win.pay2key

Pay2Key

aka: Cobalt

There is no description at this point.

References
2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} }
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-04 | Twitter (@TrendMicroRSRCH) | Trend Micro Research
@online{research:20210504:n3tw0rm:626085f, author = {Trend Micro Research}, title = {{Tweet on N3tw0rm ransomware, that has started affecting users in Israel.}}, date = {2021-05-04}, organization = {Twitter (@TrendMicroRSRCH)}, url = {https://twitter.com/TrendMicroRSRCH/status/1389422784808378370}, language = {English}, urldate = {2021-05-04} }
Pay2Key
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-17 | ClearSky | ClearSky Research Team
@techreport{team:20201217:pay2kitten:2298e19, author = {ClearSky Research Team}, title = {{Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten}}, date = {2020-12-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf}, language = {English}, urldate = {2020-12-17} }
Pay2Key
2020-12-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} }
Pay2Key
2020-11-06 | Checkpoint | Check Point Research
@online{research:20201106:ransomware:a394f4b, author = {Check Point Research}, title = {{Ransomware Alert: Pay2Key}}, date = {2020-11-06}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/ransomware-alert-pay2key/}, language = {English}, urldate = {2020-11-06} }
Pay2Key
Yara Rules
[TLP:WHITE] win_pay2key_auto (20221125 | Detects win.pay2key.)
rule win_pay2key_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.pay2key."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745fc06000000 8b750c 85f6 7421 83cfff 8bc7 f00fc14604 }
            // n = 7, score = 300
            //   c745fc06000000       | mov                 dword ptr [ebp - 4], 6
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   85f6                 | test                esi, esi
            //   7421                 | je                  0x23
            //   83cfff               | or                  edi, 0xffffffff
            //   8bc7                 | mov                 eax, edi
            //   f00fc14604           | lock xadd           dword ptr [esi + 4], eax

        $sequence_1 = { 8b7508 85f6 7433 33c0 c7461407000000 c7461000000000 8bce }
            // n = 7, score = 300
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   85f6                 | test                esi, esi
            //   7433                 | je                  0x35
            //   33c0                 | xor                 eax, eax
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   8bce                 | mov                 ecx, esi

        $sequence_2 = { 8d4dd0 e9???????? 8d4dbc e9???????? 8b542408 8d420c 8b4ac4 }
            // n = 7, score = 300
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e9????????           |                     
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b4ac4               | mov                 ecx, dword ptr [edx - 0x3c]

        $sequence_3 = { b9???????? e8???????? 68???????? e8???????? 83c404 6a00 8d45e8 }
            // n = 7, score = 300
            //   b9????????           |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6a00                 | push                0
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_4 = { c7470800000000 c7470c00000000 8b4710 894650 8bc6 8b4df4 64890d00000000 }
            // n = 7, score = 300
            //   c7470800000000       | mov                 dword ptr [edi + 8], 0
            //   c7470c00000000       | mov                 dword ptr [edi + 0xc], 0
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]
            //   894650               | mov                 dword ptr [esi + 0x50], eax
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_5 = { 8bec 83ec08 56 8bf1 c745f800000000 8bca 8975fc }
            // n = 7, score = 300
            //   8bec                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8bca                 | mov                 ecx, edx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi

        $sequence_6 = { ff5008 c745fc01000000 8b1f 8b7708 83c604 837b0800 7517 }
            // n = 7, score = 300
            //   ff5008               | call                dword ptr [eax + 8]
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8b7708               | mov                 esi, dword ptr [edi + 8]
            //   83c604               | add                 esi, 4
            //   837b0800             | cmp                 dword ptr [ebx + 8], 0
            //   7517                 | jne                 0x19

        $sequence_7 = { c645fc09 8bcc ff7508 e8???????? 8bcf c645fc01 e8???????? }
            // n = 7, score = 300
            //   c645fc09             | mov                 byte ptr [ebp - 4], 9
            //   8bcc                 | mov                 ecx, esp
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     

        $sequence_8 = { 6a23 68???????? 68???????? e8???????? 83c40c 6a04 56 }
            // n = 7, score = 300
            //   6a23                 | push                0x23
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a04                 | push                4
            //   56                   | push                esi

        $sequence_9 = { f30f7e4020 83c028 660fd64120 83c128 50 e8???????? 8bce }
            // n = 7, score = 300
            //   f30f7e4020           | movq                xmm0, qword ptr [eax + 0x20]
            //   83c028               | add                 eax, 0x28
            //   660fd64120           | movq                qword ptr [ecx + 0x20], xmm0
            //   83c128               | add                 ecx, 0x28
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

    condition:
        7 of them and filesize < 2252800
}