win.pay2key

Pay2Key

aka: Cobalt

There is no description at this point.

References
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} }
Families: RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-04 | Twitter (@TrendMicroRSRCH) | Trend Micro Research
Tweet on N3tw0rm ransomware, that has started affecting users in Israel.
@online{research:20210504:n3tw0rm:626085f, author = {Trend Micro Research}, title = {{Tweet on N3tw0rm ransomware, that has started affecting users in Israel.}}, date = {2021-05-04}, organization = {Twitter (@TrendMicroRSRCH)}, url = {https://twitter.com/TrendMicroRSRCH/status/1389422784808378370}, language = {English}, urldate = {2021-05-04} }
Families: Pay2Key
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Families: elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-17 | ClearSky | ClearSky Research Team
Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten
@techreport{team:20201217:pay2kitten:2298e19, author = {ClearSky Research Team}, title = {{Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten}}, date = {2020-12-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf}, language = {English}, urldate = {2020-12-17} }
Families: Pay2Key
2020-12-13 | Bleeping Computer | Lawrence Abrams
Intel's Habana Labs hacked by Pay2Key ransomware, data stolen
@online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} }
Families: Pay2Key
2020-11-06 | Checkpoint | Check Point Research
Ransomware Alert: Pay2Key
@online{research:20201106:ransomware:a394f4b, author = {Check Point Research}, title = {{Ransomware Alert: Pay2Key}}, date = {2020-11-06}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/ransomware-alert-pay2key/}, language = {English}, urldate = {2020-11-06} }
Families: Pay2Key
Yara Rules
[TLP:WHITE] win_pay2key_auto (20230715 | Detects win.pay2key.)
rule win_pay2key_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pay2key."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c645fc06 8b4d08 54 8b11 ff5204 8d8d74ffffff }
            // n = 7, score = 300
            //   e8????????           |                     
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   54                   | push                esp
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   ff5204               | call                dword ptr [edx + 4]
            //   8d8d74ffffff         | lea                 ecx, [ebp - 0x8c]

        $sequence_1 = { c745bc0f000000 c745b800000000 c645a800 e8???????? c645fc03 8d4dc0 6a02 }
            // n = 7, score = 300
            //   c745bc0f000000       | mov                 dword ptr [ebp - 0x44], 0xf
            //   c745b800000000       | mov                 dword ptr [ebp - 0x48], 0
            //   c645a800             | mov                 byte ptr [ebp - 0x58], 0
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   6a02                 | push                2

        $sequence_2 = { ff7538 e8???????? 8b4df4 64890d00000000 59 5f 5e }
            // n = 7, score = 300
            //   ff7538               | push                dword ptr [ebp + 0x38]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { c745fc00000000 8b0e 50 e8???????? c645fc02 8b08 85c9 }
            // n = 7, score = 300
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { c7869400000000000000 5e 5d c20800 8b7008 57 8b7908 }
            // n = 7, score = 300
            //   c7869400000000000000     | mov    dword ptr [esi + 0x94], 0
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   8b7008               | mov                 esi, dword ptr [eax + 8]
            //   57                   | push                edi
            //   8b7908               | mov                 edi, dword ptr [ecx + 8]

        $sequence_5 = { e8???????? 83c408 8bf0 8d4520 3bc6 7432 8b4534 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   8d4520               | lea                 eax, [ebp + 0x20]
            //   3bc6                 | cmp                 eax, esi
            //   7432                 | je                  0x34
            //   8b4534               | mov                 eax, dword ptr [ebp + 0x34]

        $sequence_6 = { ff750c ff7508 e8???????? 8bf0 8d4608 85c0 }
            // n = 6, score = 300
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d4608               | lea                 eax, [esi + 8]
            //   85c0                 | test                eax, eax

        $sequence_7 = { ffd7 85c0 7517 68a0000000 68???????? 68???????? e8???????? }
            // n = 7, score = 300
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7517                 | jne                 0x19
            //   68a0000000           | push                0xa0
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_8 = { ff7604 ff15???????? 6a0c 56 e8???????? 83c408 c787d400000000000000 }
            // n = 7, score = 300
            //   ff7604               | push                dword ptr [esi + 4]
            //   ff15????????         |                     
            //   6a0c                 | push                0xc
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c787d400000000000000     | mov    dword ptr [edi + 0xd4], 0

        $sequence_9 = { 8d9798000000 83c40c 66c7041eabba 83c302 837a1410 7204 8b02 }
            // n = 7, score = 300
            //   8d9798000000         | lea                 edx, [edi + 0x98]
            //   83c40c               | add                 esp, 0xc
            //   66c7041eabba         | mov                 word ptr [esi + ebx], 0xbaab
            //   83c302               | add                 ebx, 2
            //   837a1410             | cmp                 dword ptr [edx + 0x14], 0x10
            //   7204                 | jb                  6
            //   8b02                 | mov                 eax, dword ptr [edx]

    condition:
        7 of them and filesize < 2252800
}