win.epsilon_red

Epsilon Red

aka: BlackCocaine

There is no description at this point.

References
2022-03-17 · Sophos · Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-06-04 · The Record · Catalin Cimpanu
@online{cimpanu:20210604:epsilonred:62073f1, author = {Catalin Cimpanu}, title = {{EpsilonRed ransomware group hits one of India’s financial software powerhouses}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/}, language = {English}, urldate = {2021-06-06} } EpsilonRed ransomware group hits one of India’s financial software powerhouses
Epsilon Red
2021-06-03 · cyble · cybleinc
@online{cybleinc:20210603:deep:0077231, author = {cybleinc}, title = {{Deep Dive into BlackCocaine Ransomware}}, date = {2021-06-03}, organization = {cyble}, url = {https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/}, language = {English}, urldate = {2021-06-07} } Deep Dive into BlackCocaine Ransomware
Epsilon Red
2021-05-28 · SophosLabs Uncut · Andrew Brandt
@online{brandt:20210528:new:4d0e375, author = {Andrew Brandt}, title = {{A new ransomware enters the fray: Epsilon Red}}, date = {2021-05-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/28/epsilonred/}, language = {English}, urldate = {2021-06-07} } A new ransomware enters the fray: Epsilon Red
Epsilon Red
Yara Rules
[TLP:WHITE] win_epsilon_red_auto (20220516 | Detects win.epsilon_red.)
rule win_epsilon_red_auto {

    /* Purpose: auto-generated code-pattern rule for the Epsilon Red
     * (aka BlackCocaine) family, keyed on ten 7-instruction byte sequences
     * ($sequence_0 .. $sequence_9) selected by YARA-Signator.
     * A file matches when any 7 of the 10 sequences are present and the
     * file is smaller than 5075968 bytes (~4.84 MiB); see `condition:` below.
     * Intended for scanning unpacked files / memory dumps (the sequences were
     * extracted from those, per the disclaimer), so packed samples may not
     * trigger. Any hit should be treated as a lead to confirm, not as proof
     * on its own, since the rule is derived from a small sample set.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.epsilon_red."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reading the sequences below:
     * - Each hex string is a run of 7 consecutive instructions; the `??` bytes
     *   are wildcards standing in for relocatable operands — the rel32 of
     *   `e8` (call) / `e9` (jmp) and the disp32 of the rip-relative `2b0d`
     *   (sub ecx, [rip+disp32]) — so the patterns survive relinking.
     * - The per-line mnemonic annotations do NOT line up with the bytes they
     *   sit next to (e.g. `ebdf` is a short `jmp`, not `dec eax`, and
     *   `48898c2480000000` is `mov [rsp+0x80], rcx`, not a `cmp`); the many
     *   0x48 prefixes are REX.W, i.e. this is x86-64 code, and the annotations
     *   look like a 32-bit-mode decode that is also offset. Treat them as
     *   informational only and re-disassemble the bytes before relying on
     *   them. The `n` / `score` comments are YARA-Signator ranking metadata.
     */
    strings:
        $sequence_0 = { ebdf 48898c2480000000 4889442440 488b8c2490000000 48890c24 488b942488000000 4889542408 }
            // n = 7, score = 200
            //   ebdf                 | dec                 eax
            //   48898c2480000000     | cmp                 dword ptr [esp + 0x30], 0
            //   4889442440           | jge                 0x1aa7
            //   488b8c2490000000     | dec                 eax
            //   48890c24             | mov                 eax, dword ptr [esp + 0xd0]
            //   488b942488000000     | dec                 eax
            //   4889542408           | mov                 ecx, dword ptr [esp + 0xb0]

        $sequence_1 = { 7e11 460fb60c06 440fb61432 4538d1 74e2 7303 48ffcf }
            // n = 7, score = 200
            //   7e11                 | dec                 eax
            //   460fb60c06           | cmp                 edx, eax
            //   440fb61432           | dec                 esp
            //   4538d1               | mov                 dword ptr [esp + 0x30], ecx
            //   74e2                 | dec                 eax
            //   7303                 | mov                 dword ptr [esp + 0x38], eax
            //   48ffcf               | dec                 eax

        // Last instruction here, `65488b042528000000`, decodes to
        // `mov rax, gs:[0x28]` (a thread-local read); its role in the sample
        // is not established by this rule — confirm in the disassembly.
        $sequence_2 = { e8???????? c68424a800000000 c68424a900000000 488bac2480000000 4881c488000000 c3 65488b042528000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c68424a800000000     | dec                 eax
            //   c68424a900000000     | mov                 eax, dword ptr [esp]
            //   488bac2480000000     | nop                 dword ptr [eax]
            //   4881c488000000       | nop                 
            //   c3                   | dec                 eax
            //   65488b042528000000     | lea    eax, [0x20c88d]

        $sequence_3 = { 488b8900000000 483b6110 0f86ac000000 4883ec40 48896c2438 488d6c2438 488b442448 }
            // n = 7, score = 200
            //   488b8900000000       | mov                 ecx, dword ptr [eax]
            //   483b6110             | dec                 eax
            //   0f86ac000000         | mov                 edx, dword ptr [eax + 8]
            //   4883ec40             | dec                 eax
            //   48896c2438           | mov                 dword ptr [esp], 0
            //   488d6c2438           | dec                 eax
            //   488b442448           | mov                 dword ptr [esp + 8], ecx

        $sequence_4 = { e8???????? 488b542420 488b5c2418 eb8a c644244000 488b6c2428 4883c430 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488b542420           | dec                 eax
            //   488b5c2418           | mov                 edx, eax
            //   eb8a                 | dec                 eax
            //   c644244000           | sar                 eax, 0x3f
            //   488b6c2428           | dec                 eax
            //   4883c430             | and                 ecx, eax

        $sequence_5 = { e8???????? 488b842498000000 488b4858 488b5050 488b4060 8b9c24a0000000 0f1f840000000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488b842498000000     | dec                 eax
            //   488b4858             | mov                 edx, dword ptr [esp + 0xc8]
            //   488b5050             | dec                 eax
            //   488b4060             | mov                 ecx, eax
            //   8b9c24a0000000       | dec                 eax
            //   0f1f840000000000     | mov                 dword ptr [esp + 0x30], ecx

        $sequence_6 = { 766e 4883ec28 48896c2420 488d6c2420 31c0 eb09 488b4c2418 }
            // n = 7, score = 200
            //   766e                 | dec                 ecx
            //   4883ec28             | cmp                 eax, ebx
            //   48896c2420           | ja                  0xb23
            //   488d6c2420           | dec                 eax
            //   31c0                 | mov                 eax, ecx
            //   eb09                 | nop                 
            //   488b4c2418           | dec                 esp

        $sequence_7 = { e9???????? 31c9 ebf4 4883f802 7519 8b8c2480000000 2b0d???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   31c9                 | nop                 
            //   ebf4                 | jmp                 0x6ce
            //   4883f802             | dec                 eax
            //   7519                 | mov                 ecx, dword ptr [ebx + 0x40]
            //   8b8c2480000000       | dec                 eax
            //   2b0d????????         |                     

        // `f0480fb132` is `lock cmpxchg [rdx], rsi` — an atomic
        // compare-and-swap; a generic runtime idiom, so this sequence alone
        // is a weak discriminator.
        $sequence_8 = { 4889c7 4889d8 f0480fb132 400f94c6 4084f6 0f8596000000 31c0 }
            // n = 7, score = 200
            //   4889c7               | mov                 dword ptr [esp + 8], ecx
            //   4889d8               | xor                 eax, eax
            //   f0480fb132           | dec                 eax
            //   400f94c6             | mov                 dword ptr [esp], edx
            //   4084f6               | dec                 eax
            //   0f8596000000         | mov                 eax, dword ptr [esp + 8]
            //   31c0                 | dec                 eax

        $sequence_9 = { 6690 4839ca 0f82c4020000 4889842418010000 48898c2420010000 4889942428010000 488bac24d8000000 }
            // n = 7, score = 200
            //   6690                 | mov                 dword ptr [esp + 8], 7
            //   4839ca               | dec                 eax
            //   0f82c4020000         | mov                 eax, dword ptr [esp + 0x10]
            //   4889842418010000     | dec                 eax
            //   48898c2420010000     | mov                 ecx, dword ptr [esp + 0x18]
            //   4889942428010000     | dec                 eax
            //   488bac24d8000000     | mov                 dword ptr [esp], eax

    // Any 7 of the 10 sequences suffice (not all of them), so three may be
    // absent — e.g. removed by compiler differences between builds — without
    // losing the match. The size cap (5075968 bytes, ~4.84 MiB) bounds scan
    // cost and excludes large containers; raise it only if a known sample
    // exceeds it.
    condition:
        7 of them and filesize < 5075968
}