RansomCoin – A DFIR Tool To Extract Cryptocoin Addresses And Other Indicators Of Compromise From Binaries

Extracting metadata and hardcoded Indicators of Compromise from ransomware in a scalable, efficient way, with Cuckoo integrations. Ideally it is run during Cuckoo dynamic analysis, but it can also be used for static analysis on large collections of ransomware. It is designed to be fast, with a low false-positive rate for cryptocurrency addresses, and limited false positives for emails, URLs, onions and domains (which are hard to match perfectly).
In short, this is fast and easy initial triage if you only want monetisation vectors.

Installation instructions
Please ensure you have Python3 installed.

In a Linux Virtual Machine
It is advisable to download and install a virtualizer such as VirtualBox. Install your desired Linux virtual machine (e.g. Lubuntu, Kali Linux) and then follow the instructions below.
From the tools folder:

sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python-dev python3-tlsh
python3 -m pip install -r requirements.txt

Note: If you get an error saying No module named pip, try running

sudo apt-get install python3-pip

Usage instructions
A tutorial video is available: https://youtu.be/3pUDh5HvqVI
The following commands can be run from the “Tools” folder to analyse malware samples located in that directory. The code runs across all files in the directory and reports the estimated time to completion via TQDM. You will need write access to a file called Ransomware.csv in the directory you are working in (it contains the results). The malware files themselves can be read-only; only Ransomware.csv needs write access.

After running coinlector.py, the results are written to a file in the same directory called Ransomware.csv.

python3 coinlector.py

View the results by running

less Ransomware.csv

Currently we are testing for:

  • Bitcoin Addresses (BTC)
  • Bitcoin Cash Addresses (BCH)
  • Monero Addresses (XMR)
  • Bitcoin Private Keys
  • Ethereum addresses (ETH)
  • Ripple addresses (XRP)
  • LTC addresses (LTC)
  • DOGECOIN addresses (DOGE)
  • NEO addresses (NEO)
  • DASH addresses (DASH)
  • Domains (Address)
  • Email Addresses (Email)
  • Onion Addresses (Address)

View URLs, email addresses, and cryptocurrency addresses by running the following grep commands.

less Ransomware.csv | grep URL
less Ransomware.csv | grep Email
less Ransomware.csv | grep Address

Grep for Monero addresses by running

less Ransomware.csv | grep XMR

The same command can be used to search for other cryptocurrencies using the abbreviations in the list above.
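The low false-positive rate for coin addresses comes from validating candidates rather than trusting a regex alone. As an added illustration (not RansomCoin's own code), the following scans a byte blob for legacy Bitcoin address candidates and keeps only those whose Base58Check checksum verifies; the sample "binary" is constructed inline and contains one genuine address and one lookalike.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (P2PKH / P2SH) address: starts with 1 or 3, 26-35 Base58 chars,
# not glued to other alphanumerics on either side.
BTC_CANDIDATE = re.compile(
    rb"(?<![A-Za-z0-9])[13][" + B58_ALPHABET.encode() + rb"]{25,34}(?![A-Za-z0-9])"
)


def b58decode(text):
    """Decode a Base58 string to bytes, keeping leading zero bytes ('1' characters)."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(text):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(text)
    except ValueError:  # character outside the Base58 alphabet
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # 0x00 = P2PKH, 0x05 = P2SH
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(blob):
    """Return unique, checksum-valid Bitcoin addresses found in a binary blob."""
    found = []
    for match in BTC_CANDIDATE.finditer(blob):
        candidate = match.group(0).decode("ascii")
        if is_valid_btc_address(candidate) and candidate not in found:
            found.append(candidate)
    return found


# Constructed sample "binary": a ransom-note fragment with one genuine address
# (the Bitcoin genesis-block address) and one lookalike with its last character altered.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    b"and not to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00\xff"
)

if __name__ == "__main__":
    print(extract_btc_addresses(SAMPLE_BINARY))  # ['1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa']
```

The same candidate-then-validate pattern applies to the other coin types in the list above; Bech32 and Monero addresses carry their own checksums and need their own decoders.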

tempuscoin.py outputs a list of timestamped ransom transactions. It creates the file TemporalRansoms.csv, showing the sending and receiving Bitcoin addresses, the amount in BTC, and its equivalent value in EUR and USD at the time of the transaction.

python3 tempuscoin.py

View the results by running

less TemporalRansoms.csv

This code will probably need to be altered to work with your own MISP instance. It uses PyMISP to create events from the Ransomware.csv file, and groups of events share the same name. The default is to create unpublished events and then add details by hand before publishing. YMMV.
