nRansom v3
nRansom Analysis: http://xywcloud.blogspot.com/2017/09/nransom.html
nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
Recently I got a sample that claimed to be "nRansom3".
The sample I got is written in C#.NET and is neither packed nor obfuscated.
So let's load it into a decompiler.
We can easily find the unlock code. Nothing related to file encryption was found, and it doesn't contain a music-playing module either.
But, when I ran it in Sandboxie, I found something different.
The author asks the user to first buy $150 worth of bitcoin (cancer cells...) and send it to a specific bitcoin address, which seems like an additional requirement compared to nRansom v1 & v2.
On my laptop, the email address is covered by an input box; maybe the author didn't think about how to fit the screen. But we can find the original text in the file's resources.
It uses the same email address as nRansom v2.
Well, I think it's another "LockScreen", not "Ransomware".
Related MD5:
6851D5EEF0C103649F02DF57A4D2648E
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen