win.atomsilo

ATOMSILO


No curated description has been assigned to this family yet. What the references listed below establish: ATOMSILO (also written AtomSilo / Atom Silo) is a Windows ransomware family first referenced here in September 2021. The cited reporting describes a double-extortion model (Zscaler), an intrusion chain that used a Confluence exploit, DLL side-loading and Cobalt Strike (Sophos), a decryptor released by Avast for AtomSilo and LockFile (October 2021), and later reporting that places AtomSilo among the ransomware families used in BRONZE STARLIGHT operations alongside HUI Loader, LockFile, NightSky, Pandora and Rook (Secureworks). Details beyond those titles should be taken from the linked reports themselves.

References
2022-06-23 — Secureworks — Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-06-27} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora Rook
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-03-17 — Sophos — Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27 — Avast Decoded — Avast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-10-15 — Zscaler — Rajdeepsinh Dodia
@online{dodia:20211015:atomsilo:81b4ff1, author = {Rajdeepsinh Dodia}, title = {{AtomSilo Ransomware Enters the League of Double Extortion}}, date = {2021-10-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion}, language = {English}, urldate = {2021-11-03} } AtomSilo Ransomware Enters the League of Double Extortion
ATOMSILO
2021-10-13 — Chuongdong blog — Chuong Dong
@online{dong:20211013:atomsilo:9d4ce80, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-02-02} } AtomSilo Ransomware
ATOMSILO
2021-10-13 — Chuongdong blog — Chuong Dong (same post as the entry above; the two entries differ only in the recorded URL and urldate)
@online{dong:20211013:atomsilo:d3abf78, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-01-25} } AtomSilo Ransomware
ATOMSILO
2021-10-04 — Sophos — Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979, author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah}, title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}}, date = {2021-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/}, language = {English}, urldate = {2021-10-11} } Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike
2021-09-14 — Twitter (@siri_urz) — S!Ri
@online{sri:20210914:atomsilo:7b746d4, author = {S!Ri}, title = {{Tweet on ATOMSILO ransomware}}, date = {2021-09-14}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1437664046556274694?s=20}, language = {English}, urldate = {2021-10-11} } Tweet on ATOMSILO ransomware
ATOMSILO
Yara Rules
[TLP:WHITE] win_atomsilo_auto (20220516 | Detects win.atomsilo.)
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): only the hex byte sequences are matched by YARA; the
     * per-line annotations below are informational. They are given here as an
     * x86-64 decode of the listed bytes (the REX prefixes 48/49/4c/4d/41 and
     * RIP-relative LEAs show this is 64-bit code), replacing the original
     * auto-generated annotations, which did not correspond to the bytes on the
     * same line. Call targets (e8 ????????) are wildcarded because they are
     * relocation-dependent. Because the sequences were taken from unpacked
     * files and memory dumps, expect matches on unpacked code or memory rather
     * than on packed on-disk samples.
     */


    strings:
        // Stack-buffer setup around two calls, then a RIP-relative data reference.
        $sequence_0 = { 488d4c2438 e8???????? 90 488d542438 488d4c2460 e8???????? 488d154ca30800 }
            // n = 7, score = 100
            //   488d4c2438           | lea                 rcx, [rsp + 0x38]
            //   e8????????           | call                <wildcarded>
            //   90                   | nop
            //   488d542438           | lea                 rdx, [rsp + 0x38]
            //   488d4c2460           | lea                 rcx, [rsp + 0x60]
            //   e8????????           | call                <wildcarded>
            //   488d154ca30800       | lea                 rdx, [rip + 0x8a34c]

        // Argument marshalling (rcx/rdx/r8/r9) between two calls — Win64 calling convention.
        $sequence_1 = { e8???????? 4889b42488000000 4d8bcc 4c8b4308 498bd5 488bcb e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                <wildcarded>
            //   4889b42488000000     | mov                 qword ptr [rsp + 0x88], rsi
            //   4d8bcc               | mov                 r9, r12
            //   4c8b4308             | mov                 r8, qword ptr [rbx + 8]
            //   498bd5               | mov                 rdx, r13
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <wildcarded>

        // 32-bit bit-twiddling on ebx (no REX prefixes); purpose not evident from the bytes alone.
        $sequence_2 = { bb30000000 eb0d 8bd9 f7d3 83e320 83cb41 83eb0a }
            // n = 7, score = 100
            //   bb30000000           | mov                 ebx, 0x30
            //   eb0d                 | jmp                 short +0xd
            //   8bd9                 | mov                 ebx, ecx
            //   f7d3                 | not                 ebx
            //   83e320               | and                 ebx, 0x20
            //   83cb41               | or                  ebx, 0x41
            //   83eb0a               | sub                 ebx, 0xa

        // Conditional move, null check on a stack-loaded pointer, then a dereference.
        $sequence_3 = { 480f43ca 4c8b442478 4d85c0 7413 498bf8 33c0 488b09 }
            // n = 7, score = 100
            //   480f43ca             | cmovae              rcx, rdx
            //   4c8b442478           | mov                 r8, qword ptr [rsp + 0x78]
            //   4d85c0               | test                r8, r8
            //   7413                 | je                  short +0x13
            //   498bf8               | mov                 rdi, r8
            //   33c0                 | xor                 eax, eax
            //   488b09               | mov                 rcx, qword ptr [rcx]

        // Indirect call through a vtable-style slot ([rax+8]) on the object in r12, with RIP-relative arguments.
        $sequence_4 = { 0f89b00a0000 498b0424 4c8d4c243c 4c8d05ff120a00 488d1540780600 498bcc ff5008 }
            // n = 7, score = 100
            //   0f89b00a0000         | jns                 +0xab0
            //   498b0424             | mov                 rax, qword ptr [r12]
            //   4c8d4c243c           | lea                 r9, [rsp + 0x3c]
            //   4c8d05ff120a00       | lea                 r8, [rip + 0xa12ff]
            //   488d1540780600       | lea                 rdx, [rip + 0x67840]
            //   498bcc               | mov                 rcx, r12
            //   ff5008               | call                qword ptr [rax + 8]

        // Hash-round arithmetic: the immediate 0x5a827999 is the SHA-1 round-1 constant,
        // and rol 5 / ror 2 (= rol 30) are the SHA-1 rotations — consistent with an inlined SHA-1.
        $sequence_5 = { 4123c8 4133cb 895c2420 81c39979825a 41c1c802 8bc2 c1c005 }
            // n = 7, score = 100
            //   4123c8               | and                 ecx, r8d
            //   4133cb               | xor                 ecx, r11d
            //   895c2420             | mov                 dword ptr [rsp + 0x20], ebx
            //   81c39979825a         | add                 ebx, 0x5a827999
            //   41c1c802             | ror                 r8d, 2
            //   8bc2                 | mov                 eax, edx
            //   c1c005               | rol                 eax, 5

        // Call followed by a compare of two frame-local qwords (rbp-based frame).
        $sequence_6 = { 488bca e8???????? 90 488b4d98 488b4590 483bc1 }
            // n = 6, score = 100
            //   488bca               | mov                 rcx, rdx
            //   e8????????           | call                <wildcarded>
            //   90                   | nop
            //   488b4d98             | mov                 rcx, qword ptr [rbp - 0x68]
            //   488b4590             | mov                 rax, qword ptr [rbp - 0x70]
            //   483bc1               | cmp                 rax, rcx

        // Same indirect-call shape as $sequence_4 (call [rax+8]), then a bounds check on an out-parameter.
        $sequence_7 = { 4c8d4c2420 4c8d0504e40900 488d1525dd0500 488bcf ff5008 837c242010 0f8cc8080000 }
            // n = 7, score = 100
            //   4c8d4c2420           | lea                 r9, [rsp + 0x20]
            //   4c8d0504e40900       | lea                 r8, [rip + 0x9e404]
            //   488d1525dd0500       | lea                 rdx, [rip + 0x5dd25]
            //   488bcf               | mov                 rcx, rdi
            //   ff5008               | call                qword ptr [rax + 8]
            //   837c242010           | cmp                 dword ptr [rsp + 0x20], 0x10
            //   0f8cc8080000         | jl                  +0x8c8

        // Frame spills, a 10-byte alignment NOP, then an unaligned 16-byte SSE load (loop head).
        $sequence_8 = { 8955a3 4c03e0 48894da7 4c896577 440fb66567 66660f1f840000000000 f30f6f13 }
            // n = 7, score = 100
            //   8955a3               | mov                 dword ptr [rbp - 0x5d], edx
            //   4c03e0               | add                 r12, rax
            //   48894da7             | mov                 qword ptr [rbp - 0x59], rcx
            //   4c896577             | mov                 qword ptr [rbp + 0x77], r12
            //   440fb66567           | movzx               r12d, byte ptr [rbp + 0x67]
            //   66660f1f840000000000     | nop             word ptr [rax + rax*1 + 0]
            //   f30f6f13             | movdqu              xmm2, xmmword ptr [rbx]

        // adc / mul / carry-propagation chain — consistent with multi-precision (big-integer) arithmetic.
        $sequence_9 = { 488b4678 4813d7 4c03d2 4c3bd2 4c13cf 48f76350 498d0c02 }
            // n = 7, score = 100
            //   488b4678             | mov                 rax, qword ptr [rsi + 0x78]
            //   4813d7               | adc                 rdx, rdi
            //   4c03d2               | add                 r10, rdx
            //   4c3bd2               | cmp                 r10, rdx
            //   4c13cf               | adc                 r9, rdi
            //   48f76350             | mul                 qword ptr [rbx + 0x50]
            //   498d0c02             | lea                 rcx, [r10 + rax*1]

    condition:
        // At least 7 of the 10 sequences must be present; the size bound (~1.7 MiB) limits
        // scanning cost and reflects the size of the documented (unpacked) sample.
        7 of them and filesize < 1785856
}