win.hellokitty

HelloKitty

aka: KittyCrypt

Unit 42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020 and primarily targets Windows systems. The family takes its name from the mutex it creates, HelloKittyMutex. Samples appear to evolve quickly and frequently, with different versions using the .crypted or .kitty file extension for encrypted files. Some newer samples use a Golang packer that ensures the final ransomware code is only ever loaded in memory, most likely to evade detection by security solutions.

References
2023-12-13 | cocomelonc | cocomelonc
Malware in the wild book
Families: AsyncRAT, Babuk, BlackCat, BlackLotus, Carbanak, HelloKitty, Paradise, Stealc, WinDealer

2023-02-14 | Intrinsec | CTI Intrinsec, Intrinsec
Vice-Society spreads its own ransomware
Families: HelloKitty, PolyVice, Zeppelin

2023-01-04 | cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
Families: AsyncRAT, Conti, HelloKitty

2022-09-20 | vmware | Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Families: Conti, HelloKitty

2022-09-06 | CISA | CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Families: Cobalt Strike, Empire Downloader, FiveHands, HelloKitty, SystemBC, Zeppelin

2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
Families: AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, Blister, Cobalt Strike, Emotet, FiveHands, Gozi, IcedID, ISFB, JSSLoader, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, Rook, Ryuk, SystemBC, TrickBot, WastedLocker; actor: BRONZE STARLIGHT

2022-05-01 | BushidoToken | BushidoToken
Gamer Cheater Hacker Spy
Families: Egregor, HelloKitty, NetfilterRootkit, RagnarLocker, Winnti

2022-04-25 | Medium proferosec-osm | Brenton Morris
Static unpacker and decoder for Hello Kitty Packer
Families: HelloKitty

2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
Families: AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive, Karakurt

2022-03-21 | eSentire | eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
Families: HelloKitty, BazarBackdoor, Cobalt Strike, Conti, FiveHands, IcedID

2021-11-02 | SpearTip | Chris Swagler
FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
Families: HelloKitty

2021-10-28 | FBI | FBI
CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
Families: HelloKitty

2021-08-24 | Palo Alto Networks Unit 42 | Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
Families: HelloKitty, AvosLocker, Hive, LockBit

2021-07-17 | Bleeping Computer | Sergiu Gatlan
HelloKitty ransomware is targeting vulnerable SonicWall devices
Families: HelloKitty

2021-06-28 | CrowdStrike | Alexandru Ghita
New Ransomware Variant Uses Golang Packer
Families: FiveHands, HelloKitty

2021-05-31 | DataBreaches.net | Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Families: Babuk, HelloKitty

2021-04-29 | FireEye | Justin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Families: Cobalt Strike, FiveHands, HelloKitty

2021-03-18 | Malwarebytes | Jovi Umawing
HelloKitty: When Cyberpunk met cy-purr-crime
Families: HelloKitty

2021-03-08 | Sentinel LABS | Jim Walter
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
Families: HelloKitty

2021-02-10 | Cado Security | Christopher Doman
Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
Families: HelloKitty

2021-02-09 | Twitter (@fwosar) | Fabian Wosar
Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
Families: HelloKitty

2020-11-13 | ID Ransomware | Andrew Ivanov
HelloKitty Ransomware
Families: HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20230808 | Detects win.hellokitty.)
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8975fc 8d4e08 c706???????? e8???????? 6818010000 8d86d0030000 6a00 }
            // n = 7, score = 100
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8d4e08               | lea                 ecx, [esi + 8]
            //   c706????????         |                     
            //   e8????????           |                     
            //   6818010000           | push                0x118
            //   8d86d0030000         | lea                 eax, [esi + 0x3d0]
            //   6a00                 | push                0

        $sequence_1 = { 23df 234df0 8bc7 c1c802 0bd9 33d0 03de }
            // n = 7, score = 100
            //   23df                 | and                 ebx, edi
            //   234df0               | and                 ecx, dword ptr [ebp - 0x10]
            //   8bc7                 | mov                 eax, edi
            //   c1c802               | ror                 eax, 2
            //   0bd9                 | or                  ebx, ecx
            //   33d0                 | xor                 edx, eax
            //   03de                 | add                 ebx, esi

        $sequence_2 = { 7509 0fb64702 3a4604 7411 83c32c 41 83c72c }
            // n = 7, score = 100
            //   7509                 | jne                 0xb
            //   0fb64702             | movzx               eax, byte ptr [edi + 2]
            //   3a4604               | cmp                 al, byte ptr [esi + 4]
            //   7411                 | je                  0x13
            //   83c32c               | add                 ebx, 0x2c
            //   41                   | inc                 ecx
            //   83c72c               | add                 edi, 0x2c

        $sequence_3 = { 33d2 8b45ec 8bf1 0fa4c11e c1ee02 0bd1 c1e01e }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8bf1                 | mov                 esi, ecx
            //   0fa4c11e             | shld                ecx, eax, 0x1e
            //   c1ee02               | shr                 esi, 2
            //   0bd1                 | or                  edx, ecx
            //   c1e01e               | shl                 eax, 0x1e

        $sequence_4 = { 8b048520364200 56 8b7508 57 8b4c0818 8b4514 832600 }
            // n = 7, score = 100
            //   8b048520364200       | mov                 eax, dword ptr [eax*4 + 0x423620]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b4c0818             | mov                 ecx, dword ptr [eax + ecx + 0x18]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   832600               | and                 dword ptr [esi], 0

        $sequence_5 = { 33ca 8bd1 894dec 8988a8000000 33d3 }
            // n = 5, score = 100
            //   33ca                 | xor                 ecx, edx
            //   8bd1                 | mov                 edx, ecx
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8988a8000000         | mov                 dword ptr [eax + 0xa8], ecx
            //   33d3                 | xor                 edx, ebx

        $sequence_6 = { 8b759c 03c2 8bd1 8945f8 8bc1 c1c807 c1c20e }
            // n = 7, score = 100
            //   8b759c               | mov                 esi, dword ptr [ebp - 0x64]
            //   03c2                 | add                 eax, edx
            //   8bd1                 | mov                 edx, ecx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8bc1                 | mov                 eax, ecx
            //   c1c807               | ror                 eax, 7
            //   c1c20e               | rol                 edx, 0xe

        $sequence_7 = { 8b45c0 3175c4 8bf0 0facc81c c1e604 0bd0 c1e91c }
            // n = 7, score = 100
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   3175c4               | xor                 dword ptr [ebp - 0x3c], esi
            //   8bf0                 | mov                 esi, eax
            //   0facc81c             | shrd                eax, ecx, 0x1c
            //   c1e604               | shl                 esi, 4
            //   0bd0                 | or                  edx, eax
            //   c1e91c               | shr                 ecx, 0x1c

        $sequence_8 = { 8bf8 83c020 59 f3a5 8b7508 83ee20 89450c }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   83c020               | add                 eax, 0x20
            //   59                   | pop                 ecx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83ee20               | sub                 esi, 0x20
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax

        $sequence_9 = { c1ce02 8b45d0 03cf 3345ec 3345c4 3345f0 8b7df4 }
            // n = 7, score = 100
            //   c1ce02               | ror                 esi, 2
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   03cf                 | add                 ecx, edi
            //   3345ec               | xor                 eax, dword ptr [ebp - 0x14]
            //   3345c4               | xor                 eax, dword ptr [ebp - 0x3c]
            //   3345f0               | xor                 eax, dword ptr [ebp - 0x10]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 319488
}