ioc[.]one - OSINT Cyber Threat Intelligence Database

Kaspersky discovers new Ymir ransomware used together with RustyStealer

Tags

cmtmf-attack-pattern:	Command And Scripting Interpreter Obfuscated Files Or Information
country:	Angola Australia Central African Republic Colombia Republic Of The Congo Pakistan Ukraine
attack-pattern:	Data Command And Scripting Interpreter - T1623 Credentials - T1589.001 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 File And Directory Discovery - T1420 File Deletion - T1070.004 File Deletion - T1630.002 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Process Discovery - T1424 System Information Discovery - T1426 Powershell - T1059.001 Software - T1592.002 Virtualization/Sandbox Evasion - T1497 Time Based Evasion - T1497.003 Virtualization/Sandbox Evasion - T1633 Command-Line Interface - T1059 Connection Proxy - T1090 Execution Through Module Load - T1129 File And Directory Discovery - T1083 File Deletion - T1107 Indicator Removal On Host - T1070 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Discovery - T1057 System Information Discovery - T1082

Show in Graph

Common Information

Type	Value
UUID	c9ee5788-ed03-43f0-8987-27b184f09b43
Fingerprint	b41438e329390608
Analysis status	DONE
Considered CTI value	2
Text language
Published	Nov. 11, 2024, 10 a.m.
Added to db	Nov. 11, 2024, 11:15 a.m.
Last updated	Nov. 17, 2024, 7:44 p.m.
Headline	Ymir: new stealthy ransomware in the wild
Title	Kaspersky discovers new Ymir ransomware used together with RustyStealer
Detected Hints/Tags/Attributes	108/3/47

Source URLs

	Redirection	Url
Details	Source	https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/

URL Provider

Details	Provider	Source level domain
Details	securelist.com	securelist.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	223	✔	Securelist	https://securelist.com/feed/	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	4127	github.com
Details	Domain	3	trojan.msil.dnoper.sb
Details	File	4	setup-qtox-x86_64-release.exe
Details	File	6	incident_report.pdf
Details	File	533	ntdll.dll
Details	File	25	cryptsp.dll
Details	File	12	rsaenh.dll
Details	File	52	bcrypt.dll
Details	File	82	kernelbase.dll
Details	File	1208	powershell.exe
Details	File	137	conhost.exe
Details	File	80	msvcrt.dll
Details	File	108	0.exe
Details	File	18	1.ps1
Details	File	73	trojan.msi
Details	File	7	advanced_ip_scanner.exe
Details	File	7	39-setup.exe
Details	md5	3	12acbb05741a218a1c83eaa1cfc2401f
Details	md5	5	5ee1befc69d120976a60a97d3254e9eb
Details	md5	5	5384d704fadf229d08eab696404cbba6
Details	md5	5	39df773139f505657d11749804953be5
Details	sha1	5	3648359ebae8ce7cacae1e631103659f5a8c630e
Details	sha1	3	e6c4d3e360a705e272ae0b505e58e3d928fb1387
Details	sha1	2	8287d54c83db03b8adcdf1409f5d1c9abb1693ac
Details	sha1	5	fe6de75d6042de714c28c0a3c0816b37e0fa4bb3
Details	sha1	5	f954d1b1d13a5e4f62f108c9965707a2aa2a3c89
Details	sha256	3	cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8
Details	sha256	5	8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
Details	sha256	5	51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03
Details	sha256	5	b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
Details	IPv4	5	74.50.84.181
Details	IPv4	5	94.158.244.69
Details	IPv4	5	85.239.61.60
Details	IPv4	5	5.255.117.134
Details	MITRE ATT&CK Techniques	585	T1083
Details	MITRE ATT&CK Techniques	1006	T1082
Details	MITRE ATT&CK Techniques	460	T1059.001
Details	MITRE ATT&CK Techniques	472	T1486
Details	MITRE ATT&CK Techniques	57	T1497.003
Details	MITRE ATT&CK Techniques	297	T1070.004
Details	MITRE ATT&CK Techniques	433	T1057
Details	MITRE ATT&CK Techniques	120	T1129
Details	MITRE ATT&CK Techniques	627	T1027
Details	Url	4	https://github.com/qtox/qtox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
Details	Windows Registry Key	188	HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Details	Windows Registry Key	98	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Details	Yara rule	3	import "pe" rule Ymir { meta: author = "Kaspersky - GERT" description = "Yara rule for detecting the Ymir ransomware." target_entity = "file" strings: $s1 = "powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path" ascii wide nocase $s2 = "setup-qtox-x86_64-release.exe" ascii wide nocase $s3 = "6C5oy2dVr6" ascii wide nocase $s4 = "INCIDENT_REPORT.pdf" ascii wide nocase $s5 = "D:20240831154833-06" ascii wide nocase $s6 = "ChaCha" ascii wide nocase $s7 = "x64dbg" ascii wide nocase condition: (3 of ($s*)) and pe.imports("msvcrt.dll", "memmove") }