badrabbit

Resubmissions

20-07-2023 23:03

230720-21x8ksba59 10

20-07-2023 23:02

20-07-2023 23:01

19-04-2023 13:09

23-03-2023 02:20

11-03-2023 13:45

Sharing

Copy URL

Twitter E-mail

General

Target

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.zip
Size

143KB
Sample

230323-csx56seh7w
MD5

e94a370b9f0f0b736a0671be28ba173c
SHA1

b5a80c657654e50348410d8f10352b26ec0fa4df
SHA256

0b3e020b38d82713f98143e909cfdaf919b8aeedba30313614c8a6a08a9774ab
SHA512

29444e784f7a832224555e3bfa32d0642722693f82a1f1d35eff26eed904125fd9bd54a03a70914d8b0cd44d355fb91559bc75895f96eabc4e9609a67e1ad708
SSDEEP

3072:S5u/OvayrbCsCtrULWxk/DRBr+pOax7v+LES8nUGVN7yx0M2ETJ1/:SrvayrbCIWsNBElKunUGVJgZ2Er/

Score

10^/10

Malware Config

Targets

- Target
  
  72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
- Size
  
  148KB
- MD5
  
  6ed3e3327246cc457d22bb92bd3bba8b
- SHA1
  
  1329a6af26f16bb371782ff404d526eec1af9d22
- SHA256
  
  72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
- SHA512
  
  f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
- SSDEEP
  
  3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh
Score

10^/10

badrabbit mimikatz discovery evasion persistence ransomware upx troldesh wannacry bootkit trojan worm
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- mimikatz is an open source tool to dump credentials on Windows
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2