{
	"id": "31275a8c-548c-4fb3-af98-32077b170102",
	"created_at": "2026-04-06T00:07:52.159175Z",
	"updated_at": "2026-04-10T13:12:51.251039Z",
	"deleted_at": null,
	"sha1_hash": "19d1a851ed133b09c12931f49c2d624760ddce4d",
	"title": "From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6914787,
	"plain_text": "From the Front Lines | Slam! Anatomy of a Publicly-Available\r\nRansomware Builder\r\nBy Jim Walter\r\nPublished: 2022-09-15 · Archived: 2026-04-05 22:22:28 UTC\r\nThe barrier to entry for enterprising cybercriminals has been dropping considerably over recent years, in part due to the\r\navailability of RaaS (Ransomware as a Service) offerings on the darknet but also due to publicly-accessible code being\r\nshared for free. One such offering is the Slam Ransomware Builder, which had been hosted until recently on Github. In this\r\npost, we highlight how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible\r\nthreat to organizations and enterprises. We provide a detailed list of indicators to help security teams detect and protect\r\nagainst Slam ransomware payloads.\r\nRansomware For “Educational Purposes Only”?\r\nThe Slam Ransomware Builder first appeared in late 2021, with Slam ransomware payloads appearing in the wild shortly\r\nafter (e.g., ConsoleApp2.exe). 
During mid-2022, downloadable and executable versions of the Slam Ransomware Builder\r\nappeared on a publicly-visible repository on Github and were available for several months until Github admins removed the\r\nrepository on September 1st, 2022.\r\nThe owner of the now-removed repository dubbed it “The Most Advanced Free Ransomware Builder” and has a history of\r\nproviding “educational” videos on Vimeo, Youtube and KZHome, instructing viewers how to build ransomware and “virus\r\npayloads”.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/\r\nPage 1 of 11\n\nSource: Slam ransomware builder video hosted on Vimeo\r\nWhile the author’s public postings contain the usual “for educational purposes only” and “don’t try this” disclaimers to\r\navoid responsibility, they also contain language such as “most advanced ransomware” and “damage rate: destructive”.\r\nSource: Slam ransomware builder video hosted on Youtube\r\nThe author had described the ransomware’s behavior in detail in earlier publicly-posted videos, describing how victim data\r\ncould be exfiltrated to an attacker-controlled site.\r\nThe author’s reasons for distributing free ransomware builders can only be guessed at, but despite being free, the builder and\r\npayloads are genuine threats that can cause real damage. As our analysis below shows, Slam is a full-featured ransomware\r\nwith AES256 encryption, UAC bypass, shadow backup copy deletion and data exfiltration capabilities. In other words,\r\neverything needed to lock and steal enterprise data.\r\nSlam Ransomware Builder Features\r\nThe most recent release of the Slam ransomware builder prior to being removed from Github was version 1.7. 
Earlier\r\nversions of the tool supported either English or Spanish locales, while later versions including 1.7 allow toggling between\r\nthe two.\r\nThe existing feature set includes the following:\r\nFully customizable ransom notes\r\nCustom encryption passphrases\r\nAllow the ransomware to lie dormant until a network is available\r\nUAC Bypass (1)\r\nRun external commands with the ransomware launch\r\nVSS / backup deletion\r\nBasic file transfers (HTTP) for exfiltration\r\nDespite the code being removed from Github, it is possible the author intends to find or already has other distribution\r\noutlets. The list of features promised for the future includes screen locking, MBR overwrites, and “LogonUI overwriting”.\r\nUpon running the code provided on Github, users of the builder are presented with a menu leading to different builder\r\ncomponents or indications of their upcoming release.\r\nVersion 1.6 of the Slam Ransomware Builder\r\nWhen choosing the “slam ransomware builder” option, users must first “Install”, then “Start” to launch the builder interface.\r\nThis installation essentially consists of writing the builder EXE to c:\\slam_ransomware_builder\\. Any other component\r\nrequiring an “Install” step will also go to the root of the C drive (e.g., c:\\slam_mbr_builder).\r\nOnce the main interface is launched, the user is presented with a standard set of options for building their ransomware\r\npayloads.\r\nOptions including the following are present in this interface:\r\nRansom note name and text\r\nWallpaper modification options and images\r\nAffected file extensions\r\nFile encryption (types / extensions to encrypt)\r\nRemote folder options (OneDrive)\r\nThe tool provides more ‘Advanced’ configuration options as well. 
These options are accessible via the “advanced” button.\r\nOptions in this section include:\r\nNetwork awareness (remain idle until Wi-Fi is available)\r\nVerbose output options (decrypter)\r\nPersistence (add to startup)\r\nInhibit recovery (website blocking, self-destruction, backup destruction).\r\nThe “block antivirus websites” option is meant to prevent victims from being able to download security software or check\r\nsuspicious files on public malware repository sites such as VirusTotal.\r\nThe ransomware achieves this by modifying the device’s Hosts file, adding a long list of sites belonging to the likes of\r\nAvast, Avira, Bitdefender, CCleaner, Google, Kaspersky, McAfee, Microsoft, Panda Security, Trend Micro, VirusTotal,\r\nYouTube, and others. Each site is simply bound to the machine’s loopback address (typically 127.0.0.1), preventing the\r\ndomain name from being resolved to an external IP address.\r\nSome of the almost 100 domain names added to the Hosts file\r\nWith regard to bypasses, the version of Slam we analyzed includes a single UAC bypass, based on UACMe, which attempts\r\nto defeat Windows User Account Control by abusing the built-in Windows AutoElevate backdoor. UACMe is a bypass\r\ntechnique that has been known for some years and widely abused by a number of other malware families including\r\nMultiplug adware, Dyre, Empercrypt and IcedID.\r\nTo exfiltrate victim data, the user can specify an HTTP server in the configuration interface, where a connection test can also\r\nbe performed. If the connection test fails, an error is displayed. 
Other options available to the user include USB infection\r\nand execution of custom commands when the payload is detonated on the victim machine.\r\nSlam Ransomware Payloads\r\nWith all options configured, the executable payloads generated are standard EXE files. The builder outputs both the\r\nencryptor and decryptor tools.\r\nWhen executed with non-Administrator privileges, the UAC prompts and/or configured bypasses will come into play.\r\nSlam payload UAC prompt\r\nPost-execution, the victim device is encrypted according to the options configured in the builder.\r\nThe payload is written to %AppData%\\Local\\discord.exe, which is referenced from a registry Run key, ensuring the\r\nransomware payload is persistent.\r\nAs advertised, the Slam payload successfully inhibits recovery via removal of VSS backups on an unprotected machine.\r\nBoth wmic and vssadmin methods are utilized for VSS deletion.\r\n/c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy igno\r\nwmic shadowcopy delete\r\nThe ransomware also deletes various logs, Windows installation and recovery-related files via cleanmgr.exe. In the\r\npayload we analyzed, for example, a process named wgMHhFHnkiczPUNfqaA8Cx4kqwVcRG.exe issues the cleanmgr.exe\r\ncommand with the /AUTOCLEAN parameter, which executes Windows disk cleanup and removes Windows installation files\r\non unprotected devices.\r\n\\system32\\cleanmgr.exe /autoclean /d C:\r\nThe Slam builder also contains a very early stage “Alpha” MBR builder tool. Choosing to “Install” should write start.exe\r\nto c:\\slam_mbr_builder\\start.exe. 
This does not appear to occur in our testing and analysis, and the feature appears to be\r\nnon-functional in the version of the Slam Builder we analyzed from Github.\r\nHowever, we were able to obtain a copy of the builder from another source that allowed us to launch the builder and observe\r\nthe output.\r\nSlam “Alpha” MBR builder\r\nWithin the MBR Builder interface, users are able to configure the message displayed to the victim.\r\nSlam MBR Builder Ransom Note Configuration\r\nPrior to executing the build, a final screen allows the attacker to choose the “reboot mode” with the options being:\r\nDo Nothing\r\nBSOD\r\nReboot\r\nShutdown\r\nNothing\r\nPayloads from the MBR builder have been observed in the wild with the following PDB string.\r\nC:\\slam_mbr_builder\\MbrOverwriter\\mbrcs\\obj\\Debug\\mbrcs.pdb\r\nConclusion\r\nIn this and many other areas of infosec, there is a fine line between “education” and researcher-led offensive security that\r\nseeks to explore and improve weaknesses in enterprise defenses on the one hand, and simple, out-and-out malicious code\r\ndesigned to aid and abet criminal offenses on the other. We see no indications in the various public artifacts around the Slam\r\nransomware builder (code, videos, Github repository) that suggest it could reasonably be interpreted as in the service of the\r\nformer.\r\nHowever that may be, once in the hands of unscrupulous actors, full-featured projects such as these represent a real risk to\r\nenterprises and organizations.\r\nWe applaud Github for removing this code and hope this post serves as a reminder to defenders to be vigilant as threat actors\r\ncontinue to simplify the ransomware-centric extortion process. 
The barrier to entry into the world of cybercrime has never\r\nbeen lower.\r\nSentinelOne Singularity™ detects and prevents malicious behavior associated with Slam Ransomware and its associated\r\nartifacts.\r\nIndicators of Compromise\r\nObserved File Names\r\nConsoleApp2.exe\r\nmbrcs.exe\r\nJpegMedic ARWE\r\nslam ransomware builder.exe\r\nObserved PDB Strings\r\nC:\\slam_mbr_builder\\MbrOverwriter\\mbrcs\\obj\\Debug\\mbrcs.pdb\r\nc:\\slam_ransomware_builder\\ConsoleApp2\\ConsoleApp2\\obj\\Debug\\ConsoleApp2.pdb\r\nC:\\Users\\amdga\\Desktop\\UACME-master\\Source\\Akagi\\output\\Win32\\Debug\\Akagi.pdb\r\nD:\\agent\\_work\\20\\s\\\\binaries\\x86ret\\bin\\i386\\\\vcruntime140d.i386.pdb\r\nc:\\slam_ransomware_builder\\uac\\ConsoleApp2\\obj\\Debug\\ConsoleApp2.pdb\r\nC:\\Users\\amdga\\source\\repos\\conect\\conect\\obj\\Debug\\conect.pdb\r\nC:\\Users\\ander\\source\\repos\\slam ransomware builder\\slam ransomware builder\\obj\\Debug\\slam ransomware builder\r\nSHA1 
Hashes\r\nMITRE ATT\u0026CK\r\nT1542.003 – Pre-OS Boot: Bootkit\r\nT1047 – Windows Management Instrumentation\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1564.003 – Hide Artifacts: Hidden Window\r\nT1112 – Modify Registry\r\nT1490 – Inhibit System Recovery\r\nT1486 – Data Encrypted for Impact\r\nT1491.001 – Defacement: Internal Defacement\r\nT1083 – File and Directory Discovery\r\nT1005 – Data from Local System\r\nT0809 – Data Destruction\r\nSource: https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/"
	],
	"report_names": [
		"from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19d1a851ed133b09c12931f49c2d624760ddce4d.pdf",
		"text": "https://archive.orkl.eu/19d1a851ed133b09c12931f49c2d624760ddce4d.txt",
		"img": "https://archive.orkl.eu/19d1a851ed133b09c12931f49c2d624760ddce4d.jpg"
	}
}