badrabbit

General

Target

Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
Size

149KB
Sample

220929-pt342abhbp
MD5

e8583ee36603531bcf5001346c7474a7
SHA1

4a740bc0de76cf7597d001f5cb659b220de6dccd
SHA256

792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
SHA512

fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13
SSDEEP

3072:p+OvuAoccS2sTQMMBXZ+YSuwydCcGmDceCd4aMc9KDouBIOQ:p+OvujS2sTFOXZ+YKmADd4alwJN

Score

10^/10

Malware Config

Targets

- Target
  
  Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
- Size
  
  149KB
- MD5
  
  e8583ee36603531bcf5001346c7474a7
- SHA1
  
  4a740bc0de76cf7597d001f5cb659b220de6dccd
- SHA256
  
  792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
- SHA512
  
  fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13
- SSDEEP
  
  3072:p+OvuAoccS2sTQMMBXZ+YSuwydCcGmDceCd4aMc9KDouBIOQ:p+OvujS2sTFOXZ+YKmADd4alwJN
Score

10^/10

badrabbit troldesh wannacry bootkit discovery evasion persistence ransomware themida trojan upx worm mimikatz
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- mimikatz is an open source tool to dump credentials on Windows
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2