Kaspersky discovers new Ymir ransomware used together with RustyStealer | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Common Information
Type Value
UUID fa959d88-d11e-4ebd-8b14-4c865c108a67
Fingerprint b45438e329398608
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 11, 2024, 2:22 p.m.
Added to db Nov. 11, 2024, 4:15 p.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline Kaspersky discovers new Ymir ransomware used together with RustyStealer | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
Title Kaspersky discovers new Ymir ransomware used together with RustyStealer | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Detected Hints/Tags/Attributes 104/3/39
RSS Feed
Id Enabled Feed title Url Added to db
6 National Cyber Security Consulting http://nationalcybersecurity.com/feed/ 2024-08-30 22:08
Attributes
Type                     #Events  Value
Domain                   4127     github.com
File                     4        setup-qtox-x86_64-release.exe
File                     6        incident_report.pdf
File                     533      ntdll.dll
File                     25       cryptsp.dll
File                     12       rsaenh.dll
File                     52       bcrypt.dll
File                     82       kernelbase.dll
File                     1208     powershell.exe
File                     137      conhost.exe
File                     80       msvcrt.dll
File                     108      0.exe
File                     7        advanced_ip_scanner.exe
File                     7        39-setup.exe
MITRE ATT&CK Techniques  585      T1083
MITRE ATT&CK Techniques  1006     T1082
MITRE ATT&CK Techniques  460      T1059.001
MITRE ATT&CK Techniques  472      T1486
MITRE ATT&CK Techniques  57       T1497.003
MITRE ATT&CK Techniques  297      T1070.004
MITRE ATT&CK Techniques  433      T1057
MITRE ATT&CK Techniques  120      T1129
MITRE ATT&CK Techniques  627      T1027
Url                      4        https://github.com/qtox/qtox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
Windows Registry Key     98       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Yara rule                1
import "pe"

rule Ymir {
	meta:
		author = "Kaspersky  GERT"
		description = "Yara rule for detecting the Ymir ransomware."
		target_entity = "file"
	strings:
		$s1 = "powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path" ascii wide nocase
		$s2 = "setup-qtox-x86_64-release.exe" ascii wide nocase
		$s3 = "6C5oy2dVr6" ascii wide nocase
		$s4 = "INCIDENT_REPORT.pdf" ascii wide nocase
		$s5 = "D:20240831154833-06" ascii wide nocase
		$s6 = "ChaCha" ascii wide nocase
		$s7 = "x64dbg" ascii wide nocase
	condition:
		(3 of ($s*)) and pe.imports("msvcrt.dll", "memmove")
}