win.atomsilo (Back to overview)

ATOMSILO


Malpedia has no curated description for this family yet. What the references below establish from their titles alone: AtomSilo is a Windows ransomware family whose operators are described as practising double extortion (Zscaler, 2021-10); Sophos reported the actors obtaining access through a Confluence exploit and using DLL side-loading, with Cobalt Strike seen alongside the ransomware (2021-10); Avast published a decryptor covering AtomSilo and LockFile (2021-10); and Secureworks later placed it among the ransomware families deployed in BRONZE STARLIGHT operations that use HUI Loader (2022-06). Treat this as a summary of the cited titles, not an independent analysis.

References
2022-06-23SecureworksCounter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {{Counter Threat Unit Research Team}}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27Avast DecodedAvast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-10-15ZscalerRajdeepsinh Dodia
@online{dodia:20211015:atomsilo:81b4ff1, author = {Rajdeepsinh Dodia}, title = {{AtomSilo Ransomware Enters the League of Double Extortion}}, date = {2021-10-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion}, language = {English}, urldate = {2021-11-03} } AtomSilo Ransomware Enters the League of Double Extortion
ATOMSILO
2021-10-13Chuongdong blogChuong Dong
@online{dong:20211013:atomsilo:d3abf78, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-01-25} } AtomSilo Ransomware
ATOMSILO
2021-10-13Chuongdong blogChuong Dong
@online{dong:20211013:atomsilo:9d4ce80, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-02-02} } AtomSilo Ransomware
ATOMSILO
2021-10-04SophosSean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979, author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah}, title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}}, date = {2021-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/}, language = {English}, urldate = {2021-10-11} } Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike
2021-09-14Twitter (@siri_urz)S!Ri
@online{sri:20210914:atomsilo:7b746d4, author = {S!Ri}, title = {{Tweet on ATOMSILO ransomware}}, date = {2021-09-14}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1437664046556274694?s=20}, language = {English}, urldate = {2021-10-11} } Tweet on ATOMSILO ransomware
ATOMSILO
Yara Rules
[TLP:WHITE] win_atomsilo_auto (20221125 | Detects win.atomsilo.)
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): every $sequence_N below is REX-prefixed x86-64 code.
     * The per-line annotations that shipped with the generated rule were a
     * 32-bit decoding (0x48 rendered as "dec eax", etc.) and did not even line
     * up with the bytes printed next to them. They are replaced here with a
     * 64-bit decoding of exactly the bytes in each hex string; nothing in
     * the strings, meta or condition is changed.
     * "e8????????" masks the rel32 operand of a CALL, presumably so differing
     * call targets between builds do not break the match.
     * Per the disclaimer the sequences were taken from memory dumps / unpacked
     * files, so expect hits on unpacked payloads; a packed on-disk sample may
     * not match. The condition needs 7 of the 10 sequences plus the size cap.
     */


    strings:
        $sequence_0 = { 488d1569790900 488bcb e8???????? 488bd0 498bce e8???????? 90 }
            // n = 7, score = 100
            //   488d1569790900       | lea                 rdx, [rip + 0x97969]
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 masked>
            //   488bd0               | mov                 rdx, rax
            //   498bce               | mov                 rcx, r14
            //   e8????????           | call                <rel32 masked>
            //   90                   | nop                 

        $sequence_1 = { 4883c430 415f 415e 5f c3 4055 56 }
            // n = 7, score = 100
            // Apparently one function's epilogue followed by the next one's prologue.
            //   4883c430             | add                 rsp, 0x30
            //   415f                 | pop                 r15
            //   415e                 | pop                 r14
            //   5f                   | pop                 rdi
            //   c3                   | ret                 
            //   4055                 | push                rbp
            //   56                   | push                rsi

        $sequence_2 = { 41b9ffffffff 4533c0 33d2 488d4c2468 488b442468 ff5030 488b4590 }
            // n = 7, score = 100
            // Sets up r9d=-1, r8d=0, edx=0, rcx=&[rsp+0x68] and then calls
            // indirectly through the pointer at offset 0x30 of the object loaded
            // from [rsp+0x68] (function-table style call; target not recoverable here).
            //   41b9ffffffff         | mov                 r9d, 0xffffffff
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   488d4c2468           | lea                 rcx, [rsp + 0x68]
            //   488b442468           | mov                 rax, qword ptr [rsp + 0x68]
            //   ff5030               | call                qword ptr [rax + 0x30]
            //   488b4590             | mov                 rax, qword ptr [rbp - 0x70]

        $sequence_3 = { 498b7330 498be3 415e 5f 5d c3 4053 }
            // n = 7, score = 100
            //   498b7330             | mov                 rsi, qword ptr [r11 + 0x30]
            //   498be3               | mov                 rsp, r11
            //   415e                 | pop                 r14
            //   5f                   | pop                 rdi
            //   5d                   | pop                 rbp
            //   c3                   | ret                 
            //   4053                 | push                rbx

        $sequence_4 = { 7505 4d85e4 744f 48894c2448 4533c9 4889542450 488d4c2450 }
            // n = 7, score = 100
            //   7505                 | jne                 +0x5
            //   4d85e4               | test                r12, r12
            //   744f                 | je                  +0x4f
            //   48894c2448           | mov                 qword ptr [rsp + 0x48], rcx
            //   4533c9               | xor                 r9d, r9d
            //   4889542450           | mov                 qword ptr [rsp + 0x50], rdx
            //   488d4c2450           | lea                 rcx, [rsp + 0x50]

        $sequence_5 = { 4c13df 49f7e2 448bd7 4903c0 493bc0 498906 488b4678 }
            // n = 7, score = 100
            // adc / mul / add / cmp with carry handling is consistent with
            // multi-precision integer arithmetic -- plausible for asymmetric-key
            // code in a ransomware, but not established by anything on this page.
            //   4c13df               | adc                 r11, rdi
            //   49f7e2               | mul                 r10
            //   448bd7               | mov                 r10d, edi
            //   4903c0               | add                 rax, r8
            //   493bc0               | cmp                 rax, r8
            //   498906               | mov                 qword ptr [r14], rax
            //   488b4678             | mov                 rax, qword ptr [rsi + 0x78]

        $sequence_6 = { 448bc6 eb0b 418b4124 448bc0 89442408 418bc6 8d4f09 }
            // n = 7, score = 100
            //   448bc6               | mov                 r8d, esi
            //   eb0b                 | jmp                 +0xb
            //   418b4124             | mov                 eax, dword ptr [r9 + 0x24]
            //   448bc0               | mov                 r8d, eax
            //   89442408             | mov                 dword ptr [rsp + 8], eax
            //   418bc6               | mov                 eax, r14d
            //   8d4f09               | lea                 ecx, [rdi + 9]

        $sequence_7 = { 498bf0 4c8bf2 4c8be1 4c3bcb 7531 4c8b4828 4d3bc1 }
            // n = 7, score = 100
            // Saves the three register arguments (rcx, rdx, r8) into callee-saved
            // registers, a typical Win64 function entry.
            //   498bf0               | mov                 rsi, r8
            //   4c8bf2               | mov                 r14, rdx
            //   4c8be1               | mov                 r12, rcx
            //   4c3bcb               | cmp                 r9, rbx
            //   7531                 | jne                 +0x31
            //   4c8b4828             | mov                 r9, qword ptr [rax + 0x28]
            //   4d3bc1               | cmp                 r8, r9

        $sequence_8 = { 0f89e7000000 e8???????? 488bd0 498d8ee0feffff e8???????? 85c0 0f8ecb000000 }
            // n = 7, score = 100
            //   0f89e7000000         | jns                 +0xe7
            //   e8????????           | call                <rel32 masked>
            //   488bd0               | mov                 rdx, rax
            //   498d8ee0feffff       | lea                 rcx, [r14 - 0x120]
            //   e8????????           | call                <rel32 masked>
            //   85c0                 | test                eax, eax
            //   0f8ecb000000         | jle                 +0xcb

        $sequence_9 = { 8b4d9b d3e7 03fe 488d147f 48c1e204 480355af 488d4ddf }
            // n = 7, score = 100
            // rdx = edi * 3 * 16 = edi * 48, then a base from the frame is added:
            // looks like indexing into an array of 48-byte records.
            //   8b4d9b               | mov                 ecx, dword ptr [rbp - 0x65]
            //   d3e7                 | shl                 edi, cl
            //   03fe                 | add                 edi, esi
            //   488d147f             | lea                 rdx, [rdi + rdi*2]
            //   48c1e204             | shl                 rdx, 4
            //   480355af             | add                 rdx, qword ptr [rbp - 0x51]
            //   488d4ddf             | lea                 rcx, [rbp - 0x21]

    condition:
        7 of them and filesize < 1785856
}