Date: 04/06/2026
Severity: High
Summary
Endpoint Detection and Response (EDR) tools are more advanced than traditional antivirus and are widely used today. Attackers deploy EDR killers to bypass or disable these defenses, limiting visibility into system activity. As detection improves, attackers increasingly target security layers early in the attack lifecycle. This blog analyzes a malicious “msimg32.dll” used in Qilin ransomware, featuring a multi-stage infection chain. The malware uses advanced evasion techniques to disable EDR systems, including obfuscation, kernel manipulation, and API bypass methods.
Indicators of Compromise (IOC) List
Hash | 89ee7235906f7d12737679860264feaf
01d00d3dd8bc8fd92dae9e04d0f076cb3158dc9c
7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497
6bc8e3505d9f51368ddf323acb6abc49
82ed942a52cdcf120a8919730e00ba37619661a3
16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0
cf7cad39407d8cd93135be42b6bd258f
ce1b9909cef820e5281618a7a0099a27a70643dc
bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
1305e8b0f9c459d5ed85e7e474fbebb1
84e2d2084fe08262c2c378a377963a1482b35ac5
12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | md5hash IN ("cf7cad39407d8cd93135be42b6bd258f","89ee7235906f7d12737679860264feaf","6bc8e3505d9f51368ddf323acb6abc49","1305e8b0f9c459d5ed85e7e474fbebb1") |
Detection Query 2 : | sha1hash IN ("01d00d3dd8bc8fd92dae9e04d0f076cb3158dc9c","ce1b9909cef820e5281618a7a0099a27a70643dc","82ed942a52cdcf120a8919730e00ba37619661a3","84e2d2084fe08262c2c378a377963a1482b35ac5")
|
Detection Query 3 : | sha256hash IN ("16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0","bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56","7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497","12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0")
|
Reference:
https://blog.talosintelligence.com/qilin-edr-killer/