
Content

Back to basics, full reverse engineering! In this stream we investigate how the password protection feature works on RansomHouse/WhiteRabbit ransomware.

Sample

acf361296c9e1cf5b4ceff11e1790c57e6e1d753df9bef087aadad256dc5a123

No notes, just pure RE and chill 🍹👾

Files

Live Stream VOD: RansomHouse Part 1 - Password Protection

Comments

Demonslay335

RansomHouse is more of like a data broker from what we've observed if I recall... They "use" or work with various ransomwares. That's why the articles differ in their analysis from yours. Also on the topic of snooping chats, it can create various issues for the actual victim. Many times, the TA side shows them when the victim last read the chat, which can hinder certain negotiation tactics. Sometimes even visiting the site can trigger things like a supposed count down to leaking the data or something. It's a constant problem that our negotiations team has to deal with whenever the note is leaked, or if the credentials are static in the malware that is leaked. So you really need to be careful with them.

Demonslay335

Took a quick look at the crypto you were poking at, and yeah, the config is encrypted with RC6, specifically in CBC mode. Even without having the correct password, you can just give it a garbage key, break at the cipher function, and just see if you can reproduce the output.
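As an added illustration of the check this comment describes (example code, not from the stream or the commenter): a from-scratch RC6-CBC decryptor you can run against the key, cipher input and cipher output captured at a breakpoint on the routine, to see whether the "RC6 in CBC mode" guess reproduces the bytes the sample produced. It assumes the standard RC6-32/20 parameters, which the comment does not state, and the key, IV and ciphertext in the demo are constructed stand-ins (the RC6 specification's known-answer block), not values from the sample.

```python
MASK, R, P32, Q32 = 0xFFFFFFFF, 20, 0xB7E15163, 0x9E3779B9  # RC6-32/20 constants

def rotl(x, n):
    n &= 31  # a negative n therefore rotates right: rotl(x, -n) == rotr(x, n)
    return ((x << n) | (x >> (32 - n))) & MASK

def rc6_key_schedule(key):
    """Expand a 16/24/32-byte key into the 2R+4 round words (RC6 spec, key schedule)."""
    c = len(key) // 4
    L = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(c)]
    S = [(P32 + i * Q32) & MASK for i in range(2 * R + 4)]
    A = B = i = j = 0
    for _ in range(3 * max(c, len(S))):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % len(S), (j + 1) % c
    return S

def rc6_decrypt_block(S, block):
    A, B, C, D = (int.from_bytes(block[k:k + 4], "little") for k in range(0, 16, 4))
    C = (C - S[2 * R + 3]) & MASK
    A = (A - S[2 * R + 2]) & MASK
    for r in range(R, 0, -1):
        A, B, C, D = D, A, B, C  # undo the per-round register rotation
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        C = rotl((C - S[2 * r + 1]) & MASK, -t) ^ u
        A = rotl((A - S[2 * r]) & MASK, -u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return b"".join(x.to_bytes(4, "little") for x in (A, B, C, D))  # little-endian words

def rc6_cbc_decrypt(key, iv, data):
    """CBC: each decrypted block is XORed with the preceding ciphertext block."""
    S, prev, out = rc6_key_schedule(key), iv, bytearray()
    for k in range(0, len(data), 16):
        blk = data[k:k + 16]
        out += bytes(p ^ c for p, c in zip(rc6_decrypt_block(S, blk), prev))
        prev = blk
    return bytes(out)

def reproduces(key, iv, cipher_input, observed_output):
    """The commenter's check: does our RC6-CBC yield what the sample's routine did?"""
    return rc6_cbc_decrypt(key, iv, cipher_input) == observed_output

if __name__ == "__main__":
    # Constructed stand-ins for what a debugger shows at the cipher call (not
    # from the sample): zero key/IV and the RC6 spec's known-answer ciphertext.
    kat = bytes.fromhex("8fc3a53656b1f778c129df4e9848a41e")
    print(reproduces(bytes(16), bytes(16), kat, bytes(16)))  # True
```

If the captured output does not match, the usual suspects are the word endianness, the round count, or the key derivation that runs before the cipher, so compare the expanded round keys in memory against `rc6_key_schedule` first.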

oalabs

Ah nice! Of course that works, why didn't I think of that lol. Def gonna use this trick in the future!

m4n0w4r

I used IDA + OllyDbg with the help of labeless plugin to import the decompressed region to IDA, the IAT resolved correctly. I tried x64dbg but not successful, IDA cannot show the memory regions, maybe some conflict between the version / the backend, .... Here is the result: https://imgur.com/a/ZrhIaew Refs: https://research.checkpoint.com/2018/19558-2/ https://www.youtube.com/watch?v=M5K5Ldaq284

oalabs

Ah nice, yeh the next stream I will show how to just fix the PE header and load it like a normal PE which is a bit time consuming but in the end works the best.

James S.

I'm 1.5 hours in. I'll probably watch the rest tomorrow. Great video. Cool seeing your process. Also, I like the chill aspect to it.