God of death steals your data: Ransomware/Anubis

A new info stealing malware Ransomware/Anubis is now actively distributed in the wild. The malware code is forked from Loki malware. The malware is developed in c# and the authors have called it as Anubis in it’s settings, sharing the name with an unrelated family of Android banking malware.

Technical Details

Binary Info
MD5: B73E3725DDCDDBBF83DB1610C162A950
SHA1: 5862E19E3A31F88DD7D69F7247B0AEAB872F8EFA
Size: 266,240 bytes
DateTimeStamp: 22 June 2020 8:57:44 PM GMT

Anubis has code to steal system info, screen shots, passwords, browser cookies, credit card details, crypto currency wallets, lock files, etc

The domain anubis.fun where the admin panel is hosted points to 3 ipv4 addresses,
104.27.159.138
104.27.158.138
171.67.191.19 (down)

The admin panel is protected by authentication.

The site uses SSL certificate from GlobalSign.


It captures the screenshots of webcam and also the current screen.


It steals the credentials from Filezilla and Telegram applications.

It steals the web cookies stored by the web browsers. It also steals the crypto wallets of the following Crypto currencies,

  • Bitcoin
  • Bytecoin
  • Dashcoin
  • Electrum
  • Ethereum
  • Litecoin

It steals credit card details from web browser storage.

It steals credentials from NordVPN.


It collects following information from infected machines,

  • Public IP address
  • Country
  • State
  • City
  • Timezone
  • ZIP
  • ISP
  • Coordinates
  • User name
  • Machine name
  • UUID
  • HWID
  • CPU
  • GPU
  • RAM
  • MAC id
  • Screen resolution
  • System language
  • Browser versions

The collected information are send to the C2 server. The C2 URI is hard coded in the binary settings.

It steals credentials from Steam, a video game distribution software.


The ransomware (file lock) functionality doesn’t gets executed in this version, but would execute if the feature is turned on in binary settings.

The encrypted (locked) files are renamed by appending “.loki” string. The File locker module doesn’t encrypt the files with size less than 30MB.

The ransomware note is hard coded in the binary.