Author Topic: Ransomware (Suspicious)  (Read 1287 times)

0 Members and 1 Guest are viewing this topic.

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Ransomware (Suspicious)
« on: November 28, 2021, 01:56:12 PM »
This is a suspicious ransomware that manages to encrypt some files in the Download folder.

Sample:
https://www.virustotal.com/gui/file/06107fa7b33572bfcbc007e3d5bd2436590477bfc7153c813d2a9e1554953486
A similar sample is detected by Avast:
https://www.virustotal.com/gui/file/5fb2646af512828b3de4a5c7e69e907f8948b182ed6a61958069f8e6c0de4cbf
AnyRun analysis:
https://app.any.run/tasks/2e6a8630-a98c-42e7-8100-bb63dc7fa7da

The sample was submitted to Avast more than once before.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Ransomware (Suspicious)
« Reply #1 on: November 28, 2021, 09:24:26 PM »
Quote
The sample was submitted to Avast more than once before.
It was first uploaded to virustotal  2021-06-21 

So i guess those that has not added signatur detection for it by now have a reason for not doing it


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Ransomware (Suspicious)
« Reply #2 on: November 28, 2021, 10:00:33 PM »
To protect against Muldrop BAT ransomware an important first line of precaution is not to open links from inside phishy looking mails.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Ransomware (Suspicious)
« Reply #3 on: November 29, 2021, 01:59:00 PM »
Quote
The sample was submitted to Avast more than once before.
It was first uploaded to virustotal  2021-06-21 

So i guess those that has not added signatur detection for it by now have a reason for not doing it
I believe so too. But the confusing fact for me is that the only difference between the two samples I posted above is that one has this extra code at the start to elevate admin privilege.
Code: [Select]
@echo off
if _%1_==_payload_  goto :payload

:getadmin
    echo %~nx0: elevating self
    set vbs=%temp%\getadmin.vbs
    echo Set UAC = CreateObject^("Shell.Application"^)                >> "%vbs%"
    echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
goto :eof

:payload
Everything else is the same. The sample doesn't even require admin privilege and works fine without it. In fact, that's how the original sample was, without the admin privilege code. The code was added by an amateur for testing purpose.
There must be a reason, I guess, for Avast and also Kaspersky not to add a signature but it's still a bit confusing.

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Ransomware (Suspicious)
« Reply #4 on: November 29, 2021, 02:01:09 PM »
To protect against Muldrop BAT ransomware an important first line of precaution is not to open links from inside phishy looking mails.

polonus
Good suggestion. I don't do that. The sample was given to me by someone for testing.