Ransomware (Suspicious)

This is a suspicious ransomware that manages to encrypt some files in the Download folder.

Sample:
https://www.virustotal.com/gui/file/06107fa7b33572bfcbc007e3d5bd2436590477bfc7153c813d2a9e1554953486
A similar sample is detected by Avast:
https://www.virustotal.com/gui/file/5fb2646af512828b3de4a5c7e69e907f8948b182ed6a61958069f8e6c0de4cbf
AnyRun analysis:
https://app.any.run/tasks/2e6a8630-a98c-42e7-8100-bb63dc7fa7da

The sample was submitted to Avast more than once before.
It was first uploaded to virustotal 2021-06-21

So I guess those that have not added signature detection for it by now have a reason for not doing it.

To protect against Muldrop BAT ransomware, an important first line of precaution is not to open links from inside phishy-looking mails.

polonus

I believe so too. But the confusing fact for me is that the only difference between the two samples I posted above is that one has this extra code at the start to elevate admin privilege.

@echo off
rem Re-entry check: when the script has relaunched itself with "payload" as
rem the first argument, skip the elevation stub and run the real body.
if _%1_==_payload_  goto :payload

:getadmin
    rem Write a throwaway VBScript to %temp% that relaunches this script via
    rem Shell.Application with the "runas" verb, which triggers the UAC prompt.
    echo %~nx0: elevating self
    set vbs=%temp%\getadmin.vbs
    echo Set UAC = CreateObject^("Shell.Application"^)                >> "%vbs%"
    rem %~s0 is this script's short path; %~sdp0 is its directory, passed as %2.
    echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
goto :eof

:payload
    rem Elevated branch: %1 is "payload", %2 is the original script directory.
    rem The rest of the script (identical in both samples) follows here.

Everything else is the same. The sample doesn’t even require admin privilege and works fine without it. In fact, that’s how the original sample was, without the admin privilege code. The code was added by an amateur for testing purposes.
There must be a reason, I guess, for Avast and also Kaspersky not to add a signature but it’s still a bit confusing.
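As an added example (my own, not code from the forum thread or from the samples): the elevation stub quoted above is a well-known pattern, and it can be matched heuristically in a batch file before the script is ever run. The indicator names and regexes below are my own assumptions, not a vendor signature; the batch text is constructed from the snippet in the post above, plus a harmless script for comparison.

```python
import re

# Heuristic indicators for the batch self-elevation stub (names are my own).
INDICATORS = {
    # VBScript handle to Shell.Application (batch-escaped "^(" or plain "(")
    "shell_application": re.compile(
        r'CreateObject\s*\^?\(\s*"Shell\.Application"', re.I),
    # ShellExecute with the "runas" verb on the same line -> UAC prompt
    "runas_verb": re.compile(r'ShellExecute\b.*"runas"', re.I),
    # a .vbs dropped under %temp%
    "vbs_in_temp": re.compile(r'%temp%\\[^"\s]+\.vbs', re.I),
    # the script referencing its own path (%~0 / %~s0)
    "self_reference": re.compile(r'%~s?0', re.I),
    # the re-entry guard used to skip the stub on the elevated run
    "payload_switch": re.compile(r'if\s+_%1_==_payload_', re.I),
}


def scan_batch(text):
    """Return the set of indicator names found in a batch script's text."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}


def is_self_elevating(text):
    """True when the script relaunches itself through Shell.Application
    with the 'runas' verb, i.e. the getadmin stub from the post."""
    return {"shell_application", "runas_verb", "self_reference"} <= scan_batch(text)


# Constructed sample: the stub as quoted in the post above.
SAMPLE_GETADMIN = r'''@echo off
if _%1_==_payload_  goto :payload

:getadmin
    echo %~nx0: elevating self
    set vbs=%temp%\getadmin.vbs
    echo Set UAC = CreateObject^("Shell.Application"^)                >> "%vbs%"
    echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
goto :eof

:payload
'''

# Constructed benign script for comparison.
BENIGN = r'''@echo off
echo backup started
xcopy /s /y C:\data D:\backup
'''

if __name__ == "__main__":
    for label, text in (("getadmin stub", SAMPLE_GETADMIN), ("benign", BENIGN)):
        print(label, sorted(scan_batch(text)), "self-elevating:", is_self_elevating(text))
```

Matching the stub only tells you the script asks for elevation, which plenty of legitimate installers also do; it is the combination with the rest of the sample's behaviour that makes it interesting, so treat a hit as a triage cue rather than a verdict.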

Good suggestion. I don’t do that. The sample was given to me by someone for testing.