Qilin
Qilin ransomware, first observed in July 2022 under the name “Agenda,” operates on a Ransomware-as-a-Service (RaaS) model: the core developers supply the malware and supporting infrastructure to affiliates, who carry out the intrusions and hand over a share of each ransom. The name “Qilin” refers to a Chinese mythological creature associated with power and prosperity, a fitting metaphor for the group’s ambitions and financial objectives. Despite the Chinese name, the operation is attributed to Russian-speaking cybercriminals: affiliates are recruited on Russian-language forums, and Commonwealth of Independent States (CIS) countries are excluded from targeting.
Indicators of Compromise
YARA Detection Rules
import "hash"

rule Qilin_Detection {
    meta:
        description = "Detects Qilin (Agenda) ransomware samples by known file hashes, associated file names and ransom-note vocabulary"
        author = "AI Generated"
    strings:
        // File names associated with known samples
        $filename1 = "VID001.exe" wide ascii
        $filename2 = "d4aa3e7010220ad1b458fac17039c274_63_Exe.exe" wide ascii
        $filename3 = "d4aa3e7010220ad1b458fac17039c274_62_Exe.exe" wide ascii
        $filename4 = "sample.exe" wide ascii
        // Ransom-note vocabulary. These words also occur in ordinary software, so the
        // condition only counts them alongside a stronger signal. The generic words
        // "failed", "error" and "key" were dropped: they appear in almost every binary
        // and YARA refuses to compile a rule whose condition leaves a string unused.
        $behavior1 = "qilin" nocase wide ascii
        $behavior2 = "decryptor" nocase wide ascii
        $behavior3 = "DECRYPT" nocase wide ascii
        $behavior4 = "README" nocase wide ascii
        $behavior5 = "extension" nocase wide ascii
        $behavior8 = "contact" nocase wide ascii
        $behavior9 = "restore" nocase wide ascii
    condition:
        // The MZ signature is two bytes, so test it with uint16. uint32(0) == 0x5A4D
        // would also require the two bytes after "MZ" to be zero and never matches a real PE.
        uint16(0) == 0x5A4D and
        (
            // Known samples. A file hash has to be computed over the file with the hash
            // module; it can never be found as a string inside the file itself, and the
            // original "$hash*_md5" set syntax does not compile (wildcards are trailing only).
            hash.md5(0, filesize) == "2915b3f8b703eb744fc54c81f4a9c67f" or
            hash.md5(0, filesize) == "aac3165ece2959f39ff98334618d10d9" or
            hash.md5(0, filesize) == "7bdbd180c081fa63ca94f9c22c457376" or
            hash.md5(0, filesize) == "38de5b216c33833af710e88f7f64fc98" or
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974" or
            hash.sha256(0, filesize) == "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            // Heuristic match: the group name or a known file name, plus several
            // ransom-note words. Expect some false positives from analyst tooling
            // ("sample.exe") and from decryptors; triage hits by hand.
            (
                ($behavior1 or 1 of ($filename*)) and
                3 of ($behavior2, $behavior3, $behavior4, $behavior5, $behavior8, $behavior9)
            )
        )
}
⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
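Putting the listed indicators to use, as an added example that is not code from this page or from any vendor: the Python script below hashes every file under a directory and checks the digests and file names against the MD5, SHA-256 and file-name indicators above. The constant names, the `classify`/`sweep` helpers and the constructed demo files are assumptions of this example. It also makes the point the hash portion of a rule depends on: a digest matches only when computed over the whole file, so a file that merely contains one of the hash values as text is not a match, and a file-name hit on its own is weak evidence.

```python
"""IOC sweep using the Qilin indicators listed above.

Added example, not code from the original page or from any vendor. Constant
names, helper functions and the constructed demo files are assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict, FrozenSet, List, Tuple

# Indicators copied from the rule above (hex digests in lowercase).
QILIN_MD5: FrozenSet[str] = frozenset({
    "2915b3f8b703eb744fc54c81f4a9c67f",
    "aac3165ece2959f39ff98334618d10d9",
    "7bdbd180c081fa63ca94f9c22c457376",
    "38de5b216c33833af710e88f7f64fc98",
})
QILIN_SHA256: FrozenSet[str] = frozenset({
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91",
    "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f",
})
QILIN_FILENAMES: FrozenSet[str] = frozenset({
    "VID001.exe",
    "d4aa3e7010220ad1b458fac17039c274_63_Exe.exe",
    "d4aa3e7010220ad1b458fac17039c274_62_Exe.exe",
    "sample.exe",
})


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Return (md5, sha256) of the whole file, read in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify(path: str,
             md5s: FrozenSet[str] = QILIN_MD5,
             sha256s: FrozenSet[str] = QILIN_SHA256,
             names: FrozenSet[str] = QILIN_FILENAMES) -> List[str]:
    """Return the reasons the file matches, strongest first; empty list means no match.

    Digests are compared against digests computed over the file's contents, so a
    file that merely contains one of the hash values as text does not match.
    """
    reasons: List[str] = []
    md5, sha256 = hash_file(path)
    if sha256 in sha256s:
        reasons.append(f"sha256:{sha256}")
    if md5 in md5s:
        reasons.append(f"md5:{md5}")
    # A file-name hit is weak evidence (sample.exe is a common analyst name), so it
    # is reported as its own reason rather than folded in with the hash matches.
    base = os.path.basename(path)
    if base.lower() in {n.lower() for n in names}:
        reasons.append(f"name:{base}")
    return reasons


def is_hash_hit(reasons: List[str]) -> bool:
    """True when at least one reason is a digest match rather than a file-name match."""
    return any(r.startswith(("md5:", "sha256:")) for r in reasons)


def sweep(root: str, **indicators) -> Dict[str, List[str]]:
    """Walk root and return {path relative to root: reasons} for every matching file."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = classify(path, **indicators)
            except OSError:  # unreadable or vanished file: skip it, keep sweeping
                continue
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits


def build_constructed_sample_dir() -> Tuple[str, Dict[str, str]]:
    """Create a temp directory of constructed, harmless files and return (root, {name: path})."""
    root = tempfile.mkdtemp(prefix="qilin_ioc_demo_")
    contents = {
        # Carries a listed file name but not a listed digest: name hit only.
        "VID001.exe": b"MZ constructed placeholder, not malware",
        # Contains a listed SHA-256 as text: this must NOT count as a hash match.
        "notes.txt": b"9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
        "report.txt": b"nothing to see here",
    }
    paths: Dict[str, str] = {}
    for name, data in contents.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return root, paths


if __name__ == "__main__":
    demo_root, demo_paths = build_constructed_sample_dir()
    for rel, why in sorted(sweep(demo_root).items()):
        print(f"{'HASH MATCH' if is_hash_hit(why) else 'name only':10} {rel}: {', '.join(why)}")
    # Simulate a confirmed sample by adding the demo file's own digest to the set.
    _, demo_sha256 = hash_file(demo_paths["VID001.exe"])
    print(sweep(demo_root, sha256s=QILIN_SHA256 | {demo_sha256}))
```

Run it against a real directory with `sweep("/path/to/scan")`; a result whose reasons are only `name:` entries is a lead to triage, while any `md5:` or `sha256:` reason is an exact match with a listed sample.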