/RansomExx_samples_and_related_artifacts

Just some research into RansomExx. Took a ton of time and had no real outcome other than me sorting some samples :/

Just some research into the samples provided by VXUnderground. No real result, but a bunch of commented samples I sorted into their malware family. Maybe someone else can make use of this. The samples are all related to RansomExx but are of different nature:

Vatet Loader:

PyXie Rat:

RansomExx / Defray (seems they are somehow related; around 3-5 Defray samples included, some not in the VX_Database)

cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849
ed2b1f855fc7a39a7cf2cfbfd5a10707801ba313bab9c5d748fcd3703aad66fc
6b667bb7e4f3f2cb6c6f2d43290f32f41ae9f0d6ed34b818d78490050f7582a1
196eb5bfd52d4a538d4d0a801808298faadec1fc9aeb07c231add0161b416807
e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162
fa28436aaf459d16215dd2d96ea5756c09198216c52d90a7a20abde4e826909b
64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4
9bdf08f35511c859ade0f4dfda227eb81da3b4c66f8fc5945a96724dda5e447c
c90e20e8dbcfbc7fab6164260f1bc57cab0e99c3305c314982ab87e5fed67959
1fb3db9bfa0960ff9cf5cd4dc875ec72dd3fd8a60340c7bf2631d8bc30d54a0f
4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e
eef4c0104caf1f2349ac843405b2c68cba6fd41c782b64aede5e1e6e724e6a4c
c0f07b493cc32ffcbb4ca1ca92f5752c4040b1d0be7b69981c22a27f69cfb890
f543c477ba67afd4fb2ae111b22c8d596bf8e61e13a627f6a972fac4762a70c1

Vatet Payloads (probably mostly Cobalt Strike according to: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ ) (If you manage to decode them using the process described in the article, please give me a shoutout on Twitter: @Gi7w0rm , I would love to add this information here)

309af51a8d86e031e25c2c928101b9afc9bcd1dcadbf4ef27ed3c0e8d7da0c98
0e7824dfb7668af175a2b887e592773517f17213555c3b9af4f98d54278621d5
c2861e5626c5ba40d28ec6c7d4ac32edc972a969d2454e74dc50829d02b5de2a
d389e2fc1515b8a2d8d365d072c201a308f776c873fdb185f826a35fde6fbf2b
8a7dc1c39321d972a21bf4fdd24f6f2ef3a03e4ea95c49f383ba03902010210c
a512e5ffd33da906fdf896c536bf64adc59599ec2227f60dace4a4ef23d3d21a
ab432a84b05de381c2f96a000c318ec78c98e39abfa7eea3210840c85b0cbee7
bde87df68407fafc3ebd95665838eb5476cb854b338fb97252d153a2250f28b8
77f2df32060e5125c6d4a3ab2a2a0c862eb44bc44614d494d23f4690a45d08a3
2f1e047e840620460bdf7371e62e966919f25f763a53248357f890a4ff11791f
6812190b1dec8c2a4c5d2b327d1bdbe72974fc017d86d2337ea06e9d3337959e

PyXie Lite, which is essentially a newer/smaller version of PyXie Rat with somewhat reduced functionality:

fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca
0ad10472f7aedfd241ecb65a53d5cafdeb94672d92883d161cb37f769e60f013
5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366
c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0
f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f
4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956
61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd
6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc

IcedID samples related to the Initial Access in RansomExx Attacks:

IcedID:

884fe75824ad10d800fd85d46b54c8e45c4735db524c247018743eb471190633
3c5af2d1412d47be0eda681eebf808155a37f4911f2f2925c4adc5c5824dea98

and a malicious macro doc, maybe used to drop IcedID:

6fb5af0a4381411ff1d9c9041583069b83a0e94ff454cba6fba60e9cd8c6e648

Wouldn't have included the last ones, but they are in fact in the repo and mentioned in regard to Initial Access here: https://www.trendmicro.com/en_ca/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html

Main sources in regard to this "research" were: