badrabbit

General

Target

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.zip
Size

143KB
Sample

230419-qdzbksce4z
MD5

e94a370b9f0f0b736a0671be28ba173c
SHA1

b5a80c657654e50348410d8f10352b26ec0fa4df
SHA256

0b3e020b38d82713f98143e909cfdaf919b8aeedba30313614c8a6a08a9774ab
SHA512

29444e784f7a832224555e3bfa32d0642722693f82a1f1d35eff26eed904125fd9bd54a03a70914d8b0cd44d355fb91559bc75895f96eabc4e9609a67e1ad708
SSDEEP

3072:S5u/OvayrbCsCtrULWxk/DRBr+pOax7v+LES8nUGVN7yx0M2ETJ1/:SrvayrbCIWsNBElKunUGVJgZ2Er/

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\xfrhqmla.hkm\[email protected]

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L�sWAY��d��^�� @�� `��W��@��_�� H��.text��d�� `.sdata��8�� @��.rsrc��_��@��`��@��@.reloc��J��@��B��@��H��\F��P ��|{��lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet��gSystem.Drawing.SizeF, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3afSystem.Drawing.Size, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aSystem.Windows.Forms.FormStartPosition, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089gSystem.Drawing.Point, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a�Z��FX�յ찊L��u�ĩ\��Y(ǭ��xH��9�vO�w$�l��O�"l�7�C�B��B�:�S[��S}��p��G��7��$��n��)��o��\��H��.��2$�t�h�i�s�.�A�u�t�o�S�c�a�l�e�D�i�m�e�n�s�i�o�n�s�� $�t�h�i�s�.�C�l�i�e�n�t�S�i�z�e��&$�t�h�i�s�.�S�t�a�r�t�P�o�s�i�t�i�o�n�I��$�t�h�i�s�.�T�e�x�t��>�>�$�t�h�i�s�.�N�a�m�e��>�>�$�t�h�i�s�.�T�y�p�e��>�>�T�e�x�t�B�o�x�1�.�N�a�m�e�y��">�>�T�e�x�t�B�o�x�1�.�P�a�r�e�n�t��>�>�T�e�x�t�B�o�x�1�.�T�y�p�e��">�>�T�e�x�t�B�o�x�1�.�Z�O�r�d�e�r��>�>�T�e�x�t�B�o�x�2�.�N�a�m�e��">�>�T�e�x�t�B�o�x�2�.�P�a�r�e�n�t��>�>�T�e�x�t�B�o�x�2�.�T�y�p�e��">�>�T�e�x�t�B�o�x�2�.�Z�O�r�d�e�r��"T�e�x�t�B�o�x�1�.�L�o�c�a�t�i�o�n��T�e�x�t�B�o�x�1�.�S�i�z�e�+��"T�e�x�t�B�o�x�1�.�T�a�b�I�n�d�e�x��T�e�x�t�B�o�x�1�.�T�e�x�t��"T�e�x�t�B�o�x�2�.�L�o�c�a�t�i�o�n��T�e�x�t�B�o�x�2�.�S�i�z�e��"T�e�x�t�B�o�x�2�.�T�a�b�I�n�d�e�x��T�e�x�t�B�o�x�2�.�T�e�x�t��@��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.SizeF��widthheight��@��PAA��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Size��widthheight��I��B��WSystem.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089��&System.Windows.Forms.FormStartPosition��value__�� Form1rSystem.Windows.Forms.Form, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089TextBox1$thisuSystem.Windows.Forms.TextBox, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0891TextBox2$thisuSystem.Windows.Forms.TextBox, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0890C��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Point��xy��A��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Size��widthheight��YOU BECAME A VICTIM OF THE INFINITYLOCK RANSOMWARE! ALL YOUR FILES HAVE BEEN ENCRYPTED FOR EACH TRY TO DO ANYTHING I WILL DELETE FILES PAY 0.17 BITCOINS TO THIS ADDRESS : 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXEhpE YOU CAN BUY BITCOINS ON "BLOCKCHAIN.INFO" SEND YOUR UNIQE ID IN THE DESCRIPTION OF THE BITCOIN PAYMENT YOU CAN FIND THEM ON YOUR DESKTOP IN "INFINITYLOCK_UNIQEID.TXT" AFTER THE PAYMENT YOUR FILES WILL BE DECRYPTED!C��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Point��xy��&��A��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Size��widthheight�� YOU BECAME A VICTIM OF THE INFINITYLOCK RANSOMWARE! ALL YOUR FILES HAVE BEEN ENCRYPTED WITH RSA 2048 DONT TRY TO DELETE ME FOR EACH TRY TO DO ANYTHING I WILL DELETE FILES PAY 0.17 BITCOINS TO THIS ADDRESS : 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXEhpE YOU CAN BUY BITCOINS ON "BLOCKCHAIN.INFO" SEND YOUR UNIQE ID IN THE DESCRIPTION OF THE BITCOIN PAYMENT YOU CAN FIND THEM ON YOUR DESKTOP IN "INFINITYLOCK_UNIQEID.TXT" AFTER THE PAYMENT YOUR FILES WILL BE DECRYPTED! �j��lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet��PADPADP�sY��U�I�� j�MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L��M=Y��T��.r�� @�� `��q�W�� H��.text��4R�� T�� `.sdata��8��X��@��.rsrc�� Z��@��@.reloc��h��@��B��r��H��?�T2��P ��lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet��PADPADP��?��lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet��fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj��l��\��$�t�h�i�s�.�I�c�o�n��T�e�x�t�B�o�x�2�.�T�e�x�t�? �@��QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a��System.Drawing.Icon��IconDataIconSizeSystem.Drawing.Size�� System.Drawing.Size��widthheight��>�� (��(�� "��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��&��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)

Wallets

1LSgvYFY7SDNje2Mhsm51FxhqPsbvXEhpE

Targets

- Target
  
  72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
- Size
  
  148KB
- MD5
  
  6ed3e3327246cc457d22bb92bd3bba8b
- SHA1
  
  1329a6af26f16bb371782ff404d526eec1af9d22
- SHA256
  
  72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
- SHA512
  
  f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
- SSDEEP
  
  3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh
Score

10^/10

badrabbit mimikatz discovery evasion persistence ransomware upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- mimikatz is an open source tool to dump credentials on Windows
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
behavioral1 behavioral2