{ "type": "bundle", "id": "bundle--6f1dcafe-c913-449e-b949-4c88e8b7c885", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--1849f3c5-7d2b-48a8-be2c-48f74d35e102", "created": "2024-03-18T12:23:38.492736Z", "modified": "2024-03-18T12:23:38.492784Z", "name": "Cyberpoking", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a2d66d3f-4891-4d7b-b9b7-7d2dd6df9681", "value": "blogs.blackberry.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bf50d39c-ed58-4649-8558-0c380fae3592", "created": "2026-06-24T18:42:18.241669Z", "modified": "2026-06-24T18:42:18.241669Z", "name": "YARA Rule", "pattern": "rule MAL_H0lyGh0st_SiennaPurple_strings { meta: description = \"Matches strings found in SiennaPurple variant of H0lyGh0st ransomware binaries.\" last_modified = \"2024-03-17\" author = \"@petermstewart\" DaysofYara = \"77/100\" sha256 = \"99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd\" ref = \"https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware\" strings: $pdb = \"M:\\\\ForOP\\\\attack(utils)\\\\attack tools\\\\Backdoor\\\\powershell\\\\btlc_C\\\\Release\\\\btlc_C.pdb\" $a1 = \"matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion\" $a2 = \"H0lyGh0st@mail2tor.com\" $b1 = \"We are \" $b2 = \"All your important files are stored and encrypted\" $b3 = \"Do not try to decrypt using third party software, it may cause permanent data lose\" $b4 = \"To Decrypt all device, Contact us\" $b5 = \"or install tor browser and visit\" condition: uint16(0) == 0x5a4d and 6 of them }", "pattern_type": "yara", "valid_from": "2024-03-17T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--60febf53-8f73-491e-8247-fc41b39817b4", "hashes": { "SHA-256": "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd" } }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--726afad5-d37d-4c03-a5b2-4cc6493e48a0", "value": "H0lyGh0st@mail2tor.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--4b3bf79d-b2f1-4f85-8f05-087db0ce15eb", "value": "mail2tor.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--3de8b058-bbe7-4a2c-ae4f-68133174893e", "value": "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion" }, { "type": "report", "spec_version": "2.1", "id": "report--496e05ed-d56b-4fc5-8da9-d3c46d947604", "created_by_ref": "identity--1849f3c5-7d2b-48a8-be2c-48f74d35e102", "created": "2026-06-24T18:42:18.24886Z", "modified": "2026-06-24T18:42:18.24886Z", "name": "H0lyGh0st (SiennaPurple) Ransomware", "published": "2024-03-17T00:00:00Z", "object_refs": [ "identity--1849f3c5-7d2b-48a8-be2c-48f74d35e102", "domain-name--a2d66d3f-4891-4d7b-b9b7-7d2dd6df9681", "indicator--bf50d39c-ed58-4649-8558-0c380fae3592", "file--60febf53-8f73-491e-8247-fc41b39817b4", "email-addr--726afad5-d37d-4c03-a5b2-4cc6493e48a0", "domain-name--4b3bf79d-b2f1-4f85-8f05-087db0ce15eb", "domain-name--3de8b058-bbe7-4a2c-ae4f-68133174893e" ], "external_references": [ { "source_name": "source", "url": "https://cyberpoking.com/2024/03/17/100daysofyara-2024-day-77-h0lygh0st-siennapurple/" } ] } ] }