mattheer
Viewer

Bad Rabbit

Beware of the next Ransomware attack, Bad Rabbit is its name. Read the article on https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibb... to see how bit defender prevents the reboot and maybe the encryption process.
Silent people hear more
3 Replies
artfulbodger
Newcomer I

A couple of researchers are also pulling together some information:

https://success.trendmicro.com/solution/1118637
https://blogs.forcepoint.com/insights/forcepoint-statement-bad-rabbit-cyber-attacks

Richard Carpenter, CISSP
Adeel
Newcomer I

Some of the domain names and hash values are listed below. They need to be blocked as much as outer level, and the hash values need to be monitored.

 

Domains:

1dnscontrol.com
http://diskcryptor.net/

 

 

1- File name:

dispci.exe

Size              140KiB (142848 bytes)
MD5               b14d8faf7f0cbcfad051cefe5f39645f
SHA-1             afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256            8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
File Type         Win32 EXE

Other file names:

rabbit2.exe
ddd._exe
localfile~
payload_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.bin
dsc.exe

Imported files:

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
NETAPI32.dll
PSAPI.DLL
SHLWAPI.dll
USER32.dll
ole32.dll

Runtime Process

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe.bin

2- File Name

flash_install.php
FlashUtil.exe

File size         431.54 KB
MD5               fbbdc39af1139aebba4da004475e8839
SHA-1             de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA-256           630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
File Type         Win32 EXE

Other file names:

BadRabbit.exe.virus
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da.exe
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da.bin
localfile~
Discoder BadRabbit RANSOMWARE
install_flash_player.exe

Imported Files:

KERNEL32.dll
SHELL32.dll
USER32.dll
msvcrt.dll
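
One way to monitor for the hash values in the post above, as an added example that is not part of the original thread: a sweep that reads each file once, computes MD5, SHA-1 and SHA-256 together, and reports any match. The function names are hypothetical; the indicator values are the ones given in the post, and the digest length is used to tell the three hash types apart.

```python
import hashlib
import os

# Indicators copied from the post above (MD5, SHA-1 and SHA-256 of the two files).
POST_HASHES = {
    "b14d8faf7f0cbcfad051cefe5f39645f",
    "afeee8b4acff87bc469a6f0364a81ae5d60a2add",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
    "fbbdc39af1139aebba4da004475e8839",
    "de5c8d858e6e41da715dca1c019df0bfb92d32c0",
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
}

# Hex digest length identifies the algorithm of an unlabelled indicator.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def group_indicators(indicators):
    """Sort mixed hex digests into {algorithm: set of lowercase digests}."""
    grouped = {}
    for value in indicators:
        value = value.strip().lower()
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        grouped.setdefault(algo, set()).add(value)
    return grouped


def file_digests(path, algorithms, chunk_size=1 << 20):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, indicators=POST_HASHES):
    """Return sorted (path, algorithm, digest) hits under root."""
    grouped = group_indicators(indicators)
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                digests = file_digests(path, grouped)
            except OSError:
                continue  # unreadable or locked file: skip, do not abort the sweep
            hits += [(path, a, d) for a, d in digests.items() if d in grouped[a]]
    return sorted(hits)
```

A file renamed to something other than the names in the post still matches, because the comparison is on content hashes rather than file names.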

Jason
Newcomer I

Just a reminder to apply the latest signatures/definitions to your systems. Most products have already covered this threat in their latest update.