LostTrust Ransomware - Trust nothing — ShadowStackRE
Tags
Common Information
Type | Value |
---|---|
UUID | bffad0a6-0c78-4abe-956f-03606596860b |
Fingerprint | 3f38ba3107270e14 |
Analysis status | DONE |
Considered CTI value | 1 |
Text language | |
Published | Nov. 26, 2024, midnight |
Added to db | Aug. 31, 2024, 10:57 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | LostTrust Ransomware |
Title | LostTrust Ransomware - Trust nothing — ShadowStackRE |
Detected Hints/Tags/Attributes | 57/1/33 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.shadowstackre.com/analysis/losttrust |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 434 | ✔ | ShadowStackRE | https://www.shadowstackre.com/analysis?format=rss | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 10 | | shadowstackre.com |
Details | Domain | 18 | | opensource.org |
Details | File | 34 | | psapi.dll |
Details | File | 45 | | mpr.dll |
Details | File | 1018 | | rundll32.exe |
Details | File | 81 | | werfault.exe |
Details | File | 1260 | | explorer.exe |
Details | File | 3 | | vmnetdhcp.exe |
Details | File | 7 | | vmware-authd.exe |
Details | File | 4 | | vmware-hostd.exe |
Details | File | 6 | | vmware-tray.exe |
Details | File | 5 | | vmware-usbarbitrator64.exe |
Details | File | 2 | | vmware-usbarbitrator32.exe |
Details | File | 3 | | webroot_updater.exe |
Details | File | 26 | | windowsupdate.exe |
Details | File | 3 | | vmware-usbarbitrator.exe |
Details | File | 351 | | recycle.bin |
Details | File | 243 | | autorun.inf |
Details | File | 120 | | boot.ini |
Details | File | 90 | | bootfont.bin |
Details | File | 99 | | bootsect.bak |
Details | File | 196 | | desktop.ini |
Details | File | 101 | | iconcache.db |
Details | File | 193 | | ntuser.dat |
Details | File | 100 | | ntuser.dat.log |
Details | File | 66 | | ntuser.ini |
Details | File | 143 | | thumbs.db |
Details | File | 3 | | losttrustencoded.txt |
Details | sha256 | 1 | | 25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708 |
Details | Pdb | 1 | | fake_exe.pdb |
Details | Pdb | 2 | | c:\fake_exe.pdb |
Details | Url | 10 | | https://opensource.org/license/mit |
Details | Yara rule | 1 | | see rule below the table |

```yara
rule LostTrust {
    meta:
        description = "rule to detect LostTrust ransomware"
        author = "ShadowStackRe.com"
        date = "2023-11-26"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "LostTrust"
        License = "MIT License, https://opensource.org/license/mit/"
    strings:
        $strOption1 = "--onlypath" ascii wide
        $strOption2 = "--enable-shares" ascii wide
        $strEncodedLog = "ENCODED : %ws (total files : %d)"
        $strExt = ".losttrustencoded" ascii wide
        $strDecryptLog = "decrypt file %ws, %ws"
        $strReadMe1 = "So we decided to change our business model."
        $strReadMe2 = "This is serious business for us"
    condition:
        all of them
}
```