Avast WEBforum

Other => Viruses and worms => Topic started by: Mr. Consumer on November 28, 2021, 01:56:12 PM

Title: Ransomware (Suspicious)
Post by: Mr. Consumer on November 28, 2021, 01:56:12 PM
This is a suspicious ransomware sample that manages to encrypt some files in the Download folder.

Sample:
https://www.virustotal.com/gui/file/06107fa7b33572bfcbc007e3d5bd2436590477bfc7153c813d2a9e1554953486
A similar sample is detected by Avast:
https://www.virustotal.com/gui/file/5fb2646af512828b3de4a5c7e69e907f8948b182ed6a61958069f8e6c0de4cbf
AnyRun analysis:
https://app.any.run/tasks/2e6a8630-a98c-42e7-8100-bb63dc7fa7da

The sample was submitted to Avast more than once before.
Title: Re: Ransomware (Suspicious)
Post by: Pondus on November 28, 2021, 09:24:26 PM
Quote
The sample was submitted to Avast more than once before.
It was first uploaded to VirusTotal on 2021-06-21.

So I guess those that have not added signature detection for it by now have a reason for not doing it.

Title: Re: Ransomware (Suspicious)
Post by: polonus on November 28, 2021, 10:00:33 PM
To protect against Muldrop BAT ransomware an important first line of precaution is not to open links from inside phishy-looking mails.

polonus
Title: Re: Ransomware (Suspicious)
Post by: Mr. Consumer on November 29, 2021, 01:59:00 PM
Quote
The sample was submitted to Avast more than once before.
It was first uploaded to VirusTotal on 2021-06-21.

So I guess those that have not added signature detection for it by now have a reason for not doing it.
I believe so too. But the confusing fact for me is that the only difference between the two samples I posted above is that one has this extra code at the start to elevate admin privilege.
Code:
@echo off
if _%1_==_payload_  goto :payload

:getadmin
    echo %~nx0: elevating self
    set vbs=%temp%\getadmin.vbs
    echo Set UAC = CreateObject^("Shell.Application"^)                >> "%vbs%"
    echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
goto :eof

:payload
Everything else is the same. The sample doesn't even require admin privilege and works fine without it. In fact, that's how the original sample was, without the admin privilege code. The code was added by an amateur for testing purposes.
There must be a reason, I guess, for Avast and also Kaspersky not to add a signature but it's still a bit confusing.
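The poster's observation is that the two samples differ only by the self-elevation stub at the top. The following Python script is an added example (not code from the thread or from any vendor) that does the same triage in a repeatable way: it flags the indicators that make up that stub (the `_%1_==_payload_` re-entry guard, a `.vbs` file under `%temp%`, `CreateObject("Shell.Application")` and `ShellExecute ... "runas"`), and it strips the stub so two batch files can be compared on the part that actually does the work. The regexes and the placeholder payload line are constructed for this example; the encrypting part of the sample is not reproduced.

```python
import re

# Heuristic indicators for the batch self-elevation stub quoted in the post.
# These regexes are constructed for this example; they are not a vendor signature.
INDICATORS = {
    # "if _%1_==_payload_ goto :payload" re-entry guard; group(1) is the label name
    "reentry_guard": re.compile(r'^\s*if\s+_%1_==_\w+_\s+goto\s+:(\w+)', re.I | re.M),
    # a .vbs helper written to or run from %temp%
    "vbs_in_temp": re.compile(r'%temp%\\[^\s"]+\.vbs', re.I),
    # the COM object used to request elevation (caret-escaped parentheses allowed)
    "shell_application": re.compile(r'CreateObject\^?\(\s*"Shell\.Application"\s*\^?\)', re.I),
    # ShellExecute with the "runas" verb, which triggers the UAC prompt
    "shellexecute_runas": re.compile(r'ShellExecute\b.*"runas"', re.I),
}


def scan_batch(text: str) -> dict:
    """Return which indicators fire plus an overall verdict for the elevation stub."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    # The object/verb pair is what actually asks for elevation, so it decides the verdict.
    hits["self_elevation_stub"] = hits["shell_application"] and hits["shellexecute_runas"]
    return hits


def payload_body(text: str) -> str:
    """Return the script with the elevation stub removed, for sample-to-sample comparison.

    If the re-entry guard is present, keep only the lines after the label it jumps to;
    otherwise keep the script as-is. Blank lines and "@echo off" are dropped in both cases.
    """
    lines = text.splitlines()
    guard = INDICATORS["reentry_guard"].search(text)
    if guard:
        label = ":" + guard.group(1).lower()
        for i, line in enumerate(lines):
            if line.strip().lower() == label:
                lines = lines[i + 1:]
                break
    kept = [ln.rstrip() for ln in lines
            if ln.strip() and ln.strip().lower() != "@echo off"]
    return "\n".join(kept)


def same_payload(a: str, b: str) -> bool:
    """True when two batch files are identical once the elevation stub is ignored."""
    return payload_body(a) == payload_body(b)


# Constructed sample input: the stub as quoted in the thread, followed by a
# placeholder line standing in for the real payload (which is not reproduced here).
ELEVATION_STUB = r'''@echo off
if _%1_==_payload_  goto :payload

:getadmin
    echo %~nx0: elevating self
    set vbs=%temp%\getadmin.vbs
    echo Set UAC = CreateObject^("Shell.Application"^)                >> "%vbs%"
    echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
goto :eof

:payload
'''
FAKE_PAYLOAD = "echo constructed-placeholder-payload\n"
SAMPLE_WITH_STUB = ELEVATION_STUB + FAKE_PAYLOAD
SAMPLE_WITHOUT_STUB = "@echo off\n" + FAKE_PAYLOAD


if __name__ == "__main__":
    for name, sample in (("with stub", SAMPLE_WITH_STUB), ("without stub", SAMPLE_WITHOUT_STUB)):
        print(name, scan_batch(sample))
    print("same payload:", same_payload(SAMPLE_WITH_STUB, SAMPLE_WITHOUT_STUB))
```

Running the script against the two constructed samples reports the stub indicators only for the first one and confirms that the two are identical once the stub is stripped, which is the comparison the post describes. Because the verdict keys on the `Shell.Application` plus `"runas"` pair rather than on the file name `getadmin.vbs`, a renamed helper file still fires.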
Title: Re: Ransomware (Suspicious)
Post by: Mr. Consumer on November 29, 2021, 02:01:09 PM
To protect against Muldrop BAT ransomware an important first line of precaution is not to open links from inside phishy-looking mails.

polonus
Good suggestion. I don't do that. The sample was given to me by someone for testing.