win.atomsilo

ATOMSILO


There is no description at this point.

References
2022-06-23 — Secureworks — Counter Threat Unit ResearchTeam
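@online{researchteam:20220623:bronze:8bccd74,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{BRONZE STARLIGHT} Ransomware Operations Use {HUI} Loader},
  date         = {2022-06-23},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
  language     = {English},
  urldate      = {2022-09-20},
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader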
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
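@online{team:20220509:ransomwareasaservice:13ec472,
  author       = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself},
  date         = {2022-05-09},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
  language     = {English},
  urldate      = {2022-05-17},
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself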
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17 — Sophos — Tilly Travers
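@online{travers:20220317:ransomware:df38f2f,
  author       = {Travers, Tilly},
  title        = {The {Ransomware Threat Intelligence Center}},
  date         = {2022-03-17},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/},
  language     = {English},
  urldate      = {2022-03-18},
}
The Ransomware Threat Intelligence Center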
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27 — Avast Decoded — Avast
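@online{avast:20211027:avast:6b44ea1,
  author       = {{Avast}},
  title        = {{Avast} releases decryptor for {AtomSilo} and {LockFile} ransomware},
  date         = {2021-10-27},
  organization = {Avast Decoded},
  url          = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/},
  language     = {English},
  urldate      = {2021-11-08},
}
Avast releases decryptor for AtomSilo and LockFile ransomware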
ATOMSILO LockFile
2021-10-15 — Zscaler — Rajdeepsinh Dodia
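@online{dodia:20211015:atomsilo:81b4ff1,
  author       = {Dodia, Rajdeepsinh},
  title        = {{AtomSilo} Ransomware Enters the League of Double Extortion},
  date         = {2021-10-15},
  organization = {Zscaler},
  url          = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion},
  language     = {English},
  urldate      = {2021-11-03},
}
AtomSilo Ransomware Enters the League of Double Extortion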
ATOMSILO
2021-10-13 — Chuongdong blog — Chuong Dong
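@online{dong:20211013:atomsilo:d3abf78,
  author       = {Dong, Chuong},
  title        = {{AtomSilo} Ransomware},
  date         = {2021-10-13},
  organization = {Chuongdong blog},
  url          = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/},
  language     = {English},
  urldate      = {2022-01-25},
}
AtomSilo Ransomware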
ATOMSILO
2021-10-13 — Chuongdong blog — Chuong Dong
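@online{dong:20211013:atomsilo:9d4ce80,
  author        = {Dong, Chuong},
  title         = {{AtomSilo} Ransomware},
  date          = {2021-10-13},
  organization  = {Chuongdong blog},
  url           = {https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/},
  language      = {English},
  urldate       = {2022-02-02},
  internal-note = {Duplicate of dong:20211013:atomsilo:d3abf78 (same article; the url differs only by a doubled slash after the host). Cite one key, not both.},
}
AtomSilo Ransomware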
ATOMSILO
2021-10-04 — Sophos — Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
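@online{gallagher:20211004:atom:782b979,
  author       = {Gallagher, Sean and Singh, Vikas and Diriczi, Krisztián and Katiyar, Kajal and Ghorpade, Chaitanya and Shah, Rahil},
  title        = {{Atom Silo} ransomware actors use {Confluence} exploit, {DLL} side-load for stealthy attack},
  date         = {2021-10-04},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/},
  language     = {English},
  urldate      = {2021-10-11},
}
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack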
ATOMSILO Cobalt Strike
2021-09-14 — Twitter (@siri_urz) — S!Ri
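@online{sri:20210914:atomsilo:7b746d4,
  author       = {{S!Ri}},
  title        = {Tweet on {ATOMSILO} ransomware},
  date         = {2021-09-14},
  organization = {Twitter (@siri\_urz)},
  url          = {https://twitter.com/siri_urz/status/1437664046556274694?s=20},
  language     = {English},
  urldate      = {2021-10-11},
}
Tweet on ATOMSILO ransomware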
ATOMSILO
Yara Rules
[TLP:WHITE] win_atomsilo_auto (20230125 | Detects win.atomsilo.)
// Auto-generated YARA-Signator rule for the Malpedia family win.atomsilo (AtomSilo ransomware).
// All matching logic lives in the $sequence_N byte patterns and the condition below; the
// meta block is provenance only (author, tool, Malpedia reference/hash/licence) and is not
// evaluated by YARA.
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw instruction bytes lifted from one sample. The
        // "??" wildcards mask the four relative-displacement bytes that follow an e8 (call)
        // opcode, since those vary with code layout; everything else must match exactly.
        //
        // NOTE(review): the "| mnemonic" annotations beside the bytes do not decode the
        // bytes on the same line (e.g. 0x57 is push rdi in 64-bit code, not "mov ebp, edx",
        // and the 0x48 REX.W prefixes appear as "dec eax"). They look like a generator
        // artefact and carry no matching weight — only the hex on the $sequence_N line is
        // what YARA evaluates. Use the hex, not the annotations, when reviewing coverage.
        $sequence_0 = { f348ab 488bca e8???????? 90 488d4d20 e8???????? 488bc6 }
            // n = 7, score = 100
            //   f348ab               | dec                 eax
            //   488bca               | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488d4d20             | mov                 edx, dword ptr [esp + 0x40]
            //   e8????????           |                     
            //   488bc6               | dec                 esp

        $sequence_1 = { 57 4156 4157 488d6c24d0 4881ec30010000 48c7442438feffffff 48899c2470010000 }
            // n = 7, score = 100
            //   57                   | mov                 ebp, edx
            //   4156                 | dec                 esp
            //   4157                 | mov                 esi, ecx
            //   488d6c24d0           | dec                 eax
            //   4881ec30010000       | lea                 eax, [0x33e12]
            //   48c7442438feffffff     | dec    eax
            //   48899c2470010000     | mov                 dword ptr [ecx], eax

        $sequence_2 = { e8???????? 90 b9c0010000 bab8010000 488b83c0010000 483983b8010000 0f42ca }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   b9c0010000           | lea                 edx, [0x22e40]
            //   bab8010000           | vsubsd              xmm4, xmm1, xmm2
            //   488b83c0010000       | les                 eax, ptr [ecx - 0x3ef3a6a5]
            //   483983b8010000       | vmovapd             xmm5, xmm1
            //   0f42ca               | dec                 esp

        $sequence_3 = { 4e8b5401f8 4d85d2 4e897439f8 4d8937 440f44e8 4b8d0c2f 493bc8 }
            // n = 7, score = 100
            //   4e8b5401f8           | mov                 ebx, eax
            //   4d85d2               | dec                 eax
            //   4e897439f8           | mov                 dword ptr [ecx + 8], ebx
            //   4d8937               | dec                 ecx
            //   440f44e8             | mov                 ecx, eax
            //   4b8d0c2f             | dec                 esp
            //   493bc8               | mov                 esi, dword ptr [esp + 0x88]

        $sequence_4 = { ff5008 0fb6e8 488b542440 4883fa10 7232 48ffc2 488b4c2428 }
            // n = 7, score = 100
            //   ff5008               | test                eax, eax
            //   0fb6e8               | nop                 
            //   488b542440           | dec                 eax
            //   4883fa10             | mov                 ecx, dword ptr [ebp + 0x30]
            //   7232                 | dec                 eax
            //   48ffc2               | cmp                 dword ptr [ebp + 0x28], ecx
            //   488b4c2428           | dec                 eax

        $sequence_5 = { 4c8d34cd00000000 488b4b08 4a833c3100 7516 b910000000 e8???????? 488b4b08 }
            // n = 7, score = 100
            //   4c8d34cd00000000     | cmp                 edx, eax
            //   488b4b08             | dec                 esp
            //   4a833c3100           | mov                 ecx, ecx
            //   7516                 | dec                 esp
            //   b910000000           | cmovb               eax, edx
            //   e8????????           |                     
            //   488b4b08             | dec                 ebp

        $sequence_6 = { f30f7f442468 4885ff 7410 488b07 4885c0 7408 488b00 }
            // n = 7, score = 100
            //   f30f7f442468         | mov                 ecx, eax
            //   4885ff               | dec                 esp
            //   7410                 | mov                 eax, dword ptr [ebp + 0x88]
            //   488b07               | dec                 eax
            //   4885c0               | mov                 edx, dword ptr [ebp + 0x28]
            //   7408                 | dec                 eax
            //   488b00               | mov                 ecx, dword ptr [ebp + 0x78]

        $sequence_7 = { 4055 4883ec20 488bea 8b8590010000 83e004 85c0 7410 }
            // n = 7, score = 100
            //   4055                 | dec                 eax
            //   4883ec20             | mov                 eax, esi
            //   488bea               | add                 al, 0xd
            //   8b8590010000         | xor                 eax, 0x4d
            //   83e004               | mov                 byte ptr [esp + 0x61], al
            //   85c0                 | mov                 eax, dword ptr [esp + 0x50]
            //   7410                 | add                 al, 0xe

        $sequence_8 = { 896f48 48c74758ffffffff 48896f60 48896f68 488bd3 488bcf e8???????? }
            // n = 7, score = 100
            //   896f48               | dec                 eax
            //   48c74758ffffffff     | sub                 eax, 1
            //   48896f60             | jne                 0x1298
            //   48896f68             | dec                 eax
            //   488bd3               | mov                 ecx, dword ptr [esp + 0x58]
            //   488bcf               | dec                 eax
            //   e8????????           |                     

        // Six bytes-groups instead of seven (n = 6); still counts as one sequence in "7 of them".
        $sequence_9 = { 4584ff 0f44c3 4c8d9c2490000000 498b5b20 498b6b30 498b7338 }
            // n = 6, score = 100
            //   4584ff               | dec                 eax
            //   0f44c3               | lea                 ecx, [esp + 0x28]
            //   4c8d9c2490000000     | nop                 
            //   498b5b20             | dec                 eax
            //   498b6b30             | lea                 edx, [0x66e13]
            //   498b7338             | dec                 eax

    condition:
        // Any 7 of the 10 sequences must be present AND the scanned object must be smaller
        // than 1785856 bytes (~1.7 MiB). Objects at or above that size never match, whatever
        // their content — presumably the cap reflects the sample sizes seen at generation
        // time, so a padded or inflated build would fall outside it; confirm before relying
        // on this rule for files that exceed the bound. There is no PE-header check, which
        // keeps the rule usable on memory dumps but means it is not limited to PE files.
        7 of them and filesize < 1785856
}