H0lyGh0st (SiennaPurple) Ransomware
2024-03-17 • Cyberpoking
https://cyberpoking.com/2024/03/17/100daysofyara-2024-day-77-h0lygh0st-siennapurple/
Cyberpoking publishes a YARA rule for the SiennaPurple variant of H0lyGh0st ransomware, an actor and malware family described as having ties to the DPRK-nexus Lazarus group. The rule matches strings from SiennaPurple binaries, including a PDB path, ransom note text, an onion service address, and the contact address [email protected]. It references SHA-256 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd and requires a Windows PE header plus six matching strings. The source is a detection-focused post, so it is useful for hunting SiennaPurple samples but does not document a new victim intrusion.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | blogs.blackberry.com | 2021-02-28 | 2024-04-11 |
| YARA | MAL_H0lyGh0st_SiennaPurple_stri… | 2024-03-17 | 2024-03-17 |
| HASH | 99fc54786a72f32fd44c7391c2171ca… | 2022-07-14 | 2024-03-17 |
| EMAIL | [email protected] | 2022-07-14 | 2024-03-17 |
| DOMAIN | mail2tor.com | 2022-07-14 | 2024-03-17 |
| DOMAIN | matmq3z3hiovia3voe2tix2x54sghc3… | 2022-07-14 | 2024-03-17 |