win.hellokitty

HelloKitty

aka: KittyCrypt

There is no description at this point.

References
2022-05-20 — AdvIntel — Yelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-01 — BushidoToken — BushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-04-25 — Medium proferosec-osm — Brenton Morris
@online{morris:20220425:static:ae1f9c2, author = {Brenton Morris}, title = {{Static unpacker and decoder for Hello Kitty Packer}}, date = {2022-04-25}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7}, language = {English}, urldate = {2022-04-29} } Static unpacker and decoder for Hello Kitty Packer
HelloKitty
2022-04-18 — AdvIntel — Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-03-21 — eSentire — eSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2021-11-02 — SpearTip — Chris Swagler
@online{swagler:20211102:fbi:6fe349f, author = {Chris Swagler}, title = {{FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal}}, date = {2021-11-02}, organization = {SpearTip}, url = {https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/}, language = {English}, urldate = {2021-11-03} } FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty
2021-10-28 — FBI — FBI
@techreport{fbi:20211028:cu000154mw:086d032, author = {FBI}, title = {{CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware}}, date = {2021-10-28}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211029.pdf}, language = {English}, urldate = {2021-11-03} } CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty
2021-08-24 — Palo Alto Networks Unit 42 — Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-07-17 — Bleeping Computer — Sergiu Gatlan
@online{gatlan:20210717:hellokitty:96a6fe5, author = {Sergiu Gatlan}, title = {{HelloKitty ransomware is targeting vulnerable SonicWall devices}}, date = {2021-07-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/}, language = {English}, urldate = {2021-07-20} } HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty
2021-06-28 — CrowdStrike — Alexandru Ghita
@online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-05-31 — DataBreaches.net — Dissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-04-29 — FireEye — Tyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2022-03-07} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2021-03-18 — Malwarebytes — Jovi Umawing
@online{umawing:20210318:hellokitty:1527547, author = {Jovi Umawing}, title = {{HelloKitty: When Cyberpunk met cy-purr-crime}}, date = {2021-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/}, language = {English}, urldate = {2021-03-19} } HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty
2021-03-08 — Sentinel LABS — Jim Walter
@online{walter:20210308:hellokitty:e063f92, author = {Jim Walter}, title = {{HelloKitty Ransomware Lacks Stealth, But Still Strikes Home}}, date = {2021-03-08}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/}, language = {English}, urldate = {2021-03-11} } HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty
2021-02-10 — Cado Security — Christopher Doman
@online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty
2021-02-09 — Twitter (@fwosar) — Fabian Wosar
@online{wosar:20210209:cd:5b066a6, author = {Fabian Wosar}, title = {{Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group}}, date = {2021-02-09}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1359167108727332868}, language = {English}, urldate = {2021-02-17} } Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty
2020-11-13 — ID Ransomware — Andrew Ivanov
@online{ivanov:20201113:hellokitty:d65136d, author = {Andrew Ivanov}, title = {{HelloKitty Ransomware}}, date = {2020-11-13}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html}, language = {English}, urldate = {2021-02-10} } HelloKitty Ransomware
HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20220516 | Detects win.hellokitty.)
/*
 * Autogenerated YARA-Signator rule for win.hellokitty (HelloKitty, aka KittyCrypt).
 *
 * Detection logic: ten x86 instruction-byte sequences ($sequence_0 .. $sequence_9),
 * each 6 or 7 instructions long, are searched for; the rule fires when at least
 * 7 of the 10 are present AND the scanned input is smaller than 319488 bytes.
 *
 * Reading the strings section: each hex string is followed by `//` lines giving
 * the generator's statistics (n = number of instructions, score) and the
 * disassembly of every instruction. Bytes written as `??` are wildcards and
 * match any value; the disassembly column is left blank for such instructions.
 *
 * Scope note (see the DISCLAIMER in the rule body): the sequences were taken
 * from unpacked code and memory dumps, so this rule is expected to match
 * unpacked payloads. Packed samples — several references on this page describe
 * packers used with this family — will likely not match until unpacked.
 */
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten code fragments; any 7 must be present for the rule to match (see condition).
        $sequence_0 = { 89b898000000 8bcf 334df0 894de8 89889c000000 0fb6c9 0fb689303b4200 }
            // n = 7, score = 100
            //   89b898000000         | mov                 dword ptr [eax + 0x98], edi
            //   8bcf                 | mov                 ecx, edi
            //   334df0               | xor                 ecx, dword ptr [ebp - 0x10]
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   89889c000000         | mov                 dword ptr [eax + 0x9c], ecx
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689303b4200       | movzx               ecx, byte ptr [ecx + 0x423b30]

        // xor / add / rol arithmetic on 32-bit registers. NOTE(review): looks like
        // cipher-style mixing, but that is an assumption from the disassembly, not verified.
        $sequence_1 = { 33c8 03ca 8b55f8 03f1 8bc2 c1c007 8bca }
            // n = 7, score = 100
            //   33c8                 | xor                 ecx, eax
            //   03ca                 | add                 ecx, edx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   03f1                 | add                 esi, ecx
            //   8bc2                 | mov                 eax, edx
            //   c1c007               | rol                 eax, 7
            //   8bca                 | mov                 ecx, edx

        // Contains wildcarded (??) operand bytes: the cmp targets are matched as any value.
        $sequence_2 = { 0f849b000000 391d???????? 0f848f000000 391d???????? 0f8483000000 6a42 8d45a8 }
            // n = 7, score = 100
            //   0f849b000000         | je                  0xa1
            //   391d????????         |                     
            //   0f848f000000         | je                  0x95
            //   391d????????         |                     
            //   0f8483000000         | je                  0x89
            //   6a42                 | push                0x42
            //   8d45a8               | lea                 eax, [ebp - 0x58]

        $sequence_3 = { 75ed 8b7510 8b5518 33ff 663bce 7324 }
            // n = 6, score = 100
            //   75ed                 | jne                 0xffffffef
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   33ff                 | xor                 edi, edi
            //   663bce               | cmp                 cx, si
            //   7324                 | jae                 0x26

        $sequence_4 = { 8945e4 33da 8b45a8 3345fc 8b55ac 33c2 335dc4 }
            // n = 7, score = 100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   33da                 | xor                 ebx, edx
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]
            //   3345fc               | xor                 eax, dword ptr [ebp - 4]
            //   8b55ac               | mov                 edx, dword ptr [ebp - 0x54]
            //   33c2                 | xor                 eax, edx
            //   335dc4               | xor                 ebx, dword ptr [ebp - 0x3c]

        // ror / add / xor arithmetic, same flavour as $sequence_1.
        $sequence_5 = { 8975cc c1c90b 8bd6 0355b0 33c8 8bc3 8955cc }
            // n = 7, score = 100
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   c1c90b               | ror                 ecx, 0xb
            //   8bd6                 | mov                 edx, esi
            //   0355b0               | add                 edx, dword ptr [ebp - 0x50]
            //   33c8                 | xor                 ecx, eax
            //   8bc3                 | mov                 eax, ebx
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx

        $sequence_6 = { 33c9 8b75dc 33ff 895dfc 41 8b45d8 2bf0 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   33ff                 | xor                 edi, edi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   41                   | inc                 ecx
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   2bf0                 | sub                 esi, eax

        // Wildcarded immediate (68 ????????) and indirect call target (ff15 ????????).
        $sequence_7 = { 50 68???????? 51 51 ff15???????? 8945fc 8bcf }
            // n = 7, score = 100
            //   50                   | push                eax
            //   68????????           |                     
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bcf                 | mov                 ecx, edi

        // 16-byte SSE copy (movups load/store) inside a loop that advances edi by 0x10.
        $sequence_8 = { 83c404 85db 7512 0f1045d4 83c710 0f1106 }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   85db                 | test                ebx, ebx
            //   7512                 | jne                 0x14
            //   0f1045d4             | movups              xmm0, xmmword ptr [ebp - 0x2c]
            //   83c710               | add                 edi, 0x10
            //   0f1106               | movups              xmmword ptr [esi], xmm0

        // Wildcarded relative call target (e8 ????????).
        $sequence_9 = { 8b049d20364200 0fb6440828 83e001 7469 56 e8???????? 59 }
            // n = 7, score = 100
            //   8b049d20364200       | mov                 eax, dword ptr [ebx*4 + 0x423620]
            //   0fb6440828           | movzx               eax, byte ptr [eax + ecx + 0x28]
            //   83e001               | and                 eax, 1
            //   7469                 | je                  0x6b
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

    condition:
        // "7 of them" tolerates up to three of the ten sequences being absent.
        // The filesize bound (319488 bytes, i.e. 312 KiB) limits the rule to
        // inputs below that size; larger files will not match even if all
        // sequences are present, so consider this when triaging misses.
        7 of them and filesize < 319488
}