MegaCortex (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.megacortex (Back to overview)

MegaCortex

VTCollection

Megacortex is a ransomware used in targeted attacks against corporations.
Once the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.

References

2023-01-05 ⋅ Bleeping Computer ⋅ Bill Toulas
Bitdefender releases free MegaCortex ransomware decryptor
MegaCortex

2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2020-11-27 ⋅ PTSecurity ⋅ Alexey Vishnyakov, Denis Goydenko
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2019-12-24 ⋅ Dev Kundaliya
Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex

2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex

2019-11-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex

2019-08-05 ⋅ Threatpost ⋅ Tara Seals
MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex

2019-07-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex

2019-05-10 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
MegaCortex, deconstructed: mysteries mount as analysis continues
MegaCortex

2019-05-07 ⋅ Trend Micro ⋅ Trendmicro
MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex

2019-05-03 ⋅ Sophos ⋅ Andrew Brandt
“MegaCortex” ransomware wants to be The One
MegaCortex

2019-01-01 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Ransom.Megacortex
MegaCortex

Yara Rules

[TLP:WHITE] win_megacortex_auto (20260504 | Detects win.megacortex.)

rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.megacortex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b00 8be5 5d c3 8d4df0 e8???????? 68???????? }
            // n = 7, score = 400
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_1 = { f7df 1bff 2bd8 23fa 03f9 8d46ff f7d8 }
            // n = 7, score = 400
            //   f7df                 | neg                 edi
            //   1bff                 | sbb                 edi, edi
            //   2bd8                 | sub                 ebx, eax
            //   23fa                 | and                 edi, edx
            //   03f9                 | add                 edi, ecx
            //   8d46ff               | lea                 eax, [esi - 1]
            //   f7d8                 | neg                 eax

        $sequence_2 = { ff75c4 ff15???????? 85c0 740a ff15???????? 85c0 742b }
            // n = 7, score = 400
            //   ff75c4               | push                dword ptr [ebp - 0x3c]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742b                 | je                  0x2d

        $sequence_3 = { ff75b8 e8???????? 0175b8 8d430f 83c40c 8d5320 297510 }
            // n = 7, score = 400
            //   ff75b8               | push                dword ptr [ebp - 0x48]
            //   e8????????           |                     
            //   0175b8               | add                 dword ptr [ebp - 0x48], esi
            //   8d430f               | lea                 eax, [ebx + 0xf]
            //   83c40c               | add                 esp, 0xc
            //   8d5320               | lea                 edx, [ebx + 0x20]
            //   297510               | sub                 dword ptr [ebp + 0x10], esi

        $sequence_4 = { 894604 8901 8b85349cffff 8b00 50 8d4808 51 }
            // n = 7, score = 400
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b85349cffff         | mov                 eax, dword ptr [ebp - 0x63cc]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   8d4808               | lea                 ecx, [eax + 8]
            //   51                   | push                ecx

        $sequence_5 = { eb21 83bdac9cffff10 8d85989cffff 52 0f4385989cffff 8d8de09cffff 50 }
            // n = 7, score = 400
            //   eb21                 | jmp                 0x23
            //   83bdac9cffff10       | cmp                 dword ptr [ebp - 0x6354], 0x10
            //   8d85989cffff         | lea                 eax, [ebp - 0x6368]
            //   52                   | push                edx
            //   0f4385989cffff       | cmovae              eax, dword ptr [ebp - 0x6368]
            //   8d8de09cffff         | lea                 ecx, [ebp - 0x6320]
            //   50                   | push                eax

        $sequence_6 = { 8db378020000 56 e8???????? ff7508 57 53 68???????? }
            // n = 7, score = 400
            //   8db378020000         | lea                 esi, [ebx + 0x278]
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   57                   | push                edi
            //   53                   | push                ebx
            //   68????????           |                     

        $sequence_7 = { ff75e8 56 6a18 eb0f 83f807 7538 }
            // n = 6, score = 400
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   56                   | push                esi
            //   6a18                 | push                0x18
            //   eb0f                 | jmp                 0x11
            //   83f807               | cmp                 eax, 7
            //   7538                 | jne                 0x3a

        $sequence_8 = { f7d8 895dfc 1bc0 23c1 8b10 2bc6 83e2fd }
            // n = 7, score = 400
            //   f7d8                 | neg                 eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   2bc6                 | sub                 eax, esi
            //   83e2fd               | and                 edx, 0xfffffffd

        $sequence_9 = { e8???????? 8bf0 83c40c 85f6 0f85b0000000 6a01 ff750c }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f85b0000000         | jne                 0xb6
            //   6a01                 | push                1
            //   ff750c               | push                dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 1556480
}

Download all Yara Rules

MegaCortex Propose Change

References

Yara Rules

MegaCortex