ioc[.]one - OSINT Cyber Threat Intelligence Database

Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme

Tags

cmtmf-attack-pattern:	Supply Chain Compromise
attack-pattern:	Data Model Malware - T1587.001 Malware - T1588.001 Software - T1592.002 Supply Chain Compromise - T1474 Brute Force - T1110 Supply Chain Compromise - T1195 Default Credentials Supply Chain Compromise

Show in Graph

Common Information

Type	Value
UUID	ac2daa82-065c-4ccb-a90e-fb5dfe82b59c
Fingerprint	964580388b379ee9
Analysis status	DONE
Considered CTI value	2
Text language
Published	June 6, 2022, midnight
Added to db	Oct. 15, 2024, 3:35 p.m.
Last updated	Nov. 15, 2024, 1:38 p.m.
Headline	Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme
Title	Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme
Detected Hints/Tags/Attributes	79/2/19

Source URLs

	Redirection	Url
Details	Source	https://www.trendmicro.com/en_hk/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_nl/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_th/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_ph/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_id/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_ae/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_se/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_au/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_no/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_be/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_ca/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_nz/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Details	Source	https://www.trendmicro.com/en_in/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html

URL Provider

Details	Provider	Source level domain
Details	trendmicro.com	www.trendmicro.com

Attributes

Details	Type	#Events	CTI	Value
Details	Domain	61		censys.io
Details	Domain	1		cgi.sh
Details	File	10		document.docx
Details	File	2		spreadsheet.xls
Details	File	1		deadbolt.json
Details	md5	1		5da2297bad6924526e48e00dbfc3c27a
Details	md5	1		fb2e2de57fb405512f539a1c302e2b4f
Details	sha256	1		2dab7013f332b465b23e912d90d84c166aefbf60689242166e399d7add1c0189
Details	sha256	1		3c4af1963fc96856a77dbaba94e6fd5e13c938e2de3e97bdd76e1fca6a7ccb24
Details	sha256	1		80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c
Details	sha256	1		e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77
Details	sha256	1		acb3522feccc666e620a642cadd4657fdb4e9f0f8f32462933e6c447376c2178
Details	sha256	1		14a13534d21d9f85a21763b0e0e86657ed69b230a47e15efc76c8a19631a8d04
Details	sha256	1		444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf
Details	sha256	1		4f0063bbe2e6ac096cb694a986f4369156596f0d0f63cbb5127e540feca33f68
Details	sha256	1		81f8d58931c4ecf7f0d1b02ed3f9ad0a57a0c88fb959c3c18c147b209d352ff1
Details	sha256	1		3058863a5a169054933f49d8fe890aa80e134f0febc912f80fc0f94578ae1bcb
Details	sha256	1		e0580f6642e93f9c476e7324d17d2f99a6989e62e67ae140f7c294056c55ad27
Details	Yara rule	1		import "elf" rule deadbolt_uncompressed : ransomware { meta: description = "Looks for configuration fields in the JSON parsing code" author = "Trend Micro Research" date = "2022-03-23" hash = "444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf" hash = "80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c" hash = "e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77" strings: $ = "json:\"key\"" $ = "json:\"cgi_path\"" $ = "json:\"client_id\"" $ = "json:\"vendor_name\"" $ = "json:\"vendor_email\"" $ = "json:\"vendor_amount\"" $ = "json:\"payment_amount\"" $ = "json:\"vendor_address\"" $ = "json:\"master_key_hash\"" $ = "json:\"payment_address\"" $ = "json:\"vendor_amount_full\"" condition: elf.type == elf.ET_EXEC and all of them }