badrabbit

Sharing

General

Target

Windows.zip
Size

53.8MB
Sample

240228-2gf5ysfe3t
MD5

b0dc3a53687d1017d27c64f4a19801f0
SHA1

6ae3c60cc70125e9ddea61869a44c5ac63e2002e
SHA256

b59d4d38c6c98590709bcb7e4299a4e10306b29d46a56c5e8a6bb274bd4bef31
SHA512

1e0e5f058f5f670f64886b1684d6592a88fe5408926a5ac76363543acf20bef00910e382dd3510110e466b1a0f3d3b4c42e8648ae840865d12896a646c45d264
SSDEEP

1572864:2TTg/vmlX09CYwKyHiz6ZH27xTiBMymMEAHWZATpIbBPR:H/u0lOHs6H+xTAbHEEpYBPR

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

- Target
  
  BUG32.exe
- Size
  
  3.0MB
- MD5
  
  149cc2ec1900cb778afb50d8026eadf5
- SHA1
  
  a7bc1bbc7bdc970757ec369ef0b51dc53989f131
- SHA256
  
  817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
- SHA512
  
  d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553
- SSDEEP
  
  49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Renames multiple (133) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  Windows/Bonzify.exe
- Size
  
  6.4MB
- MD5
  
  9c352d2ce0c0bdc40c72f52ce3480577
- SHA1
  
  bd4c956186f33c92eb4469f7e5675510d0790e99
- SHA256
  
  d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
- SHA512
  
  c1926d59272df0e049467f4497bcc3631bbc1aa5337e87f4af31bfdba60c9ef460e394380024ffa7e71fef8938761d48d75e9dc93dc7529d2b9c8c638dddae92
- SSDEEP
  
  196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:naWedh+Idx75QYub//73lc6u7bLMYxD
Score

8^/10

discovery exploit persistence
- Modifies AppInit DLL entries
  persistence
- Modifies Installed Components in the registry
  persistence
- Possible privilege escalation attempt
  exploit
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  BossDaMajor.exe
- Size
  
  1.9MB
- MD5
  
  38ff71c1dee2a9add67f1edb1a30ff8c
- SHA1
  
  10f0defd98d4e5096fbeb321b28d6559e44d66db
- SHA256
  
  730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
- SHA512
  
  8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
- SSDEEP
  
  49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies system executable filetype association
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6
- Target
  
  Happy99.exe
- Size
  
  9KB
- MD5
  
  02dd0eaa9649a11e55fa5467fa4b8ef8
- SHA1
  
  a4a945192cb730634168f79b6e4cd298dbe3d168
- SHA256
  
  4ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18
- SHA512
  
  3bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441
- SSDEEP
  
  192:nR81cIkA5Dbaj/CaFx40Z9HnLH8bzTbjt5BNUFO:RycyhqN4u9HnLH8bnbjtpl
Score

5^/10
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  Magistr.exe
- Size
  
  107KB
- MD5
  
  9890349fe3c68f5923b29347bba021a4
- SHA1
  
  fa080a50486b205b75833a6b5c9505abb1e3b4df
- SHA256
  
  068f2ee28af7645dbf2a1684f0a5fc5ccb6aa1027f71da4468e0cba56c65e058
- SHA512
  
  aedd86837987cbe8c0b1cf3b4ca0c3a875e4cc9bcc8097c160d0d6070427ad9e1d871d5339ea95cc03499c39a6536b5a6b6d43372a49eeaf2e87bf755a3d3367
- SSDEEP
  
  3072:pRr1m0iQwTlFiIoXTLDCLLUsgULFsfMGdd64:Lk0LCwIi3DMUwFNGd04
Score

1^/10
behavioral10 behavioral9
- Target
  
  Maldal.exe
- Size
  
  80KB
- MD5
  
  cbcd34a252a7cf61250b0f7f1cba3382
- SHA1
  
  152f224d66555dd49711754bf4e29a17f4706332
- SHA256
  
  abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787
- SHA512
  
  09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9
- SSDEEP
  
  1536:wh6S2wzALFx8hkMsiUmxi6QPitAKQjY8c4B5h:dS212xlQvKCYx4B
Score

5^/10
- Drops file in System32 directory
behavioral11 behavioral12
- Target
  
  MeltingScreen.exe
- Size
  
  17KB
- MD5
  
  4784e42c3b15d1a141a5e0c8abc1205c
- SHA1
  
  48c958deba25a4763ef244ac87e87983c6534179
- SHA256
  
  9d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c
- SHA512
  
  d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97
- SSDEEP
  
  384:eHsipOITNe52uuCiuhwYW5t/QS5uoIjkg:PivNZuhi+wYW5toBoB
Score

1^/10
behavioral13 behavioral14
- Target
  
  Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
- Size
  
  15.9MB
- MD5
  
  0f743287c9911b4b1c726c7c7edcaf7d
- SHA1
  
  9760579e73095455fcbaddfe1e7e98a2bb28bfe0
- SHA256
  
  716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
- SHA512
  
  2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
- SSDEEP
  
  393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score

10^/10

evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral15 behavioral16
- Target
  
  Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP
  
  12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score

10^/10

badrabbit mimikatz ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe
- Size
  
  71KB
- MD5
  
  e9fdc21bd273444925a4512166188e5b
- SHA1
  
  e398138686eedcd8ef9de5342025f7118e120cdf
- SHA256
  
  78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815
- SHA512
  
  64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08
- SSDEEP
  
  768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral19 behavioral20
- Target
  
  Windows/Ransomware/Monster Ransomware/XMoon.exe
- Size
  
  669KB
- MD5
  
  a690cce59e21f5198ca304243b084f9e
- SHA1
  
  8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
- SHA256
  
  ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
- SHA512
  
  9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
- SSDEEP
  
  12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Score

10^/10

evasion ransomware trojan upx
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral21 behavioral22
- Target
  
  Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
- Size
  
  254KB
- MD5
  
  e3b7d39be5e821b59636d0fe7c2944cc
- SHA1
  
  00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
- SHA256
  
  389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
- SHA512
  
  8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
- SSDEEP
  
  3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral23 behavioral24
- Target
  
  Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
- Size
  
  365KB
- MD5
  
  c4e9fc349d5c8b24c0ddb1533de2c16b
- SHA1
  
  147e938bd06709b3c20eea4ac461093d573be037
- SHA256
  
  28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71
- SHA512
  
  fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be
- SSDEEP
  
  6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral25 behavioral26
- Target
  
  Windows/Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe
- Size
  
  390KB
- MD5
  
  b6cc1e4052f613e15a8b05439f5877b4
- SHA1
  
  9bb3cb5080ae18985d93a28faeca6ae06d768b21
- SHA256
  
  e2ea7f9581a7e1386fc6601d1421e1194373c1c891f2d406de6d49810fcc7737
- SHA512
  
  cd48f448cd355a1463ca090d8ad47100596e1ed1a1a771f26c672406669433e9d9d915268def0aad844511f65a3c69fbb3ab2e2dc610ecc0f66a8524a6a8ea73
- SSDEEP
  
  12288:rF/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:BXATS/x9jNg+95vdQa
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral27 behavioral28
- Target
  
  Windows/Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.PetrWrap
- Size
  
  473KB
- MD5
  
  17c25c8a7c141195ee887de905f33d7b
- SHA1
  
  7fa8079e8dca773574d01839efc623d3cd8e6a47
- SHA256
  
  e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660
- SHA512
  
  de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b
- SSDEEP
  
  12288:ZPaAhutLwUVsvLPcFZXYl0oIZdm9n50DNq:ZPjutLRuvLPcX8mC5S
Score

1^/10
behavioral29 behavioral30
- Target
  
  Windows/Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.PetrWrap(Patched)
- Size
  
  473KB
- MD5
  
  f9dc218f57d7ecf5a8664a6561a59a2e
- SHA1
  
  f9e15d4799c382a00b17c322826c0fbee7a7014b
- SHA256
  
  bb990e2307c5f1143f3b8fabd77e62a2754c25b1de45636b93b6c87d1dc12784
- SHA512
  
  00c3e39687bcd9951d63adb521c096120d1c81521bb56615b32c42a0f5126f31fea023a173a95230a0d1e74056cd84baad29ffd7615409ff8b07640c550d955a
- SSDEEP
  
  12288:9PaAhutLwUVsvLPcFZXYl0oIZdm9n50DNx:9PjutLRuvLPcX8mC5S
Score

3^/10
behavioral31 behavioral32