HelloKitty (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

VTCollection

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2023-02-14 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec
Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin

2023-01-04 ⋅ cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty

2022-09-20 ⋅ vmware ⋅ Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty

2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti

2022-04-25 ⋅ Medium proferosec-osm ⋅ Brenton Morris
Static unpacker and decoder for Hello Kitty Packer
HelloKitty

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2021-11-02 ⋅ SpearTip ⋅ Chris Swagler
FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty

2021-10-28 ⋅ FBI ⋅ FBI
CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty

2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit

2021-07-17 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty

2021-06-28 ⋅ CrowdStrike ⋅ Alexandru Ghita
New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty

2021-05-31 ⋅ DataBreaches.net ⋅ Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty

2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty

2021-03-18 ⋅ Malwarebytes ⋅ Jovi Umawing
HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty

2021-03-08 ⋅ Sentinel LABS ⋅ Jim Walter
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty

2021-02-10 ⋅ Cado Security ⋅ Christopher Doman
Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty

2021-02-09 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar
Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty

2020-11-13 ⋅ ID Ransomware ⋅ Andrew Ivanov
HelloKitty Ransomware
HelloKitty

Yara Rules

[TLP:WHITE] win_hellokitty_auto (20260504 | Detects win.hellokitty.)

rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 50 e8???????? 8b75d0 668b570e }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b75d0               | mov                 esi, dword ptr [ebp - 0x30]
            //   668b570e             | mov                 dx, word ptr [edi + 0xe]

        $sequence_1 = { 0bc1 8b4de0 03c6 8b7594 03c2 8bd1 }
            // n = 6, score = 100
            //   0bc1                 | or                  eax, ecx
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   03c6                 | add                 eax, esi
            //   8b7594               | mov                 esi, dword ptr [ebp - 0x6c]
            //   03c2                 | add                 eax, edx
            //   8bd1                 | mov                 edx, ecx

        $sequence_2 = { 6a00 51 e8???????? 8a751c 83c40c 8b4dec 0fb6c3 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8a751c               | mov                 dh, byte ptr [ebp + 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   0fb6c3               | movzx               eax, bl

        $sequence_3 = { 8bd3 6a21 e8???????? 59 85c0 0f85fe000000 }
            // n = 6, score = 100
            //   8bd3                 | mov                 edx, ebx
            //   6a21                 | push                0x21
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f85fe000000         | jne                 0x104

        $sequence_4 = { 807e0103 7575 53 33d2 57 8bca bf???????? }
            // n = 7, score = 100
            //   807e0103             | cmp                 byte ptr [esi + 1], 3
            //   7575                 | jne                 0x77
            //   53                   | push                ebx
            //   33d2                 | xor                 edx, edx
            //   57                   | push                edi
            //   8bca                 | mov                 ecx, edx
            //   bf????????           |                     

        $sequence_5 = { 8b75fc c1e80a 33d0 8bc6 03d1 8bce 0355cc }
            // n = 7, score = 100
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   c1e80a               | shr                 eax, 0xa
            //   33d0                 | xor                 edx, eax
            //   8bc6                 | mov                 eax, esi
            //   03d1                 | add                 edx, ecx
            //   8bce                 | mov                 ecx, esi
            //   0355cc               | add                 edx, dword ptr [ebp - 0x34]

        $sequence_6 = { c1c105 33c6 c1cf02 0345c0 81c6d6c162ca 03c2 }
            // n = 6, score = 100
            //   c1c105               | rol                 ecx, 5
            //   33c6                 | xor                 eax, esi
            //   c1cf02               | ror                 edi, 2
            //   0345c0               | add                 eax, dword ptr [ebp - 0x40]
            //   81c6d6c162ca         | add                 esi, 0xca62c1d6
            //   03c2                 | add                 eax, edx

        $sequence_7 = { 8b34cd70b34100 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 }
            // n = 7, score = 100
            //   8b34cd70b34100       | mov                 esi, dword ptr [ecx*8 + 0x41b370]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a5a                 | push                0x5a
            //   2bce                 | sub                 ecx, esi
            //   5b                   | pop                 ebx
            //   0fb70431             | movzx               eax, word ptr [ecx + esi]
            //   663bc7               | cmp                 ax, di

        $sequence_8 = { 33148d60554200 3316 83c604 8b4df8 c1e910 8955d4 8955c4 }
            // n = 7, score = 100
            //   33148d60554200       | xor                 edx, dword ptr [ecx*4 + 0x425560]
            //   3316                 | xor                 edx, dword ptr [esi]
            //   83c604               | add                 esi, 4
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e910               | shr                 ecx, 0x10
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            //   8955c4               | mov                 dword ptr [ebp - 0x3c], edx

        $sequence_9 = { 0fb64208 c165fc08 0945fc 8b45fc 8945dc 8975f4 3306 }
            // n = 7, score = 100
            //   0fb64208             | movzx               eax, byte ptr [edx + 8]
            //   c165fc08             | shl                 dword ptr [ebp - 4], 8
            //   0945fc               | or                  dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   3306                 | xor                 eax, dword ptr [esi]

    condition:
        7 of them and filesize < 319488
}

Download all Yara Rules

HelloKitty Propose Change

References

Yara Rules

HelloKitty