Ragnarok

Ragnarok

• First seen: January 2020
• Aliases:
• Samples:
  • b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c | windows | ransom | pe

Ragnarok Windows Payload

Basic Properties

Property	Value
Size	215040 bytes
CRC32	0xc623f543
MD5	48452dd2506831d0b340e45b08799623
SHA1	74993759f49d123ec334111f29cdbbf2e0276b58
SHA256	b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c
SHA512	5a0b4f5884ae2d302661b0581ab2475c1403555af0f531e1d0c29e240454dfe9979a32979d30856c5ad5da0ea1ffac1ec2c16eb6fa07b7ece74e069fcf2e5958
Ssdeep	3072:LNWPHNek0igmpXlZwbvsBQUbtqJQW7xAZ22yz6VoSYMFZoJ8lsPGKLpZnoHq86f:RGSigm1lmbaBp7O6qSYCiNPhzHa
Magic	PE32 executable (GUI) Intel 80386, for MS Windows
Packer	PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-] PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32]
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)

Antivirus Scan

- Avast: Win32:Malware-gen
- Avira: TR/AD.MegaCortex.sbcde
- Bitdefender: Generic.Ransom.Ragnar.2.66CA3EF0
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.30873
- Eset: Win32/Filecoder.Ragnarok.A
- Fsecure: Trojan.TR/AD.MegaCortex.sbcde
- Kaspersky: Trojan.Win32.DelShad.cha
+ Mcafee: clean
- Sophos: Troj/Ransom-FUY
- Symantec: Downloader
- Trendmicro: Ransom.Win32.RAGNAROK.A
- Windefender: Ransom:Win32/Ragnarok.PC!MTB

References

• https://resources.infosecinstitute.com/topic/malware-analysis-ragnarok-ransomware/
• https://voidsec.com/malware-analysis-ragnarok-ransomware/
• https://www.mandiant.com/resources/blog/nice-try-501-ransomware-not-implemented
• https://www.pcrisk.com/removal-guides/16840-ragnarok-ransomware