win.pay2key

Pay2Key

aka: Cobalt

There is no description at this point.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-12-17 | ClearSky | ClearSky Research Team
@techreport{team:20201217:pay2kitten:2298e19, author = {ClearSky Research Team}, title = {{Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten}}, date = {2020-12-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf}, language = {English}, urldate = {2020-12-17} } Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten
Pay2Key
2020-12-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} } Intel's Habana Labs hacked by Pay2Key ransomware, data stolen
Pay2Key
2020-11-06 | Checkpoint | Check Point Research
@online{research:20201106:ransomware:a394f4b, author = {Check Point Research}, title = {{Ransomware Alert: Pay2Key}}, date = {2020-11-06}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/ransomware-alert-pay2key/}, language = {English}, urldate = {2020-11-06} } Ransomware Alert: Pay2Key
Pay2Key
Yara Rules
[TLP:WHITE] win_pay2key_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_pay2key_auto {

    // Autogenerated detection signature for the Pay2Key ransomware family
    // (Malpedia id win.pay2key). The byte patterns below were emitted by
    // yara-signator from code found in Malpedia's samples; the DISCLAIMER
    // block explains the coverage and confidence caveats that follow from that.
    // The meta block records the rule's provenance (generator version, Malpedia
    // dataset version and rule hash) so a match can be traced back to the exact
    // rule revision that produced it.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of 32-bit x86 instruction bytes (the operands
    // reference ebp/esi/edi etc., so the rule targets 32-bit code); the
    // disassembly listed beneath each pattern is informational only and is not
    // evaluated by YARA. "????????" are YARA hex wildcards: the four operand
    // bytes of call/jmp/push-immediate instructions are left unmatched, because
    // those values presumably vary between builds (relocations, addresses).
    // In the generator's annotations, "n" is the number of instructions in the
    // sequence (all are 7 here) and "score" is presumably yara-signator's
    // ranking value for the pattern — neither is a YARA construct.
    strings:
        $sequence_0 = { 8d4d88 e9???????? 8d4dd8 e9???????? 8d8d2cffffff e9???????? 8b4d80 }
            // n = 7, score = 200
            //   8d4d88               | lea                 ecx, [ebp - 0x78]
            //   e9????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e9????????           |                     
            //   8d8d2cffffff         | lea                 ecx, [ebp - 0xd4]
            //   e9????????           |                     
            //   8b4d80               | mov                 ecx, dword ptr [ebp - 0x80]

        $sequence_1 = { 7202 8b36 33c0 668906 8d771c 8b4614 83f808 }
            // n = 7, score = 200
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   668906               | mov                 word ptr [esi], ax
            //   8d771c               | lea                 esi, [edi + 0x1c]
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   83f808               | cmp                 eax, 8

        $sequence_2 = { 0f85e3feffff 8b559c 8bc3 2bc2 7553 8d45af c645afff }
            // n = 7, score = 200
            //   0f85e3feffff         | jne                 0xfffffee9
            //   8b559c               | mov                 edx, dword ptr [ebp - 0x64]
            //   8bc3                 | mov                 eax, ebx
            //   2bc2                 | sub                 eax, edx
            //   7553                 | jne                 0x55
            //   8d45af               | lea                 eax, [ebp - 0x51]
            //   c645afff             | mov                 byte ptr [ebp - 0x51], 0xff

        $sequence_3 = { ff15???????? 85c0 7507 8bcf e8???????? 8b4e1c e8???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   e8????????           |                     

        $sequence_4 = { c745dc07000000 6aff 50 56 8d4dc8 c745d800000000 668945c8 }
            // n = 7, score = 200
            //   c745dc07000000       | mov                 dword ptr [ebp - 0x24], 7
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0
            //   668945c8             | mov                 word ptr [ebp - 0x38], ax

        $sequence_5 = { 8b7714 8b36 90 837f1400 7517 68d8020000 68???????? }
            // n = 7, score = 200
            //   8b7714               | mov                 esi, dword ptr [edi + 0x14]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   90                   | nop                 
            //   837f1400             | cmp                 dword ptr [edi + 0x14], 0
            //   7517                 | jne                 0x19
            //   68d8020000           | push                0x2d8
            //   68????????           |                     

        $sequence_6 = { c645fc01 c70300000000 c7430400000000 8b750c 8b4508 8975f0 8945ec }
            // n = 7, score = 200
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   c7430400000000       | mov                 dword ptr [ebx + 4], 0
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_7 = { 837f4400 0f86b5010000 83ec18 8d45a8 8bcc 50 e8???????? }
            // n = 7, score = 200
            //   837f4400             | cmp                 dword ptr [edi + 0x44], 0
            //   0f86b5010000         | jbe                 0x1bb
            //   83ec18               | sub                 esp, 0x18
            //   8d45a8               | lea                 eax, [ebp - 0x58]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 8bbd24ffffff 8b952cffffff 299384000000 8b37 837e0800 7517 68d8020000 }
            // n = 7, score = 200
            //   8bbd24ffffff         | mov                 edi, dword ptr [ebp - 0xdc]
            //   8b952cffffff         | mov                 edx, dword ptr [ebp - 0xd4]
            //   299384000000         | sub                 dword ptr [ebx + 0x84], edx
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   7517                 | jne                 0x19
            //   68d8020000           | push                0x2d8

        $sequence_9 = { 8b4d14 5f 5e f30f7e00 660fd601 8b4008 894108 }
            // n = 7, score = 200
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   f30f7e00             | movq                xmm0, qword ptr [eax]
            //   660fd601             | movq                qword ptr [ecx], xmm0
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   894108               | mov                 dword ptr [ecx + 8], eax

    // A file matches when at least 7 of the 10 $sequence_* patterns are present
    // and the scanned file is smaller than 2113536 bytes (just over 2 MiB).
    // The 7-of-10 threshold tolerates a few sequences being altered or absent
    // in a given build; the size bound keeps scanning cost down and reduces
    // false positives on large files that happen to embed similar code.
    // Because the sequences come from unpacked/memory-dump code (see the
    // DISCLAIMER), expect this rule to match unpacked or in-memory samples
    // rather than packed on-disk binaries.
    condition:
        7 of them and filesize < 2113536
}