CoinVault Ransomware

#24335 by Grinler
Wed Nov 12, 2014 10:07 pm

New CoinVault ransomware from the same family as CryptoGraphic Locker. Encryption and decryption performed by same executable. Appears to use AES for encryption.

Files associated with CoinVault:

Code: Select all

%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault:

Code: Select all

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault	"%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper	"%Temp%\wallpaper.jpg"

Attachments

CoinVault.zip

Infected
(400.96 KiB) Downloaded 862 times

BleepingComputer.com

Username

Grinler

Posts

48

Joined

Sun Mar 14, 2010 1:47 pm

Re: CoinVault Ransomware

#25604 by Blaze
Thu Apr 09, 2015 3:18 pm

Fresh samples (dropper + payload) attached.

Attachments

CoinVault.zip

(1.18 MiB) Downloaded 137 times

Username

Blaze

Posts

198

Joined

Fri Aug 27, 2010 7:35 am

Contact

Re: CoinVault Ransomware

#25800 by likeamirror
Tue May 05, 2015 4:54 pm

Hey, I'm new. Couple of questions regarding this specimen.
Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?

Username

likeamirror

Posts

3

Joined

Tue May 05, 2015 2:08 pm

Re: CoinVault Ransomware

#25806 by EP_X0FF
Wed May 06, 2015 4:23 am

likeamirror wrote:Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?

Yes/Yes.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact