A new Screenlocker / Stalker under development called StalinLocker or StalinScreamer was discovered by MalwareHunterTeam, giving you 10 minutes to enter a code or trying to erase the contents of the drives on the computer. During the run, a screen is displayed showing Stalin playing the anthem of the USSR and displaying a countdown until files are deleted.

  StalinLocker / StalinScreamer - lock screen
StalinLocker / StalinScreamer – lock screen

StalinLocker performs the following actions when executed:

  • Extract the file "USSR_Anthem.mp3" into the folder% UserProfile% AppData Local and play it off. This anthem is the same as in this YouTube video but of much poorer quality.
  • It copies itself to% UserProfile% AppData Local stalin.exe and creates an autorun called "Stalin" This launches the screenlocker / wiper when the user logs on to the computer.
  • It creates% UserProfile% AppData Local fl.dat and writes the current number of remaining seconds divided by 3. Each time you start the command program, the countdown is much lower
  • Trying to process other than Skype or Discord terminate
  • Terminate Explorer.exe and taskmgr.exe
  • Tried to launch a scheduled task called "Driver Update" to start Stalin .exe. This part of the code is currently throwing bugs.

StalinLocker then displays the above lock screen, which contains a 10 minute countdown until your files are deleted or you enter a code. According to to MalwareHunterTeam this code is derived by subtracting the current date of execution of the program until the date 1922.12.30. When the user enters the correct code, the wiper is terminated and the autorun is deleted.

  Enter code
Enter code source

If, on the other hand, the code is not entered at the time the countdown reaches zero, the screen lock attempts to clear all files on each drive letter on the computer. This will scan all drive letters from A to Z, and delete all drives accessible as shown below.

  Source code for deleting files on drive letters AZ
Source code for deleting files on drive letters from AZ

This wiper is currently under development, but could easily be put into a working state. Luckily, most security vendors recognize this either through definitions or heuristics, so make sure you have an anti-virus program installed and updated to the latest definitions.



  SHA256: 853177d9a42fab0d8d62a190894de5c27ec203240df0d9e70154a675823adf04 [19659021] Related files: 
% UserProfile%  AppData  Local  fl.dat
% Userprofile%  AppData  Local  stalin.exe
% UserProfile%  AppData  Local  USSR_Anthem.mp3

Mapped registry entries:

  HKLM  SOFTWARE  Microsoft  Windows  CurrentVersion  Run  Stalin% UserProfile%  AppData  Local  stalin.exe

Source link


Please enter your comment!
Please enter your name here