RegretLocker - compiled information, activity and samples
WIN-295748OMAKG
AI Analysis
Technical Summary
RegretLocker is a ransomware family identified in late 2020, targeting Windows systems without specific version dependencies. The malware employs unique evasion techniques, notably checking for a particular username and PC name ("WIN-295748OMAKG") and terminating execution if these match, likely to avoid detection or analysis in certain controlled environments. Persistence is achieved by scheduling itself as a Windows Scheduled Task named "Mouse Application," which runs every minute using Schtasks.exe invoked via cmd.exe and ShellExecuteA, ensuring continuous execution and complicating removal efforts. Distribution appears to be via a publicly accessible URL (http://344744.cloud4box.ru/files/locker/locker.exe), and it communicates with an IP address (109.248.203.209), potentially for command and control or data exfiltration. While no known exploits or widespread active campaigns have been reported, the malware exhibits moderate sophistication with a threat level and analysis rating of 2. The lack of patch information and affected versions suggests it targets Windows broadly. Available technical analyses and reverse engineering reports provide insight into its behavior, but public data on its impact or prevalence remains limited. Overall, RegretLocker represents a ransomware threat with evasion and persistence capabilities that could disrupt operations and compromise data confidentiality if deployed effectively.
Potential Impact
For European organizations, RegretLocker poses a moderate risk primarily through its ransomware capabilities, which can lead to data encryption, operational disruption, and potential financial losses due to ransom payments or recovery costs. The malware's persistence mechanism via scheduled tasks allows it to maintain a foothold on infected systems, increasing potential downtime and complicating incident response. Its evasion techniques may hinder detection by security tools, delaying remediation efforts. Although no active exploitation is currently documented, the presence of a publicly accessible payload and associated command and control infrastructure indicates potential for targeted or opportunistic attacks. Organizations handling sensitive or critical data could face confidentiality breaches if data exfiltration occurs prior to encryption. The operational impact includes loss of data availability, reputational damage, and increased incident response complexity. Given the medium severity and limited exploitation evidence, the immediate threat level is moderate but could escalate if threat actors adopt or evolve this malware to target European entities more aggressively.
Mitigation Recommendations
European organizations should implement specific measures beyond standard ransomware defenses to mitigate RegretLocker risks:
1) Monitor and restrict the creation and execution of scheduled tasks, particularly those named "Mouse Application" or tasks invoking Schtasks.exe at frequent intervals, to disrupt persistence mechanisms.
2) Deploy behavioral detection capabilities to identify malware performing environment checks for specific usernames or PC names, enabling early detection of evasion attempts.
3) Block network access to known malicious URLs and IP addresses associated with RegretLocker, such as http://344744.cloud4box.ru/files/locker/locker.exe and IP 109.248.203.209, using firewalls, web proxies, and DNS filtering.
4) Conduct proactive threat hunting focused on identifying unusual scheduled tasks and persistence artifacts.
5) Harden endpoint security by enforcing application whitelisting and restricting execution privileges to prevent unauthorized binaries from running.
6) Maintain offline, regularly tested backups to ensure rapid recovery without paying ransom.
7) Educate users on phishing risks and suspicious downloads, as initial infection vectors are likely social engineering-based.
8) Engage with threat intelligence sharing platforms to stay updated on RegretLocker developments and emerging indicators of compromise.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- text: WIN-295748OMAKG
- link: http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/
- link: https://twitter.com/VK_Intel/status/1323693700371914753
- link: https://twitter.com/malwrhunterteam/status/1321375502179905536
- link: https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf
- link: https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/
- url: http://344744.cloud4box.ru/files/locker/locker.exe
- ip: 109.248.203.209
- windows-scheduled-task: Mouse Application
Technical Details
- Threat Level: 2
- Analysis: 2
Indicators of Compromise
Text
Value | Description
---|---
WIN-295748OMAKG | The malware writer has two unusual checks for a particular user name and PC name (WIN-295748OMAKG). If the user name or the PC name matches, the malware exits immediately.
Link
Value | Description
---|---
http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ | —
https://twitter.com/VK_Intel/status/1323693700371914753 | —
https://twitter.com/malwrhunterteam/status/1321375502179905536 | —
https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf | —
https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/ | —
Url
Value | Description
---|---
http://344744.cloud4box.ru/files/locker/locker.exe | Source URL
Ip
Value | Description
---|---
109.248.203.209 | —
Windows scheduled-task
Value | Description
---|---
Mouse Application | Next, it also schedules the malware as a task that runs every minute using a Schtasks.exe command, which is run from cmd.exe via ShellExecuteA.
Threat ID: 6828eab8e1a0c275ea6e1ed1
Added to database: 5/17/2025, 7:59:52 PM
Last enriched: 7/8/2025, 12:10:04 PM
Last updated: 8/14/2025, 4:21:57 AM