FidRW.exe Ransomware

Tags: malware analysis fidelis security training ransomware

FidRW.exe is a piece of malware that downloads additional stages to the victim's computer with the ultimate goal of launching ransomware. As it turns out, these files are ultimately benign.

Filename: FidRW.exe
MD5: 4ff4a8ac43c73b3829ec8452f7ef5ad7
DETAILS

FidRW.exe begins by logging in to the following FTP server:

IP: 69.89.20.50
URL: ftp.lassatt.com
USERNAME: [email protected]
PASSWORD: Z^?m6K!uh^rh

Upon successful authentication, there are 7 files listed in the server's directory. FidRW.exe first requests exfiltrator.pdf, which is actually a Windows executable (PE) despite its extension. The file is saved to disk as notepadd.exe and launched.

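The first stage relies on a file whose extension (.pdf) says one thing while its header says another. The following script, added here as an illustration and not part of the original write-up, shows the check a defender or analyst can run over downloaded files: read the leading bytes, test for a DOS/PE header, and compare with what the extension claims. The byte samples and file names in SAMPLES are constructed for the example (the "PE" bytes are a header-only stub with no code in it).

```python
import os
import struct

# Leading bytes ("magic") for a few common document/archive types.
# Constructed for this example; extend the table as needed.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04",),
}
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr")


def is_pe(data: bytes) -> bool:
    """Minimal Windows PE check: a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def masquerade_verdict(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(filename)[1].lower()
    if is_pe(data):
        if ext in EXECUTABLE_EXTS:
            return "ok"
        return f"PE executable disguised as {ext or 'no extension'}"
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return f"header does not match {ext}"
    return "ok"


def _constructed_pe_stub() -> bytes:
    """Header-only byte layout that satisfies is_pe(); it contains no code
    and is constructed purely for the sample listing below."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed "download" listing mirroring the write-up: a .pdf that is
# really a PE, the same bytes saved under an .exe name, a genuine PDF
# header, and a text file wrongly named .pdf.
SAMPLES = {
    "exfiltrator.pdf": _constructed_pe_stub(),
    "notepadd.exe": _constructed_pe_stub(),
    "quarterly.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "readme.pdf": b"just text, not a pdf",
}


def scan(files: dict) -> list:
    """Return (name, verdict) for every file whose header disagrees with its name."""
    return [(name, v) for name, data in files.items()
            if (v := masquerade_verdict(name, data)) != "ok"]


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES):
        print(f"{name}: {verdict}")
```

The same check applied at a proxy or mail gateway catches the "document that is really an executable" pattern before it reaches an endpoint; on a host, pairing it with the rename (requested as .pdf, written as .exe) is what makes the first stage stand out.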
This second-stage executable mimics the first and again logs in to the FTP server, but this time downloads persist.bat. Judging by its contents, this file is still under development; it will most likely be filled with persistence mechanisms to maintain the infection on the box.

The Demo_Ransomware.exe application collects a set of system survey information and passes it back to the server.

After this, the application drops a file named “Ransom Note.txt” containing the ransom note into the Public user's directory.

Alas, we have been swindled by a ransomware application intended for demonstration/awareness purposes. Drats. No threat here.

DETECTION

The initial dropper and subsequent stages are adequately detected by many anti-virus solutions as potentially malicious. Since this is an application intended for demonstration purposes only, there is no real threat to be detected.

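Signature detection aside, the behaviour chain described above (a process talks to an FTP server, writes an executable, that executable is launched and repeats the pattern, and finally a ransom note lands in the Public directory) is detectable from ordinary endpoint telemetry. The script below is an added example, not from the original write-up: it correlates a small constructed event stream (network, file-write and process-start records with invented PIDs and paths; only the file names follow the analysis) and raises an alert for each link of the chain while ignoring a legitimate FTP client that never writes an executable.

```python
import ntpath

FTP_CONTROL_PORT = 21
STAGE_EXTS = (".exe", ".dll", ".bat", ".ps1", ".scr")
PUBLIC_DIR = "c:\\users\\public\\"

# Constructed telemetry in the rough shape of sensor events (process start,
# file create, network connect). PIDs and directories are invented.
EVENTS = [
    {"type": "net", "pid": 100, "image": "C:\\Temp\\FidRW.exe", "dst_port": 21},
    {"type": "file", "pid": 100, "image": "C:\\Temp\\FidRW.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepadd.exe"},
    {"type": "proc", "pid": 200, "ppid": 100,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepadd.exe"},
    {"type": "net", "pid": 200,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepadd.exe", "dst_port": 21},
    {"type": "file", "pid": 200,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepadd.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\persist.bat"},
    {"type": "file", "pid": 300,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Demo_Ransomware.exe",
     "path": "C:\\Users\\Public\\Ransom Note.txt"},
    # Benign control: an FTP client that uses port 21 but writes only a text file.
    {"type": "net", "pid": 400,
     "image": "C:\\Program Files\\FileZilla\\filezilla.exe", "dst_port": 21},
    {"type": "file", "pid": 400,
     "image": "C:\\Program Files\\FileZilla\\filezilla.exe",
     "path": "C:\\Users\\alice\\Downloads\\notes.txt"},
]


def detect(events):
    """Walk the events in order and return (rule, actor, subject) alerts."""
    alerts = []
    ftp_pids = set()   # processes that opened an FTP control connection
    dropped = {}       # lower-cased path of an executable written by such a process -> its image
    for ev in events:
        kind = ev["type"]
        if kind == "net" and ev["dst_port"] == FTP_CONTROL_PORT:
            ftp_pids.add(ev["pid"])
        elif kind == "file":
            path = ev["path"].lower()
            # Stage download: an FTP-talking process writes something executable.
            if ev["pid"] in ftp_pids and path.endswith(STAGE_EXTS):
                dropped[path] = ev["image"]
                alerts.append(("ftp_client_wrote_executable", ev["image"], ev["path"]))
            # Ransom note dropped where every user can see it.
            if path.startswith(PUBLIC_DIR) and "ransom" in ntpath.basename(path):
                alerts.append(("ransom_note_in_public_dir", ev["image"], ev["path"]))
        elif kind == "proc":
            # Next stage launched: the new process image is a file we saw dropped.
            image = ev["image"].lower()
            if image in dropped:
                alerts.append(("ftp_payload_executed", dropped[image], ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, subject in detect(EVENTS):
        print(f"[{rule}] {actor} -> {subject}")
```

Each rule on its own is noisy (port 21 alone, or any .bat write, would fire constantly in some environments); the value is in chaining them per process so that the FTP download, the write of an executable and its subsequent launch must all occur before the high-confidence alert fires.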

CONCLUSION

Although this application is intended to demonstrate and raise awareness of how ransomware works, it uses real-world techniques employed by malware around the globe. It is a nice example of multi-staged malware and can be used by RE/security researchers for practice.