
RegretLocker - compiled information, activity and samples

Severity: Medium
Published: Wed Dec 30 2020 (12/30/2020, 00:00:00 UTC)
Source: MISP

Description

WIN-295748OMAKG

AI-Powered Analysis

Last updated: 07/08/2025, 12:10:04 UTC

Technical Analysis

RegretLocker is a ransomware family first reported in late 2020 that targets Windows hosts. The event lists no affected versions or patches, which is normal for ransomware: it needs no vulnerability, only execution. Two unusual anti-analysis checks are documented: the sample reads the current user name and the computer name and exits immediately if either equals "WIN-295748OMAKG", a value that most plausibly identifies the author's own test machine or a specific analysis environment rather than any class of victim. Persistence is obtained by registering a scheduled task named "Mouse Application" that re-runs the sample every minute; the task is created with Schtasks.exe, which the malware launches from cmd.exe via ShellExecuteA, so killing the process without also deleting the task only buys about a minute. The sample was retrieved from http://344744.cloud4box.ru/files/locker/locker.exe; whether that URL was also the delivery path in real infections is not stated. The IP address 109.248.203.209 is recorded as an indicator without a description, so its role (hosting, command and control, or something else) should not be assumed. The event's threat level of 2 and analysis value of 2 are MISP metadata (Medium and Completed respectively), not a measure of the malware's sophistication. The referenced materials document the behaviour: a reverse-engineering write-up, two researcher tweets, an any.run sandbox task, and a vxunderground paper on weaponizing Windows virtualization, the technique RegretLocker is known for (mounting VHD virtual-disk files through the Windows virtual-storage API so that the files inside can be encrypted individually). Public data on prevalence or confirmed victims remains limited.

Potential Impact

For European organizations, as for any organization running Windows, RegretLocker carries the ordinary ransomware impact: encryption of files on the infected host, loss of availability, and recovery cost whether or not a ransom is paid. Two documented behaviours raise the cost of response. The one-minute scheduled task means that terminating the process without deleting the "Mouse Application" task lets the binary restart within a minute, so partial cleanups fail and incident responders must remove the task before, or together with, the binary. The user-name and computer-name check does not affect victims, but an automated sandbox that happens to use the name WIN-295748OMAKG will see the sample exit and may report it as benign. Nothing on the page documents data exfiltration, so confidentiality impact should be treated as unconfirmed rather than assumed, and nothing ties the malware to European targets specifically. The medium severity reflects the absence of documented active campaigns, not any limit on what the malware does once it runs; a publicly reachable payload URL is enough for opportunistic reuse.

Mitigation Recommendations

The following measures target the behaviours documented for RegretLocker, in addition to standard ransomware controls:
1) Alert on scheduled-task creation with a minute-based trigger (schtasks.exe /create /sc minute, or Security event 4698 whose task XML carries a Repetition/Interval such as PT1M) and on any task named "Mouse Application". Event 4698 requires the "Audit Other Object Access Events" subcategory to be enabled; process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line logging) captures the schtasks.exe invocation with cmd.exe as its parent.
2) Do not rely on detecting the user-name and computer-name check on the endpoint: reading those values is something benign software does constantly, so it is not a usable signal on its own. Instead, detonate suspicious samples in a sandbox whose host and user names are not WIN-295748OMAKG, since the sample exits silently on that name.
3) Block http://344744.cloud4box.ru/files/locker/locker.exe, the host name 344744.cloud4box.ru and the IP address 109.248.203.209 at the proxy, DNS filter and firewall, and search historical proxy and DNS logs for earlier contact with them.
4) Hunt for persistence artifacts: enumerate scheduled tasks across the fleet and review any task whose action points into a user-writable path (for example a Temp or Public directory) and whose trigger repeats more often than every few minutes.
5) Enforce application control (AppLocker or Windows Defender Application Control) so that unsigned binaries in user-writable directories cannot execute; the documented URL delivers a bare executable.
6) Maintain offline, regularly tested backups so recovery does not depend on paying.
7) Train users on phishing and unsolicited downloads; the page documents no initial vector beyond the hosted locker.exe, so treat the delivery mechanism as unknown rather than assumed.
8) Follow the referenced analyses and threat-intelligence sharing platforms for new indicators.
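As an added example (not code from the MISP event or the referenced analyses) covering items 1 and 4 above and the persistence mechanism described in the Technical Analysis, the Python script below hunts normalised Windows telemetry for minute-interval scheduled tasks. It assumes two record shapes: process-creation events with Sysmon Event ID 1 style fields (image, parent_image, command_line) and Security event 4698 records carrying the task name and task XML. The sample records, the locker.exe path and the task XML are constructed for this example and do not come from the page.

```python
"""Hunt normalised Windows telemetry for minute-interval scheduled-task persistence
(added example; record shapes and all sample data below are assumed/constructed)."""
import re
import shlex
import xml.etree.ElementTree as ET

SUSPICIOUS_TASK_NAMES = {"mouse application"}  # task name documented for RegretLocker
INTERVAL_THRESHOLD_MIN = 5                     # repeat intervals this short are rare for legitimate tasks
_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_schtasks(command_line):
    """Options of a 'schtasks /create' command line as a dict keyed by option name
    without the slash (True for bare flags such as /f); None if not a /create."""
    tokens = shlex.split(command_line, posix=False)  # posix=False keeps Windows backslashes and quotes
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    opts, i = {}, lowered.index("/create") + 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def schtasks_interval_minutes(opts):
    """Repeat interval in minutes implied by /sc and /mo, or None if the task is not periodic."""
    sc, mo = str(opts.get("sc", "")).lower(), opts.get("mo")
    count = int(mo) if isinstance(mo, str) and mo.isdigit() else 1  # schtasks defaults /mo to 1
    if sc == "minute":
        return count
    if sc == "hourly":
        return 60 * count
    return None


def iso_duration_minutes(text):
    """ISO 8601 duration as written in task XML (e.g. PT1M) converted to minutes; None if malformed."""
    m = _ISO_DURATION.match(text.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def task_xml_min_interval(task_content):
    """Smallest Repetition/Interval in a task definition (event 4698 TaskContent), or None."""
    intervals = []
    for el in ET.fromstring(task_content).iter():
        if el.tag.rsplit("}", 1)[-1] == "Interval" and el.text:  # strip the task XML namespace
            v = iso_duration_minutes(el.text)
            if v is not None:
                intervals.append(v)
    return min(intervals) if intervals else None


def hunt(records):
    """Findings for records that register a suspiciously frequent task or a known-bad task name."""
    findings = []
    for rec in records:
        if rec.get("event") == "process_create":
            if not rec.get("image", "").lower().endswith("schtasks.exe"):
                continue
            opts = parse_schtasks(rec.get("command_line", ""))
            if opts is None:
                continue
            name, interval, source = str(opts.get("tn", "")), schtasks_interval_minutes(opts), "sysmon_1"
        elif rec.get("event") == "task_created":
            name, interval, source = rec.get("task_name", ""), task_xml_min_interval(rec["task_content"]), "security_4698"
        else:
            continue
        name = name.strip("\\")  # 4698 reports names as \Folder\Name
        reasons = []
        if name.lower() in SUSPICIOUS_TASK_NAMES:
            reasons.append("task name documented for RegretLocker")
        if interval is not None and interval <= INTERVAL_THRESHOLD_MIN:
            reasons.append(f"repeats every {interval:g} min")
        if reasons:
            findings.append({"source": source, "task_name": name, "interval_min": interval,
                             "parent_image": rec.get("parent_image"), "reasons": reasons})
    return findings


_TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Constructed task XML in the shape schtasks writes for '/sc minute /mo 1'
TASK_XML_MINUTE = (
    f'<Task version="1.2" xmlns="{_TASK_NS}"><Triggers><TimeTrigger>'
    "<Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>"
    "<StartBoundary>2020-11-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>"
    "<Actions><Exec><Command>C:\\Users\\Public\\locker.exe</Command></Exec></Actions></Task>"
)
# Constructed weekly task with no Repetition element (benign control)
TASK_XML_WEEKLY = (
    f'<Task version="1.2" xmlns="{_TASK_NS}"><Triggers><CalendarTrigger>'
    "<StartBoundary>2020-11-01T02:00:00</StartBoundary><ScheduleByWeek><WeeksInterval>1</WeeksInterval>"
    "<DaysOfWeek><Sunday/></DaysOfWeek></ScheduleByWeek></CalendarTrigger></Triggers>"
    "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>"
)
SAMPLE_RECORDS = [  # constructed for this example; paths are assumptions
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /sc minute /mo 1 /tn "Mouse Application" /tr "C:\Users\Public\locker.exe" /f'},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'},
    {"event": "task_created", "task_name": r"\Mouse Application", "task_content": TASK_XML_MINUTE},
    {"event": "task_created", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "task_content": TASK_XML_WEEKLY},
]
```

Running `hunt(SAMPLE_RECORDS)` yields two findings, both for "Mouse Application" at a one-minute interval, one from the schtasks.exe command line and one from the registered task XML; the daily and weekly tasks are ignored. Matching on the interval rather than only on the task name is what makes the rule survive a trivial rename by the operator.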

Technical Details

Threat Level: 2 (MISP threat level 2 = Medium)
Analysis: 2 (MISP analysis state 2 = Completed)

Indicators of Compromise

Text

Value: WIN-295748OMAKG
Description: The malware writer has two unusual checks against a particular user name and PC name (WIN-295748OMAKG). If either the user name or the PC name matches, the malware exits immediately.

Link

Value:
http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/
https://twitter.com/VK_Intel/status/1323693700371914753
https://twitter.com/malwrhunterteam/status/1321375502179905536
https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf
https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/

Url

Value: http://344744.cloud4box.ru/files/locker/locker.exe
Description: Source URL

Ip

Value: 109.248.203.209

Windows scheduled-task

Value: Mouse Application
Description: Next, it also schedules the malware as a task that runs every minute, using a Schtasks.exe command that is run from cmd.exe via ShellExecuteA.

Threat ID: 6828eab8e1a0c275ea6e1ed1

Added to database: 5/17/2025, 7:59:52 PM

Last enriched: 7/8/2025, 12:10:04 PM

Last updated: 8/14/2025, 4:21:57 AM
