In the last article, we analysed STOP ransomware and discovered all its features. We saw that it is dropping VIDAR to steal data on victims computers prior to encrypt them. We will now see how VIDAR works. But first, let take a quick look of the executable that STOP dropped before VIDAR.
During the previous article, we saw the process of unpacking the first stage of the malware. Aside a fairly new anti-debugging technique and process hollowing, this step wasn’t hard. Now that we have successfully unpacked the first stage, let’s jump into it to see its main behaviour.
I will try to be as consice as possible, but trust me, this malware is full of interesting functions.
Back to malware analysis, i recently decided to analyse a completely random sample (as long as it isn’t .NET lol) found on MalwareBazaar, this sample appears to be STOP ransomware.
Après avoir lu beaucoup d’articles concernant les agissements du groupe cyber-criminel Emotet et son malware éponyme, j’ai enfin l’opportunité de l’analyser de mes propres mains, un sample tout frais sorti d’une boîte mail de mon entreprise.