RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Why RL Built Spectra Assure Community

Why RL Built Spectra Assure Community

We set out to help dev and AppSec teams secure the village: OSS dependencies, malware, more. Learn how.

Read More about Why RL Built Spectra Assure Community
Why RL Built Spectra Assure Community

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
Threat ResearchOctober 26, 2017

ReversingLabs' YARA rule detects BadRabbit encryption routine specifics

BadRabbit a previously unknown ransomware family which started spreading on October 24th

FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
ReversingLabs' YARA rule detects BadRabbit encryption routine specifics

The ransomware's fake FlashPlayer dropper was distributed through compromised websites via drive-by downloads.

Targets are mostly Russia based but there have also been reports of victims in Ukraine, Turkey and Germany.

Although several sources pointed to existing similarities between NotPetya and BadRabbit, besides the same compiler and similar methods being used, the source code of the two has noticable differences.

ReversingLabs' YARA rule detects BadRabbit encryption routine specifics.

BadRabbit Ransomware DROPPER

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Original name: FlashUtil.exe
File size: 431.5 KB (441899 bytes)

8911fdb8c1ac8f6098057dfbbd77fc0c5e6a55a78d4a2f9701b965230ce32cf9
Original name: FlashUtil.exe
File size: 409.6 KB (419401 bytes)

7160bd96104d2ff21d836e9585b8d869edcc0aa60ee84157b7670d9abb1cd785
Original name: FlashUtil.exe
File size: 431.5 KB (441898 bytes)

5c3dc8a0c37c55af92336fde825e8280c6fd28c3f9fe69e61facb3b1da20c0df
Original name: FlashUtil.exe
File size: 431.5 KB (441899 bytes)

BadRabbit unpacked

579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
C:\Windows\infpub.dat
File size: 401.1 KB (410760 bytes)

BadRabbit PAYLOAD

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Original name: dispci.exe
File size: 139.5 KB (142848 bytes)

10e741ef66bdd9166434781d5a0ce465f50f270fdf538a351e91a5161458c888
Original name: dispci.exe
File size: 139.5 KB (142855 bytes)

BadRabbitComponent Diskcryptor

682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806
Original name: dcrypt.sys
C:\Windows\cscc.dat x32 diskcryptor

0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
Original name: dcrypt.sys
C:\Windows\cscc.dat x64 diskcryptor

BadRabbitComponent Mimikatz

2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035
File size: 52.4 KB (53624 bytes)
mimikatz-like x86

301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
File size: 60.9 KB (62328 bytes)
mimikatz-like x64

BadRabbit debug build

52d4747637b94db89996c9da113160eff2eee95c5528fb3abb7f85c2d7eb291c
DISCKCODER debug build
File size: 536.5 KB (549376 bytes)

ae8a2eea804cdc233a518eead2a5e050189ba183548b73b85d97d66e8dbd3fd7
DISCKCODER debug build
File size: 536.5 KB (549376 bytes)

3354967433417380fb34b1fd030f8a6aa4de4a6e2f4a69559d70be328283bc73
DISCKCODER debug build
File size: 536.5 KB (549376 bytes)

1c6fdf8b58afb6e28934acc1bc7eb50a7713dc0aff1cc58d4b0bb5a3479beca1
DISCKCODER debug build
File size: 536.5 KB (549378 bytes)

Keep learning

  • Get up to speed on the Agentic Development Security tools landscape in this June 18 webinar with Forrester Sr. Analyst Janet Worthington.
  • Learn why binary analysis is a must-have control in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take a deep dive on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:Threat Research

More Blog Posts

Thousands of developer projects compromised in npm hack

32 Red Hat npm packages backdoored in 72 seconds

RL has discovered a new supply chain attack affecting 9.8M total downloads across Red Hat's Hybrid Cloud Console JavaScript ecosystem.

Learn More about 32 Red Hat npm packages backdoored in 72 seconds
32 Red Hat npm packages backdoored in 72 seconds
Hunting Megalodon Fossils

Researcher's Notebook: Hunting Megalodon Fossils

Analyzing C2 responses from compromised GitHub Actions linked a current threat to an earlier one, showing the value of retrohunting.

Learn More about Researcher's Notebook: Hunting Megalodon Fossils
Researcher's Notebook: Hunting Megalodon Fossils
Hackers Abuse Parental Controls To Hijack Google Accounts

Hackers Abuse Parental Controls to Hijack Google Accounts

Learn how attackers are re-casting adults as minors to bypass recovery and lock users out.

Learn More about Hackers Abuse Parental Controls to Hijack Google Accounts
Hackers Abuse Parental Controls to Hijack Google Accounts
How DirtyFrag rose from the Linux privilege escalation exploit

How Dirty Frag rose from the Copy Fail exploit

RL documented 163 samples of the Linux exploit's new variants, active malware — and developed YARA rules.

Learn More about How Dirty Frag rose from the Copy Fail exploit
How Dirty Frag rose from the Copy Fail exploit

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top