ioc[.]one - OSINT Cyber Threat Intelligence Database

YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Credentials - T1589.001 Ip Addresses - T1590.005 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Software - T1592.002 Vulnerabilities - T1588.006 Powershell - T1086

Show in Graph

Common Information

Type	Value
UUID	bfc59835-9ce3-49b9-9b91-ed04b6ad01e9
Fingerprint	a633081846b396cb
Analysis status	DONE
Considered CTI value	2
Text language
Published	June 2, 2022, midnight
Added to db	Feb. 17, 2023, 9:52 p.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline	YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation
Title	YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation
Detected Hints/Tags/Attributes	74/2/101

Source URLs

	Redirection	Url
Details	Source	https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_hk/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_nl/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_th/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_id/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_ae/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_no/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_be/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_gb/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Details	Source	https://www.trendmicro.com/en_fi/research/22/f/yourcyanide-a-cmd-based-ransomware.html

URL Provider

Details	Provider	Source level domain
Details	trendmicro.com	www.trendmicro.com

Attributes

Details	Type	#Events	Value
Details	Domain	358	pastebin.com
Details	Domain	3	hacktool.win32.nirsoftpt.sm
Details	File	2	yourcyanide.exe
Details	File	1208	powershell.exe
Details	File	2	'yourcyanide.exe
Details	File	14	advpack.dll
Details	File	3	%systemdrive%\autoexec.bat
Details	File	2	black.bat
Details	File	291	user32.dll
Details	File	2	ycynnote.txt
Details	File	2	other.txt
Details	File	58	win.ini
Details	File	29	system.ini
Details	File	3	mail.vbs
Details	File	2	loveletter.vbs
Details	File	2	gettoken.exe
Details	File	2	mytokens.txt
Details	File	3	userdata.txt
Details	File	10	tokens.txt
Details	File	2	forme.txt
Details	File	13	passwords.exe
Details	File	2	gonnacope.bat
Details	File	48	trojan.bat
Details	File	73	trojan.msi
Details	File	25	ransom.msi
Details	File	18	trojanspy.msi
Details	File	10	worm.vbs
Details	File	3	msg.vbs
Details	File	3	pua.vbs
Details	File	3	msgbox.vbs
Details	File	2	nokeyboard.reg
Details	File	367	readme.txt
Details	File	3	downloader.vbs
Details	File	20	trojan.vbs
Details	File	2	ransom.bat
Details	File	2	trojanspy.bat
Details	File	5	ransom.html
Details	File	2	kekpopdicord.exe
Details	File	38	trojan.ps1
Details	File	2	forme.exe
Details	File	33	read_me.txt
Details	sha256	2	ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968
Details	sha256	2	0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122
Details	sha256	1	f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3
Details	sha256	2	2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280
Details	sha256	2	7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7
Details	sha256	2	7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374
Details	sha256	1	26bde18048c32f6612d8d76b8696b2ce59db227913dccd51f696b51640ee11e9
Details	sha256	2	ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a
Details	sha256	2	d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54
Details	sha256	2	a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e
Details	sha256	1	9c39b7535b527df3b70800562bad98dc2e046de321fe3914dab896eda753cf38
Details	sha256	2	45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083
Details	sha256	2	c8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262
Details	sha256	1	296ba1469d072c37c6361fe80ba396a92f6461b9562103a3b5a20841d0757722
Details	sha256	2	bfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f
Details	sha256	2	f8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d
Details	sha256	2	1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54
Details	sha256	2	d2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56
Details	sha256	2	9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75
Details	sha256	2	7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b
Details	sha256	2	53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56
Details	sha256	1	6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983
Details	sha256	2	e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913
Details	sha256	2	3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259
Details	sha256	1	23269070507a70c34a4e219f9be19943211ed38eec4a9ce2b3a49bf76676a5e3
Details	sha256	2	e0946a55e9cbdb3485f154f72994bad765b74ba280a2149485af113503b7dc78
Details	sha256	2	602533e3c67a248e4dc152fa266a372dd2b2d82ff68fdc17c1591ecc429147bc
Details	sha256	2	07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85
Details	sha256	2	f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416
Details	sha256	2	080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868
Details	sha256	2	56622656231060b6401dcea515953d517fd9212b8de66c33c4847840aa958c83
Details	sha256	2	31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad
Details	sha256	2	9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe
Details	sha256	2	c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50
Details	sha256	2	f9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649
Details	sha256	2	8249d6e886a97aec60d35d360773e76c6630d822817dabe1c7674a0b51965669
Details	sha256	2	d51538d8da12af8ae36f95b645e76218e4fd61ab433504a3900c14942160446c
Details	sha256	2	6a645f72acf1d6c906e8c844e4e8b3fc92c411bf69937cfe7069df2cc51b8a4e
Details	sha256	1	2f2fac2c91268a9b31401633b63a374242e46919dc21106466c6c05bab3ce3f8
Details	sha256	1	a180c31666788fb6a7da421a743bb1c487099297ec06f2bdd841f342021f3763
Details	sha256	2	b43d1af1abeef8b552f0b362b2162c3a940a843f5474518c665e145b3aa01ace
Details	sha256	2	6e33a2c56b7b32be8e99a15920cf179b4e7aa62eaef8496ace67261543569c25
Details	sha256	1	6ab0e2e13c32b18b06b9b93b1fe607a7e04a5c0ba09816c36fba1573a47ded91
Details	sha256	1	f8860ce270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323
Details	sha256	2	8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402
Details	sha256	2	67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf
Details	sha256	2	a3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c
Details	sha256	2	0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2
Details	sha256	2	298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c
Details	sha256	1	4e455d4b353c7cce0155ce1050afc30d064fd93c57bc6428eb3cd988ecd855f0
Details	sha256	1	a4c3412ac96061561c6cf05a259dd14e5151fe66eee115ff154d6a0366ba1a12
Details	sha256	2	316403043e4135474637c0e3f958e72015a08242dc2712f7635012e253cb81b2
Details	sha256	1	6a95f52d228316f9b48618a1c728e1c47ec71843e5b4cfb76ab3ef86dcd8cf8c
Details	sha256	1	77fd8fba88236d5f55bbb12dbaaa69ee7673397d8606c0c67b22ce523af818cd
Details	sha256	2	40b923db9c5da6b3bfe345139c42a71e2fd124de6a2808f8cec2a979a044f191
Details	sha256	2	b0f7c2021c00a1d495f408295d161befa3faceab02d9c4047cee4904db6c1272
Details	Url	2	https://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/yourcyanide.exe
Details	Url	2	https://pastebin.com/raw/2k5m42xp.
Details	Windows Registry Key	6	HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Details	Windows Registry Key	48	HKLM\Software\Microsoft\Windows\CurrentVersion\Run