Date: 03/24/2025
Severity: Critical
Summary
The financially motivated Albabat ransomware group has resurfaced with new versions. Our threat-hunting team recently identified versions 2.0.0 and 2.5, which encrypt Windows hosts while also collecting system and hardware information from Linux and macOS machines. Previously undetected variants were also found retrieving their configuration via the GitHub REST API, with the HTTP User-Agent header set to "Awesome App". That configuration holds details that drive the ransomware's behavior (targeting, exclusions and the ransom note), so the fetch itself is a useful network-side detection point alongside the file hashes below.
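The configuration fetch described above leaves a distinctive network artifact: a client contacting the GitHub REST API host with the "Awesome App" User-Agent. The following is an added detection example written for this advisory, not code from Gurucul or Trend Micro. The proxy log format, the client IPs and the repository paths are constructed for illustration; only the api.github.com host and the "Awesome App" string come from the advisory. Note that a User-Agent is an operator-controlled string and can change between builds, so treat a match as a high-confidence hit but not the absence of one as a clean bill.

```python
"""Flag web-proxy records in which a client reached the GitHub REST API with the
"Awesome App" User-Agent associated with Albabat configuration retrieval.

Added example for this advisory. The log format and all sample records below are
constructed for illustration; they are not Gurucul or Trend Micro artifacts.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status, quoted User-Agent.
# Lines 1 and 4 model the Albabat fetch (note the case difference in the UA);
# lines 2 and 3 are benign traffic that must not alert.
SAMPLE_PROXY_LOG = """\
2025-03-20T10:01:02Z 10.0.4.17 GET https://api.github.com/repos/example/example/contents/config.json 200 "Awesome App"
2025-03-20T10:01:09Z 10.0.4.22 GET https://api.github.com/repos/octocat/Hello-World 200 "git/2.44.0"
2025-03-20T10:02:11Z 10.0.4.31 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-03-20T10:03:45Z 10.0.4.17 GET https://api.github.com/repos/example/example/contents/config.json 304 "awesome app"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

GITHUB_API_HOST = "api.github.com"
ALBABAT_USER_AGENT = "awesome app"  # from the advisory; compared case-insensitively


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    user_agent: str


def parse_line(line):
    """Return the record's fields as a dict, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Hostname component of a URL, lower-cased; '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def find_albabat_config_fetches(log_text):
    """Every record where the GitHub REST API host was hit with the Albabat User-Agent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        if host_of(rec["url"]) != GITHUB_API_HOST:
            continue
        if rec["ua"].strip().lower() != ALBABAT_USER_AGENT:
            continue
        hits.append(Hit(rec["ts"], rec["client"], rec["url"], rec["ua"]))
    return hits


def clients_to_triage(hits):
    """Distinct client IPs, so one host retrying the fetch does not flood the queue."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = find_albabat_config_fetches(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.url} UA={h.user_agent!r}")
    print("hosts to triage:", clients_to_triage(found))
```

Point `find_albabat_config_fetches` at real proxy output by adapting `LINE_RE` to your gateway's format; the host and User-Agent comparison is what carries the detection, and both are normalised to lower case so a capitalisation change in the sample does not evade it.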
Indicators of Compromise (IOC) List
SHA-1:
1cc2d1f2a991c19b7e633a92b1629641c019cdeb
c7c52fdaecf325dfaf6eda14e0603579feaed40a
8a3ea65147a156d381d8f1773e91eb8e0f6b1e40
8de54cad9d6316679580c91117b484acb493ab72
d67dc8c4232a3943a66608d62874923e9a3fb628

SHA-256:
13d128038c341e850b55bc900ecee93496521c74bd9f3f8ea63e86042c5b6a9b
e58b3a701c3fc74a64ec0f4b7cee3550245c93b2f020f0f7bd0304ad855fc32a
963570ba538aa5cac746bd5037847e8b346fc8a052617f6f4dbd12aefbd3c8da
f02db098f98d362925ce997ee6c8c0cfc8f509d135a6b94c7a18a67e418243d4
7057e38c383528f0645bb8b31d7ac4c855d30719ca2671345cc88e82dc968f36
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Hash 1 (SHA-1):
sha1hash IN ("d67dc8c4232a3943a66608d62874923e9a3fb628","c7c52fdaecf325dfaf6eda14e0603579feaed40a","8de54cad9d6316679580c91117b484acb493ab72","8a3ea65147a156d381d8f1773e91eb8e0f6b1e40","1cc2d1f2a991c19b7e633a92b1629641c019cdeb")

Hash 2 (SHA-256):
sha256hash IN ("13d128038c341e850b55bc900ecee93496521c74bd9f3f8ea63e86042c5b6a9b","e58b3a701c3fc74a64ec0f4b7cee3550245c93b2f020f0f7bd0304ad855fc32a","963570ba538aa5cac746bd5037847e8b346fc8a052617f6f4dbd12aefbd3c8da","f02db098f98d362925ce997ee6c8c0cfc8f509d135a6b94c7a18a67e418243d4","7057e38c383528f0645bb8b31d7ac4c855d30719ca2671345cc88e82dc968f36")
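The TDIR filters above assume the SIEM already holds file hashes. For hosts without that telemetry, the same indicators can be checked on disk. The following is an added example written for this advisory, not a Gurucul tool: it streams each file once to produce both SHA-1 and SHA-256, matches the results against the indicator sets from this page, and renders the same sets back into the `IN (...)` form used by the queries so the two stay in sync. The directory walk, function names and query rendering are this example's own; the hash values are the advisory's. Hash indicators only catch the exact samples analysed, so a clean scan does not rule out a recompiled build.

```python
"""Check files against the Albabat SHA-1 and SHA-256 indicators from this advisory
and render the same indicator sets as TDIR-style IN (...) filters.

Added example for this advisory, not a Gurucul tool. Only the hash values below
are taken from the page; the scanning and query-rendering code is illustrative.
"""
import hashlib
import os
import sys

ALBABAT_SHA1 = frozenset({
    "1cc2d1f2a991c19b7e633a92b1629641c019cdeb",
    "c7c52fdaecf325dfaf6eda14e0603579feaed40a",
    "8a3ea65147a156d381d8f1773e91eb8e0f6b1e40",
    "8de54cad9d6316679580c91117b484acb493ab72",
    "d67dc8c4232a3943a66608d62874923e9a3fb628",
})
ALBABAT_SHA256 = frozenset({
    "13d128038c341e850b55bc900ecee93496521c74bd9f3f8ea63e86042c5b6a9b",
    "e58b3a701c3fc74a64ec0f4b7cee3550245c93b2f020f0f7bd0304ad855fc32a",
    "963570ba538aa5cac746bd5037847e8b346fc8a052617f6f4dbd12aefbd3c8da",
    "f02db098f98d362925ce997ee6c8c0cfc8f509d135a6b94c7a18a67e418243d4",
    "7057e38c383528f0645bb8b31d7ac4c855d30719ca2671345cc88e82dc968f36",
})


def hash_bytes(data):
    """Return (sha1_hex, sha256_hex) for an in-memory blob."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file once, feeding both digests, so large binaries are not read twice."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()


def match_digests(sha1_hex, sha256_hex):
    """Names of the indicator sets the digests hit ('sha1', 'sha256'); empty set if none.

    Hex case is normalised so a hash copied as 'D67dc8c4...' still matches."""
    hits = set()
    if sha1_hex.lower() in ALBABAT_SHA1:
        hits.add("sha1")
    if sha256_hex.lower() in ALBABAT_SHA256:
        hits.add("sha256")
    return hits


def scan_directory(root):
    """Walk root and return {path: matched_sets} for every file hitting an indicator.

    Unreadable files (permissions, deleted mid-scan) are skipped so one error does
    not stop the sweep. Symlinked directories are not followed (os.walk default)."""
    matches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hit = match_digests(*hash_file(path))
            except OSError:
                continue
            if hit:
                matches[path] = hit
    return matches


def build_tdir_query(field, hashes):
    """Render an indicator set in the advisory's filter form, e.g. sha1hash IN ("..","..")."""
    quoted = ",".join(f'"{h}"' for h in sorted(hashes))
    return f"{field} IN ({quoted})"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, sets in scan_directory(root).items():
        print(f"MATCH {path} ({', '.join(sorted(sets))})")
    print(build_tdir_query("sha1hash", ALBABAT_SHA1))
    print(build_tdir_query("sha256hash", ALBABAT_SHA256))
```

Run it as `python scan.py C:\Users` (or a mounted image) on a host you suspect; a match on either digest is enough to escalate, and the two printed queries can be pasted into the SIEM so the endpoint sweep and the TDIR search use an identical indicator set.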
Reference:
https://www.trendmicro.com/en_us/research/25/c/albabat-ransomware-group.html