CoinVault Ransomware

Forum for analysis and discussion about malware.
Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

CoinVault Ransomware

Post by Grinler » Wed Nov 12, 2014 10:07 pm

New CoinVault ransomware from the same family as CryptoGraphic Locker. Encryption and decryption are performed by the same executable. Appears to use AES for encryption.

Files associated with CoinVault:

%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault	"%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper	"%Temp%\wallpaper.jpg"
BleepingComputer.com
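A host sweep for the artifacts listed in the post above, added here as an example and not part of the original thread. It assumes only the file paths and the HKCU Run value name "Vault" exactly as Grinler listed them; everything else (variable names, output format) is this example's own.

```powershell
# Added example: look for the CoinVault artifacts named in the post.
# Paths and the "Vault" Run value come from the post; all else is assumed.
$ErrorActionPreference = 'SilentlyContinue'

# File artifacts from the post, with %AppData% / %Temp% expanded
$files = @(
    "$env:APPDATA\Microsoft\Windows\coinvault.exe",
    "$env:APPDATA\Microsoft\Windows\edone",
    "$env:APPDATA\Microsoft\Windows\filelist.txt",
    "$env:TEMP\CoinVaultFileList.txt",
    "$env:TEMP\wallpaper.jpg"
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type   = 'File'
            Detail = "$f ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }
}

# Persistence: HKCU Run value named "Vault" (post shows it pointing at coinvault.exe)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey
if ($run -and $run.PSObject.Properties['Vault']) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "Vault = $($run.Vault)" }
}

# Wallpaper swapped for the note image dropped in %Temp%
$wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop').Wallpaper
if ($wp -and $wp -like '*\wallpaper.jpg' -and $wp.StartsWith($env:TEMP, 'OrdinalIgnoreCase')) {
    $findings += [pscustomobject]@{ Type = 'Wallpaper'; Detail = $wp }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the CoinVault artifacts from the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the affected user's own session, since both registry locations are under HKCU and the paths are per-user.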

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: CoinVault Ransomware

Post by Blaze » Thu Apr 09, 2015 3:18 pm

Fresh samples (dropper + payload) attached.

likeamirror
Posts: 3
Joined: Tue May 05, 2015 2:08 pm

Re: CoinVault Ransomware

Post by likeamirror » Tue May 05, 2015 4:54 pm

Hey, I'm new. Couple of questions regarding this specimen.
Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?

EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: CoinVault Ransomware

Post by EP_X0FF » Wed May 06, 2015 4:23 am

likeamirror wrote: Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?

Yes/Yes.
Ring0 - the source of inspiration
