win.epsilon_red

Epsilon Red

aka: BlackCocaine

According to PCrisk, Epsilon Red is a ransomware-type program: it encrypts the data of infected systems and demands payment for decryption.

References
2025-07-25 · Cloudsek · Cloudsek
Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
Epsilon Red
2022-03-17 · Sophos · Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-06-04 · The Record · Catalin Cimpanu
EpsilonRed ransomware group hits one of India’s financial software powerhouses
Epsilon Red
2021-06-03 · cyble · cybleinc
Deep Dive into BlackCocaine Ransomware
Epsilon Red
2021-05-28 · SophosLabs Uncut · Andrew Brandt
A new ransomware enters the fray: Epsilon Red
Epsilon Red
Yara Rules
[TLP:WHITE] win_epsilon_red_auto (20260504 | Detects win.epsilon_red.)
rule win_epsilon_red_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.epsilon_red."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * The per-byte annotations under each $sequence_* have been redone as an
     * x86-64 decode of the hex pattern itself. The annotations originally
     * emitted with this rule were a 32-bit decode (every 0x48 REX.W prefix
     * appeared as "dec eax") and were shifted between sequences (e.g. the
     * text under $sequence_2 described the bytes of $sequence_6, and the text
     * under $sequence_6 described $sequence_1). Only the hex patterns are
     * matched; the comments carry no weight in the condition.
     * "??" wildcards stand for rel32 / RIP-relative displacements that differ
     * between builds, so those operands are not pinned.
     * NOTE(review): arguments passed through stack slots ([rsp], [rsp + 8])
     * next to RIP-relative globals and a "rep movsb"-free multi-byte NOP are
     * consistent with a Go-style calling convention — confirm against a sample
     * before using that as a triage assumption.
     */


    strings:
        $sequence_0 = { b91e000000 4883f920 0f8719050000 4889ca 31db 4531c0 eb12 }
            // n = 7, score = 200
            //   b91e000000           | mov                 ecx, 0x1e
            //   4883f920             | cmp                 rcx, 0x20
            //   0f8719050000         | ja                  +0x519
            //   4889ca               | mov                 rdx, rcx
            //   31db                 | xor                 ebx, ebx
            //   4531c0               | xor                 r8d, r8d
            //   eb12                 | jmp                 +0x12

        $sequence_1 = { 488b4c2430 488b542438 eb99 488b6c2448 }
            // n = 4, score = 200
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   488b542438           | mov                 rdx, qword ptr [rsp + 0x38]
            //   eb99                 | jmp                 -0x67
            //   488b6c2448           | mov                 rbp, qword ptr [rsp + 0x48]

        $sequence_2 = { 4c89c2 4889d9 b80d000000 31db e9???????? 488b05???????? 488b0d???????? }
            // n = 7, score = 200
            //   4c89c2               | mov                 rdx, r8
            //   4889d9               | mov                 rcx, rbx
            //   b80d000000           | mov                 eax, 0xd
            //   31db                 | xor                 ebx, ebx
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]

        $sequence_3 = { e9???????? 83f864 0f855cfeffff b90a000000 }
            // n = 4, score = 200
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   83f864               | cmp                 eax, 0x64
            //   0f855cfeffff         | jne                 -0x1a4
            //   b90a000000           | mov                 ecx, 0xa

        $sequence_4 = { b901000000 880d???????? 90 c705????????ffffffff c705????????ffffffff }
            // n = 5, score = 200
            //   b901000000           | mov                 ecx, 1
            //   880d????????         | mov                 byte ptr [rip + disp32], cl
            //   90                   | nop
            //   c705????????ffffffff | mov                 dword ptr [rip + disp32], 0xffffffff
            //   c705????????ffffffff | mov                 dword ptr [rip + disp32], 0xffffffff

        $sequence_5 = { 833d????????00 7515 488b8424c0000000 488907 0f1f440000 }
            // n = 5, score = 200
            //   833d????????00       | cmp                 dword ptr [rip + disp32], 0
            //   7515                 | jne                 +0x15
            //   488b8424c0000000     | mov                 rax, qword ptr [rsp + 0xc0]
            //   488907               | mov                 qword ptr [rdi], rax
            //   0f1f440000           | nop                 dword ptr [rax + rax*1]

        $sequence_6 = { 488d0c89 488d0cca 488d4958 48890c24 4889442408 e8???????? }
            // n = 6, score = 200
            //   488d0c89             | lea                 rcx, [rcx + rcx*4]
            //   488d0cca             | lea                 rcx, [rdx + rcx*8]
            //   488d4958             | lea                 rcx, [rcx + 0x58]
            //   48890c24             | mov                 qword ptr [rsp], rcx
            //   4889442408           | mov                 qword ptr [rsp + 8], rax
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_7 = { 488b8c24a0000000 488bb42408010000 4c8b8424e0000000 e9???????? }
            // n = 4, score = 200
            //   488b8c24a0000000     | mov                 rcx, qword ptr [rsp + 0xa0]
            //   488bb42408010000     | mov                 rsi, qword ptr [rsp + 0x108]
            //   4c8b8424e0000000     | mov                 r8, qword ptr [rsp + 0xe0]
            //   e9????????           | jmp                 rel32 (wildcarded)

    condition:
        // 7 of the 8 $sequence_* patterns must match; one may be absent.
        // 5075968 bytes = 4957 KiB, an upper bound on the scanned file size.
        7 of them and filesize < 5075968
}