Pulse: What is Astro Locker Team?
TLP: WHITE | Author: AlienVault | Created: 2021-04-06 | Modified: 2021-05-06 | 22 IOCs
A recent incident with a new Sophos Managed Threat Response (MTR) customer has raised questions about the Mount Locker ransomware group and its relationship with Astro Locker Team. Everything from the tactics, techniques, and procedures (TTPs) used, to the files involved, and even the ransom note left behind pointed to this being the work of the Mount Locker group. However, something odd happened when the investigators followed the link included in the ransom note. Upon following the TOR link, MTR investigators were presented with a chat directly with the "support" team for the ransomware, who introduced themselves as the "AstroLocker Team" and also the "Astro Locker Team."
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Mount Locker; Cobalt Strike (S0154)
Indicators of Compromise (22)

| Type | Indicator | Description | Created |
|---|---|---|---|
| FileHash-MD5 | 14a52f10653ab52dbfa4f84c93d12af3 | MD5 of 0a671d9d7ca62274e5e210813d02d860846baf59188e2a07522cd3a1cc3f9cc0 | 2021-04-06 |
| FileHash-MD5 | 1473cd276e116f53bd88e51405e4afaf | MD5 of 2c44444d207a78da7477ae1af195d4265134e895bebb476f7b2c003f1467a033 | 2021-04-06 |
| FileHash-SHA256 | 0a671d9d7ca62274e5e210813d02d860846baf59188e2a07522cd3a1cc3f9cc0 | | 2021-04-06 |
| FileHash-SHA256 | 2c44444d207a78da7477ae1af195d4265134e895bebb476f7b2c003f1467a033 | | 2021-04-06 |
| FileHash-SHA1 | 4ee9c1e32a1c9adb7f3a6f113ccfc1cfbf19500a | SHA1 of 0a671d9d7ca62274e5e210813d02d860846baf59188e2a07522cd3a1cc3f9cc0 | 2021-04-06 |
| FileHash-SHA1 | f84102dfe51af18c31bc8b314e8619fe11ad82f4 | SHA1 of 2c44444d207a78da7477ae1af195d4265134e895bebb476f7b2c003f1467a033 | 2021-04-06 |
| domain | albanallahacrab.club | Registered=11/04/2020 Registrar=Porkbun NS=a.dnspod.com | 2021-04-06 |
| domain | dclogictrust.com | NS=dns1.registrar-servers.com | 2021-04-06 |
| domain | masskwearing.cyou | NS=a.dnspod.com | 2021-04-06 |
| domain | padishahmurrka.best | NS=a.dnspod.com | 2021-04-06 |
| domain | uragusexgre.club | Registered=11/04/2020 Registrar=Porkbun NS=a.dnspod.com | 2021-04-06 |
| FileHash-MD5 | 9fda38454048a826257cd2e8f86248fc | MD5 of 5606c92af263869268a11eb730eb32d5fd770896530b23e42d2390d6ef230d61 | 2021-04-06 |
| FileHash-MD5 | 38ff68376b7590b20e7af22c4337da51 | MD5 of 864930113d66c413bab705e79add3659efa95126449bfad05abf99c6d7e8ae00 | 2021-04-06 |
| FileHash-SHA256 | 5606c92af263869268a11eb730eb32d5fd770896530b23e42d2390d6ef230d61 | | 2021-04-06 |
| FileHash-SHA256 | 864930113d66c413bab705e79add3659efa95126449bfad05abf99c6d7e8ae00 | | 2021-04-06 |
| FileHash-SHA1 | c204b2949504ab8b05fed70397fa69a283bafb96 | SHA1 of 5606c92af263869268a11eb730eb32d5fd770896530b23e42d2390d6ef230d61 | 2021-04-06 |
| FileHash-SHA1 | a21fdd0b11a9c3a265946b28c95cafafb7d9713a | SHA1 of 864930113d66c413bab705e79add3659efa95126449bfad05abf99c6d7e8ae00 | 2021-04-06 |
| domain | felpojdhf8980.cyou | NS=a.dnspod.com | 2021-04-06 |
| domain | supercombinating.com | Registered=07/16/2020 Registrar=PDR Ltd. d/b/a PublicDomainRegistry.com NS=ns1.entrydns.net | 2021-04-06 |
| FileHash-MD5 | 06dd860ae6d69e0b579e22715c8663f2 | MD5 of d8c9660404ee38d2e4f8715a8316596f679f4d42 | 2021-04-06 |
| FileHash-SHA256 | 30ff38e859a849b6776dd7b0f299ba83605858f661297f39585bcf928769feef | SHA256 of d8c9660404ee38d2e4f8715a8316596f679f4d42 | 2021-04-06 |
| FileHash-SHA1 | d8c9660404ee38d2e4f8715a8316596f679f4d42 | | 2021-04-06 |