{ "id": "746655d7-2bde-4488-8025-2f920e707e63", "created_at": "2026-04-16T02:22:29.417414Z", "updated_at": "2026-04-18T02:21:38.597099Z", "deleted_at": null, "sha1_hash": "1a55926bde2b5740c0399b974ae2f8ed7740c660", "title": "Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 102252, "plain_text": "Agrius Deploys Moneybird in Targeted Attacks Against Israeli\r\nOrganizations\r\nBy etal\r\nPublished: 2023-05-24 · Archived: 2026-04-16 02:13:23 UTC\r\nKey Points\r\nIranian threat actor Agrius continues to operate against Israeli targets, masking destructive influence\r\noperations as ransomware attacks.\r\nIn recent attacks the group deployed Moneybird, a previously unseen ransomware written in C++.\r\nDespite presenting themselves as a new group with the name– Moneybird, this is yet another Agrius alias.\r\nThe data was eventually leaked through one of Agrius previous aliases.\r\nAs demonstrated in the Moneybird attacks, Agrius’s techniques, tactics and procedures (TTP) remain\r\nlargely unchanged.\r\nIntroduction\r\nWhile responding to a ransomware attack against an Israeli organization, the Check Point Incident Response Team\r\n(CPIRT) and CPR identified a new strain of ransomware called Moneybird. Although the payload itself was\r\nunique, the TTPs demonstrated in the attack had clear overlaps with a threat actor known as Agrius. The data was\r\neventually leaked by an entity with one of the group’s known aliases.\r\nFirst introduced in 2021, Agrius is an Iran-aligned threat actor that operates mostly in the Middle-East. The actor\r\nhas been tied to several ransomware and wiper attacks, with a major focus on Israeli institutions. The group’s\r\naffiliation within Iran is not clear, although recent reports have tied it to the Iranian Ministry of Intelligence and\r\nSecurity (MOIS).\r\nThe newly discovered ransomware used by the group, Moneybird, was used to target organizations in Israel. This\r\ncorrelates with Agrius past activities against other organizations in Israel, most notably Shirbit and Bar Ilan\r\nUniversity. The group has used a wide set of aliases for its extortion entities. BlackShadow, the name used by the\r\ngroup to extort Shirbit, was the first known alias Agrius has taken and is still commonly associated with it.\r\nAgrius ransomware operations have been mostly tied to a custom ransomware called Apostle, which was\r\noriginally a wiper. The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group’s\r\nexpanding capabilities and ongoing effort in developing new tools.\r\nActivity Analysis\r\nAgrius’s actions leading to the deployment of Moneybird correlates to previous reports of the group’s activity.\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 1 of 11\n\nFigure 1 - High-level overview of Agrius activities leading to the deployment of Moneybird\r\nransomware.\r\nFigure 1 – High-level overview of Agrius activities leading to the deployment of Moneybird\r\nransomware.\r\nAgrius’ first foothold was established by exploiting vulnerabilities within public-facing web servers, leading to the\r\ndeployment of unique variants of ASPXSpy. The exploitation and the post-exploitation activities were carried out\r\nusing public VPN services nodes, most prominently ProtonVPN nodes in Israel.\r\nThe ASPXSpy webshells were deployed in a unique fashion, hidden inside “Certificate” text files. This method is\r\ntied to past observed group activities. To use the webshell, the actor decoded the content of the file into a separate\r\nASPX file.\r\nFigure 2 - Webshell encoded within a fake certificate text file.\r\nFigure 2 – Webshell encoded within a fake certificate text file.\r\nFollowing the deployment of webshells, the threat actor was observed utilizing several publicly available tools to\r\nperform recon, move laterally, harvest credentials, and exfiltrate data. The tools include:\r\nSoftPerfect Network Scanner – Scan internal networks.\r\nPlink – RDP tunnel traffic from a VPS owned by the actor.\r\nProcDump – Dump LSASS and harvest credentials. ****\r\nFileZilla – Exfiltrate compressed files.\r\nInterestingly enough, the actor performed most of the activity while manually connected through RDP. To\r\ndownload some of the payloads, the actor opened a browser and connected to the legitimate file sharing\r\nservices  ufile[.]io  and  easyupload[.]io  that hosted the malicious files.\r\nOne of the files the threat actor downloaded was the ransomware executable stored within an archive –\r\nMoneybird.\r\nMoneybird Ransomware – Technical Analysis\r\nMoneybird is written in C++ and contains an indicative PDB\r\npath:  C:\\Users\\user\\Desktop\\moneybird\\x64\\Release\\moneybird.pdb . The name embedded within the\r\nransomware sample reveals that the encryptor shares the same name that appears in the attack ransom note for the\r\nattack: Moneybird.\r\nFigure 3 - Moneybird ransom note.\r\nFigure 3 – Moneybird ransom note.\r\nMany recent ransomware strains typically support command-line parameters that enable attackers to customize\r\nmalware functionality on top of the malware’s embedded configuration. This specific threat lacks any command-line parsing capability. Instead, it includes a configuration blob embedded within the tool itself, which makes it\r\nless suitable for mass campaigns with different environments.\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 2 of 11\n\nFigure 4 - Moneybird configuration.\r\nFigure 4 – Moneybird configuration.\r\nThis configuration contains several key elements that are used when the malware is executed. The sample ignores\r\nthe first DWORD. The second one contains an integer value representing the number of milliseconds the malware\r\nwaits before executing.\r\nAfter these initial values, the configuration includes four additional DWORDs.\r\nThe first DWORD in this sequence acts as a flag, which determines whether the ransomware should take\r\ninto account its embedded list of 194 extensions to target. The extension list includes the most common\r\ndocument formats, database formats, certificates, etc. A value of “1” means the list is consulted, while a\r\nvalue of “2” causes the ransomware to ignore the list and encrypt all files in the targeted paths\r\nindiscriminately, except for those kept in a narrow list of file extensions that are never encrypted:  exe,\r\ndll, sys, msi, lnk .\r\nThe second DWORD in the sequence contains the maximum number of threads that are created to encrypt\r\nevery targeted file.\r\nThe third DWORD contains the number of threads assigned to the routine that is executed before the\r\nencryption. This ensures that the targeted files are not marked as “SYSTEM” elements to be avoided.\r\nIt is noteworthy to mention that the drawback of this approach is its lack of effectiveness in comparison\r\nto other ransomware strains that utilize the WIN API  GetSystemInfo  or directly\r\naccess  PEB→dwNumberOfProcessors . By using these methods, they can dynamically determine the\r\nnumber of CPUs per system and assign the encryption logic an appropriate number of threads based on\r\nthis number.\r\nThe final DWORD in the sequence specifies the size of an ASCII string that comes next. This string\r\ncontains the base64-encoded public key that is used to encrypt the symmetric encryption keys that are\r\ngenerated per file.\r\nImmediately following the public key, the configuration contains an integer value that determines the number of\r\nnull-terminated strings that come next. These strings indicate the paths on the target machine that the sample\r\nencrypts, which is somewhat unusual as these malware usually try to cipher as much data as possible. In this\r\nparticular case, there is only one path  F:\\User Shares , resulting in all other system paths being omitted. The\r\nremaining space in the configuration (up to 1024 bytes, including the previous elements) is reserved for possible\r\nadditional system path entries. If no more entries are added, the remaining space is filled with the character “A”,\r\nas in this sample.\r\nIf there is no path entry in the configuration, the malware behaves in a more generic fashion and uses the WIN\r\nAPI function  GetLogicalDrives  to obtain a list of currently available disk drives on the targeted machine and\r\nthen starts to process it.\r\nThe configuration structure in decompiled C form:\r\nPlain text\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 3 of 11\n\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nstruct mb_config\r\n{\r\nDWORD start_sleep_delay;\r\nDWORD ignore_extension_flag;\r\nDWORD num_of_ciphering_threads;\r\nDWORD num_of_check_threads;\r\nDWORD sizeof_b64_public_key;\r\nchar b64_public_key[124];\r\nDWORD num_off_paths;\r\nchar first_path[15];\r\nchar room_for_paths[860];\r\n};\r\nstruct mb_config { DWORD start_sleep_delay; DWORD ignore_extension_flag; DWORD\r\nnum_of_ciphering_threads; DWORD num_of_check_threads; DWORD sizeof_b64_public_key; char\r\nb64_public_key[124]; DWORD num_off_paths; char first_path[15]; char room_for_paths[860]; };\r\nstruct mb_config\r\n{\r\n DWORD start_sleep_delay;\r\n DWORD ignore_extension_flag;\r\n DWORD num_of_ciphering_threads;\r\n DWORD num_of_check_threads;\r\n DWORD sizeof_b64_public_key;\r\n char b64_public_key[124];\r\n DWORD num_off_paths;\r\n char first_path[15];\r\n char room_for_paths[860];\r\n};\r\nThe encryption logic of this ransomware sample depends on several embedded libraries, including “libgcrypt”,\r\nwhich is easily identifiable in the sample strings.\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 4 of 11\n\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\n...\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\mac.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpi-pow.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\src\\fips.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\primegen.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpicoder.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\dsa.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\random\\random-drbg.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\elgamal.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\blake2.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\keccak.c\r\n...\r\n... C:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\mac.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpi-pow.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\src\\fips.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\primegen.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpicoder.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\dsa.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\random\\random-drbg.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\elgamal.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\blake2.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\keccak.c ...\r\n...\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\mac.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpi-pow.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\src\\fips.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\primegen.c\r\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\mpi\\mpicoder.c\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 5 of 11\n\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\dsa.c\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\random\\random-drbg.c\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\elgamal.c\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\blake2.c\nC:\\Users\\user\\Desktop\\moneybird\\Shiftlibgcrypt\\cipher\\keccak.c\n...\nLooking at the folder name inside the strings, it is likely that the library was compiled from this GitHub\nrepository. Basically, the repository contains an “unofficial” version of “libgcrypt”, which the authors tried to\nmake easier to include in Visual Studio projects.The malware also uses “libpgp-error”, a library that libgcrypt\nrequires as a dependency.\nFinally, the malware is also linked with a copy of the “cryptopp” library. This library can be easily identified by\nstrings that directly reference its name, as well as a distinctive test string that is used as text to encrypt in many\nversions of this library.\nFigure 5 - cryptopp use in Moneybird.\nFigure 5 – cryptopp use in Moneybird.\nThe ransomware uses the functions provided by the libraries to perform encryption using AES-256 with GCM mode. The definition of both constants can be obtained from the source code of the library at\nthe following link.\nFigure 6 - Ransomware encryption using AES-256.\nFigure 6 – Ransomware encryption using AES-256.\nAs you can see in the image above, the IV 012345678901255 for AES-256-GCM is hardcoded inside the\nciphering function while the key is passed as the last parameter to the function.\nThe code responsible for the generation of the key:\nFigure 7 - Key generation code.\nFigure 7 – Key generation code.\nThis code is executed for each file, so each one is assigned a unique encryption key. To generate a key, the sample\nconcatenates a GUID (marked in red) obtained through the WIN API CoCreateGuid with a random\nnumber (marked in green) generated using the rand() function. The seed for the rand() function is based on\nthe system time. Then, 8 bytes of the file content (marked in blue) to be encrypted is concatenated. Finally, the\nfull path for the target file (marked in purple) is added, but only 4 bytes of it are used as the last part of\nthe key as it completes the 32-byte chunk.\nFigure 8 - Encryption key structure.\n\nAs a result, this is what the key structure looks like:\nFigure 8 – Encryption key structure.As a result, this is what the key structure looks like:\nPlain text\nCopy to clipboard\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\nPage 6 of 11\n\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nstruct aes_key\r\n{\r\nchar guid[16];\r\nint rand_val;\r\nchar file_content[8];\r\nchar file_path_start[4];\r\n};\r\nstruct aes_key { char guid[16]; int rand_val; char file_content[8]; char file_path_start[4]; };\r\nstruct aes_key\r\n{\r\n char guid[16];\r\n int rand_val;\r\n char file_content[8];\r\n char file_path_start[4];\r\n};\r\nThe utilization of a GUID obtained through the WIN API  CoCreateGuid  makes it very difficult to obtain the\r\nencryption key, as it is generated by making an RPC call to “UuidCreate”, which gets its randomness by\r\ncalling  ProcessPrng  from  bcryptPrimitives.dll , as this function is cryptographically secured to generate\r\nrandom bytes.\r\nAfter the full path of the target file that overflows the 32-byte  aes_key , the malware adds the length of the path,\r\ncreating a kind of secondary structure:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nstruct meta_info\r\n{\r\nchar guid[16];\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 7 of 11\n\nint rand_val;\r\nchar file_content[8];\r\nchar file_path[file_path_length];\r\nint file_path_length;\r\n};\r\nstruct meta_info { char guid[16]; int rand_val; char file_content[8]; char file_path[file_path_length]; int\r\nfile_path_length; };\r\nstruct meta_info\r\n{\r\n char guid[16];\r\n int rand_val;\r\n char file_content[8];\r\n char file_path[file_path_length];\r\n int file_path_length;\r\n};\r\nThis structure is encrypted by the hybrid encryption system “Elliptic Curve Integrated Encryption Scheme” –\r\n CryptoPP ECIES – using the embedded public key shown previously inside the sample’s configuration. After the\r\nfile encryption, this encrypted  meta_info  structure is appended at the end of the final file, resulting in the struct\r\nbelow:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nstruct encrypted_file\r\n{\r\nchar enc_file_content[file_content_length];\r\nchar enc_meta_info[enc_meta_info_length];\r\nint enc_meta_info_length;\r\n};\r\nstruct encrypted_file { char enc_file_content[file_content_length]; char enc_meta_info[enc_meta_info_length];\r\nint enc_meta_info_length; };\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 8 of 11\n\nstruct encrypted_file\r\n{\r\n char enc_file_content[file_content_length];\r\n char enc_meta_info[enc_meta_info_length];\r\n int enc_meta_info_length;\r\n};\r\nConclusion\r\nOur analysis of incidents involving Moneybird reveals the ongoing effort of Agrius to utilize ransomware to make\r\nan impact. Although Agrius has used different aliases in the past, public reports up to now have tied most of their\r\ndestructive activities to variants of Apostle, which acted as wipers or ransomware. The use of a new ransomware\r\ndemonstrates the actor’s additional efforts to enhance capabilities, as well as hardening attribution and detection\r\nefforts.\r\nDespite these new “covers”, the group continues to follow its usual behavior and utilize similar tools and\r\ntechniques as before. Moneybird, like many other ransomware, is a grim reminder of the importance of good\r\nnetwork hygiene, as significant parts of the activity could have been prevented early on.\r\nMoneybird itself, although not particularly complex, has a number of intriguing features that appear to have been\r\ndesigned for specific targets. Some of these specialty features make the malware less practical for use in multiple\r\nunrelated campaigns. This emphasizes the malware’s targeted nature, including the use of “targeted paths” which,\r\nin the specific sample we analyzed, makes the ransomware ignore most of the files on the target machine.\r\nCheck Point customers remain protected from the threats described in this research.\r\nCheck Point Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating\r\nsystems, and has developed and deployed a signature named “Ransomware.Wins.MoneyBird” to detect and\r\nprotect our customers against Moneybird.\r\nYARA\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nrule ransomware_moneybird {\r\nmeta:\r\nauthor = \"Marc Salinas @ Check Point Research\"\r\ndescription = \"Detects a ransomware sample named Moneybird based on its pdb string.\"\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 9 of 11\n\nmalware_family = \"MoneyBird\"\r\ndate = \"11/05/2023\"\r\nsample = \"aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c\"\r\nstrings:\r\n$ran1 = \"WE ARE MONEYBIRD!\"\r\n$ran2 = \"All of your data encrypted!\"\r\n$ran3 = \"ok.ru/profile\"\r\n$ext1 = \"Shiftlibgcrypt\"\r\n$ext2 = \"come to the aide of their\"\r\n$ext3 = \"stopmarker\" wide\r\n$code1 = {44 89 4C 24 20 4C 89 44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68 FE 1A 00\r\n48 33 C4 48 89 44 24 60 48 8D 44 24 50 48 8D 0D DC 68 15 00 48 8B F8 48 8B F1 B9 10 00 00 00 F3 A4 45 33\r\nC9 41 B8 09 00 00 00 BA 09 00 00 00 48 8D 4C 24 48 ?? ?? ?? ?? ?? 41 B8 20 00 00 00 48 8B 94 24 A0 00 00 00\r\n48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8D 44 24 50 48 89 44 24 40 48 C7 44 24 30 FF FF FF FF}\r\n$code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B 4C 24 30 80 3C 08 00}\r\n$code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84 24 90 00 00 00 48 C7\r\n44 24 20 00 00 00 00 45 33 C9 44 8B C0 48 8B 94 24 98 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ?? 89 44 24 38 48\r\n8B 4C 24 48 ?? ?? ?? ?? ?? 48 8B 4C 24 60 48 33 CC ?? ?? ?? ?? ?? 48 83 C4 78 5F 5E C3}\r\ncondition:\r\nuint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*))\r\nrule ransomware_moneybird { meta: author = \"Marc Salinas @ Check Point Research\" description = \"Detects a\r\nransomware sample named Moneybird based on its pdb string.\" malware_family = \"MoneyBird\" date =\r\n\"11/05/2023\" sample = \"aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c\" strings: $ran1\r\n= \"WE ARE MONEYBIRD!\" $ran2 = \"All of your data encrypted!\" $ran3 = \"ok.ru/profile\" $ext1 =\r\n\"Shiftlibgcrypt\" $ext2 = \"come to the aide of their\" $ext3 = \"stopmarker\" wide $code1 = {44 89 4C 24 20 4C 89\r\n44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68 FE 1A 00 48 33 C4 48 89 44 24 60 48 8D\r\n44 24 50 48 8D 0D DC 68 15 00 48 8B F8 48 8B F1 B9 10 00 00 00 F3 A4 45 33 C9 41 B8 09 00 00 00 BA 09 00\r\n00 00 48 8D 4C 24 48 ?? ?? ?? ?? ?? 41 B8 20 00 00 00 48 8B 94 24 A0 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ??\r\n48 8D 44 24 50 48 89 44 24 40 48 C7 44 24 30 FF FF FF FF} $code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B\r\n4C 24 30 80 3C 08 00} $code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84\r\n24 90 00 00 00 48 C7 44 24 20 00 00 00 00 45 33 C9 44 8B C0 48 8B 94 24 98 00 00 00 48 8B 4C 24 48 ?? ?? ??\r\n?? ?? 89 44 24 38 48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8B 4C 24 60 48 33 CC ?? ?? ?? ?? ?? 48 83 C4 78 5F 5E C3}\r\ncondition: uint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*))\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 10 of 11\n\nrule ransomware_moneybird {\r\n meta:\r\n author = \"Marc Salinas @ Check Point Research\"\r\n description = \"Detects a ransomware sample named Moneybird based on its pdb string.\"\r\n malware_family = \"MoneyBird\"\r\n date = \"11/05/2023\"\r\n sample = \"aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c\"\r\n strings:\r\n $ran1 = \"WE ARE MONEYBIRD!\"\r\n $ran2 = \"All of your data encrypted!\"\r\n $ran3 = \"ok.ru/profile\"\r\n $ext1 = \"Shiftlibgcrypt\"\r\n $ext2 = \"come to the aide of their\"\r\n $ext3 = \"stopmarker\" wide\r\n $code1 = {44 89 4C 24 20 4C 89 44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68\r\n $code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B 4C 24 30 80 3C 08 00}\r\n $code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84 24 90 00 00\r\n condition:\r\n uint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*))\r\nSource: https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nhttps://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/\r\nPage 11 of 11\n\n$ext2 = \"come $ext3 = \"stopmarker\" to the aide of wide their\" \n$code1 = {44 89 4C 24 20 4C 89 44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68 FE 1A 00\n48 33 C4 48 89 44 24 60 48 8D 44 24 50 48 8D 0D DC 68 15 00 48 8B F8 48 8B F1 B9 10 00 00 00 F3 A4 45 33\nC9 41 B8 09 00 00 00 BA 09 00 00 00 48 8D 4C 24 48 ?? ?? ?? ?? ?? 41 B8 20 00 00 00 48 8B 94 24 A0 00 00 00\n48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8D 44 24 50 48 89 44 24 40 48 C7 44 24 30 FF FF FF FF} \n$code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B 4C 24 30 80 3C 08 00} \n$code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84 24 90 00 00 00 48 C7\n44 24 20 00 00 00 00 45 33 C9 44 8B C0 48 8B 94 24 98 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ?? 89 44 24 38 48\n8B 4C 24 48 ?? ?? ?? ?? ?? 48 8B 4C 24 60 48 33 CC ?? ?? ?? ?? ?? 48 83 C4 78 5F 5E C3} \ncondition: \nuint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*)) \nrule ransomware_moneybird { meta: author = \"Marc Salinas @ Check Point Research\" description = \"Detects a\nransomware sample named Moneybird based on its pdb string.\" malware_family = \"MoneyBird\" date = \n\"11/05/2023\" sample = \"aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c\" strings: $ran1\n= \"WE ARE MONEYBIRD!\" $ran2 = \"All of your data encrypted!\" $ran3 = \"ok.ru/profile\" $ext1 = \n\"Shiftlibgcrypt\" $ext2 = \"come to the aide of their\" $ext3 = \"stopmarker\" wide $code1 = {44 89 4C 24 20 4C 89\n44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68 FE 1A 00 48 33 C4 48 89 44 24 60 48 8D\n44 24 50 48 8D 0D DC 68 15 00 48 8B F8 48 8B F1 B9 10 00 00 00 F3 A4 45 33 C9 41 B8 09 00 00 00 BA 09 00\n00 00 48 8D 4C 24 48 ?? ?? ?? ?? ?? 41 B8 20 00 00 00 48 8B 94 24 A0 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ??\n48 8D 44 24 50 48 89 44 24 40 48 C7 44 24 30 FF FF FF FF} $code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B\n4C 24 30 80 3C 08 00} $code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84\n24 90 00 00 00 48 C7 44 24 20 00 00 00 00 45 33 C9 44 8B C0 48 8B 94 24 98 00 00 00 48 8B 4C 24 48 ?? ?? ??\n?? ?? 89 44 24 38 48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8B 4C 24 60 48 33 CC ?? ?? ?? ?? ?? 48 83 C4 78 5F 5E C3}\ncondition: uint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*)) \n Page 10 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MISPGALAXY", "MITRE" ], "origins": [ "web" ], "references": [ "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" ], "report_names": [ "agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations" ], "threat_actors": [ { "id": "21e01940-3851-417f-9e90-1a4a2da07033", "created_at": "2022-10-25T16:07:23.299369Z", "updated_at": "2026-04-18T02:00:04.850304Z", "deleted_at": null, "main_name": "Agrius", "aliases": [ "AMERICIUM", "Agonizing Serpens", "BlackShadow", "DEV-0227", "Pink Sandstorm", "SharpBoys", "Spectral Kitten" ], "source_name": "ETDA:Agrius", "tools": [ "ASPXSpy", "ASPXTool", "Agrius", "BFG Agonizer", "BFG Agonizer Wiper", "DEADWOOD", "DETBOSIT", "Detbosit", "IPsec Helper", "Moneybird", "MultiLayer Wiper", "PW", "PartialWasher", "PartialWasher Wiper", "SQLShred", "Sqlextractor" ], "source_id": "ETDA", "reports": null }, { "id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e", "created_at": "2025-08-07T02:03:24.783147Z", "updated_at": "2026-04-18T02:00:04.622212Z", "deleted_at": null, "main_name": "COBALT SHADOW", "aliases": [ "AMERICIUM ", "Agonizing Serpens ", "Agrius", "Agrius ", "BlackShadow", "DEV-0227 ", "Justice Blade ", "Malek Team", "Malek Team ", "MoneyBird ", "Pink Sandstorm ", "Sharp Boyz ", "Spectral Kitten " ], "source_name": "Secureworks:COBALT SHADOW", "tools": [ "Apostle", "DEADWOOD", "Fantasy wiper", "IPsec Helper", "MiniDump", "Moneybird ransomware", "Sandals", "SecretsDump" ], "source_id": "Secureworks", "reports": null }, { "id": "4023e661-f566-4b5b-a06f-9d370403f074", "created_at": "2024-02-02T02:00:04.064685Z", "updated_at": "2026-04-18T02:00:03.879116Z", "deleted_at": null, "main_name": "Pink Sandstorm", "aliases": [ "Agrius", "Agonizing Serpens", "UNC2428", "Black Shadow", "SPECTRAL KITTEN", "AMERICIUM", "BlackShadow", "DEV-0022" ], "source_name": "MISPGALAXY:Pink Sandstorm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d982d5b-3428-483c-8804-c3ab774f1861", "created_at": "2024-11-01T02:00:52.70975Z", "updated_at": "2026-04-18T02:00:04.803053Z", "deleted_at": null, "main_name": "Agrius", "aliases": [ "Agrius", "Pink Sandstorm", "AMERICIUM", "Agonizing Serpens", "BlackShadow" ], "source_name": "MITRE:Agrius", "tools": [ "NBTscan", "Mimikatz", "IPsec Helper", "Moneybird", "MultiLayer Wiper", "DEADWOOD", "BFG Agonizer", "ASPXSpy" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1776306149, "ts_updated_at": 1776478898, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a55926bde2b5740c0399b974ae2f8ed7740c660.pdf", "text": "https://archive.orkl.eu/1a55926bde2b5740c0399b974ae2f8ed7740c660.txt", "img": "https://archive.orkl.eu/1a55926bde2b5740c0399b974ae2f8ed7740c660.jpg" } }