{
	"id": "de1e5586-99f5-4fdb-b180-886634ef4b7b",
	"created_at": "2026-04-06T00:09:52.581993Z",
	"updated_at": "2026-04-10T03:30:36.226235Z",
	"deleted_at": null,
	"sha1_hash": "edd147c245dcbf63d18c6f2b96f0cc2afd0476f4",
	"title": "Apostle Ransomware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1145445,
	"plain_text": "Apostle Ransomware Analysis\r\nBy cyberpunkleigh\r\nPublished: 2021-05-27 · Archived: 2026-04-05 14:28:07 UTC\r\nHere we go, another ransomware writeup 🙂\r\nSmall note: sorry if this is not the best quality, I am new to blogging and working on improving!\r\nWhat is this Ransomware?\r\nApostle ransomware appears to be connected with attacks on Israel, with IOCs in many reports pointing towards Iranian APTs, but also to a group formed in 2020 dubbed “Agrius”.\r\nhttps://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/\r\nPage 1 of 9\r\nThis ransomware is another one developed in .NET, which as seen recently is starting to become a trend; very good for us, not so good for the bad guy.\r\nFilename(s): Apostle.exe / alldata-3.5.exe\r\nFile Hash: 19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A5216D27E\r\nSample Download: https://vxug.fakedoma.in/samples/Exotic/NonAPTs/Agrius/Agrius.zip\r\nScan Online: https://www.malwares.com/report/file?hash=19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A5216D27E\r\nWe got the sample, and now what?\r\nThe first thing I did upon getting the sample was to look on VirusTotal to try and identify some key information, such as what language was used to write the malware. In this case we discovered that it has been identified by a few of the detections on VirusTotal as shown below.\r\nThe above image displays some great news about the malware: .NET is normally very trivial to decompile and get an understanding of what is actually going on with tools such as:\r\nhttps://github.com/icsharpcode/ILSpy\r\nhttps://github.com/dnSpy/dnSpy\r\nDecompiling the executable\r\nUsing the tool “ILSpy” I loaded my fresh sample to see what we could find inside the code: maybe some juicy details, or maybe we can look at the methods involved or just pull some juicy information.\r\nWhat a surprise, it's obfuscated\r\nOH NO IT'S OBFUSCATED!?!\r\nLet's give it a good ol’ rub with de4dot and see if it detects and deobfuscates it. There is no way this is going to work, right? All these AdVaNcEd ThReAt AcToRs would be using custom obfuscation to prevent an ancient tool from working?!?\r\nOH NO IT WORKED\r\nIt's just free code for us to look at\r\nOkay, we are deobfuscated, let's take a look around.\r\nFirst of all, let's take a look and see if we can find any kind of unique strings or indicators.\r\nUgh, the strings are obfuscated. Let's find how strings are used.\r\nHere is a simple XOR string function inside that references SC.\r\nSC is just an XOR index table, with SC being a cached version, which I assume stands for StringCache.\r\nThanks for the string method\r\nNow let's yoink this method and put it all together in a simple C# app.\r\nAs you can see here, it has worked.\r\nSelf Deletion\r\nHere is the way that it deletes itself after running: it creates a .bat file to bypass file locks.\r\nSetting process tokens\r\nThis method attempts to set token privileges to one that allows SeShutdownPrivilege.\r\nFile Destruction\r\nAnother way to flag files would be using this timestamp as an identifier: 2037, 1, 1, 0, 0, 0 (“Y,M,D,H,M,S”).\r\nMaking sure it only runs once\r\nThis function is called and generates a MUTEX for preventing multiple runs.\r\nEncryption Key\r\nThe encryption key is passed in as a command line argument.\r\nStopping SQL services\r\nThis is the stop function which the below screenshot uses.\r\nv\\u0096ï turns into “SQL”\r\nRSA Encryption\r\nThis function handles RSA Encryption.\r\nDamaging data blocks\r\nFunction to literally damage data blocks.\r\nI hope maybe you learned something or just enjoyed looking at the pretty screenshots \u003c333\r\nCredits:\r\nSentinelOne – For great research and publication regarding this malware\r\nhttps://twitter.com/SentinelOne\r\nhttps://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius/\r\nvx-underground – Hosting the samples and generally having an awesome community\r\nhttps://twitter.com/vxunderground\r\nhttps://vx-underground.org/samples.html\r\nPublished May 27, 2021\r\nSource: https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/"
	],
	"report_names": [
		"apostle-ransomware-analysis"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edd147c245dcbf63d18c6f2b96f0cc2afd0476f4.pdf",
		"text": "https://archive.orkl.eu/edd147c245dcbf63d18c6f2b96f0cc2afd0476f4.txt",
		"img": "https://archive.orkl.eu/edd147c245dcbf63d18c6f2b96f0cc2afd0476f4.jpg"
	}
}