Qilin

  • First seen: July 2022
  • Aliases: Agenda
  • Samples:
    • 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1 | windows | ransom | pe
    • 55ee6bb3deb3385052d7f57e6a48c3c5bba0f558f0d17653908550ffe37e1bea | linux | ransom | elf
    • e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 | windows | ransom | pe

Qilin Windows Payload (Golang)

Basic Properties

Property  Value
Size      1642496 bytes
CRC32     0xd0435359
MD5       334fd98ab462edc1274fecdb89fb0791
SHA1      e3496a341c96d77c0ef9bdeec333dd98e2215527
SHA256    55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1
SHA512    150ff915ace0253dded6ed6ae860bcf2f3a43295cf434ceddf61554597665a159135011694321622d40ca1df3142afb1c6bed8ed61abf244799d820068ae4961
Ssdeep    24576:pBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khCkyITnoXlIEvXX:px6Rvik2VUKnzhQ4IkWXUy
Magic     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Packer    PE: linker: unknown(2.35)[EXE32,console]
TrID      43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
          22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
          9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
          7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
          6.2% (.EXE) Win32 Executable (generic) (4504/4/1)

Antivirus Scan

+ Avast: clean
+ Avira: clean
- Bitdefender: Gen:Variant.Ransom.Agenda.1
- Clamav: Win.Ransomware.Agenda-9982534-0
+ Comodo: clean
- Drweb: Trojan.Encoder.36987
- Eset: Win32/Agent_AGen.AAC
+ Fsecure: clean
+ Kaspersky: clean
+ Mcafee: clean
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean

Qilin Linux Payload (Golang)

Basic Properties

Property  Value
Size      3227364 bytes
CRC32     0xdc476da0
MD5       315ddef29f64ce2f9ccc39d206882240
SHA1      31bedd04a2b375842e74d641d9246458113afbc7
SHA256    55ee6bb3deb3385052d7f57e6a48c3c5bba0f558f0d17653908550ffe37e1bea
SHA512    b21b986a32ef22f9cd615011638d94c7e9ede51ecfb89994948df5e295e989696e15e792e0e90e1cec27055c158d7d9aad83a6bb5a9abf9e9162550b8f72c599
Ssdeep    49152:3DCHoUHyicPJhUWBjMQ35u5voVpMAl/ZFy:TkSUWBjY5voVFl/X
Magic     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, with debug_info, not stripped
Packer    ELF: compiler: gcc((GNU) 3.3.2 20031005 (Debian prerelease))[executable ARM-32]
TrID      100.0% (.O) ELF Executable and Linkable format (generic) (4000/1)

Antivirus Scan

+ Avast: clean
- Avira: Android/AVE.FileCoder.rxdad
- Bitdefender: Trojan.Linux.Generic.327693
+ Clamav: clean
- Comodo: Malware
+ Drweb: clean
- Eset: Linux/Filecoder.CL
+ Fsecure: clean
+ Kaspersky: clean
+ Mcafee: clean
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean

Qilin Windows Payload (second sample)

This entry was headed "Qilin Linux Payload (Rust)" in the original listing, but the sample index above tags the hash as windows | ransom | pe, and the Magic and TrID results below identify a PE32 Windows console executable, not an ELF. It has the same size as the first Windows sample and an ssdeep that differs from that sample's in only a few characters, so it is a sibling build of the Windows payload rather than a Linux one; the compiler language cannot be confirmed from the properties recorded here.

Basic Properties

Property  Value
Size      1642496 bytes
CRC32     0xfccf2f57
MD5       6a93e618e467ed13f98819172e24fffa
SHA1      d34550ebc2bee47c708c8e048eb78881468e6bca
SHA256    e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
SHA512    ac78fcd5ab3340fa691eb9941c729a58291ae58372ed8f535ae2a7ac23b99b0f57448343a020b4e889a7b7a822d116df32c8c5c14a4def0720987c2d6b966192
Ssdeep    24576:KBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khwkyITnoXlIEvXX:Kx6Rvik2VUKnzhQ4akWXUy
Magic     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Packer    PE: linker: unknown(2.35)[EXE32,console]
TrID      43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
          22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
          9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
          7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
          6.2% (.EXE) Win32 Executable (generic) (4504/4/1)

Antivirus Scan

+ Avast: clean
+ Avira: clean
- Bitdefender: Gen:Variant.Ransom.Agenda.1
- Clamav: Win.Ransomware.Agenda-9982534-0
+ Comodo: clean
- Drweb: Trojan.Encoder.36987
- Eset: Win32/Agent_AGen.AAC
+ Fsecure: clean
+ Kaspersky: clean
+ Mcafee: clean
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean
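The hash tables above are only useful if they can be re-derived from the file you actually hold, and the platform tag in the sample index is only useful if it agrees with the file header. The following triage script is an added example, not code from this repository: it recomputes the Basic Properties fields (size, CRC32, MD5, SHA1, SHA256, SHA512), classifies a file as PE or ELF from its header with bitness and machine type, and reports any disagreement between the listing, the declared platform and the bytes. The PE and ELF inputs it runs on are constructed header stubs, not the Qilin binaries, and every function name is the example's own.

```python
"""Recompute the 'Basic Properties' fields used in a sample listing and check
the declared platform against the file header.

Added example, not part of the original repository.  The sample bytes at the
bottom are constructed header stubs, not the real Qilin payloads."""
import hashlib
import struct
import zlib


def basic_properties(data: bytes) -> dict:
    """Return the size/hash fields shown in the listing for a byte string."""
    return {
        "Size": len(data),
        "CRC32": f"0x{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def detect_format(data: bytes) -> str:
    """Classify by header: 'pe32/<arch>', 'pe64/<arch>', 'elf32/<arch>',
    'elf64/<arch>', 'mz-only' (DOS stub without a PE signature) or 'unknown'."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32", 2: "64"}.get(data[4], "?")        # EI_CLASS
        endian = "<" if data[5] == 1 else ">"               # EI_DATA
        e_machine = struct.unpack(endian + "H", data[18:20])[0]
        arch = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64",
                0xB7: "AArch64"}.get(e_machine, hex(e_machine))
        return f"elf{bits}/{arch}"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack("<I", data[0x3C:0x40])[0]  # offset of "PE\0\0"
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack("<H", data[e_lfanew + 4:e_lfanew + 6])[0]
            arch = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM",
                    0xAA64: "ARM64"}.get(machine, hex(machine))
            bits = "64" if machine in (0x8664, 0xAA64) else "32"
            return f"pe{bits}/{arch}"
        return "mz-only"
    return "unknown"


# Platform that each header family implies; used to check the index tag.
PLATFORM_FOR_FORMAT = {"pe": "windows", "elf": "linux"}


def check_sample(data: bytes, expected: dict, declared_platform: str) -> list:
    """Compare computed properties with the listed ones and the declared platform
    ('windows' / 'linux') with the detected header.  Returns mismatch strings."""
    problems = []
    props = basic_properties(data)
    for key, want in expected.items():
        got = props.get(key)
        if str(got).lower() != str(want).lower():
            problems.append(f"{key}: listing says {want}, computed {got}")
    fmt = detect_format(data)
    family = fmt.split("/")[0].rstrip("0123456789")
    if PLATFORM_FOR_FORMAT.get(family) != declared_platform:
        problems.append(f"platform: declared {declared_platform}, header is {fmt}")
    return problems


# Constructed stubs (assumption: enough header to classify, nothing else).
# 64-byte DOS header with e_lfanew=0x40, then PE signature and IMAGE_FILE_MACHINE_I386.
PE_STUB = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
           + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18)
# ELF ident: class=1 (32-bit), data=1 (little endian), version=1; e_type=2, e_machine=0x28 (ARM).
ELF_ARM_STUB = (b"\x7fELF" + bytes([1, 1, 1]) + b"\0" * 9
                + struct.pack("<HH", 2, 0x28) + b"\0" * 32)


def mislabel_report() -> list:
    """Constructed scenario mirroring a listing error: a PE file declared 'linux'.
    Hashes match, so the only finding is the platform/header disagreement."""
    return check_sample(PE_STUB, {"Size": len(PE_STUB)}, "linux")


if __name__ == "__main__":
    for name, blob in (("PE_STUB", PE_STUB), ("ELF_ARM_STUB", ELF_ARM_STUB)):
        print(name, detect_format(blob), basic_properties(blob)["SHA256"])
    for line in mislabel_report():
        print("MISMATCH:", line)
```

To use it on a real sample, read the file into `data`, paste the listing's row into the `expected` dict (keys as in the table, values compared case-insensitively) and pass the platform tag from the sample index; an empty list means the file, the hashes and the platform tag all agree.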

References