The ransom group d0glun, is it hidden threat or just for fun?
Summary
The ransomware d0glun described below was first submitted on 2025-01-16; it deserves closer attention because the operator's motivation can only be assessed with low confidence.
Analysis
The details of the d0glun ransomware are as follows: its file properties display the private information “QQ424714982 TG@CXL13131”, the product name is 8180VPN, and the product version is 1.0.0.0.
Figure 1 - Details of file
A warning text file is displayed on the desktop, which tells the victim the date and time at which they were infected by the ransomware.
Figure 2 - a warning text on the desktop
On the screen, a text ransom note tells the victim which types of files will be encrypted (this differs from other ransom groups), how to recover them and how to contact the attacker, and gives the address of the dark site, but without demanding any bitcoin.
Figure 3 - ransom notes
Different file types are given different suffixes, which are not very common.
Figure 4 - different suffix
The other windows are used for decryption and timing. To decrypt the files, the victim has to enter the KEY and ID; the timer does not appear to be limited. A special tip on the window states that the operator started the ransom attack just for fun.
Figure 5 - ransom notes
On drive C:, the d0glun ransomware drops @cxl.bmp and @Main wallpaper.bmp, and in the directory c:\config it generates many files such as [@]Chengxilun.exe and [@]Chengxilun.txt. The config.ini includes the victim ID.
Figure 6 - released files
Running [@]Chengxilun.exe displays the payment method and the attacker's information, which includes an email, TG, QQ, and a Chinese name. The payment demand and the "for fun" tip in Figure 5 seem to reflect different motivations. Judging by the above behaviors, d0glun appears to be a beginner making a first attempt.
Figure 7 - payment and private information
IOCs
80422A4B94653C8C10E33767ED8C155B
c:\@cxl.bmp
c:\@Main wallpaper.bmp
Runcxl.txt
33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad[.]onion
cx113131[@]163[.]com
TG:[@]CXL13131
QQ:424714982
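As an added example (not part of the original report), the following Python script turns the host artifacts listed above into a simple triage check: it classifies file paths against the dropped wallpapers, the [@]Chengxilun files in c:\config and config.ini, and compares file content against the report's hash. It assumes the 32-character hash in the IOC list is an MD5, and the inventory it sweeps is constructed, not real sample content.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Host indicators taken from the report above (lower-cased for matching).
KNOWN_MD5 = {"80422a4b94653c8c10e33767ed8c155b"}  # assumed to be MD5
DROPPED_ROOT_FILES = {r"c:\@cxl.bmp", r"c:\@main wallpaper.bmp"}
CONFIG_DIR = r"c:\config"
# Files the sample writes into c:\config carry a "[@]Chengxilun" prefix.
CONFIG_NAME_RE = re.compile(r"^\[@\]chengxilun\.", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """Lower-case hex MD5 of file content, for comparison with KNOWN_MD5."""
    return hashlib.md5(data).hexdigest()


def classify_path(path: str) -> Optional[str]:
    """Return the artifact category a path falls into, or None if it is not one."""
    p = PureWindowsPath(path)
    full, parent, name = str(p).lower(), str(p.parent).lower(), p.name.lower()
    if full in DROPPED_ROOT_FILES:
        return "wallpaper_dropped_on_c"
    if parent == CONFIG_DIR and CONFIG_NAME_RE.match(name):
        return "config_dir_payload"
    if parent == CONFIG_DIR and name == "config.ini":
        return "victim_id_config"
    return None


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Sweep a {path: content} inventory and report hash and path matches."""
    findings: Dict[str, List[str]] = {"hash_match": [], "artifact": []}
    for path, data in files.items():
        if md5_hex(data) in KNOWN_MD5:
            findings["hash_match"].append(path)
        kind = classify_path(path)
        if kind is not None:
            findings["artifact"].append(f"{path} ({kind})")
    return findings


# Constructed inventory (placeholder bytes, not real sample content).
SAMPLE_FILES = {
    r"C:\@cxl.bmp": b"BM...",
    r"C:\config\[@]Chengxilun.exe": b"MZ...",
    r"C:\config\config.ini": b"[victim]\nid=EXAMPLE-ID\n",
    r"C:\Users\user\notes.txt": b"hello",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```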
Conclusion
From the above behaviors of d0glun, it currently seems to sit between seeking payment and acting just for fun, as a beginner at the door of ransomware attacks; whether it becomes a hidden threat or stays just for fun is up to the operator's choice.
End.
Support My Work:
**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.
[Alipay QR Code image]
*I am deeply grateful from the bottom of my heart!*
Labels: #d0glun, #ransomware