badrabbit

Sharing

Copy URL

Twitter E-mail

General

Target

MalwareCollection-master.zip
Size

57.3MB
Sample

240224-nle7kaac64
MD5

b59aed5137772e644e29ad334dba17e0
SHA1

a2e545bbe058bddee0f7af68e21c3471d4abc3ab
SHA256

c6a916c33096cd488ca57c28863c433cf5279128aa50ea156761bab6444f4937
SHA512

daaa8ff6ddb53cb2c3c0218f73be43807982b13f0b5893a322bdd719e0f208b7b98586d0516b04e2e0f36c7dea45dde3fa8423c421f7d82cb9dbb14e3cede525
SSDEEP

1572864:9j/A/cygNPTitKk8Gq4+/34speZ0jqmhkv71Cg8a6Egs5:Z/ZygNPTitKkRqh/34sprj3q1C31Egs5

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message E56F723E In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message 4D0CCC78 In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Targets

- Target
  
  Ransomware.7ev3n.exe
- Size
  
  315KB
- MD5
  
  9f8bc96c96d43ecb69f883388d228754
- SHA1
  
  61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256
  
  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512
  
  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP
  
  6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Ransomware.BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP
  
  12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score

10^/10

badrabbit mimikatz ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  Ransomware.CoronaVirus.exe
- Size
  
  1.0MB
- MD5
  
  055d1462f66a350d9886542d4d79bc2b
- SHA1
  
  f1086d2f667d807dbb1aa362a7a809ea119f2565
- SHA256
  
  dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
- SHA512
  
  2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
- SSDEEP
  
  24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (312) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  Ransomware.CryptoLocker.exe
- Size
  
  338KB
- MD5
  
  04fb36199787f2e3e2135611a38321eb
- SHA1
  
  65559245709fe98052eb284577f1fd61c01ad20d
- SHA256
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
- SHA512
  
  533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- SSDEEP
  
  6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score

10^/10

cryptolocker persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip
- Size
  
  916KB
- MD5
  
  032f198b7b5d9553ba2e7bf34d9f33c0
- SHA1
  
  23bb43f6991b59516b20ed7d07cc55879a9192f2
- SHA256
  
  a1a0c26a3976bd07fae54519d2ca62818987ddcb7ae8dd44cebc710c1928548b
- SHA512
  
  92f9f0dfce9b48602d87d86d6e73f308573168a01e851982d1a0a0baa76568495b5815a3ed11928463db5f5aa8b6d0b685968588eb75ef9624ae5b9355922788
- SSDEEP
  
  24576:whK+SCleARYrlhgOZiapPMOiwtCd8BvABnU0FJtjVcW7:whVSCRAhgMia+OFnFAVtpZ7
Score

1^/10
behavioral10 behavioral9
- Target
  
  MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip
- Size
  
  191KB
- MD5
  
  04d2762c440097c67cef47fcba96ce3c
- SHA1
  
  6ecf78935809ea1699a9dd075b489ef27bd00c02
- SHA256
  
  593a4b3fb31a25c433f4c04fe6a9bdacfc30771ac41e3f394b81b0a13f6e5df8
- SHA512
  
  c00118b7fb2ef8c386c49cb95fc0e0e9d39d90eb9b1cdd10145ce2bc5d99bb6361daf90b9b5e5de42464583c9ee864b29de5d87aaeb8f82f610342fc6fd13bfd
- SSDEEP
  
  3072:kNmj7C7mm4HynVpIDTLjbMQ40rDi9Lpnrq3TrWmb/wnLCJuPCx:MmjO7hNnLIvnb2qiJpn23TrWmDwnLCJT
Score

1^/10
behavioral11 behavioral12
- Target
  
  MalwareCollection-master/Trojan/Trojan.000.zip
- Size
  
  121KB
- MD5
  
  ea01841aaa16d6c7d6d6d8c4d94d1278
- SHA1
  
  fb6662262d0b18278ba111fdb65e1208793444a5
- SHA256
  
  697e2609b2430c8f5a2421a8ff86926bb2bc1dfa9fc67aebf58152102ad02b13
- SHA512
  
  b11807f1f52264e4e0c5653f7350c3d50a5e4350b92e23f6c4e3bb26edebe79502f0710058c27ba892c0436868004cba29f6e93344fdc23b1db3b9852d69454a
- SSDEEP
  
  3072:vbGHZNTKIVLS8c++PpUKhcLY7U/RWN1lz62h/lTwJcZK:vIZhKI88yPjhWIU81llTwJcY
Score

1^/10
behavioral13 behavioral14
- Target
  
  MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip
- Size
  
  8KB
- MD5
  
  6d1c6d848c80c62c8886f3f4a05d9e16
- SHA1
  
  cd815164b65537f8134b389ea8698591b5f92043
- SHA256
  
  d6eb28f01b2d59777c30d37b851c095ce73c7fca0523805b7c1e6ad687d41d89
- SHA512
  
  39dcfd16526e4a9f395a151a277deccee62f46a4e0380adebaa3556e7e6b73ee6a197b32db1b70ec0c1dc6e766e82115e8bce088ce3ba48ca0e9d790b4b20eb2
- SSDEEP
  
  192:XIpLlKueTbS91NnmDPYG9Yuq/XmONuwsBThAb4WULr1ZyZdyg:0LlKPSYTYWLqruphAdULTqdV
Score

1^/10
behavioral15 behavioral16
- Target
  
  MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip
- Size
  
  21KB
- MD5
  
  16ede8d6dc128db98c80d0291644ec28
- SHA1
  
  ee06a26bdf7084ab6fe987af6e6c9bfafd4fcc09
- SHA256
  
  ee963ace2c315a3a6323a22e1eaf7e6b80bfcaf8f1f0080d9f0b1cd25ce4eff6
- SHA512
  
  32aeb31ba894b7a6bbb6299b590be98c08bb407d7585459bc62f3d453fa77ea3cb0aa8263bd75fde91c605718fa33a6eae3f4bb3f2b7d98ae64b44322a8c7cb2
- SSDEEP
  
  384:h1GVZNKbSIBbRlWotth9IL13lAdZQzCuV85zKTtfzHLZKsMTfoihPL9OsU:KZNKeIBbRI/3lAdwp85zWHlKNzo8rU
Score

1^/10
behavioral17 behavioral18