win.ironcat

Ironcat


There is no description at this point.

References
2020-09-26Aaron Rosenmund
Ironcat Ransomware
Ironcat
2020-09-23Twitter (@demonslay335)Michael Gillespie
Tweet on Ironcat (Sodinokibi imposter)
Ironcat
Yara Rules
[TLP:WHITE] win_ironcat_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ironcat_auto {

    // Autogenerated code-sequence signature for the Ironcat sample referenced in
    // the meta below. It matches when at least 7 of the 10 byte sequences in the
    // strings section are present and the scanned file is smaller than
    // 13769728 bytes (see the condition at the bottom).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw instruction bytes written as hex. A `??`
    // masks one byte; here the wildcards sit where a rel32/disp32 operand would
    // be (e.g. after e8 = call rel32, 0f84 = jz rel32, 833d = cmp [disp32], imm8),
    // so the pattern still matches when the referenced address is relocated.
    // NOTE(review): the mnemonic column in the per-byte comments below appears
    // shifted relative to the hex on the left — e.g. `c60001` decodes to
    // `mov byte ptr [rax], 1`, not the listed `mov dword ptr [esp + 8], eax`, and
    // the 0x48 REX prefixes of this 64-bit code show up as a 32-bit `dec eax`.
    // Treat that column as indicative only; re-disassemble the bytes before
    // relying on it for triage or for hand-tuning the rule.
    strings:
        $sequence_0 = { c60001 488d05ac4c0800 48890424 488b442428 4889442408 488d0daed30c00 48894c2410 }
            // n = 7, score = 100
            //   c60001               | mov                 dword ptr [esp + 8], eax
            //   488d05ac4c0800       | nop                 
            //   48890424             | dec                 eax
            //   488b442428           | lea                 eax, [0xf798f]
            //   4889442408           | dec                 eax
            //   488d0daed30c00       | mov                 dword ptr [esp], eax
            //   48894c2410           | dec                 eax

        $sequence_1 = { ba01000000 ebb0 48898424e8000000 888c24f0000000 488bac24d8000000 4881c4e0000000 c3 }
            // n = 7, score = 100
            //   ba01000000           | dec                 eax
            //   ebb0                 | lea                 eax, [0x207925]
            //   48898424e8000000     | dec                 eax
            //   888c24f0000000       | mov                 dword ptr [esp + 8], eax
            //   488bac24d8000000     | dec                 eax
            //   4881c4e0000000       | mov                 dword ptr [esp + 0x10], 8
            //   c3                   | dec                 eax

        $sequence_2 = { b803000000 b903000000 31ff e9???????? 4883f812 751e 488b5c2460 }
            // n = 7, score = 100
            //   b803000000           | dec                 eax
            //   b903000000           | lea                 eax, [ecx + 5]
            //   31ff                 | dec                 eax
            //   e9????????           |                     
            //   4883f812             | mov                 dword ptr [esp + 0x50], eax
            //   751e                 | dec                 eax
            //   488b5c2460           | mov                 dword ptr [esp + 0x10], eax

        $sequence_3 = { 90 488d05fab34300 48890424 e8???????? 488b442430 488b88000e0000 4885c9 }
            // n = 7, score = 100
            //   90                   | mov                 esi, dword ptr [esp + 0xa8]
            //   488d05fab34300       | dec                 eax
            //   48890424             | mov                 edi, dword ptr [esp + 0x1e0]
            //   e8????????           |                     
            //   488b442430           | dec                 esp
            //   488b88000e0000       | mov                 eax, dword ptr [esp + 0xc8]
            //   4885c9               | dec                 esp

        $sequence_4 = { f00fb1be68010000 400f94c7 4c8d8e68010000 4084ff 0f848b010000 c78424c000000008000000 488d050c230c00 }
            // n = 7, score = 100
            //   f00fb1be68010000     | dec                 eax
            //   400f94c7             | mov                 edx, dword ptr [esp + 0x18]
            //   4c8d8e68010000       | jne                 0xc1a
            //   4084ff               | dec                 eax
            //   0f848b010000         | mov                 dword ptr [eax], 0
            //   c78424c000000008000000     | dec    eax
            //   488d050c230c00       | lea                 edi, [eax + 8]

        $sequence_5 = { b810000000 eb93 833d????????00 0f8433090000 65488b1c2528000000 488b9b00000000 488b7330 }
            // n = 7, score = 100
            //   b810000000           | lea                 eax, [0x182b15]
            //   eb93                 | dec                 eax
            //   833d????????00       |                     
            //   0f8433090000         | mov                 dword ptr [esp], eax
            //   65488b1c2528000000     | dec    eax
            //   488b9b00000000       | mov                 eax, dword ptr [esp + 8]
            //   488b7330             | dec                 eax

        $sequence_6 = { c3 b80f000000 e8???????? 4c89c9 90 e8???????? 4c89c9 }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   b80f000000           | cmp                 eax, ecx
            //   e8????????           |                     
            //   4c89c9               | jne                 0x1f68
            //   90                   | dec                 eax
            //   e8????????           |                     
            //   4c89c9               | mov                 eax, dword ptr [esp + 0x38]

        $sequence_7 = { c3 48894c2440 48890424 e8???????? 488b542408 488b4c2440 488d052a402600 }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   48894c2440           | mov                 dword ptr [esp + 0x18], ebx
            //   48890424             | dec                 eax
            //   e8????????           |                     
            //   488b542408           | mov                 dword ptr [esp + 0x20], esi
            //   488b4c2440           | dec                 eax
            //   488d052a402600       | lea                 eax, [0x1aa153]

        $sequence_8 = { b800400000 480f4fc8 48894c2470 488b6c2450 4883c458 c3 488d051a020e00 }
            // n = 7, score = 100
            //   b800400000           | dec                 eax
            //   480f4fc8             | lea                 edx, [0x232b18]
            //   48894c2470           | dec                 eax
            //   488b6c2450           | mov                 dword ptr [esp + 0x10], edx
            //   4883c458             | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x18], 2
            //   488d051a020e00       | dec                 eax

        $sequence_9 = { ebc6 83fe02 0f8445feffff 31ff e9???????? 90 90 }
            // n = 7, score = 100
            //   ebc6                 | dec                 eax
            //   83fe02               | lea                 edi, [edx + 8]
            //   0f8445feffff         | jmp                 0x2a3
            //   31ff                 | dec                 eax
            //   e9????????           |                     
            //   90                   | lea                 eax, [0xba741]
            //   90                   | dec                 eax

    condition:
        // Any 7 of the 10 sequences must hit, and only files below 13769728
        // bytes (~13.1 MiB) are eligible; larger files never match this rule.
        7 of them and filesize < 13769728
}