nRansom v3

nRansom Analysis: http://xywcloud.blogspot.com/2017/09/nransom.html
nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/

Recently I got a sample that claims to be "nRansom3".
The sample I got is written in C#.NET and is not packed or obfuscated.
So let's load it into a decompiler.
Loaded into decompiler
We can easily find the unlock code. Nothing related to file encryption was found, and it also doesn't contain a music-playing module.
But when I ran it in Sandboxie, I found something different.
Run it in Sandboxie
The author asks the user to buy $150 worth of bitcoin (cancer cells...) and send it to a specific bitcoin address first, which seems to be an additional requirement compared with nRansom v1 & v2.
On my laptop, the email address was covered by an input box; maybe the author didn't think about how to fit the screen. But we can find the original text in the file's resources.
Original text
It uses the same email address as nRansom v2.
Well, I think it's another "LockScreen", not a "Ransomware".

Related MD5:
6851D5EEF0C103649F02DF57A4D2648E
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
