SYMBOLCOMMON_NAMEaka. SYNONYMS
win.agendacrypt (Back to overview)

AgendaCrypt

aka: Agenda, Qilin
VTCollection    

Qilin ransomware has been active since at least 2022. Both Golang and Rustlang samples have been observed in use. Qilin is known to operate with a Ransomwareas-a-Service (Raas) model, with double extortion (decrypter + non-release of data) tactics observed.

References
2026-04-15Orange CyberdefenseAlexis Bonnefoi, Marine PICHON, Thomas Brossard
Smoking Out an Affiliate: SmokedHam, Qilin, a few Google ads and some bossware
AgendaCrypt SMOKEDHAM
2026-04-15Orange CyberdefenseAlexis Bonnefoi, Marine PICHON, Thomas Brossard
Smoking Out an Affiliate: SmokedHam, Qilin, a few Google Ads and some Bossware
Qilin AgendaCrypt SMOKEDHAM
2025-08-18Medium RaghavtiResearchBeGoodToAll
Qilin Ransomware-as-a-Service: Threat Analysis and Strategic Outlook
Qilin AgendaCrypt
2022-12-16TrendmicroDon Ovid Ladores, Ivan Nicole Chavez, Jeffrey Francis Bonaobra, Monte de Jesus, Nathaniel Gregory Ragasa, Nathaniel Morales
Agenda Ransomware Uses Rust to Target More Vital Industries
AgendaCrypt
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-08-25Trend MicroBahaa Yamany, Earle Maui Earnshaw, Jay Yaneza, Jeffrey Francis Bonaobra, Mohamed Fahmy, Nathaniel Gregory Ragasa
New Golang Ransomware Agenda Customizes Attacks
AgendaCrypt
2022-08-25Trend MicroBahaa Yamany, Earle Maui Earnshaw, Jay Yaneza, Jeffrey Francis Bonaobra, Mohamed Fahmy, Nathaniel Gregory Ragasa
New Golang Ransomware Agenda Customizes Attacks (IoCs)
AgendaCrypt
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
Yara Rules
[TLP:WHITE] win_agendacrypt_auto (20260504 | Detects win.agendacrypt.)
rule win_agendacrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.agendacrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1ef14 0fa4d001 81e7ff070000 25ffff1f00 83c6ff 81d3ffff0f00 897c2404 }
            // n = 7, score = 100
            //   c1ef14               | shr                 edi, 0x14
            //   0fa4d001             | shld                eax, edx, 1
            //   81e7ff070000         | and                 edi, 0x7ff
            //   25ffff1f00           | and                 eax, 0x1fffff
            //   83c6ff               | add                 esi, -1
            //   81d3ffff0f00         | adc                 ebx, 0xfffff
            //   897c2404             | mov                 dword ptr [esp + 4], edi

        $sequence_1 = { e8???????? 83c40c 8b45ec 8907 895f04 c7470801000000 837dbc00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8907                 | mov                 dword ptr [edi], eax
            //   895f04               | mov                 dword ptr [edi + 4], ebx
            //   c7470801000000       | mov                 dword ptr [edi + 8], 1
            //   837dbc00             | cmp                 dword ptr [ebp - 0x44], 0

        $sequence_2 = { eb2d 31c9 837d1000 894df0 0f852efdffff c745e000000000 8b45e8 }
            // n = 7, score = 100
            //   eb2d                 | jmp                 0x2f
            //   31c9                 | xor                 ecx, ecx
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   0f852efdffff         | jne                 0xfffffd34
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_3 = { 8d8c2490000000 0fb69c24d0000000 8b442468 8b74246c 0fa4c609 c1e009 8d3cdd00000000 }
            // n = 7, score = 100
            //   8d8c2490000000       | lea                 ecx, [esp + 0x90]
            //   0fb69c24d0000000     | movzx               ebx, byte ptr [esp + 0xd0]
            //   8b442468             | mov                 eax, dword ptr [esp + 0x68]
            //   8b74246c             | mov                 esi, dword ptr [esp + 0x6c]
            //   0fa4c609             | shld                esi, eax, 9
            //   c1e009               | shl                 eax, 9
            //   8d3cdd00000000       | lea                 edi, [ebx*8]

        $sequence_4 = { 895008 5d c3 55 89e5 8b4508 f20f100d???????? }
            // n = 7, score = 100
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   f20f100d????????     |                     

        $sequence_5 = { 8d4c3bff 39d1 0f83c4030000 8d47ff 8954240c 897c2414 89442428 }
            // n = 7, score = 100
            //   8d4c3bff             | lea                 ecx, [ebx + edi - 1]
            //   39d1                 | cmp                 ecx, edx
            //   0f83c4030000         | jae                 0x3ca
            //   8d47ff               | lea                 eax, [edi - 1]
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   89442428             | mov                 dword ptr [esp + 0x28], eax

        $sequence_6 = { c1e808 83f81f 7f1e 85c0 743d 83f816 0f85fe000000 }
            // n = 7, score = 100
            //   c1e808               | shr                 eax, 8
            //   83f81f               | cmp                 eax, 0x1f
            //   7f1e                 | jg                  0x20
            //   85c0                 | test                eax, eax
            //   743d                 | je                  0x3f
            //   83f816               | cmp                 eax, 0x16
            //   0f85fe000000         | jne                 0x104

        $sequence_7 = { ff30 e8???????? e9???????? 8b442434 f20f1044242c f20f1054241c f20f104c2424 }
            // n = 7, score = 100
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   f20f1044242c         | movsd               xmm0, qword ptr [esp + 0x2c]
            //   f20f1054241c         | movsd               xmm2, qword ptr [esp + 0x1c]
            //   f20f104c2424         | movsd               xmm1, qword ptr [esp + 0x24]

        $sequence_8 = { a1???????? ff75d0 6a00 ff30 e8???????? 83c438 5e }
            // n = 7, score = 100
            //   a1????????           |                     
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   6a00                 | push                0
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   83c438               | add                 esp, 0x38
            //   5e                   | pop                 esi

        $sequence_9 = { c745dca8935600 c745e001000000 c745e400000000 c745ec50675600 c745f000000000 68???????? 56 }
            // n = 7, score = 100
            //   c745dca8935600       | mov                 dword ptr [ebp - 0x24], 0x5693a8
            //   c745e001000000       | mov                 dword ptr [ebp - 0x20], 1
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745ec50675600       | mov                 dword ptr [ebp - 0x14], 0x566750
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   68????????           |                     
            //   56                   | push                esi

    condition:
        7 of them and filesize < 3340288
}
Download all Yara Rules