Qilin Ransomware malware analysis — ShadowStackRE
Common Information
Type                             Value
UUID                             fa255f6b-4bfc-44ad-8bea-5999c844aba9
Fingerprint                      be1cf83137210f09
Analysis status                  DONE
Considered CTI value             2
Text language
Published                        Dec. 6, 2024, midnight
Added to db                      Aug. 31, 2024, 10:57 a.m.
Last updated                     Nov. 12, 2024, 11:50 a.m.
Headline                         Qilin Ransomware
Title                            Qilin Ransomware malware analysis — ShadowStackRE
Detected Hints/Tags/Attributes   47/1/8
Attributes
Type        #Events   CTI Value
Domain      39        kb.vmware.com
Domain      10        shadowstackre.com
Domain      18        opensource.org
md5         1         417ad60624345ef85e648038e18902ab
sha256      1         555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4
Url         1         https://kb.vmware.com/s/article/2052302
Url         10        https://opensource.org/license/mit
Yara rule   1         (rule text follows)
rule QilinRansomware {
	meta:
		description = "rule to detect Qilin Ransomware"
		author = "ShadowStackRe.com"
		date = "2023-12-06"
		Rule_Version = "v1"
		malware_type = "ransomware"
		malware_family = "Qilin"
		License = "MIT License, https://opensource.org/license/mit/"
	strings:
		// Message-of-the-day path referenced by the Linux/ESXi build
		$strMotd = "/etc/motd"
		// Interactive confirmation prompt shown before encryption starts
		$strEncryptQuestion = "Are you sure to start encryption"
		// Header of the embedded configuration dump
		$strConfigStart = "--- Configuration start ---"
		// ESXi command-line tool; ties the sample to the hypervisor-targeting variant
		$strEsxiUsage = "esxcli"
		// Error text emitted by the encryption loop
		$strEncryptRenameFail = "Failed to rename encrypted file to"
		$strStartJob = "Started job..."
		// Progress output: ANSI CSI sequence ESC[<n>G (cursor to column n) followed by
		// "100%"; the doubled "%%" is how the binary's printf-style format spells one
		// percent sign. YARA only interprets \xNN here, the rest is matched literally.
		$strBug = "\x1B[%uG 100%%"
	condition:
		// All seven plain (case-sensitive) text strings must be present, so a build that
		// drops, re-cases or rewords any one of them will not fire this rule
		all of them
}
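The rule above is the page's only detection logic, so as an added example (written here, not ShadowStackRE's code) the following script re-implements just enough of YARA to show what that rule does and does not match: it parses the rule's `strings:` section, decodes YARA text-string escapes (so `\x1B` becomes byte 0x1B and `%%` stays two literal percent signs), applies the `all of them` condition, and compares a buffer's md5/sha256 against the hash IOCs listed in the attributes. The two sample buffers are constructed stand-ins for a binary's string table, not real Qilin bytes; the second re-cases one string to show that the rule's plain text strings are case-sensitive.

```python
"""Evaluate the Qilin YARA rule's strings without the yara library (added example)."""
import hashlib
import re

# The strings section of the page's rule, copied verbatim.
QILIN_RULE_STRINGS = r'''
    $strMotd = "/etc/motd"
    $strEncryptQuestion = "Are you sure to start encryption"
    $strConfigStart = "--- Configuration start ---"
    $strEsxiUsage = "esxcli"
    $strEncryptRenameFail = "Failed to rename encrypted file to"
    $strStartJob = "Started job..."
    $strBug = "\x1B[%uG 100%%"
'''

# Hash IOCs listed in the page's attribute table.
IOC_MD5 = "417ad60624345ef85e648038e18902ab"
IOC_SHA256 = "555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4"

_SIMPLE_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "\\": b"\\", '"': b'"'}


def decode_yara_text(literal: str) -> bytes:
    """Decode a YARA text-string body: \\xNN, \\n, \\t, \\r, \\\\ and \\" only.

    Nothing else is interpreted, so "%%" is matched as two percent signs.
    """
    out = bytearray()
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
            continue
        nxt = literal[i + 1]
        if nxt == "x":
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        else:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
    return bytes(out)


def parse_strings(section: str) -> dict:
    """Map each $identifier in a YARA strings section to its decoded bytes."""
    pattern = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
    return {name: decode_yara_text(body) for name, body in pattern.findall(section)}


def evaluate_all_of_them(strings: dict, data: bytes):
    """The rule's condition: every string must occur (case-sensitive, no `nocase`).

    Returns (matched, set of identifiers that were found).
    """
    hits = {name for name, needle in strings.items() if needle in data}
    return len(hits) == len(strings), hits


def hash_ioc_hit(data: bytes) -> bool:
    """True only for the exact file the page's md5/sha256 IOCs describe."""
    return (hashlib.md5(data).hexdigest() == IOC_MD5
            or hashlib.sha256(data).hexdigest() == IOC_SHA256)


# Constructed stand-in for a binary's NUL-separated string table (not Qilin bytes).
FULL_SAMPLE = (
    b"\x7fELF\x00padding\x00"
    b"/etc/motd\x00"
    b"Are you sure to start encryption? [y/N]\x00"
    b"--- Configuration start ---\x00"
    b"esxcli vm process list\x00"
    b"Failed to rename encrypted file to %s\x00"
    b"Started job...\x00"
    b"\x1b[%uG 100%%\x00"
)
# Same buffer with one string re-cased: the case-sensitive `esxcli` no longer hits.
RECASED_SAMPLE = FULL_SAMPLE.replace(b"esxcli", b"ESXCLI")


def scan(data: bytes) -> dict:
    """Summarise one buffer: rule verdict, which strings were missing, hash IOC hit."""
    strings = parse_strings(QILIN_RULE_STRINGS)
    matched, hits = evaluate_all_of_them(strings, data)
    return {"yara_match": matched,
            "missing": sorted(set(strings) - hits),
            "hash_ioc": hash_ioc_hit(data)}


if __name__ == "__main__":
    for label, buf in (("full", FULL_SAMPLE), ("recased", RECASED_SAMPLE)):
        print(label, scan(buf))
```

With the real engine the same check is `yara.compile(source=rule_text).match(data=buf)` from yara-python; the point the toy evaluator makes is that the hash IOCs only catch the one listed file, while the string rule generalises to other builds but, because of `all of them` and the absence of `nocase`, misses any build in which a single string is dropped or re-cased.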