SYMBOLCOMMON_NAMEaka. SYNONYMS
win.conti (Back to overview)

Conti

VTCollection    

Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.

References
2023-10-03Luca Mella
Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)
LockBit LockBit Conti LockBit
2023-09-12ANSSIANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-09-07Department of JusticeOffice of Public Affairs
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies
Conti Conti TrickBot
2023-07-26Arctic WolfAkshay Suthar, Connor Belfiore, Steven Campbell
Conti and Akira: Chained Together
Akira Conti
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-17Github (EmissarySpider)EmissarySpider
ransomware-descendants
Babuk Conti LockBit
2023-06-08VMRayPatrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver
2023-03-10Medium walmartglobaltechJason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-02-10cocomelonccocomelonc
Malware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware
Conti
2023-02-01Security AffairsPierluigi Paganini
New LockBit Green ransomware variant borrows code from Conti ransomware
Conti LockBit
2023-01-04cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-11-21Palo Alto Networks Unit 42Kristopher Russo
Threat Assessment: Luna Moth Callback Phishing Campaign
BazarBackdoor Conti
2022-09-20vmwareDana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty
2022-09-07BlackberryAnuj Soni, Ryan Chapman
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper
2022-09-07Intel 471Intel 471
Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
Conti
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-10Avast DecodedThreat Research Team
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks
Conti Raccoon RecordBreaker Zloader
2022-08-03Palo Alto Networks Unit 42Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-20KasperskyDmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin
Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23TrellixChristiaan Beek
The Sound of Malware
Conti VHD Ransomware
2022-06-15ThreatStopOfir Ashman
First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive
2022-06-15AttackIQAttackIQ Adversary Research Team, Jackson Wells
Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot
2022-06-02EclypsiumEclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-24The Hacker NewsFlorian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-23Trend MicroMatsugaya Shingo
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-23Trend MicroTrend Micro Research
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)
BlackCat Conti LockBit
2022-05-20AdvIntelMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18PRODAFT Threat IntelligencePRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti WIZARD SPIDER
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05YouTube (The Vertex Project)Ryan Hallbeck
Contileaks: Identifying, Extracting, & Modeling Bitcoin Addresses
Conti
2022-05-03CiscoJAIME FILSON, Kendall McKay, Paul Eubanks.
Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive
2022-05-03Talos IntelligenceJON MUNSHAW
Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive
2022-05-02Cisco TalosJAIME FILSON, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-29NCC GroupMike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis
Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-21SecureworksCounter Threat Unit ResearchTeam
GOLD ULRICK Continues Conti Operations Despite Public Disclosures
Conti Conti
2022-04-20Bleeping ComputerBill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18TrellixAlexandre Mundo, Jambul Tologonov, Marc Elias
Conti Group Targets ESXi Hypervisors With its Linux Variant
Conti Conti
2022-04-17BushidoToken BlogBushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15Arctic WolfArctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot
2022-04-15Bleeping ComputerIonut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2022-04-12ConnectWiseConnectWise CRU
Threat Profile: Conti
Conti
2022-04-11cocomelonc
Conti ransomware source code investigation - part 2
Conti
2022-04-09Bleeping ComputerLawrence Abrams
Hackers use Conti's leaked ransomware to attack Russian companies
Conti
2022-04-08ReversingLabsPaul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-06TRM LabsTRM Labs
TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider
Conti Ryuk
2022-04-04The DFIR Report@0xtornado, @MettalicHack, @yatinwad, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-04-02Github (cocomelonc)cocomelonc
Malware development tricks. Find kernel32.dll base: asm style. C++ example.
Conti
2022-03-31nccgroupAlex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-27cocomelonc
Conti ransomware source code investigation - part 1
Conti
2022-03-25ZscalerBrett Stone-Gross
Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
Conti
2022-03-23Intel 471Intel 471
Conti puts the ‘organized’ in organized crime
Conti
2022-03-23splunkShannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-23SecureworksCounter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-22ThreatStopOfir Ashman
Conti ransomware leaks - what happens when hackers support Russia
Conti
2022-03-21Threat PostLisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-21eSentireeSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-18eSentireeSentire Threat Response Unit (TRU)
Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)
Conti Conti
2022-03-17GoogleBenoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-17GoogleBenoit Sevens, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
2022-03-16DragosJosh Hanrahan
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet
2022-03-16SymantecSymantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-15PrevailionMatt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti
2022-03-10Check Point Research
Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of
Conti
2022-03-09Bleeping ComputerIonut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-08Github (whichbuffer)Arda Büyükkaya
Conti-Ransomware-IOC
Conti
2022-03-08The RecordDina Temple-Raston
Inside Conti leaks: The Panama Papers of ransomware
Conti
2022-03-08YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Conti Ransomware source code: a well-designed COTS ransomware
Conti
2022-03-08MBSDMBSD
ContiLeaks
Conti
2022-03-07CyberScoopSuzanne Smalley
Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say
Conti
2022-03-03Trend MicroTrend Micro Research
IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-03-03Trend MicroTrend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-02CyberArkCyberArk Labs
Conti Group Leaked!
TeamTNT Conti TrickBot
2022-03-02elDiarioCarlos del Castillo
Cybercrime bosses warn that they will "fight back" if Russia is hacked
Conti Ryuk
2022-03-02Cluster25Cluster25
Conti's Source Code: Deep-Dive Into
Conti
2022-03-02ThreatpostLisa Vaas
Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot
2022-03-02KrebsOnSecurityBrian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-02Youtube (OALabs)Sean Wilson, Sergei Frankoff
Botleggers Exposed - Analysis of The Conti Leaks Malware
Conti
2022-03-01Medium whickey000Wade Hickey
How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File
Conti
2022-03-01Twitter (@TheDFIRReport)The DFIR Report
Twitter thread with highlights from conti leaks
Conti
2022-03-01VX-Underground
Leaks: Conti / Trickbot
Conti TrickBot
2022-03-01Bleeping ComputerLawrence Abrams
Conti Ransomware source code leaked by Ukrainian researcher
Conti
2022-03-01Arctic WolfArctic Wolf
Conti Ransomware: An Analysis of Key Findings
Conti
2022-02-28Github (TheParmak)TheParmak
conti-leaks-englished
Conti
2022-02-28Medium arnozobecArnaud Zobec
Analyzing conti-leaks without speaking russian — only methodology
Conti
2022-02-28SophosSean Gallagher
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2022-02-27The RecordCatalin Cimpanu
Conti ransomware gang chats leaked by pro-Ukraine member
Conti LockBit
2022-02-27Bleeping ComputerLawrence Abrams
Conti ransomware's internal chats leaked after siding with Russia
Conti
2022-02-25Red Hot CyberRed Hot Cyber
Il ransomware Conti si schiera a favore della Russia.
Conti
2022-02-23AdvIntelVitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti
2022-02-23splunkShannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-22Bankinfo SecurityMatthew J. Schwartz
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot
2022-02-22SophosChester Wisniewski
Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?
Conti
2022-02-20Security AffairsPierluigi Paganini
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot
2022-02-18Bleeping ComputerIonut Ilascu
Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot
2022-02-14Cyware
Ransomware Becomes Deadlier, Conti Makes the Most Money
Conti
2022-02-09DragosAnna Skelton
Dragos ICS/OT Ransomware Analysis: Q4 2021
LockBit Conti LockBit
2022-02-04Bleeping ComputerSergiu Gatlan
HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems
Conti
2022-01-27BleepingComputerSergiu Gatlan
Taiwanese Apple and Tesla contractor hit by Conti ransomware
Conti
2022-01-27CoveWare
Ransomware as a Service Innovation Curve
Conti LockBit
2022-01-24CyCraftCyCraft AI
The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker
2022-01-01Silent PushSilent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti
2022-01-01Symposium on Electronic Crime ResearchBenjamin Brown, Damon McCoy, Ian W. Gray, Jack Cable, Vlad Cuiujuclu
Money Over Morals: A Business Analysis of Conti Ransomware
Conti Conti
2021-12-23SymantecSiddhesh Chandrayan
Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
2021-12-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement
Conti
2021-12-13The DFIR ReportThe DFIR Report
Diavol Ransomware
BazarBackdoor Conti Diavol
2021-12-08DarktraceJustin Fier
The double extortion business: Conti Ransomware Gang finds new avenues of negotiation
Conti
2021-12-03HSEHSE
Conti cyber attack on the HSE
Conti
2021-12-01Trend MicroTrend Micro
Ransomware Spotlight: Conti
Conti
2021-11-29The DFIR ReportThe DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti
2021-11-18EllipticElliptic Intel
Conti Ransomware Nets at Least $25.5 Million in Four Months
Conti
2021-11-18PRODAFT Threat IntelligencePRODAFT
Conti Ransomware Group In-Depth Analysis
Conti
2021-11-18Red CanaryThe Red Canary Team
Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-18QualysGhanshyam More
Conti Ransomware
Conti
2021-11-16IronNetIronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-15TRUESECFabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-10AT&TJosh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti
2021-11-09CybereasonAleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti
2021-11-07Marco Ramilli's BlogMarco Ramilli
CONTI Ransomware: Cheat Sheet
Conti
2021-11-02Intel 471Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti
2021-11-02unh4ckCyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti
2021-10-26unh4ckHamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti
2021-10-25KrebsOnSecurityBrian Krebs
Conti Ransom Gang Starts Selling Access to Victims
Conti
2021-10-22HUNT & HACKETTKrijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-10-04The DFIR ReportThe DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-09-29Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti
2021-09-22CISAUS-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-13The DFIR ReportThe DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-03SophosAnand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-02TalosAzim Khodjibaev, Caitlin Huey, David Liebenberg, Dmytro Korzhevin
Translated: Talos' insights from the recently leaked Conti ransomware playbook
Conti
2021-08-19Sekoiasekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-11Advanced IntelligenceVitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-10Youtube (OALabs)OALabs
Leaked Conti Ransomware Playbook - Red Team Reacts
Conti
2021-08-10LIFARSVlad Pasca
A Detailed Analysis of The Last Version of Conti Ransomware
Conti
2021-08-06Threat PostElizabeth Montalbano
Angry Affiliate Leaks Conti Ransomware Gang Playbook
Conti
2021-08-06Sophos Naked SecurityPaul Ducklin
Conti ransomware affiliate goes rogue, leaks “gang data”
Conti
2021-08-05Bleeping ComputerLawrence Abrams
Angry Conti ransomware affiliate leaks gang's attack playbook
Conti
2021-08-05The RecordCatalin Cimpanu
Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals
Conti
2021-08-05Twitter (@AltShiftPrtScn)Peter Mackenzie
Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access
Conti
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-01The DFIR ReportThe DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-21Twitter (@AltShiftPrtScn)Peter Mackenzie
Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment
Conti
2021-07-08SentinelOneAntonio Pirozzi, Idan Weizman
Conti Unpacked: Understanding Ransomware Development as a Response to Detection - A Detailed Technical Analysis
Conti
2021-07-01DomainToolsChad Anderson
The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-07-01FortinetAsaf Rubinfeld, Dor Neemani
Diavol - A New Ransomware Used By Wizard Spider?
Conti Diavol
2021-06-30CynetMax Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-18Palo Alto Networks Unit 42Richard Hickman
Conti Ransomware Gang: An Overview
Conti
2021-06-15Trend MicroByron Gelera, Earle Earnshaw, Janus Agcaoili, Miguel Ang, Nikko Tamana
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-06-02CrowdStrikeHeather Smith, Josh Dalman
Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil
2021-05-20FBIFBI
Alert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks
Conti
2021-05-16NCSC IrelandNCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-12The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-29The Institute for Security and TechnologyThe Institute for Security and Technology
Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya
2021-04-26CoveWareCoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-13MBSDKei Sugawara, Takashi Yoshikawa
Unraveling the internal structure of the Conti Ransomware
Conti
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25ANSSICERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-16SophosLabs UncutMichael Heller
A Conti ransomware attack day-by-day
Conti
2021-02-16SophosLabs UncutAnand Ajjan, Andrew Brandt
Conti ransomware: Evasive by nature
Conti
2021-02-16SophosLabs UncutPeter Mackenzie, Tilly Travers
What to expect when you’ve been hit with Conti ransomware
Conti
2021-02-11CTI LEAGUECTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04ClearSkyClearSky Research Team
CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-12CybereasonLior Rochberger
Cybereason vs. Conti Ransomware
BazarBackdoor Conti
2020-12-15Medium 0xthreatintel0xthreatintel
Reversing Conti Ransomware
Conti
2020-12-15Chuongdong blogChuong Dong
Conti Ransomware v2
Conti
2020-12-12Github (cdong1012)Chuong Dong
ContiUnpacker: An automatic unpacker for Conti rasnomware
Conti
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18KELAVictoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-01KELAVictoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25BleepingComputerLawrence Abrams
Ryuk successor Conti Ransomware releases data leak site
Conti
2020-08-18AreteArete Incident Response
Is Conti the New Ryuk?
Conti Ryuk
2020-07-08VMWare Carbon BlackBrian Baskin
TAU Threat Discovery: Conti Ransomware
Conti
Yara Rules
[TLP:WHITE] win_conti_auto (20230808 | Detects win.conti.)
rule win_conti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.conti."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 57 bf0e000000 8d7101 }
            // n = 4, score = 600
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf0e000000           | mov                 edi, 0xe
            //   8d7101               | lea                 esi, [ecx + 1]

        $sequence_1 = { 8d7f01 0fb6c0 b978000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b978000000           | mov                 ecx, 0x78
            //   2bc8                 | sub                 ecx, eax

        $sequence_2 = { 57 bf0a000000 8d7101 8d5f75 8a06 8d7601 0fb6c0 }
            // n = 7, score = 600
            //   57                   | push                edi
            //   bf0a000000           | mov                 edi, 0xa
            //   8d7101               | lea                 esi, [ecx + 1]
            //   8d5f75               | lea                 ebx, [edi + 0x75]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8d7601               | lea                 esi, [esi + 1]
            //   0fb6c0               | movzx               eax, al

        $sequence_3 = { 8d7f01 0fb6c0 b96c000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b96c000000           | mov                 ecx, 0x6c
            //   2bc8                 | sub                 ecx, eax

        $sequence_4 = { 0f1f4000 8a07 8d7f01 0fb6c0 b948000000 }
            // n = 5, score = 600
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b948000000           | mov                 ecx, 0x48

        $sequence_5 = { 8975fc 803e00 7541 53 bb0a000000 }
            // n = 5, score = 600
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7541                 | jne                 0x43
            //   53                   | push                ebx
            //   bb0a000000           | mov                 ebx, 0xa

        $sequence_6 = { 8975fc 803e00 7542 53 bb0e000000 }
            // n = 5, score = 600
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7542                 | jne                 0x44
            //   53                   | push                ebx
            //   bb0e000000           | mov                 ebx, 0xe

        $sequence_7 = { 8d7f01 0fb6c0 b909000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b909000000           | mov                 ecx, 9
            //   2bc8                 | sub                 ecx, eax

        $sequence_8 = { e8???????? 8bb6007d0000 85f6 75ef 6aff }
            // n = 5, score = 400
            //   e8????????           |                     
            //   8bb6007d0000         | mov                 esi, dword ptr [esi + 0x7d00]
            //   85f6                 | test                esi, esi
            //   75ef                 | jne                 0xfffffff1
            //   6aff                 | push                -1

        $sequence_9 = { 50 6a20 ff15???????? 68???????? ff15???????? 68???????? }
            // n = 6, score = 400
            //   50                   | push                eax
            //   6a20                 | push                0x20
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_10 = { 780e 7f07 3d00005000 7605 }
            // n = 4, score = 400
            //   780e                 | js                  0x10
            //   7f07                 | jg                  9
            //   3d00005000           | cmp                 eax, 0x500000
            //   7605                 | jbe                 7

        $sequence_11 = { 8bec 8b4d08 e8???????? 6a00 ff15???????? }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_12 = { 50 8b4508 ff7004 ff15???????? 85c0 7508 6a01 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1

        $sequence_13 = { 6810660000 ff7508 ff15???????? 85c0 }
            // n = 4, score = 400
            //   6810660000           | push                0x6610
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_14 = { 85ff 7408 57 56 ff15???????? ff75f8 56 }
            // n = 7, score = 400
            //   85ff                 | test                edi, edi
            //   7408                 | je                  0xa
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   56                   | push                esi

        $sequence_15 = { 7411 a801 740d 83f001 50 ff7608 }
            // n = 6, score = 400
            //   7411                 | je                  0x13
            //   a801                 | test                al, 1
            //   740d                 | je                  0xf
            //   83f001               | xor                 eax, 1
            //   50                   | push                eax
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_16 = { 48894c2430 4c8d45ff 488d4d0f 418bd6 48894c2428 488d4d07 48894c2420 }
            // n = 7, score = 300
            //   48894c2430           | dec                 eax
            //   4c8d45ff             | mov                 dword ptr [esp + 0x30], ecx
            //   488d4d0f             | dec                 esp
            //   418bd6               | lea                 eax, [ebp - 1]
            //   48894c2428           | dec                 eax
            //   488d4d07             | lea                 ecx, [ebp + 0xf]
            //   48894c2420           | inc                 ecx

        $sequence_17 = { 42884c0500 49ffc0 4983f80d 72af 44884d0f }
            // n = 5, score = 300
            //   42884c0500           | xor                 eax, eax
            //   49ffc0               | dec                 eax
            //   4983f80d             | mov                 dword ptr [esp + 0x40], ecx
            //   72af                 | dec                 eax
            //   44884d0f             | mov                 dword ptr [esp + 0x48], ecx

        $sequence_18 = { 33d2 ffd0 897c2450 b856555555 }
            // n = 4, score = 300
            //   33d2                 | dec                 eax
            //   ffd0                 | mov                 dword ptr [esp + 0x48], ecx
            //   897c2450             | dec                 eax
            //   b856555555           | lea                 edx, [ebp - 0x20]

        $sequence_19 = { 0fb64500 0fb645ff 84c0 755c }
            // n = 4, score = 300
            //   0fb64500             | xor                 eax, eax
            //   0fb645ff             | dec                 eax
            //   84c0                 | mov                 dword ptr [esp + 0x40], ecx
            //   755c                 | xor                 ecx, ecx

        $sequence_20 = { 488b4f30 488b4738 4885c9 7406 }
            // n = 4, score = 300
            //   488b4f30             | dec                 eax
            //   488b4738             | lea                 ecx, [esp + 0x70]
            //   4885c9               | inc                 ebp
            //   7406                 | xor                 eax, eax

        $sequence_21 = { 48894c2448 488d55e0 488d4c2470 4533c0 }
            // n = 4, score = 300
            //   48894c2448           | mov                 edx, esi
            //   488d55e0             | dec                 eax
            //   488d4c2470           | mov                 dword ptr [esp + 0x28], ecx
            //   4533c0               | dec                 eax

        $sequence_22 = { 42884c0501 49ffc0 4983f80c 72af }
            // n = 4, score = 300
            //   42884c0501           | test                ecx, ecx
            //   49ffc0               | je                  0x13
            //   4983f80c             | dec                 eax
            //   72af                 | mov                 ecx, dword ptr [edi + 0x30]

        $sequence_23 = { 41b801000000 488bd3 8bcf ffd0 4d85f6 }
            // n = 5, score = 300
            //   41b801000000         | dec                 eax
            //   488bd3               | lea                 edx, [ebp - 0x20]
            //   8bcf                 | dec                 eax
            //   ffd0                 | lea                 ecx, [esp + 0x70]
            //   4d85f6               | inc                 ebp

    condition:
        7 of them and filesize < 520192
}
[TLP:WHITE] win_conti_w0   (20220318 | Detect the Conti ransomware (x64))
rule win_conti_w0 {
   meta:
        author = "Arkbird_SOLG"
        description = "Detect the Conti ransomware (x64)"
        reference = "Internal Research"
        date = "2022-02-25"
        hash1 = "930ec6d08e9d29fa23805ff9784cb0d78b1dc4cc4d58daa0e653dfe478c45d3a"
        hash2 = "ea524e8b0dd046561b59a8d4da5a122aeff02036c87bb03056437a1d0f584039"
        hash3 = "ed4afa874e75b7bac665b9bcbf1d8e1324d4f9263c862755101cd79bb087ad45"
        hash4 = "1dea453e5344898c9a66309bd6d1cf6e21c56eb1427c026aac84b14a6b23f7fc"
        tlp = "White"
        adversary = "RAAS"
        source = "https://github.com/StrangerealIntel/Orion/blob/main/Ransomware/RAN_Conti_Feb_2022_1.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_version = "20220318"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
        $s1 = { f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 b8 09 04 02 81 83 c1 7f f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 88 4c 3c 39 48 ff c7 48 83 ff 24 72 ?? 0f b7 44 24 7c 48 8d 54 24 39 44 0f b7 4c 24 7a 48 8d 4d 80 44 0f b7 44 24 78 89 44 24 20 ff 15 [2] 01 00 8b d8 85 c0 74 32 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 44 8d 04 1b 4c 89 74 24 20 4c 8d 4c 24 68 48 8b cf 48 8d 55 80 ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 44 8b c6 48 8d 95 80 00 00 00 48 8b cf ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 41 b8 04 }
        $s2 = { 48 89 5c 24 08 48 89 74 24 18 57 48 83 ec 20 40 8a f1 8b 05 [2] 01 00 33 db 85 c0 7f 12 33 c0 48 8b 5c 24 30 48 8b 74 24 40 48 83 c4 20 5f c3 ff c8 89 05 [2] 01 00 e8 73 fa ff ff 40 8a f8 88 44 24 38 83 3d [2] 01 00 02 75 35 e8 86 fb ff ff e8 25 06 00 00 e8 9c 06 00 00 89 1d [2] 01 00 e8 a1 fb ff ff 40 8a cf e8 6d fd ff ff 33 d2 40 8a ce e8 87 fd ff ff 84 c0 0f 95 c3 8b c3 eb }
        $s3 = { 48 8b 0d [2] 01 00 4c 8b c3 33 d2 ff 15 [2] 00 00 48 85 c0 74 d4 eb 0d e8 60 08 00 00 c7 00 0c 00 00 00 33 c0 48 83 c4 20 5b c3 cc cc 48 85 c9 74 37 53 48 83 ec 20 4c 8b c1 33 d2 48 8b 0d [2] 01 00 ff 15 [2] 00 00 85 c0 75 17 e8 2b 08 00 00 48 8b d8 ff 15 [2] 00 00 8b c8 e8 63 07 00 00 89 03 48 83 c4 20 5b c3 cc cc cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b d9 49 }
        $s4 = { 48 83 c0 27 48 83 e0 e0 48 89 48 f8 eb 11 48 85 d2 74 0a 48 8b ca e8 [2] 00 00 eb 02 33 c0 4c 8d 04 5d 02 00 00 00 48 89 45 c0 48 8b d6 48 8b c8 e8 [2] 00 00 48 89 7d d8 48 c7 c7 ff ff ff ff 4c 8d 45 40 48 89 5d d0 48 8d 55 c0 48 8d 8d 20 04 00 00 e8 ?? dd ff ff 48 81 bd 30 04 00 00 04 01 00 00 0f 87 b2 00 00 00 48 83 bd 38 04 00 00 08 48 8d 8d 20 04 00 00 48 0f 43 8d 20 04 00 00 ff 15 [2] 01 00 85 c0 0f 84 8d 00 00 00 48 8d 8d ec 04 00 00 e8 ?? e0 ff ff }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 
}
Download all Yara Rules