badrabbit | d99ad2ba440f2b8eb3ff86d4b7b6eddb76f97129673443e957c38a39b581941e | Triage

Submit
Reports

Overview

overview

Static

static

1

loader.bat

windows11-21h2-x64

Sharing

General

Target

loader.bat
Size

314B
Sample

240914-xxj5bs1blr
MD5

8df113c0dab1608ab53df4d18e925ac7
SHA1

f607ba1bc71d58c601dd08f26b9b35dde8322524
SHA256

d99ad2ba440f2b8eb3ff86d4b7b6eddb76f97129673443e957c38a39b581941e
SHA512

23e36824d2113a9ac334418211d33428fd37f335034b7ddc1e487164cf0aa950b82f9c45f5ea2d3fe8d5e12f62fad0cd1f792b580726975ba45c6472e3804ebc

Score

10^/10

badrabbit cryptolocker aspackv2 defense_evasion discovery execution impact persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

loader.bat

Resource

win11-20240802-en

badrabbit cryptolocker aspackv2 defense_evasion discovery execution impact persistence ransomware

windows11-21h2-x64

35 signatures

150 seconds

Malware Config

Targets

- Target
  
  loader.bat
- Size
  
  314B
- MD5
  
  8df113c0dab1608ab53df4d18e925ac7
- SHA1
  
  f607ba1bc71d58c601dd08f26b9b35dde8322524
- SHA256
  
  d99ad2ba440f2b8eb3ff86d4b7b6eddb76f97129673443e957c38a39b581941e
- SHA512
  
  23e36824d2113a9ac334418211d33428fd37f335034b7ddc1e487164cf0aa950b82f9c45f5ea2d3fe8d5e12f62fad0cd1f792b580726975ba45c6472e3804ebc
Score

10^/10

badrabbit cryptolocker aspackv2 defense_evasion discovery execution impact persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Blocklisted process makes network request
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

badrabbitcryptolockeraspackv2defense_evasiondiscoveryexecutionimpactpersistenceransomware

© 2018-2024

Terms | Privacy