{
	"id": "2e4b5c04-d264-4fce-8f61-47f5c6725cf9",
	"created_at": "2026-04-06T00:16:40.854899Z",
	"updated_at": "2026-04-10T03:31:13.333446Z",
	"deleted_at": null,
	"sha1_hash": "7ca1b589c99fc913f309fc2b6e3691db24de04af",
	"title": "Conti ransomware source code investigation - part 1.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1920941,
	"plain_text": "Conti ransomware source code investigation - part 1.\r\nBy cocomelonc\r\nPublished: 2022-03-27 · Archived: 2026-04-05 21:39:21 UTC\r\n4 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nA Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in\r\nrevenge for the cybercriminals siding with Russia on the invasion of Ukraine.\r\nAs you can see the last modified dates being January 25th, 2021.\r\nwhat’s Conti ransomware?Permalink\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 1 of 16\n\nContiLocker is a ransomware developed by the Conti Ransomware Gang, a Russian-speaking criminal collective\r\nwith suspected links with Russian security agencies. Conti is also operates a ransomware-as-a-service (RaaS)\r\nbusiness model.\r\nstructurePermalink\r\nThe source code leak is a Visual Studio solution (contains conti_v3.sln ):\r\nthat allows anyone with access to compile the ransomware locker:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 2 of 16\n\nand decryptor:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 3 of 16\n\nAV engines evasionPermalink\r\nThe first thing that usually attracts me to professionally written malware is the action by which this malware itself\r\nevasion AV engines and hides its activity.\r\nTo see the mechanism of communication with WinAPI, I look in the folder api :\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 4 of 16\n\nSo, looking at the file getapi.cpp . First of all see:\r\nAs you can see, to convert RVA (Relative Virtual Address) to VA (Virtual Address) conti used this macro.\r\nThen, find function GetApiAddr which find Windows API function address by comparing it’s hash:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 5 of 16\n\nthat is, Conti uses one of the simplest but effective AV engines bypass tricks, I wrote about this in a previous post.\r\nAnd what hashing algorithm is used by conti?\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 6 of 16\n\nMurmurHash is a non-cryptographic hash function and was written by Austin Appleby.\r\nAfter that, the api module is invoked to execute an anti-sandbox technique with the purpose of disable all the\r\npossible hooking’s on known DLLs. In fact, the following DLLs are loaded through the just resolved\r\nLoadLibraryA API:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 7 of 16\n\nthreadingPermalink\r\nWhat about module threadpool ?. Each thread allocates its own buffer for the upcoming encryption and initialize\r\nits own cryptography context through the CryptAcquireContextA API and an RSA public key.:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 8 of 16\n\nThen, each thread waits in an infinite loop for a task in the TaskList queue. In case a new task is available, the\r\nfilename to encrypt is extracted from the task:\r\nencryptionPermalink\r\nThe encryption for a specific file starts with a random key generation using the CryptGenRandom API:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 9 of 16\n\nof a 32 -bytes key and another random generation of an 8 -bytes IV.\r\nAnd as you can see, conti used ChaCha stream cipher which developed by D.J.Bernstein.\r\nCheckForDataBases method is invoked to check for a possible full or partial encryption:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 10 of 16\n\nagainst the following extensions:\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 11 of 16\n\n.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf,\r\n.ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm,\r\n.db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk,\r\n.dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3,\r\n.fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx,\r\n.kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas.mav, .mdb, .mdf, .mpd, .mrg, .mud,\r\n.mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3,.ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .ogy, .orx,\r\n.owc, .p96, .p97, .pan, .pdb, .p dm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd,\r\n.sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spg, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx,\r\n.tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld,\r\n.xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .mdt\r\nAnd CheckForVirtualMachines method is invoked to check for a possible partial encryption ( 20% ):\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 12 of 16\n\nthe following extensions:\r\nvdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol, .bin, .vsv, .avhd,\r\n.vmrs, .vhdx, .avdx, .vmcx, .iso\r\nand in other cases, the following pattern is followed:\r\nif the file size is lower than 1048576 bytes (1.04 GB) - perform a full encryption\r\nif the file size is \u003c 5242880 bytes (5.24 GB) and \u003e 1048576 bytes (1.04 GB) - partial encryption: only\r\nheaders\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 13 of 16\n\nelse, 50% partial encryption:\r\nobfuscationPermalink\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 14 of 16\n\nIn addition, an interesting module was found in the source codes: obfuscation :\r\nwhich can generate obfuscated code via ADVObfuscator. For example strings:\r\nThat’s all today. In the next part I will investigate network_scanner and filesystem modules.\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 15 of 16\n\nconclusionPermalink\r\nOn February 25th, 2022 , Conti released a statement of full support for the Russian government - coupled with a\r\nstern warning addressed at anyone who might consider retaliating against Russia via digital warfare.\r\nContiLeaks is a turning point in the cybercrime ecosystem, and in this case, we can expect a lot of changes in how\r\ncybercriminal organizations operate. From the one side less mature cybercriminal orgs might be very powerful\r\nand instead more sophischated gangs will learn from Conti’s mistakes.\r\nI hope this post spreads awareness to the blue teamers of this interesting malware techniques, and adds a weapon\r\nto the red teamers arsenal.\r\nCarbanak\r\nGetApiAddr implementation in Carberp malware\r\nCarbanak source code\r\nMurmurHash by Austin Appleby\r\nADVObfuscator\r\nChaCha cipher\r\ntheZoo repo in Github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nhttps://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html"
	],
	"report_names": [
		"malw-inv-conti-1.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ca1b589c99fc913f309fc2b6e3691db24de04af.pdf",
		"text": "https://archive.orkl.eu/7ca1b589c99fc913f309fc2b6e3691db24de04af.txt",
		"img": "https://archive.orkl.eu/7ca1b589c99fc913f309fc2b6e3691db24de04af.jpg"
	}
}