How to use RansomCoin to extract cryptocurrency addresses and other IoC from source files



RansomCoin is a DFIR tool that can help researchers extract encrypted currency addresses and other intrusion threat indicators IoC from binary source code files. RansomCoin supports the extraction of metadata including ransomware and hard-coded intrusion threat indicators IoC. It can collect data in a scalable, efficient, and integrated form with Cuckoo. Ideally, it can be used in Cuckoo dynamic It is executed during the analysis process, but it can also be used for static analysis of a large number of ransomware. The tool runs very fast, and the false positive rate for cryptocurrency addresses is very low. In addition, the tool has a relatively low false positive rate for emails, URL addresses, onion domains and other domains, but it is difficult to achieve perfection in these aspects.

In short, if you need a simple and fast initial classification of these monetized attack vectors, then RansomCoin is an excellent choice for you.

Tool download

Most users can directly use the following commands to clone the project code locally:

git clone

Tool installation

Before using RansomCoin, please make sure that the Python 3 environment has been installed and configured on your host.

Linux virtual machine

We recommend that you download and install a virtual machine environment, such as VirtualBox. After installing your Linux virtual machine, please follow the steps below to configure it.

Change to the directory where the tool is located, and then run the following command:


sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python-dev python3-tlsh

python3 -m pip install -r requirements.txt


Note: If the system prompts an error about the pip command, please try to run the following command:

sudo apt-get install python3-pip

Tool use

The following commands can be run directly from the “Tools” folder in the project directory and directly analyze the malware samples in the directory. Running commands in this directory can directly scan all files in the directory, and provide the estimated time to complete the analysis through TQDM. Before starting, we need to provide write permission to the Ransomware.csv file in the directory.

Tool demonstration video:

After running, the script will output the analysis results to a file named Ransomware.csv in this directory:


Run the following command to view the analysis results:

less Ransomware.csv


The current version of RansomCoin supports the following detection factors:

-Bitcoin address (BTC)

-Bitcoin Cash Address (BCH)

-Monero address (XMR)

-Bitcoin private key

-Ethereum address (ETH)

-XRP address (XRP)

-Litecoin address (Litecoin)

-DOGECOIN address (DOGE)

-NEO address (NEO)

-DASH address (DASH)

-Domain name (address)

-Email address (email)

-Onion address (address)

We can also view URL addresses, email addresses, and encrypted currency addresses by running the following grep command:

less Ransomware.csv | grep URL

less Ransomware.csv | grep Email

less Ransomware.csv | grep Address

The grep command for the Monero address is as follows:

less Ransomware.csv | grep XMR

We can also search for other types of detection factors by replacing the cryptocurrency name in the above command. will output a time-stamped ransom transaction list. After the script is run, a file named TemporalRansoms.csv will be created, which will store and display the sent and received bitcoin addresses, bitcoin amounts, and transaction times The equivalent exchange rate between Euros and U.S. dollars.


Run the following command to view the analysis results:

less TemporalRansoms.csv

This script needs to be customized to adapt to different MISP instances. The script can use PyMISP to create events from the Ransomware.csv file, and the same event group shares the same event name. By default, it creates an unpublished event, and then you need to manually add the details of the event before publishing.

project address



There are no reviews yet.

Be the first to review “How to use RansomCoin to extract cryptocurrency addresses and other IoC from source files”

Your email address will not be published. Required fields are marked *