badrabbit | f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9 | Triage

Submit
Reports

Overview

overview

Static

static

Trojan-Ran...b9.exe

windows7-x64

6

Trojan-Ran...b9.exe

windows10-2004-x64

Sharing

General

Target

Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
Size

149KB
Sample

220929-pt4essaha4
MD5

7d8f0e539e50eb545d094c50aab0ea9e
SHA1

9368da690ace5328abc4461cd8322d78c1fdc290
SHA256

f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
SHA512

092d05eb357da75c2a6646a353e1c1cf7f0ae66ea32ac4beff8fda87160c9226417b187b4ac34e7b5745aaa65c8a6b8b33b9f02e19d9a959627544b50a3eae7a
SSDEEP

3072:Pmpq7ybSPGccu5R9Wl7rSmpVYc7+DUltw/ArIW1:epqG2eM5R9kNj2UlgJ

Score

10^/10

badrabbit mimikatz evasion ransomware upx

Static task

static1

Behavioral task

behavioral1

Sample

Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

Resource

win7-20220812-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

Resource

win10v2004-20220812-en

badrabbit mimikatz evasion ransomware upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
- Size
  
  149KB
- MD5
  
  7d8f0e539e50eb545d094c50aab0ea9e
- SHA1
  
  9368da690ace5328abc4461cd8322d78c1fdc290
- SHA256
  
  f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
- SHA512
  
  092d05eb357da75c2a6646a353e1c1cf7f0ae66ea32ac4beff8fda87160c9226417b187b4ac34e7b5745aaa65c8a6b8b33b9f02e19d9a959627544b50a3eae7a
- SSDEEP
  
  3072:Pmpq7ybSPGccu5R9Wl7rSmpVYc7+DUltw/ArIW1:epqG2eM5R9kNj2UlgJ
Score

10^/10

badrabbit mimikatz evasion ransomware upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

badrabbitmimikatzevasionransomwareupx

© 2018-2025

Terms | Privacy