
Domain                14  chuongdong.com
Domain               911  any.run
Domain                 1  tutorialjinni.com
Domain              1373  twitter.com
Domain              4127  github.com
File                 229  advapi32.dll
File                  83  crypt32.dll
File                   3  virtdisk.dll
File                   1  tor-lib.dll
File                 249  schtasks.exe
File                2126  cmd.exe
File                 105  bcdedit.exe
File                 140  files.txt
File                1122  svchost.exe
File                   1  weaponizingwindowsvirtualization.pdf
Github username        2  vxunderground
md5                    1  3265b2b0afc6d2ad0bdd55af8edb9b37
sha256                 1  a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
Url                    1  http://regretzjibibtcgb.onion/input
Url                   11  http://api.ipify.org
Url                    4  http://chuongdong.com/reverse
Url                    1  https://twitter.com/vk_intel/status/1323693700371914753
Url                    1  https://twitter.com/malwrhunterteam/status/1321375502179905536
Url                    1  https://github.com/vxunderground/vxug-papers/blob/main/weaponizing
Yara rule              1  (rule text follows)
rule regretlocker {
	meta:
		description = "YARA rule for RegretLocker"
		reference = "http://chuongdong.com/reverse engineering/2020/11/17/RegretLocker/"
		author = "@cPeterr"
		tlp = "white"
	strings:
		// Embedded Tor library, the .onion C2 endpoint, and the extension the rule keys on
		$str1 = "tor-lib.dll"
		$str2 = "http://regretzjibibtcgb.onion/input"
		$str3 = ".mouse"
		// Process-kill and recovery-inhibition commands. "\\" is a single backslash in YARA;
		// the unusual spacing in the bcdedit strings is part of the pattern, do not normalise it
		$cmd1 = "taskkill /F /IM \\"
		$cmd2 = "wmic SHADOWCOPY DELETE"
		$cmd3 = "wbadmin DELETE SYSTEMSTATEBACKUP"
		$cmd4 = "bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures"
		$cmd5 = "bcdedit.exe / set{ default } recoveryenabled No"
		// Function names left in the binary as plain strings
		$func1 = "open_virtual_drive()"
		$func2 = "smb_scanner()"
		// x86 "cmp esi, 0x06400000" (imm32 little-endian) = 104857600 = 100 MiB: the large-file size check
		$checklarge = { 81 FE 00 00 40 06 }
	condition:
		// All three family strings, at least one command, at least one function name, and the size check
		all of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge
}
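The following is an added example and is not code from the rule author or from the CTI database. It re-implements the rule's condition (`all of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge`) in plain Python so the grouping logic can be stepped through without yara-python, and decodes the `$checklarge` opcode bytes to show the constant they compare against. The function names (`checklarge_threshold`, `match_regretlocker`) and both sample buffers are assumptions constructed for illustration; the buffers contain only the string atoms from the rule plus a few hand-assembled instruction bytes, not malware.

```python
"""Re-implement the regretlocker YARA condition in pure Python.

Added example; not code from the rule author or the CTI database. It mirrors
the rule's condition `all of ($str*) and any of ($cmd*) and any of ($func*)
and $checklarge` over a byte buffer so the grouping logic can be inspected
without yara-python, and decodes the $checklarge opcode bytes to show what
they test. Sample buffers are constructed for illustration and contain no
malware.
"""
import struct

# Atoms copied verbatim from the rule on this page.
STR_ATOMS = [
    b"tor-lib.dll",
    b"http://regretzjibibtcgb.onion/input",
    b".mouse",
]
CMD_ATOMS = [
    b"taskkill /F /IM \\",  # YARA "\\" escapes to a single backslash
    b"wmic SHADOWCOPY DELETE",
    b"wbadmin DELETE SYSTEMSTATEBACKUP",
    b"bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures",
    b"bcdedit.exe / set{ default } recoveryenabled No",
]
FUNC_ATOMS = [b"open_virtual_drive()", b"smb_scanner()"]
CHECKLARGE = bytes.fromhex("81 FE 00 00 40 06")  # cmp esi, imm32


def checklarge_threshold(pattern: bytes = CHECKLARGE) -> int:
    """Decode the imm32 operand of `81 FE imm32` (cmp esi, imm32).

    For the rule's bytes this is 0x06400000 = 104857600 = 100 MiB, the
    file-size boundary the rule author labelled "large".
    """
    if pattern[:2] != b"\x81\xfe":
        raise ValueError("not a cmp esi, imm32 encoding")
    return struct.unpack("<I", pattern[2:6])[0]


def match_regretlocker(data: bytes) -> dict:
    """Evaluate the rule condition over `data`.

    Returns per-group hit counts plus the final verdict, which is what a
    `yara -s` run lets you reason about: all three $str atoms must be
    present, but only one $cmd and one $func atom are required.
    """
    hits = {
        "str": sum(atom in data for atom in STR_ATOMS),
        "cmd": sum(atom in data for atom in CMD_ATOMS),
        "func": sum(atom in data for atom in FUNC_ATOMS),
        "checklarge": CHECKLARGE in data,
    }
    hits["match"] = (
        hits["str"] == len(STR_ATOMS)   # all of ($str*)
        and hits["cmd"] >= 1            # any of ($cmd*)
        and hits["func"] >= 1           # any of ($func*)
        and hits["checklarge"]          # $checklarge
    )
    return hits


# Constructed positive: NUL-separated strings as a linker would lay them out,
# followed by a hand-assembled fragment around the size comparison
# (mov esi, eax ; cmp esi, 0x06400000 ; jbe +0x10).
SAMPLE_POSITIVE = (
    b"\x00" * 16
    + b"\x00".join(STR_ATOMS) + b"\x00"
    + b"wmic SHADOWCOPY DELETE\x00"
    + b"open_virtual_drive()\x00"
    + b"\x8b\xf0" + CHECKLARGE + b"\x76\x10"
)

# Constructed near miss: an admin script that runs two of the $cmd atoms but
# has none of the family-specific strings, so the rule must not fire.
SAMPLE_BENIGN = (
    b"@echo off\r\n"
    b"wmic SHADOWCOPY DELETE\r\n"
    b"wbadmin DELETE SYSTEMSTATEBACKUP\r\n"
)

if __name__ == "__main__":
    print("large-file threshold:", checklarge_threshold(), "bytes")
    for label, buf in (("positive", SAMPLE_POSITIVE), ("benign", SAMPLE_BENIGN)):
        print(label, match_regretlocker(buf))
```

The near-miss buffer is the point of the exercise: shadow-copy and backup deletion commands show up in legitimate maintenance scripts, which is why the rule requires all three family-specific `$str` atoms and the opcode pattern rather than firing on any `$cmd` atom alone. When tuning a rule like this, test it against such benign inputs as well as the sample.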