CSE Malware ZLab – Malware Analysis Report: A new variant of Mobef Ransomware

Pierluigi Paganini February 28, 2018

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, a malware that in the past mainly targeted Italian users.

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.

I personally obtained the sample by researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at the ZLab.

Seems it's a new version of Mobef (or maybe not even a new version, just a new note). Note that most of Mobef victims we seen in past year also were from Italy.
For this, we only seen victims from Italy till now. 1st on 16th this month.
The above sample also seen from Italy…

— MalwareHunterTeam (@malwrhunterteam) February 24, 2018

Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.

Mobef ransomware note

The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.

After the execution, the ransomware creates three files:

4YOU: it contains the ransom note as shown in the popup window; it is stored in each folder in which there are encrypted files.
KEI: it contains the personal key used to identify the victim; it is stored in each folder in which there are encrypted files.
log: it contains the list of the encrypted files and it is stored in “C:\Windows”. This file represents also the kill-switch of the malware and the filename is the same for every infection.

Mobef ransomware – List of encrypted files

Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.

It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.

A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.

Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180228_CSE_Mobef_ransomware_new_variant.pdf

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mobef ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 08, 2025

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

Pierluigi Paganini July 08, 2025