HelloKitty (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

VTCollection

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2023-02-14 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec
Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin

2023-01-04 ⋅ cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty

2022-09-20 ⋅ vmware ⋅ Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty

2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti

2022-04-25 ⋅ Medium proferosec-osm ⋅ Brenton Morris
Static unpacker and decoder for Hello Kitty Packer
HelloKitty

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2021-11-02 ⋅ SpearTip ⋅ Chris Swagler
FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty

2021-10-28 ⋅ FBI ⋅ FBI
CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty

2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit

2021-07-17 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty

2021-06-28 ⋅ CrowdStrike ⋅ Alexandru Ghita
New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty

2021-05-31 ⋅ DataBreaches.net ⋅ Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty

2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty

2021-03-18 ⋅ Malwarebytes ⋅ Jovi Umawing
HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty

2021-03-08 ⋅ Sentinel LABS ⋅ Jim Walter
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty

2021-02-10 ⋅ Cado Security ⋅ Christopher Doman
Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty

2021-02-09 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar
Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty

2020-11-13 ⋅ ID Ransomware ⋅ Andrew Ivanov
HelloKitty Ransomware
HelloKitty

Yara Rules

[TLP:WHITE] win_hellokitty_auto (20251219 | Detects win.hellokitty.)

rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89542414 3d00010000 0f8f27010000 8bcb e8???????? 8bf0 }
            // n = 6, score = 100
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   3d00010000           | cmp                 eax, 0x100
            //   0f8f27010000         | jg                  0x12d
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 6a08 58 75a4 5b 5f 5e c9 }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   58                   | pop                 eax
            //   75a4                 | jne                 0xffffffa6
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               

        $sequence_2 = { 50 ffd6 8bd8 8945fc 83c8ff 3bd8 0f846b020000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83c8ff               | or                  eax, 0xffffffff
            //   3bd8                 | cmp                 ebx, eax
            //   0f846b020000         | je                  0x271

        $sequence_3 = { 8b45fc 8b4048 f00fc118 4b 7515 8b45fc 817848c0044200 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   f00fc118             | lock xadd           dword ptr [eax], ebx
            //   4b                   | dec                 ebx
            //   7515                 | jne                 0x17
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   817848c0044200       | cmp                 dword ptr [eax + 0x48], 0x4204c0

        $sequence_4 = { 03c8 8b45f0 03ce 8b75fc 894df8 c1c105 8b4034 }
            // n = 7, score = 100
            //   03c8                 | add                 ecx, eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   03ce                 | add                 ecx, esi
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   c1c105               | rol                 ecx, 5
            //   8b4034               | mov                 eax, dword ptr [eax + 0x34]

        $sequence_5 = { 8d4c242c e8???????? 837c243c08 8d442428 0f43442428 33ff 57 }
            // n = 7, score = 100
            //   8d4c242c             | lea                 ecx, [esp + 0x2c]
            //   e8????????           |                     
            //   837c243c08           | cmp                 dword ptr [esp + 0x3c], 8
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   0f43442428           | cmovae              eax, dword ptr [esp + 0x28]
            //   33ff                 | xor                 edi, edi
            //   57                   | push                edi

        $sequence_6 = { 8b7508 2bdf ba10000000 660f1f440000 8a0c06 8d4001 3248ff }
            // n = 7, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   2bdf                 | sub                 ebx, edi
            //   ba10000000           | mov                 edx, 0x10
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   8a0c06               | mov                 cl, byte ptr [esi + eax]
            //   8d4001               | lea                 eax, [eax + 1]
            //   3248ff               | xor                 cl, byte ptr [eax - 1]

        $sequence_7 = { 0fb689303b4200 33f9 333d???????? 33fa 8bd7 89b880000000 33d6 }
            // n = 7, score = 100
            //   0fb689303b4200       | movzx               ecx, byte ptr [ecx + 0x423b30]
            //   33f9                 | xor                 edi, ecx
            //   333d????????         |                     
            //   33fa                 | xor                 edi, edx
            //   8bd7                 | mov                 edx, edi
            //   89b880000000         | mov                 dword ptr [eax + 0x80], edi
            //   33d6                 | xor                 edx, esi

        $sequence_8 = { c1c806 33c8 8b45dc 3345e8 034dac 23f0 3375dc }
            // n = 7, score = 100
            //   c1c806               | ror                 eax, 6
            //   33c8                 | xor                 ecx, eax
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   3345e8               | xor                 eax, dword ptr [ebp - 0x18]
            //   034dac               | add                 ecx, dword ptr [ebp - 0x54]
            //   23f0                 | and                 esi, eax
            //   3375dc               | xor                 esi, dword ptr [ebp - 0x24]

        $sequence_9 = { c1c10e 33c8 8bc2 8b55cc 8bf2 c1e803 33c8 }
            // n = 7, score = 100
            //   c1c10e               | rol                 ecx, 0xe
            //   33c8                 | xor                 ecx, eax
            //   8bc2                 | mov                 eax, edx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   8bf2                 | mov                 esi, edx
            //   c1e803               | shr                 eax, 3
            //   33c8                 | xor                 ecx, eax

    condition:
        7 of them and filesize < 319488
}

Download all Yara Rules

HelloKitty Propose Change

References

Yara Rules

HelloKitty