- First seen: July 2017
- Aliases: FriedEx, IEncrypt, wp_encrypt
- Samples:
- 1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363 | windows | ransom | pe
| Property | Value |
|---|---|
Size | 106496 bytes |
CRC32 | 0x537b927c |
MD5 | 0a19dd8fdd632f175f0ff0488e4cd8f2 |
SHA1 | 9aa00d808a205495f24909e9f78ba414f08cdb15 |
SHA256 | 1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363 |
SHA512 | f303cbc3279e26883ba068df1d604ad0cbe16b0ae266f6adea549727c2fd6dc5f9b83b7d8367464d4519ef6567907dae384a10673d37f60c9ff92cfe48084f4a |
Ssdeep | 1536:ebz2SGrGebFr17/05RJmbFd364uVJOuCY62WhC:ebzB/ebB1T05RchqV5c2WhC |
Magic | PE32 executable (console) Intel 80386, for MS Windows |
Packer | PE: compiler: Microsoft Visual C/C++(2013)[-] PE: linker: Microsoft Linker(8.0 or 11.0)[EXE32,console] |
TrID | 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3) |
+ Avast: clean
- Avira: HEUR/AGEN.1010803
- Bitdefender: MemScan:Trojan.Ransom.BitPaymer.C
- Clamav: Win.Ransomware.BitPaymer-6336249-0
- Comodo: Malware
- Drweb: Trojan.Encoder.15345
- Eset: Win32/Filecoder.FriedEx.A
- Fsecure: Heuristic.HEUR/AGEN.1207374
- Kaspersky: Trojan-Ransom.Win32.Cryptor.iu
+ Mcafee: clean
- Sophos: Troj/Dridex-YV
- Symantec: Ransom.Gen
- Trendmicro: Ransom_BITPAYER.C
+ Windefender: clean
- https://www.lifars.com/2019/11/analysis-of-dridex-bitpaymer-and-doppelpaymer-campaign/
- https://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
- https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
- https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/
- https://nakedsecurity.sophos.com/2017/09/21/how-bitpaymer-ransomware-covers-its-tracks/
- https://www.youtube.com/watch?v=pMlZXOtbkf8