
burntcigar.sys

Description

BurntCigar (aka POORTRY) is a malicious kernel-mode rootkit driver used by multiple ransomware groups, including Cuba, BlackCat, Medusa, LockBit, and RansomHub. It is designed to disable and remove EDR solutions by terminating security processes and deleting critical security software files. The driver is VMProtect-packed and signed with a stolen Blueone Technology certificate. It is detected by 32.9% of AV engines. By rendering systems defenseless, it facilitates ransomware deployment.

  • UUID: bb20edec-ecd4-4acd-9ad2-e4559748b336
  • Created: 2025-10-09
  • Author: Michael Haag

Download

This download link contains the malicious driver!

Commands

sc.exe create burntcigar binPath=C:\windows\temp\burntcigar.sys type=kernel && sc.exe start burntcigar
| Use Case           | Privileges | Operating System |
|--------------------|------------|------------------|
| Elevate privileges | kernel     | Windows 10       |

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://www.virustotal.com/gui/file/7c5329b842cc3eaf1ec6c11b00e09a8c5e38ad14134b40a8bae3eda0a167a919
  • https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/
  • https://www.fortiguard.com/threat-signal-report/4920
  • https://securelist.com/cuba-ransomware/110533/

  • Known Vulnerable Samples

    | Property                | Value                                                            |
    |-------------------------|------------------------------------------------------------------|
    | Filename                | burntcigar.sys                                                   |
    | Creation Timestamp      | 2020-06-07 18:52:25                                              |
    | MD5                     | 08cd822f1ef3e94616f75d484faf4d04                                 |
    | SHA1                    | 3b4f4e6640e2e83f2caba72346972d9f7ab7f7e6                         |
    | SHA256                  | 7c5329b842cc3eaf1ec6c11b00e09a8c5e38ad14134b40a8bae3eda0a167a919 |
    | Authentihash MD5        | 36b55c68011bcd05588c949b43501f33                                 |
    | Authentihash SHA1       | 7d3e874abbc4f315cbce8c2fbd76df826e20f813                         |
    | Authentihash SHA256     | 31ce29a3ead6b843b40c9c08e08488e04eba209e13dd8cac7a4a28ab9250f401 |
    | RichPEHeaderHash MD5    | ffdf660eb1ebf020a1d0a55a90712dfb                                 |
    | RichPEHeaderHash SHA1   | 3e905e3d061d0d59de61fcf39c994fcb0ec1bab3                         |
    | RichPEHeaderHash SHA256 | 2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6 |


    Certificates

    Certificate 7735a905d3c999565ccc8bcd7f85d920

    | Field                  | Value |
    |------------------------|-------|
    | ToBeSigned (TBS) MD5   | e42baccee43e5b102aeca34a72ee4fdf |
    | ToBeSigned (TBS) SHA1  | 4642608f457feb1f5afcbef0267348ea62698337 |
    | ToBeSigned (TBS) SHA256 | 21706594256a20f6715b7ae79aad2faf37154c34a5d1a50b2f356ec2392b6efe |
    | Subject                | CN=Blueone Technology Co., Ltd,OU=Digital ID Class 3 , Microsoft Software Validation v2,O=Blueone Technology Co., Ltd,L=Shenzhen,ST=Guangdong,C=CN |
    | ValidFrom              | 2012-12-06 00:00:00 |
    | ValidTo                | 2013-12-06 23:59:59 |
    | Signature              | c55da598f13b9cd62d8eae867de66eb27f49f057813c0aa10f16f276d0840a2b26853738d9b2ccc640ecda9d7e188a85e0aa73af0db6b9d8ff76de746dc4b966eb1b4378915a1520763e3b7445dd680e2733a7fa475729d9268f1c9d105b0970c01478586b0ddd3d5bf92051740072550b0eb3d7ce8f55bfb52ec03c6d90e1a29abacabd96feac0912d764f771581f09274249c1bd37e04898780785e2a7121e6e2e4bb624c46209da7e6bdf95e13f73b556297831152b86aca469a93b9cf47b567816d51561c7a11f94c133c72d9d0038a14d0973cd06fff780912f757286c650c97956a2d643922bd0ddd3274a6d7d9a4a66a1a4ee4e29edd86626946dde50 |
    | SignatureAlgorithmOID  | 1.2.840.113549.1.1.5 |
    | IsCertificateAuthority | False |
    | SerialNumber           | 7735a905d3c999565ccc8bcd7f85d920 |
    | Version                | 3 |

    Certificate 611993e400000000001c

    | Field                  | Value |
    |------------------------|-------|
    | ToBeSigned (TBS) MD5   | 78a717e082dcc1cda3458d917e677d14 |
    | ToBeSigned (TBS) SHA1  | 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 |
    | ToBeSigned (TBS) SHA256 | 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 |
    | Subject                | CN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US |
    | ValidFrom              | 2011-02-22 19:25:17 |
    | ValidTo                | 2021-02-22 19:35:17 |
    | Signature              | 812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94 |
    | SignatureAlgorithmOID  | 1.2.840.113549.1.1.5 |
    | IsCertificateAuthority | True |
    | SerialNumber           | 611993e400000000001c |
    | Version                | 3 |

    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7

    | Field                  | Value |
    |------------------------|-------|
    | ToBeSigned (TBS) MD5   | b30c31a572b0409383ed3fbe17e56e81 |
    | ToBeSigned (TBS) SHA1  | 4843a82ed3b1f2bfbee9671960e1940c942f688d |
    | ToBeSigned (TBS) SHA256 | 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 |
    | Subject                | CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US |
    | ValidFrom              | 2010-02-08 00:00:00 |
    | ValidTo                | 2020-02-07 23:59:59 |
    | Signature              | 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 |
    | SignatureAlgorithmOID  | 1.2.840.113549.1.1.5 |
    | IsCertificateAuthority | True |
    | SerialNumber           | 5200e5aa2556fc1a86ed96c9d44b33c7 |
    | Version                | 3 |

    Imports

    • ntoskrnl.exe
    • WDFLDR.SYS
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • ObQueryNameString
    • WdfVersionBindClass
    • ExAllocatePool
    • NtQuerySystemInformation
    • ExFreePoolWithTag
    • IoAllocateMdl
    • MmProbeAndLockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnlockPages
    • IoFreeMdl
    • KeQueryActiveProcessors
    • KeSetSystemAffinityThread
    • KeRevertToUserAffinityThread
    • DbgPrint
    • KeQueryPerformanceCounter

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .vmp0
    • .vmp1
    • .vmp2
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "7735a905d3c999565ccc8bcd7f85d920",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=Blueone Technology Co., Ltd,OU=Digital ID Class 3 , Microsoft Software Validation v2,O=Blueone Technology Co., Ltd,L=Shenzhen,ST=Guangdong,C=CN",
          "TBS": {
            "MD5": "e42baccee43e5b102aeca34a72ee4fdf",
            "SHA1": "4642608f457feb1f5afcbef0267348ea62698337",
            "SHA256": "21706594256a20f6715b7ae79aad2faf37154c34a5d1a50b2f356ec2392b6efe",
            "SHA384": "e38c01a82da5c267342686b0a0b8c346008d504ae2e07d5ec7006ebf277f412fb5ec7aeecba4078a5c32b75254a37b4b"
          },
          "ValidFrom": "2012-12-06 00:00:00",
          "ValidTo": "2013-12-06 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "611993e400000000001c",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "TBS": {
            "MD5": "78a717e082dcc1cda3458d917e677d14",
            "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
            "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
            "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
          },
          "ValidFrom": "2011-02-22 19:25:17",
          "ValidTo": "2021-02-22 19:35:17",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "TBS": {
            "MD5": "b30c31a572b0409383ed3fbe17e56e81",
            "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
            "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
            "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
          },
          "ValidFrom": "2010-02-08 00:00:00",
          "ValidTo": "2020-02-07 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "SerialNumber": "7735a905d3c999565ccc8bcd7f85d920",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-01-07