win.suncrypt (Back to overview)

SunCrypt


There is no description at this point.

References
2021-04-07 | ANALYST1 | Jon DiMaggio
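@techreport{dimaggio:20210407:ransom:a543eac,
  author      = {DiMaggio, Jon},
  title       = {{Ransom Mafia} Analysis of the World's First Ransomware Cartel},
  institution = {ANALYST1},
  date        = {2021-04-07},
  url         = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
  urldate     = {2021-04-09},
  language    = {English},
}
Ransom Mafia Analysis of the World's First Ransomware Cartel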
Conti Ransomware Egregor LockBit Maze RagnarLocker Ryuk SunCrypt
2021-03-28 | PC's Xcetra Support | David Ledbetter
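@online{ledbetter:20210328:suncrypt:121d53e,
  author       = {Ledbetter, David},
  title        = {{SunCrypt}, {PowerShell} obfuscation, shellcode and more yara},
  organization = {PC's Xcetra Support},
  date         = {2021-03-28},
  url          = {https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/},
  urldate      = {2021-03-31},
  language     = {English},
}
SunCrypt, PowerShell obfuscation, shellcode and more yara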
SunCrypt
2021-03-02 | Intezer | Joakim Kennedy
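@online{kennedy:20210302:when:b33af31,
  author       = {Kennedy, Joakim},
  title        = {When Viruses Mutate: Did {SunCrypt} Ransomware Evolve from {QNAPCrypt}?},
  organization = {Intezer},
  date         = {2021-03-02},
  url          = {https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt},
  urldate      = {2021-03-04},
  language     = {English},
}
When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?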
QNAPCrypt SunCrypt
2021-02-23 | CrowdStrike | CrowdStrike
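@techreport{crowdstrike:20210223:2021:bf5bc4f,
  author      = {{CrowdStrike}},
  title       = {2021 Global Threat Report},
  institution = {CrowdStrike},
  date        = {2021-02-23},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
  urldate     = {2021-02-25},
  language    = {English},
}
2021 Global Threat Report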
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-04 | Chainalysis | Chainalysis Team
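@online{team:20210204:blockchain:4e63b2f,
  author       = {{Chainalysis Team}},
  title        = {Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains},
  organization = {Chainalysis},
  date         = {2021-02-04},
  url          = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
  urldate      = {2021-02-06},
  language     = {English},
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains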
DoppelPaymer Egregor Maze SunCrypt
2020-12-16 | Accenture | Paul Mansfield
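@online{mansfield:20201216:tracking:25540bd,
  author       = {Mansfield, Paul},
  title        = {Tracking and combatting an evolving danger: Ransomware extortion},
  organization = {Accenture},
  date         = {2020-12-16},
  url          = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
  urldate      = {2020-12-17},
  language     = {English},
}
Tracking and combatting an evolving danger: Ransomware extortion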
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt
2020-11-16 | Intel 471 | Intel 471
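@online{471:20201116:ransomwareasaservice:11a5a8b,
  author       = {{Intel 471}},
  title        = {Ransomware-as-a-service: The pandemic within a pandemic},
  organization = {Intel 471},
  date         = {2020-11-16},
  url          = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
  urldate      = {2020-11-17},
  language     = {English},
}
Ransomware-as-a-service: The pandemic within a pandemic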
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-12 | Medium Sapphirex00 | Sapphire
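@online{sapphire:20201112:diving:6b388eb,
  author       = {{Sapphire}},
  title        = {Diving into the {Sun} — {SunCrypt}: A new neighbour in the ransomware mafia},
  organization = {Medium Sapphirex00},
  date         = {2020-11-12},
  url          = {https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83},
  urldate      = {2020-11-23},
  language     = {English},
}
Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia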
SunCrypt
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
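@online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
  author       = {{Hornetsecurity Security Lab}},
  title        = {Leakware-Ransomware-Hybrid Attacks},
  organization = {Hornetsecurity},
  date         = {2020-10-23},
  url          = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
  urldate      = {2020-12-08},
  language     = {English},
}
Leakware-Ransomware-Hybrid Attacks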
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-08-26 | Bleeping Computer | Lawrence Abrams
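@online{abrams:20200826:suncrypt:426964e,
  author       = {Abrams, Lawrence},
  title        = {{SunCrypt} Ransomware sheds light on the {Maze} ransomware cartel},
  organization = {Bleeping Computer},
  date         = {2020-08-26},
  url          = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/},
  urldate      = {2020-08-27},
  language     = {English},
}
SunCrypt Ransomware sheds light on the Maze ransomware cartel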
SunCrypt
Yara Rules
[TLP:WHITE] win_suncrypt_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_suncrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings below.
     * Every $seq_N is a run of consecutive x86 opcode bytes taken from the
     * reference sample; the comment above each one lists the instructions
     * the bytes decode to. "n" is the number of instructions in the run and
     * "score" is the selection score reported by the generator. "??" bytes
     * are left unconstrained by the generator; they sit where call targets
     * and absolute addresses are encoded (e8, 68, a3, 8b1d opcodes), which
     * presumably keeps the pattern independent of the load address.
     */

    strings:
        /* seq_0 (n = 7, score = 200)
         *   40                   inc     eax
         *   83f801               cmp     eax, 1
         *   72f4                 jb      0xfffffff6
         *   b001                 mov     al, 1
         *   5e                   pop     esi
         *   5d                   pop     ebp
         *   c3                   ret
         */
        $seq_0 = { 40 83f801 72f4 b001 5e 5d c3 }

        /* seq_1 (n = 7, score = 200)
         *   8345e810             add     dword ptr [ebp - 0x18], 0x10
         *   0f28d4               movaps  xmm2, xmm4
         *   8945f8               mov     dword ptr [ebp - 8], eax
         *   0f110f               movups  xmmword ptr [edi], xmm1
         *   8b7dfc               mov     edi, dword ptr [ebp - 4]
         *   0f288d10feffff       movaps  xmm1, xmmword ptr [ebp - 0x1f0]
         *   660ffe8d00ffffff     paddd   xmm1, xmmword ptr [ebp - 0x100]
         */
        $seq_1 = { 8345e810 0f28d4 8945f8 0f110f 8b7dfc 0f288d10feffff 660ffe8d00ffffff }

        /* seq_2 (n = 7, score = 200)
         *   85c9                 test    ecx, ecx
         *   741f                 je      0x21
         *   50                   push    eax
         *   57                   push    edi
         *   51                   push    ecx
         *   e8????????           (call, target masked)
         *   83c40c               add     esp, 0xc
         */
        $seq_2 = { 85c9 741f 50 57 51 e8???????? 83c40c }

        /* seq_3 (n = 7, score = 200)
         *   8b4580               mov     eax, dword ptr [ebp - 0x80]
         *   0345cc               add     eax, dword ptr [ebp - 0x34]
         *   898d58ffffff         mov     dword ptr [ebp - 0xa8], ecx
         *   8b4dd0               mov     ecx, dword ptr [ebp - 0x30]
         *   33c8                 xor     ecx, eax
         *   8b55f8               mov     edx, dword ptr [ebp - 8]
         *   c1c110               rol     ecx, 0x10
         */
        $seq_3 = { 8b4580 0345cc 898d58ffffff 8b4dd0 33c8 8b55f8 c1c110 }

        /* seq_4 (n = 7, score = 200)
         *   ff750c               push    dword ptr [ebp + 0xc]
         *   ff7508               push    dword ptr [ebp + 8]
         *   e8????????           (call, target masked)
         *   83c40c               add     esp, 0xc
         *   5d                   pop     ebp
         *   c3                   ret
         *   a804                 test    al, 4
         */
        $seq_4 = { ff750c ff7508 e8???????? 83c40c 5d c3 a804 }

        /* seq_5 (n = 7, score = 200)
         *   56                   push    esi
         *   ffd7                 call    edi
         *   6808020000           push    0x208
         *   6a00                 push    0
         *   68????????           (push imm32, value masked)
         *   a3????????           (mov [abs32], eax, address masked)
         *   e8????????           (call, target masked)
         */
        $seq_5 = { 56 ffd7 6808020000 6a00 68???????? a3???????? e8???????? }

        /* seq_6 (n = 7, score = 200)
         *   8945b0               mov     dword ptr [ebp - 0x50], eax
         *   8b45fc               mov     eax, dword ptr [ebp - 4]
         *   038534ffffff         add     eax, dword ptr [ebp - 0xcc]
         *   33f8                 xor     edi, eax
         *   c1c710               rol     edi, 0x10
         *   03cf                 add     ecx, edi
         *   8bd1                 mov     edx, ecx
         */
        $seq_6 = { 8945b0 8b45fc 038534ffffff 33f8 c1c710 03cf 8bd1 }

        /* seq_7 (n = 7, score = 200)
         *   8845e1               mov     byte ptr [ebp - 0x1f], al
         *   8b45dc               mov     eax, dword ptr [ebp - 0x24]
         *   0402                 add     al, 2
         *   83f06c               xor     eax, 0x6c
         *   8845e2               mov     byte ptr [ebp - 0x1e], al
         *   8b45dc               mov     eax, dword ptr [ebp - 0x24]
         *   0403                 add     al, 3
         */
        $seq_7 = { 8845e1 8b45dc 0402 83f06c 8845e2 8b45dc 0403 }

        /* seq_8 (n = 7, score = 200)
         *   83c601               add     esi, 1
         *   742c                 je      0x2e
         *   8b0f                 mov     ecx, dword ptr [edi]
         *   85c9                 test    ecx, ecx
         *   7426                 je      0x28
         *   8b470c               mov     eax, dword ptr [edi + 0xc]
         *   8d1430               lea     edx, [eax + esi]
         */
        $seq_8 = { 83c601 742c 8b0f 85c9 7426 8b470c 8d1430 }

        /* seq_9 (n = 6, score = 200)
         *   8b1d????????         (mov ebx, [abs32], address masked)
         *   56                   push    esi
         *   57                   push    edi
         *   c745fc00000000       mov     dword ptr [ebp - 4], 0
         *   c745f800000000       mov     dword ptr [ebp - 8], 0
         *   c745f400000000       mov     dword ptr [ebp - 0xc], 0
         */
        $seq_9 = { 8b1d???????? 56 57 c745fc00000000 c745f800000000 c745f400000000 }

    condition:
        // Any seven of the ten opcode runs must be present, and the scanned
        // object must be smaller than 172032 bytes. The size bound is part of
        // the generated rule, so larger inputs (e.g. a full memory dump rather
        // than the unpacked module) will not match even if all runs are found.
        7 of ($seq_*) and filesize < 172032
}