
Qilin


Qilin ransomware, initially observed in July 2022 under the name “Agenda,” operates on a Ransomware-as-a-Service (RaaS) model. This model allows core developers to provide their malicious software and infrastructure to affiliates in exchange for a percentage of the profits generated from attacks. The name “Qilin” references a Chinese mythological creature symbolizing power and prosperity, a fitting metaphor for the group’s perceived influence and financial objectives. Despite the Chinese name, the group is linked to Russian-speaking cybercriminals, often recruiting affiliates on Russian-language forums and notably excluding Commonwealth of Independent States (CIS) countries from its targets.

Indicators of Compromise (12)

YARA Detection Rules

Qilin_YARA_Detection
import "hash"

rule Qilin_Detection {
    meta:
        description = "Detects Qilin malware based on known indicators and behavioral patterns"
        author = "AI Generated"

    strings:
        // Known sample names; these only match when the name is embedded in the binary itself
        $filename1 = "VID001.exe" wide ascii
        $filename2 = "d4aa3e7010220ad1b458fac17039c274_63_Exe.exe" wide ascii
        $filename3 = "d4aa3e7010220ad1b458fac17039c274_62_Exe.exe" wide ascii
        $filename4 = "sample.exe" wide ascii

        // Family name and ransom-note vocabulary. The generic ones (extension, failed,
        // error, contact, key) occur in almost any PE, so they are only counted as a
        // group and never used on their own.
        $behavior1 = "qilin" nocase wide ascii
        $behavior2 = "decryptor" nocase wide ascii
        $behavior3 = "DECRYPT" nocase wide ascii
        $behavior4 = "README" nocase wide ascii
        $behavior5 = "extension" nocase wide ascii
        $behavior6 = "failed" nocase wide ascii
        $behavior7 = "error" nocase wide ascii
        $behavior8 = "contact" nocase wide ascii
        $behavior9 = "restore" nocase wide ascii
        $behavior10 = "key" nocase wide ascii

    condition:
        // PE check: the MZ signature is two bytes (uint16, not uint32), and the "PE\0\0"
        // signature must sit at the offset stored in e_lfanew (0x3C)
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            // Exact known samples. A file never contains its own hash as text, so the
            // hashes are compared against the computed file hash via the hash module
            // instead of being searched for as strings.
            hash.md5(0, filesize) == "2915b3f8b703eb744fc54c81f4a9c67f" or
            hash.md5(0, filesize) == "aac3165ece2959f39ff98334618d10d9" or
            hash.md5(0, filesize) == "7bdbd180c081fa63ca94f9c22c457376" or
            hash.md5(0, filesize) == "38de5b216c33833af710e88f7f64fc98" or
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974" or
            hash.sha256(0, filesize) == "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            // Otherwise require an embedded sample name, the family name, and at least
            // three of the note strings anywhere in the file (the original "in (0..1024)"
            // window only covered the DOS header and stub, where these strings never occur)
            (1 of ($filename*) and $behavior1 and 3 of ($behavior*))
        )
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.

Source Articles