win.epsilon_red

Epsilon Red

aka: BlackCocaine

There is no description at this point.

References
2022-03-17 · Sophos · Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-06-04 · The Record · Catalin Cimpanu
@online{cimpanu:20210604:epsilonred:62073f1, author = {Catalin Cimpanu}, title = {{EpsilonRed ransomware group hits one of India’s financial software powerhouses}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/}, language = {English}, urldate = {2021-06-06} } EpsilonRed ransomware group hits one of India’s financial software powerhouses
Epsilon Red
2021-06-03 · cyble · cybleinc
@online{cybleinc:20210603:deep:0077231, author = {cybleinc}, title = {{Deep Dive into BlackCocaine Ransomware}}, date = {2021-06-03}, organization = {cyble}, url = {https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/}, language = {English}, urldate = {2021-06-07} } Deep Dive into BlackCocaine Ransomware
Epsilon Red
2021-05-28 · SophosLabs Uncut · Andrew Brandt
@online{brandt:20210528:new:4d0e375, author = {Andrew Brandt}, title = {{A new ransomware enters the fray: Epsilon Red}}, date = {2021-05-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/28/epsilonred/}, language = {English}, urldate = {2021-06-07} } A new ransomware enters the fray: Epsilon Red
Epsilon Red
Yara Rules
[TLP:WHITE] win_epsilon_red_auto (20221125 | Detects win.epsilon_red.)
rule win_epsilon_red_auto {

    /* Purpose: signature-based detection of win.epsilon_red (aka BlackCocaine)
     * samples. The rule matches on ten raw opcode byte sequences that were
     * selected automatically by YARA-Signator (see DISCLAIMER below); it is a
     * code-similarity signature, not a behavioural one, and its generalization
     * to unseen builds depends on how many samples the generator saw.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.epsilon_red."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of instruction bytes ("n = 7" instructions
        // per sequence, "score" is the generator's discriminativeness score).
        // The "??" wildcards mask 4-byte relative/RIP-relative operands of
        // call (e8), jmp (e9) and memory-referencing instructions, consistent
        // with the "callsandjumps;datarefs" setting in signator_config, so the
        // pattern survives relinking at a different address.
        //
        // NOTE(review): the "| mnemonic" column next to each opcode does NOT
        // decode from the bytes on the same line (e.g. "c3" is ret, not
        // "dec eax"; "90" is nop). The many leading 0x48 bytes look like x86-64
        // REX.W prefixes, which a 32-bit decoder prints as "dec eax" -- the
        // annotations appear misaligned and/or decoded in the wrong mode.
        // Treat them as informational only; the hex bytes are what matches.
        $sequence_0 = { e9???????? 4889d7 e8???????? 4c89cf e8???????? e9???????? 4889542460 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   4889d7               | lea                 eax, [0x70a3e]
            //   e8????????           |                     
            //   4c89cf               | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   4889542460           | lea                 ecx, [esp + 0xa0]

        $sequence_1 = { 488bb42430020000 4889cb 4889d1 4889da 488b9c2418020000 4c39c8 0f8d77020000 }
            // n = 7, score = 200
            //   488bb42430020000     | mov                 dword ptr [edi + 0x38], eax
            //   4889cb               | jne                 0x405
            //   4889d1               | dec                 eax
            //   4889da               | mov                 eax, dword ptr [esp + 0x1e8]
            //   488b9c2418020000     | dec                 eax
            //   4c39c8               | mov                 dword ptr [edi + 0x30], eax
            //   0f8d77020000         | dec                 eax

        $sequence_2 = { c3 48894c2450 48895c2438 88442437 48893424 89542408 e8???????? }
            // n = 7, score = 200
            //   c3                   | dec                 eax
            //   48894c2450           | mov                 eax, dword ptr [esp + 8]
            //   48895c2438           | dec                 eax
            //   88442437             | mov                 dword ptr [eax + 8], 0x2d
            //   48893424             | dec                 eax
            //   89542408             | lea                 ecx, [0x5f1dc]
            //   e8????????           |                     

        $sequence_3 = { c744246801000000 488d842408010000 48890424 488d8c24a8000000 48894c2408 488d542448 4889542410 }
            // n = 7, score = 200
            //   c744246801000000     | dec                 eax
            //   488d842408010000     | lea                 eax, [0xc937c]
            //   48890424             | dec                 eax
            //   488d8c24a8000000     | lea                 eax, [0x119e9d]
            //   48894c2408           | dec                 eax
            //   488d542448           | mov                 dword ptr [esp], eax
            //   4889542410           | dec                 eax

        $sequence_4 = { ff81d8000000 c680b700000001 48c74010defaffff 488b4830 488b91a0000000 8b5214 899174020000 }
            // n = 7, score = 200
            //   ff81d8000000         | mov                 dword ptr [esp + 0x28], 0
            //   c680b700000001       | dec                 eax
            //   48c74010defaffff     | mov                 eax, dword ptr [edx + 0x98]
            //   488b4830             | dec                 eax
            //   488b91a0000000       | mov                 dword ptr [esp + 0x28], eax
            //   8b5214               | mov                 byte ptr [esp], 0x26
            //   899174020000         | dec                 eax

        $sequence_5 = { f20f10442430 0f57c9 660f2ec8 0f82e9000000 0f1f4000 4885c9 0f847c010000 }
            // n = 7, score = 200
            //   f20f10442430         | dec                 eax
            //   0f57c9               | mov                 eax, dword ptr [esp + 0x20]
            //   660f2ec8             | mov                 byte ptr [eax], 1
            //   0f82e9000000         | dec                 eax
            //   0f1f4000             | lea                 eax, [0xdc573]
            //   4885c9               | dec                 eax
            //   0f847c010000         | mov                 dword ptr [esp], eax

        $sequence_6 = { f30f5ac0 f20f100d???????? 660f2ec8 766a f2480f2cc0 48f7c160000000 b900000000 }
            // n = 7, score = 200
            //   f30f5ac0             | dec                 eax
            //   f20f100d????????     |                     
            //   660f2ec8             | mov                 ecx, dword ptr [esp + 0x50]
            //   766a                 | nop                 
            //   f2480f2cc0           | nop                 
            //   48f7c160000000       | dec                 eax
            //   b900000000           | mov                 dword ptr [esp + 0x20], 0

        $sequence_7 = { c60201 8b9340020000 488b742440 8916 ff8344020000 c7834002000000000000 90 }
            // n = 7, score = 200
            //   c60201               | dec                 eax
            //   8b9340020000         | mov                 dword ptr [esp + 8], 4
            //   488b742440           | dec                 eax
            //   8916                 | lea                 eax, [0x11ae5c]
            //   ff8344020000         | dec                 eax
            //   c7834002000000000000     | mov    dword ptr [esp], eax
            //   90                   | dec                 eax

        $sequence_8 = { 488b8900000000 483b6110 0f860a010000 4883ec50 48896c2448 488d6c2448 488b442468 }
            // n = 7, score = 200
            //   488b8900000000       | lea                 edi, [edi - 0x20]
            //   483b6110             | dec                 eax
            //   0f860a010000         | mov                 dword ptr [esp], esi
            //   4883ec50             | call                ecx
            //   48896c2448           | dec                 eax
            //   488d6c2448           | lea                 eax, [0x5b68e]
            //   488b442468           | dec                 eax

        $sequence_9 = { 8d4801 833d????????01 0f45c1 8b4c2430 39c1 7380 90 }
            // n = 7, score = 200
            //   8d4801               | dec                 eax
            //   833d????????01       |                     
            //   0f45c1               | lea                 eax, [esp + 0xe8]
            //   8b4c2430             | dec                 eax
            //   39c1                 | mov                 dword ptr [esp], eax
            //   7380                 | dec                 eax
            //   90                   | mov                 ecx, dword ptr [esp + 0x1e8]

    condition:
        // Fire when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 5075968 bytes (~4.84 MiB). The size cap is a
        // false-positive guard against large unrelated binaries; it is
        // presumably sized from the reference sample, so a padded, bundled or
        // repacked variant above that size would be missed -- consider raising
        // it (or scanning unpacked/memory images) if that is a concern.
        // Matching 7/10 code fragments rather than all 10 gives some tolerance
        // to minor recompilation differences without relaxing to a single hit.
        7 of them and filesize < 5075968
}