Malpedia family identifier: win.epsilon_red

Epsilon Red

aka: BlackCocaine

According to PCrisk, Epsilon Red (also tracked as BlackCocaine) is ransomware: it encrypts the data on infected systems and then demands payment in exchange for decryption.

References
2022-03-17 · Sophos · Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-06-04 · The Record · Catalin Cimpanu
EpsilonRed ransomware group hits one of India’s financial software powerhouses
Epsilon Red
2021-06-03 · Cyble · cybleinc
Deep Dive into BlackCocaine Ransomware
Epsilon Red
2021-05-28 · SophosLabs Uncut · Andrew Brandt
A new ransomware enters the fray: Epsilon Red
Epsilon Red
Yara Rules
[TLP:WHITE] win_epsilon_red_auto (20230808 | Detects win.epsilon_red.)
rule win_epsilon_red_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.epsilon_red."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review; not part of the generated rule)
     * - The hex byte sequences below are the actual detection logic. The
     *   right-hand disassembly annotations are NOT reliable and should be
     *   ignored: they are out of step with the bytes on the same line (e.g.
     *   the `c3` in $sequence_2 is `ret`, yet is annotated `dec eax`), and the
     *   64-bit REX prefixes 48/4c/4d are rendered as 32-bit `dec`/`inc`
     *   instructions. Read the bytes as x86-64 code.
     * - NOTE(review): `65 48 8b 0c 25 28 00 00 00` at the start of $sequence_0
     *   decodes to `mov rcx, gs:[0x28]`, a thread-local-storage access. This
     *   looks like compiler/runtime prologue code rather than family-specific
     *   logic, so that sequence alone is a weak discriminator; the "7 of them"
     *   threshold compensates. Confirm against a clean corpus before lowering
     *   it.
     * - Per the disclaimer above, the sequences come from a single documented
     *   sample. Expect misses on other builds or packed variants; treat a hit
     *   as a confirmation signal and a miss as no evidence either way.
     * - The metadata carries several dates (date, malpedia_rule_date, and the
     *   20230808 malpedia_version). They are generator-side bookkeeping; use
     *   malpedia_hash and malpedia_reference for provenance.
     */


    strings:
        $sequence_0 = { 65488b0c2528000000 488b8100000000 488b1c24 48895840 488d5c2408 48895838 48894048 }
            // n = 7, score = 200
            //   65488b0c2528000000     | dec    eax
            //   488b8100000000       | mov                 edx, dword ptr [esp + 0x88]
            //   488b1c24             | dec                 eax
            //   48895840             | mov                 ebx, dword ptr [esp + 0xa0]
            //   488d5c2408           | dec                 eax
            //   48895838             | mov                 esi, dword ptr [esp + 0x40]
            //   48894048             | dec                 eax

        $sequence_1 = { f00fb15140 0f94c0 84c0 740a 488b442458 e9???????? e8???????? }
            // n = 7, score = 200
            //   f00fb15140           | mov                 ecx, dword ptr [esp + 0x40]
            //   0f94c0               | dec                 eax
            //   84c0                 | mov                 edx, dword ptr [ecx + 0x48]
            //   740a                 | nop                 word ptr [eax + eax]
            //   488b442458           | je                  0x125a
            //   e9????????           |                     
            //   e8????????           |                     

        $sequence_2 = { c644247801 488b6c2420 4883c428 c3 c644247800 488b6c2420 4883c428 }
            // n = 7, score = 200
            //   c644247801           | mov                 dword ptr [esp + 0x68], 0
            //   488b6c2420           | dec                 eax
            //   4883c428             | lea                 esi, [0xfffffcd0]
            //   c3                   | dec                 eax
            //   c644247800           | mov                 dword ptr [esp + 0x58], esi
            //   488b6c2420           | dec                 eax
            //   4883c428             | mov                 dword ptr [esp + 0x60], ebx

        $sequence_3 = { c644244801 488b6c2418 4883c420 c3 488b4c2428 0fb75152 488d1410 }
            // n = 7, score = 200
            //   c644244801           | dec                 eax
            //   488b6c2418           | mov                 dword ptr [esp + 0x58], 0xb
            //   4883c420             | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x58], 0xb
            //   488b4c2428           | dec                 eax
            //   0fb75152             | mov                 ebp, dword ptr [esp + 0x38]
            //   488d1410             | dec                 eax

        $sequence_4 = { 74a0 ebb6 488b842490000000 48890424 4529cd 418d45fe 4889442408 }
            // n = 7, score = 200
            //   74a0                 | mov                 eax, dword ptr [esp + 0x78]
            //   ebb6                 | dec                 eax
            //   488b842490000000     | mov                 dword ptr [esp + 0x10], eax
            //   48890424             | dec                 eax
            //   4529cd               | lea                 eax, [0xc0323]
            //   418d45fe             | dec                 eax
            //   4889442408           | mov                 dword ptr [esp], eax

        $sequence_5 = { ebed 4c890c24 4889442408 48c1e104 48894c2410 e8???????? 488b5c2460 }
            // n = 7, score = 200
            //   ebed                 | mov                 edx, dword ptr [edx + 0x30]
            //   4c890c24             | je                  0x20d3
            //   4889442408           | dec                 eax
            //   48c1e104             | mov                 ecx, dword ptr [esp + 0x878]
            //   48894c2410           | nop                 dword ptr [eax + eax]
            //   e8????????           |                     
            //   488b5c2460           | dec                 eax

        $sequence_6 = { 83fa01 7511 80b8b100000000 7408 48c74010defaffff 8b842480000000 488b4c2478 }
            // n = 7, score = 200
            //   83fa01               | mov                 byte ptr [esp + 0x46], bl
            //   7511                 | dec                 eax
            //   80b8b100000000       | lea                 edx, [esi + 0x18]
            //   7408                 | dec                 eax
            //   48c74010defaffff     | mov                 ebx, eax
            //   8b842480000000       | dec                 eax
            //   488b4c2478           | mov                 eax, dword ptr [esp + 0x108]

        $sequence_7 = { eb93 4889c1 31d2 e9???????? 8b542424 488b5c2458 488b442428 }
            // n = 7, score = 200
            //   eb93                 | dec                 eax
            //   4889c1               | mov                 ecx, dword ptr [ecx]
            //   31d2                 | dec                 eax
            //   e9????????           |                     
            //   8b542424             | cmp                 esp, dword ptr [ecx + 0x10]
            //   488b5c2458           | jbe                 0x12be
            //   488b442428           | dec                 eax

        $sequence_8 = { e8???????? 4889f0 b924000000 0f1f4000 e8???????? 4889f0 b941000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4889f0               | movzx               eax, byte ptr [edx + esi]
            //   b924000000           | nop                 dword ptr [eax]
            //   0f1f4000             | inc                 ecx
            //   e8????????           |                     
            //   4889f0               | cmp                 al, 0x22
            //   b941000000           | dec                 eax

        $sequence_9 = { e9???????? 4d89cb 4889cb 4d89c1 e9???????? 48895c2428 48891424 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   4d89cb               | test                cl, cl
            //   4889cb               | je                  0x2e3
            //   4d89c1               | dec                 eax
            //   e9????????           |                     
            //   48895c2428           | mov                 dword ptr [esp + 0x58], eax
            //   48891424             | dec                 ebp

    // Ten sequences are defined; seven of them must be present. The filesize
    // bound is in bytes (5075968 B, roughly 4.84 MiB) and exists to limit
    // false positives on large files.
    // NOTE(review): per the YARA documentation `filesize` is only meaningful
    // when scanning files; confirm the intended behaviour before applying
    // this rule to process memory.
    condition:
        7 of them and filesize < 5075968
}