jotuhup.com

ceyuvigi.com

xafehot.com

pucaxejun.com

nemucefah.com

pijixepi.com

hakakebero.com

sakogabu.com

tevokaxol.com

vosuxizen.com

duladani.com

wijakezada.com

dehelibe.com

rikukof.com

talulime.com

powershell.exe

akira_readme.txt

comsvcs.dll

64F8E1B825887AFE3130AF4BF4611C21

3F63951399F8CD578E2A6FAED2C9C0F0

C2CBBD6E392A453A47DA69D086756E71

FD380DB23531BB7BB610A7B32FC2A6D5

7ca94d84f4a02fb1f608818c1c3ab62d

Adf426e30f8a3383c6696d2f142907d3

495afbc7ebae07d50c529c1bd5889f54

0c706908df97857255252837ac1b90c9

91.132.92.60

148.72.168.13

199.127.60.236

80.66.88.203

152.89.196.111

185.11.61.114

23.108.57.151

20.99.133.109

13.107.4.50

23.216.147.64

64.44.135.135

162.159.134.233

108.177.127.94

108.177.126.132

23.108.57.1

23.106.123.15

23.106.215.64

23.19.58.94

23.81.246.200

23.106.160.141

108.62.118.180

108.177.235.187

45.147.230.83

64.44.102.127

64.44.102.19

64.44.98.232

T1059

T1074

T1486

T1003

T1562

rule TA_Ransomware_Akira {
	meta:
		description = "Akira: The old-new style crime"
		category = "Ransomware"
		author = "vc0rexor"
		reference = ""
		date = "2024-06-01"
	strings:
		$a1 = "expand 32-byte" ascii wide nocase
		$a2 = "akira" ascii nocase
		$a3 = "onion" ascii nocase
		$a4 = "TOR browser" ascii nocase fullword
		$a5 = "--encryption_path" ascii wide nocase
		$a6 = "--encryption_percent" ascii wide nocase
		$a7 = "CreateThread" ascii nocase fullword
		$a8 = "CreateIoCompletionPort" ascii nocase fullword
		$a9 = "AcquireSRWLockExclusive" ascii nocase fullword
		$a10 = "GetCurrentThreadId" ascii nocase fullword
		$a11 = "GetLogicalDriveStrings" ascii nocase fullword
		$a12 = "GetQueuedCompletionStatus" ascii nocase fullword
		$a13 = "encrypt" ascii nocase
		$a14 = "thread pool" ascii nocase fullword
		$a15 = "failed" ascii wide nocase
		$a16 = "System Volume Information" ascii nocase fullword
		$a17 = "Paths Finded" ascii nocase fullword
		$b1 = { 0F 11 45 ?? 0F 57 C9 F3 0F 7F 4D ?? 4C 63 C0 33 D2 48 8D 4D ?? E8 ?? ?? FE FF 48 8D 4D ?? 48 83 7D ?? 08 48 0F 43 4D ?? 4C 8D 45 ?? 48 83 7D ?? 10 4C 0F 43 45 ?? 8B 45 ?? 89 44 24 28 48 89 4C 24 20 44 8B 4D ?? 33 D2 33 C9 FF 15 ?? ?? ?? 00 0F 10 45 ?? 0F 11 45 ?? 0F 10 4D ?? 0F 11 4D ?? 66 0F 6F 05 ?? ?? ?? 00 F3 0F 7F 45 ?? 66 89 ?? ?? }
		$b2 = { 8B C7 0F 57 C0 0F 11 44 24 ?? 4C 89 74 24 ?? 4D 8B C7 4C 89 74 24 ?? 48 8D 0C 40 48 8B ?? 24 ?? }
		$b3 = { 48 8D ?? 27 48 83 ?? E0 48 89 ?? F8 48 89 ?? ?? ?? 8D ?? 00 20 00 00 ?? 89 ?? ?? 33 D2 41 B8 00 20 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 04 01 00 00 FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? 8D ?? ?? 66 66 66 0F 1F 84 00 00 00 00 00 }
		$b4 = { 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 0F B7 90 D2 03 00 00 48 8B 84 D0 D8 03 00 00 48 83 C1 F8 }
		$b5 = { 48 8B 4E ?? E8 ?? ?? ?? 00 48 8D 7C 24 20 48 89 07 48 89 F9 E8 ?? ?? ?? ?? 48 8B 46 28 48 89 47 10 0F 10 46 18 0F 29 07 48 8B 0E E8 ?? ?? ?? 00 48 8D 7C 24 20 48 89 F9 E8 ?? ?? ?? ?? 48 8B 5E 08 48 8D 4B 18 E8 ?? ?? ?? ?? 48 C7 43 18 01 00 00 00 48 83 63 20 00 48 8B 46 08 48 89 07 48 8D 4C 24 20 E8 ?? ?? ?? ?? 90 48 83 C4 40 5B 5F 5E }
	condition:
		filesize > 500KB and filesize < 1100KB and (8 of ($a*) and 2 of ($b*)) and uint16(0) == 0x5a4d
}