win.pay2key

Pay2Key

aka: Cobalt

There is no description at this point.

References
2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f,
  author = {DarkTracer},
  title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
  date = {2021-05-10},
  organization = {DarkTracer},
  url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
  language = {English},
  urldate = {2021-05-13}
}

2021-05-04 | Twitter (@TrendMicroRSRCH) | Trend Micro Research
@online{research:20210504:n3tw0rm:626085f,
  author = {Trend Micro Research},
  title = {{Tweet on N3tw0rm ransomware, that has started affecting users in Israel.}},
  date = {2021-05-04},
  organization = {Twitter (@TrendMicroRSRCH)},
  url = {https://twitter.com/TrendMicroRSRCH/status/1389422784808378370},
  language = {English},
  urldate = {2021-05-04}
}

2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd,
  author = {PWC UK},
  title = {{Cyber Threats 2020: A Year in Retrospect}},
  date = {2021-02-28},
  institution = {PWC UK},
  url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
  language = {English},
  urldate = {2021-03-04}
}

2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
  author = {CrowdStrike},
  title = {{2021 Global Threat Report}},
  date = {2021-02-23},
  institution = {CrowdStrike},
  url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
  language = {English},
  urldate = {2021-02-25}
}

2020-12-17 | ClearSky | ClearSky Research Team
@techreport{team:20201217:pay2kitten:2298e19,
  author = {ClearSky Research Team},
  title = {{Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten}},
  date = {2020-12-17},
  institution = {ClearSky},
  url = {https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf},
  language = {English},
  urldate = {2020-12-17}
}

2020-12-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20201213:intels:ae85240,
  author = {Lawrence Abrams},
  title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}},
  date = {2020-12-13},
  organization = {Bleeping Computer},
  url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/},
  language = {English},
  urldate = {2020-12-14}
}

2020-11-06 | Checkpoint | Check Point Research
@online{research:20201106:ransomware:a394f4b,
  author = {Check Point Research},
  title = {{Ransomware Alert: Pay2Key}},
  date = {2020-11-06},
  organization = {Checkpoint},
  url = {https://research.checkpoint.com/2020/ransomware-alert-pay2key/},
  language = {English},
  urldate = {2020-11-06}
}

Yara Rules
[TLP:WHITE] win_pay2key_auto (20210616 | Detects win.pay2key.)
rule win_pay2key_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.pay2key."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 668908 898f88030000 898f8c030000 898f90030000 8d8f94030000 e8???????? }
            // n = 7, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   668908               | mov                 word ptr [eax], cx
            //   898f88030000         | mov                 dword ptr [edi + 0x388], ecx
            //   898f8c030000         | mov                 dword ptr [edi + 0x38c], ecx
            //   898f90030000         | mov                 dword ptr [edi + 0x390], ecx
            //   8d8f94030000         | lea                 ecx, dword ptr [edi + 0x394]
            //   e8????????           |                     

        $sequence_1 = { 6a00 894604 ffd7 894608 6a00 68ffffff7f 85c0 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   ffd7                 | call                edi
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   6a00                 | push                0
            //   68ffffff7f           | push                0x7fffffff
            //   85c0                 | test                eax, eax

        $sequence_2 = { 85db 7414 83ec0c 8bcc ff75f0 e8???????? 8bcb }
            // n = 7, score = 300
            //   85db                 | test                ebx, ebx
            //   7414                 | je                  0x16
            //   83ec0c               | sub                 esp, 0xc
            //   8bcc                 | mov                 ecx, esp
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx

        $sequence_3 = { c60100 8d4d74 6a00 51 8d4f70 e8???????? 8d8788000000 }
            // n = 7, score = 300
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8d4d74               | lea                 ecx, dword ptr [ebp + 0x74]
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   8d4f70               | lea                 ecx, dword ptr [edi + 0x70]
            //   e8????????           |                     
            //   8d8788000000         | lea                 eax, dword ptr [edi + 0x88]

        $sequence_4 = { f00fc14608 7507 8b06 8bce ff5004 8b4dec 8b45f0 }
            // n = 7, score = 300
            //   f00fc14608           | lock xadd           dword ptr [esi + 8], eax
            //   7507                 | jne                 9
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bce                 | mov                 ecx, esi
            //   ff5004               | call                dword ptr [eax + 4]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_5 = { 83c10c e9???????? e8???????? c3 8b4dd4 83c114 e9???????? }
            // n = 7, score = 300
            //   83c10c               | add                 ecx, 0xc
            //   e9????????           |                     
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   83c114               | add                 ecx, 0x14
            //   e9????????           |                     

        $sequence_6 = { 8d4d20 e8???????? 32c0 eb16 b8???????? c3 8d4d08 }
            // n = 7, score = 300
            //   8d4d20               | lea                 ecx, dword ptr [ebp + 0x20]
            //   e8????????           |                     
            //   32c0                 | xor                 al, al
            //   eb16                 | jmp                 0x18
            //   b8????????           |                     
            //   c3                   | ret                 
            //   8d4d08               | lea                 ecx, dword ptr [ebp + 8]

        $sequence_7 = { c7461000000000 7202 8b36 33c0 668906 8db758030000 8b4614 }
            // n = 7, score = 300
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   668906               | mov                 word ptr [esi], ax
            //   8db758030000         | lea                 esi, dword ptr [edi + 0x358]
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]

        $sequence_8 = { ff75f0 51 51 e8???????? 83c410 8b4df4 64890d00000000 }
            // n = 7, score = 300
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_9 = { c745d000000000 c745d40f000000 83fb10 720f 8d4301 50 }
            // n = 6, score = 300
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c745d40f000000       | mov                 dword ptr [ebp - 0x2c], 0xf
            //   83fb10               | cmp                 ebx, 0x10
            //   720f                 | jb                  0x11
            //   8d4301               | lea                 eax, dword ptr [ebx + 1]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 2252800
}