nRansom v3

nRansom Analysis:
nRansom v2 Analysis:

Recently I got a sample, it claimed to be "nRansom3".
The sample I got is written in C#.NET, not packed or obfuscated.
So let's loaded into decompiler.
Loaded into decompiler
We can easily find the unlock code, and nothing about file encryption found, it also didn't contain music play module.
But, when I ran it in Sandboxie, I found something different.
Run it in Sandboxie
The author asks user to buy $150 worth of bitcoin(cancer cells...) and send them to a specific bitcoin address first, seems like an additional requirement than nRansom v1 & v2.
In my laptop, the email address has been covered by an input-box, maybe author didn't think about how to fit the screen. But we can find the original text from file's resource.
Original text
It uses the same email address of nRansom v2.
Well, I think it's another "LockScreen", not a "Ransomware".

Related MD5:
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen


Popular posts from this blog