badrabbit

Target

Downloads.rar
Size

184.3MB
Sample

201122-6x1at779dj
MD5

9e3e4dd2eca465797c3a07c0fa2254fe
SHA1

16ceee08c07179157b0fb6de04b7605360f34b20
SHA256

f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7
SHA512

f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Targets

- Target
  
  Endermanch@000.exe
- Size
  
  6.7MB
- MD5
  
  f2b7074e1543720a9a98fda660e02688
- SHA1
  
  1029492c1a12789d8af78d54adcb921e24b9e5ca
- SHA256
  
  4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
- SHA512
  
  73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Score

8^/10

evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  Endermanch@7ev3n.exe
- Size
  
  315KB
- MD5
  
  9f8bc96c96d43ecb69f883388d228754
- SHA1
  
  61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256
  
  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512
  
  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
Score

10^/10

bootkit evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  Endermanch@AnViPC2009.exe
- Size
  
  1.2MB
- MD5
  
  910dd666c83efd3496f21f9f211cdc1f
- SHA1
  
  77cd736ee1697beda0ac65da24455ec566ba7440
- SHA256
  
  06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
- SHA512
  
  467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
Score

10^/10

badrabbit bootkit evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Loads dropped DLL
- JavaScript code in executable
behavioral3
- Target
  
  Endermanch@Antivirus.exe
- Size
  
  2.0MB
- MD5
  
  c7e9746b1b039b8bd1106bca3038c38f
- SHA1
  
  cb93ac887876bafe39c5f9aa64970d5e747fb191
- SHA256
  
  b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
- SHA512
  
  cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
Score

7^/10

persistence spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  Endermanch@AntivirusPlatinum.exe
- Size
  
  739KB
- MD5
  
  382430dd7eae8945921b7feab37ed36b
- SHA1
  
  c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
- SHA256
  
  70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
- SHA512
  
  26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
Score

10^/10

badrabbit bootkit evasion persistence ransomware trojan upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Windows security bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Modifies service
  persistence
behavioral5
- Target
  
  Endermanch@AntivirusPro2017.exe
- Size
  
  816KB
- MD5
  
  7dfbfba1e4e64a946cb096bfc937fbad
- SHA1
  
  9180d2ce387314cd4a794d148ea6b14084c61e1b
- SHA256
  
  312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
- SHA512
  
  f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
Score

7^/10

bootkit persistence spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral6
- Target
  
  Endermanch@BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
Score

10^/10

badrabbit bootkit evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral7
- Target
  
  Endermanch@Birele.exe
- Size
  
  116KB
- MD5
  
  41789c704a0eecfdd0048b4b4193e752
- SHA1
  
  fb1e8385691fa3293b7cbfb9b2656cf09f20e722
- SHA256
  
  b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
- SHA512
  
  76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Modifies WinLogon for persistence
  persistence
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  Endermanch@Cerber5.exe
- Size
  
  313KB
- MD5
  
  fe1bc60a95b2c2d77cd5d232296a7fa4
- SHA1
  
  c07dfdea8da2da5bad036e7c2f5d37582e1cf684
- SHA256
  
  b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
- SHA512
  
  266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
Score

10^/10

cerber evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blacklisted process makes network request
- Modifies Windows Firewall
  evasion
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral9
- Target
  
  Endermanch@CleanThis.exe
- Size
  
  618KB
- MD5
  
  a50fc0da1d2b3c4aa8a6adaccf69a5de
- SHA1
  
  e001f4043ab4be644ea10e0d65303d6e57b31ffe
- SHA256
  
  cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90
- SHA512
  
  4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Modifies WinLogon for persistence
  persistence
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral10
- Target
  
  Endermanch@ColorBug.exe
- Size
  
  53KB
- MD5
  
  6536b10e5a713803d034c607d2de19e3
- SHA1
  
  a6000c05f565a36d2250bdab2ce78f505ca624b7
- SHA256
  
  775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
- SHA512
  
  61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  Endermanch@DeriaLock.exe
- Size
  
  484KB
- MD5
  
  0a7b70efba0aa93d4bc0857b87ac2fcb
- SHA1
  
  01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
- SHA256
  
  4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
- SHA512
  
  2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
Score

10^/10

badrabbit bootkit evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
behavioral12
- Target
  
  Endermanch@Deskbottom.exe
- Size
  
  461KB
- MD5
  
  c954b69e480950ad8f138bf8848c562c
- SHA1
  
  207c3f932d8ac66bc10e090a97c02ac07dbb68fa
- SHA256
  
  2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680
- SHA512
  
  e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9
Score

1^/10
behavioral13
- Target
  
  Endermanch@DesktopPuzzle.exe
- Size
  
  239KB
- MD5
  
  2f8f6e90ca211d7ef5f6cf3c995a40e7
- SHA1
  
  f8940f280c81273b11a20d4bfb43715155f6e122
- SHA256
  
  1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6
- SHA512
  
  2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8
Score

10^/10

badrabbit bootkit evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
behavioral14
- Target
  
  Endermanch@FakeAdwCleaner.exe
- Size
  
  190KB
- MD5
  
  248aadd395ffa7ffb1670392a9398454
- SHA1
  
  c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
- SHA256
  
  51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
- SHA512
  
  582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  Endermanch@FreeYoutubeDownloader.exe
- Size
  
  396KB
- MD5
  
  13f4b868603cf0dd6c32702d1bd858c9
- SHA1
  
  a595ab75e134f5616679be5f11deefdfaae1de15
- SHA256
  
  cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
- SHA512
  
  e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
Score

8^/10

discovery persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral16
- Target
  
  Endermanch@HMBlocker.exe
- Size
  
  48KB
- MD5
  
  21943d72b0f4c2b42f242ac2d3de784c
- SHA1
  
  c887b9d92c026a69217ca550568909609eec1c39
- SHA256
  
  2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
- SHA512
  
  04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
Score

10^/10

badrabbit bootkit persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Adds Run key to start application
  persistence
behavioral17
- Target
  
  Endermanch@HappyAntivirus.exe
- Size
  
  1.9MB
- MD5
  
  cb02c0438f3f4ddabce36f8a26b0b961
- SHA1
  
  48c4fcb17e93b74030415996c0ec5c57b830ea53
- SHA256
  
  64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
- SHA512
  
  373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
Score

1^/10
behavioral18
- Target
  
  Endermanch@Illerka.C.exe
- Size
  
  378KB
- MD5
  
  c718a1cbf0e13674714c66694be02421
- SHA1
  
  001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
- SHA256
  
  cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
- SHA512
  
  ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
Score

10^/10

badrabbit bootkit evasion ransomware trojan
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks whether UAC is enabled
  evasion trojan
behavioral19
- Target
  
  Endermanch@InternetSecurityGuard.exe
- Size
  
  6.1MB
- MD5
  
  04155ed507699b4e37532e8371192c0b
- SHA1
  
  a14107131237dbb0df750e74281c462a2ea61016
- SHA256
  
  b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
- SHA512
  
  6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
Score

9^/10

bootkit discovery evasion persistence spyware
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Enumerates VirtualBox registry keys
  evasion
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Sets file execution options in registry
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral20
- Target
  
  Endermanch@Koteyka2.exe
- Size
  
  762KB
- MD5
  
  7734f0e56da17e9a5940fd782d739f9b
- SHA1
  
  4dfae67e40be6c4c83191ea0cf8d1b28afba884c
- SHA256
  
  8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015
- SHA512
  
  53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632
Score

10^/10

badrabbit bootkit evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral21
- Target
  
  Endermanch@LPS2019.exe
- Size
  
  1.1MB
- MD5
  
  2eb3ce80b26345bd139f7378330b19c1
- SHA1
  
  10122bd8dd749e20c132d108d176794f140242b0
- SHA256
  
  8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
- SHA512
  
  e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Adds Run key to start application
  persistence
- JavaScript code in executable
behavioral22
- Target
  
  Endermanch@Movie.mpeg.exe
- Size
  
  414KB
- MD5
  
  d0deb2644c9435ea701e88537787ea6e
- SHA1
  
  866e47ecd80da89c4f56557659027a3aee897132
- SHA256
  
  ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
- SHA512
  
  6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
Score

3^/10
behavioral23
- Target
  
  Endermanch@NavaShield(1).exe
- Size
  
  9.7MB
- MD5
  
  1f13396fa59d38ebe76ccc587ccb11bb
- SHA1
  
  867adb3076c0d335b9bfa64594ef37a7e2c951ff
- SHA256
  
  83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
- SHA512
  
  82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
Score

10^/10

badrabbit discovery macro persistence ransomware spyware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- JavaScript code in executable
behavioral24
- Target
  
  Endermanch@NavaShield.exe
- Size
  
  9.7MB
- MD5
  
  1f13396fa59d38ebe76ccc587ccb11bb
- SHA1
  
  867adb3076c0d335b9bfa64594ef37a7e2c951ff
- SHA256
  
  83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
- SHA512
  
  82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
Score

1^/10
behavioral25
- Target
  
  Endermanch@PCDefender.exe
- Size
  
  878KB
- MD5
  
  e4d4a59494265949993e26dee7b077d1
- SHA1
  
  83e3d0c7e544117d6054e7d55932a7d2dbaf1163
- SHA256
  
  5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
- SHA512
  
  efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Modifies WinLogon for persistence
  persistence
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- JavaScript code in executable
- Modifies service
  persistence
behavioral26
- Target
  
  Endermanch@PCDefenderv2.msi
- Size
  
  860KB
- MD5
  
  b3dce5c3f95a18fd076fad0f73bb9e39
- SHA1
  
  e80cc285a77302ee221f47e4e94823d4b2eba368
- SHA256
  
  df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
- SHA512
  
  c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
Score

10^/10

bootkit persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies service
  persistence
behavioral27
- Target
  
  Endermanch@PolyRansom.exe
- Size
  
  220KB
- MD5
  
  3ed3fb296a477156bc51aba43d825fc0
- SHA1
  
  9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
- SHA256
  
  1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
- SHA512
  
  dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
Score

10^/10

badrabbit bootkit evasion macro persistence ransomware spyware trojan
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral28
- Target
  
  Endermanch@PowerPoint.exe
- Size
  
  136KB
- MD5
  
  70108103a53123201ceb2e921fcfe83c
- SHA1
  
  c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
- SHA256
  
  9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
- SHA512
  
  996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
Score

8^/10

bootkit persistence ransomware
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Deletes itself
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral29
- Target
  
  Endermanch@ProgramOverflow.exe
- Size
  
  566KB
- MD5
  
  c4aab3b24b159148d6d47a9e5897e593
- SHA1
  
  7061c2e85de9f3fd51cccdecb8965f1e710d1fe5
- SHA256
  
  03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc
- SHA512
  
  9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral30
- Target
  
  Endermanch@RegistrySmart.exe
- Size
  
  1.0MB
- MD5
  
  0002dddba512e20c3f82aaab8bad8b4d
- SHA1
  
  493286b108822ba636cc0e53b8259e4f06ecf900
- SHA256
  
  2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
- SHA512
  
  497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
Score

10^/10

badrabbit bootkit discovery evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Clears Windows event logs
  evasion ransomware
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral31
- Target
  
  Endermanch@SE2011.exe
- Size
  
  2.4MB
- MD5
  
  02f471d1fefbdc07af5555dbfd6ea918
- SHA1
  
  2a8f93dd21628933de8bea4a9abc00dbb215df0b
- SHA256
  
  36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
- SHA512
  
  287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
Score

10^/10

evasion persistence
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral32