CoinVault Ransomware

Post by Grinler » Wed Nov 12, 2014 10:07 pm

New CoinVault ransomware from the same family as CryptoGraphic Locker. Encryption and decryption are performed by the same executable. Appears to use AES for encryption.

Files associated with CoinVault:

%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault   "%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper   "%Temp%\wallpaper.jpg"
BleepingComputer.com
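
The file and registry artifacts listed in the post above can be swept for on a suspect host. The following PowerShell is an added example, not part of the original post or of any tool mentioned in the thread; the function name `Find-CoinVaultArtifact` is hypothetical, and it only inspects the current user's profile and HKCU hive.

```powershell
# Added example: look for the CoinVault artifacts listed in the post.
# All paths and registry values come from the post; the function name is hypothetical.
function Find-CoinVaultArtifact {
    $hits = @()

    # Files from the post, with %AppData% and %Temp% expanded for the current user.
    $files = @(
        "$env:APPDATA\Microsoft\Windows\coinvault.exe",
        "$env:APPDATA\Microsoft\Windows\edone",
        "$env:APPDATA\Microsoft\Windows\filelist.txt",
        "$env:TEMP\CoinVaultFileList.txt",
        "$env:TEMP\wallpaper.jpg"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            # -Force so hidden or system files are still returned.
            $item = Get-Item -LiteralPath $f -Force
            $hits += [pscustomobject]@{
                Type     = 'File'
                Location = $f
                Detail   = '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTimeUtc
            }
        }
    }

    # Persistence: Run key value "Vault" (data is reported for analyst review).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Vault' -ErrorAction SilentlyContinue
    if ($run) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\Vault"; Detail = $run.Vault }
    }

    # Wallpaper pointing at wallpaper.jpg in a Temp directory.
    # Weak indicator on its own; meaningful only alongside the hits above.
    $deskKey = 'HKCU:\Control Panel\Desktop'
    $wp = (Get-ItemProperty -Path $deskKey -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and ([Environment]::ExpandEnvironmentVariables($wp) -like '*\Temp\wallpaper.jpg')) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$deskKey\Wallpaper"; Detail = $wp }
    }

    $hits
}

Find-CoinVaultArtifact | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found for the user running the script; other user profiles on the host need to be checked separately.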

Re: CoinVault Ransomware

Post by Blaze » Thu Apr 09, 2015 3:18 pm

Fresh samples (dropper + payload) attached.

Follow me on Twitter: @bartblaze

Re: CoinVault Ransomware

Post by likeamirror » Tue May 05, 2015 4:54 pm

Hey, I'm new. Couple of questions regarding this specimen.
Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?

Re: CoinVault Ransomware

Post by EP_X0FF » Wed May 06, 2015 4:23 am

likeamirror wrote: Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?


Yes/Yes.
Ring0 - the source of inspiration
