Total Victims: 0
First Seen: 2022-12-01
Last Seen: N/A
Known TTPs: 0
Avg Delay: 3.5d
Negotiations: 0
ONION URLS
oicw5u2mcmlpvp6y2sh3gh6okgefuzsyz4vmxqhfj63ukzqyqkwrfbzg.onion
TOOLS
Atera, SystemBC, PsExec, 7-Zip
FILE EXTENSIONS
.help
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

Agenda/Qilin_(Rust)_rule_1 InQuest
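rule Agenda_Qilin_Rust_ransomware_1 {
    meta:
        description = "Detects Agenda/Qilin (Rust) ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "aee441e242d9712e77cd72ac8791b6c3bfc04c46832861116bb8ffde41127eff"

    strings:
        // README.<extension> file name pattern, case-insensitive
        $r0 = /README\..{3,10}/i
        // The published pattern ended in an unpaired nibble ("9"); it is dropped
        // here because YARA hex strings must consist of whole bytes.
        $h1 = { 4A FB EC 7C 9D 18 0F 85 C2 10 BE DE D3 FD 3A 7D 36 A4 77 D3 2A 36 1F }
        $s2 = "AES-256" nocase
        $h3 = { 20 C6 2D AA D1 81 94 88 CA F9 1A }
        $s4 = ".agenda_qilin_(rust)" nocase
        // Base58 Bitcoin address pattern (addresses starting with 1 or 3)
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // PE file (MZ magic), smaller than 5 MB, any two of the strings above
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}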

No ransom notes