For emule0.60c downloaded from emule-project.net on 6/16/2021 at 2:20 PM EST:
MD5 = DFC5AA9FA35F09CE858EAE9DDDCF4DE8
SHA3_256 = F42FADFF190F1E5108A5A7FF3652168B79CA5EC69E0462B6EB264C0781E3EFBC
Virustotal.com gives a very strong indication that this is ransomware.
Note that you must be logged into virustotal.com to get ransomware rule matches.
The emule forum won't allow me to insert a hyperlink--the tool lets me try, but any time I add a hyperlink to the above text, the entire post gets reverted to the prior version after I click "Save Changes".
Crowdsourced Sigma Rule flags:
CRITICAL 53
HIGH 264
MEDIUM 8
LOW 50
1 match for rule TAIDOOR - Chinese RAT by Ariel Millahuel from SOC Prime Threat Detection Marketplace
This RAT was discovered by CISA. Taidoor is installed on a target’s system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).
52 matches for rule Nibiru detection (Registry event and CommandLine parameters) by Ariel Millahuel from SOC Prime Threat Detection Marketplace
The NIBIRU ransomware encrypts the victim's files with a strong encryption algorithm until the victim pays a fee to get them back. It seems that a new variant family of NIBIRU ransomware [NIBIRU.RSM] is actively spreading in the wild.
2 matches for rule Disable of ETW Trace by @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
262 matches for rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects clearing or configuration of event logs using wevtutil, powershell and wmic. Might be used by ransomware during the attack (as seen with NotPetya and others).
1 match for rule Root Certificate Installed by oscd.community, @redcanary, Zach Stanford @svch0st from Sigma Integrated Rule Set (GitHub)
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
2 matches for rule Netsh Port or Application Allowed by Markus Neis, Sander Wiebing from Sigma Integrated Rule Set (GitHub)
Allow Incoming Connections by Port or Application on Windows Firewall
1 match for rule Always Install Elevated Windows Installer by Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community from Sigma Integrated Rule Set (GitHub)
This rule looks for the Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege.
2 matches for rule Non Interactive PowerShell by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) from Sigma Integrated Rule Set (GitHub)
Detects non-interactive PowerShell activity by looking at powershell.exe whose parent is not explorer.exe.
2 matches for rule Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects modification of autostart extensibility point (ASEP) in registry.
2 matches for rule Discovery of a System Time by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community from Sigma Integrated Rule Set (GitHub)
Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
20 matches for rule Net.exe Execution by Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) from Sigma Integrated Rule Set (GitHub)
Detects execution of Net.exe, whether suspicious or benign.
20 matches for rule Stop Windows Service by Jakob Weinzettl, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects a Windows service being stopped.
8 matches for rule Service Execution by Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects manual service execution (start) via system utilities
This post has been edited by fragbark: 19 June 2021 - 08:11 PM
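Added example, not part of fragbark's post and not code from VirusTotal, SOC Prime or the Sigma project: a small Python re-implementation of the matching logic behind three of the rules listed above (the wevtutil/PowerShell/wmic event-log clearing rule, the ETW trace disabling rule, and the non-interactive PowerShell rule), run over constructed process-creation events. The regex patterns are my approximation of what those published Sigma rules look for, not the rules' actual text, and the sample events, image paths and parent processes are made up for the demonstration. The output mirrors the "N matches for rule ..." style of the VirusTotal summary, which makes it clear why one noisy sample can rack up hundreds of hits on a single rule while a benign log query or an interactive shell produces none.

```python
import re
from collections import Counter

# Constructed sample process-creation events (Sysmon-style field names).
# None of these come from the post or from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe clear-log System",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Clear-EventLog -LogName Application",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic nteventlog where \"LogfileName='Security'\" call ClearEventLog",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil sl Microsoft-Windows-Sysmon/Operational /e:false",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman stop EventLog-Application -ets",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign-looking but non-interactive: scheduled script run under svchost.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Benign: querying the log, not clearing or reconfiguring it.
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5 /f:text",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: an interactive shell opened from the desktop.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Approximated rule logic (assumption: modelled on the public Sigma rules,
# not copied from them). "selection": every field must match at least one
# pattern; "filter": any match on a field excludes the event.
RULES = {
    "Suspicious Eventlog Clear or Configuration Using Wevtutil": {
        "selection": {"CommandLine": [
            r"\bwevtutil(\.exe)?\b.*\s(cl|clear-log|sl|set-log)\s",
            r"\b(Clear|Remove|Limit)-EventLog\b",
            r"\bClearEventLog\b",
        ]},
    },
    "Disable of ETW Trace": {
        "selection": {"CommandLine": [
            r"\bwevtutil(\.exe)?\b.*\s(sl|set-log)\s.*[/-]e:false",
            r"\blogman(\.exe)?\s+(stop|delete)\b",
            r"\b(Set|Remove)-EtwTraceProvider\b",
        ]},
    },
    "Non Interactive PowerShell": {
        "selection": {"Image": [r"\\powershell\.exe$"]},
        "filter": {"ParentImage": [r"\\explorer\.exe$"]},
    },
}


def _any_match(patterns, value):
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def match_rule(rule, event):
    """True when all selection fields match and no filter field matches."""
    for field, patterns in rule.get("selection", {}).items():
        if not _any_match(patterns, event.get(field, "")):
            return False
    for field, patterns in rule.get("filter", {}).items():
        if _any_match(patterns, event.get(field, "")):
            return False
    return True


def matches_for_event(event):
    """Names of every rule the event triggers, in RULES order."""
    return [name for name, rule in RULES.items() if match_rule(rule, event)]


def scan(events):
    """Return (Counter of hits per rule, list of per-event rule names)."""
    hits = Counter()
    per_event = []
    for event in events:
        names = matches_for_event(event)
        per_event.append(names)
        hits.update(names)
    return hits, per_event


if __name__ == "__main__":
    hits, per_event = scan(SAMPLE_EVENTS)
    for name, count in hits.most_common():
        print(f"{count} matches for rule {name}")
    for event, names in zip(SAMPLE_EVENTS, per_event):
        print(f"  {event['CommandLine']!r:70} -> {names or 'no match'}")
```

Note that a single event can trigger more than one rule (disabling a Sysmon channel with `wevtutil sl ... /e:false` hits both the event-log and the ETW rule), and that the PowerShell rule fires on parentage alone, so a legitimate scheduled script counts as a match; the match totals in a VirusTotal summary are therefore a measure of suspicious behaviour observed, not a count of distinct malicious actions.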