win.7ev3n

7ev3n


The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n." For triage, the host-side indicators in that description are the .R5A extension on encrypted files, the several dropped components under %LocalAppData%, and the registry changes that disable recovery options and function keys; the YARA rule below is a separate, code-based detection layer built from unpacked samples (see its disclaimer), so the two should be used together rather than interchangeably.

References
2016-07-06 — NJCCIC (NJCCIC)
7ev3n
7ev3n
2016-05-06 — Malwarebytes (hasherezade)
7ev3n ransomware turning ‘HONE$T’
7ev3n
Yara Rules
[TLP:WHITE] win_7ev3n_auto (20260504 | Detects win.7ev3n.)
rule win_7ev3n_auto {
    // Auto-generated code-sequence signature for the 7ev3n ransomware family
    // (Malpedia: win.7ev3n). Each $sequence_N below is a short run of x86
    // instruction bytes lifted from unpacked / memory-dumped samples (see the
    // DISCLAIMER); "????????" marks wildcarded 4-byte operands (absolute data
    // addresses and call targets) that vary between builds or load bases.
    // Because the bytes come from unpacked code, the rule is intended for
    // unpacked binaries and memory dumps rather than packed on-disk droppers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.7ev3n."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0, 1, 7 and 8 are the same shape: 8-byte SSE stores (movq
        // xmm0) interleaved with 2-byte stores (mov ax) from wildcarded global
        // addresses into a large stack frame (offsets from ebp-0x198 down to
        // ebp-0x2290). This is consistent with constant data being copied
        // onto the stack; what the data is cannot be told from the bytes alone.
        $sequence_0 = { 66898560fbffff f30f7e05???????? 660fd68560feffff 0fb705???????? 66898568feffff f30f7e05???????? 660fd6854cfbffff }
            // n = 7, score = 100
            //   66898560fbffff       | mov                 word ptr [ebp - 0x4a0], ax
            //   f30f7e05????????     |                     
            //   660fd68560feffff     | movq                qword ptr [ebp - 0x1a0], xmm0
            //   0fb705????????       |                     
            //   66898568feffff       | mov                 word ptr [ebp - 0x198], ax
            //   f30f7e05????????     |                     
            //   660fd6854cfbffff     | movq                qword ptr [ebp - 0x4b4], xmm0

        $sequence_1 = { 660fd685c0f3ffff 0fb705???????? 668985c8f3ffff f30f7e05???????? 660fd685b4f3ffff 0fb705???????? 668985bcf3ffff }
            // n = 7, score = 100
            //   660fd685c0f3ffff     | movq                qword ptr [ebp - 0xc40], xmm0
            //   0fb705????????       |                     
            //   668985c8f3ffff       | mov                 word ptr [ebp - 0xc38], ax
            //   f30f7e05????????     |                     
            //   660fd685b4f3ffff     | movq                qword ptr [ebp - 0xc4c], xmm0
            //   0fb705????????       |                     
            //   668985bcf3ffff       | mov                 word ptr [ebp - 0xc44], ax

        // Sequences 2, 3 and 5 share the compare/jump tail (sub ecx,...; cmp
        // eax, ecx; je) and the ebp-0x3230 stack object, so they likely come
        // from neighbouring code in the same function; the 32-bit je targets
        // (0x4918, 0x494) are relative displacements baked into the bytes.
        $sequence_2 = { 2bcf 3bc1 0f8412490000 8dbdcce7ffff 8d4f02 0f1f840000000000 668b07 }
            // n = 7, score = 100
            //   2bcf                 | sub                 ecx, edi
            //   3bc1                 | cmp                 eax, ecx
            //   0f8412490000         | je                  0x4918
            //   8dbdcce7ffff         | lea                 edi, [ebp - 0x1834]
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   668b07               | mov                 ax, word ptr [edi]

        $sequence_3 = { 50 8d8dd0cdffff e8???????? 8bce 2b8de8caffff 3bc1 0f848e040000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8dd0cdffff         | lea                 ecx, [ebp - 0x3230]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   2b8de8caffff         | sub                 ecx, dword ptr [ebp - 0x3518]
            //   3bc1                 | cmp                 eax, ecx
            //   0f848e040000         | je                  0x494

        // Loop that copies 16-bit units from the absolute address 0x450800
        // into the stack until a zero word is read (test ax, ax / jne back),
        // consistent with a wide-string copy. NOTE(review): 0x450800 is a
        // literal, not wildcarded, so this sequence is tied to one image
        // layout and is the most brittle of the ten across rebuilds or a
        // relocated load base.
        $sequence_4 = { 0fb78100084500 8d4902 6689440dda 6685c0 75ec eb5e }
            // n = 6, score = 100
            //   0fb78100084500       | movzx               eax, word ptr [ecx + 0x450800]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   6689440dda           | mov                 word ptr [ebp + ecx - 0x26], ax
            //   6685c0               | test                ax, ax
            //   75ec                 | jne                 0xffffffee
            //   eb5e                 | jmp                 0x60

        $sequence_5 = { 6a00 8d8518e7ffff 50 8d8dd0cdffff e8???????? 8bce 2bcf }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   8d8518e7ffff         | lea                 eax, [ebp - 0x18e8]
            //   50                   | push                eax
            //   8d8dd0cdffff         | lea                 ecx, [ebp - 0x3230]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   2bcf                 | sub                 ecx, edi

        // Compiler-style result normalisation: xor eax,eax on one path,
        // sbb eax,eax / or eax,1 (-1 or +1) on the other, then tested and
        // branched on. Generic enough that it adds little on its own; it only
        // contributes as one of the "7 of them" votes.
        $sequence_6 = { 75de 33c0 eb05 1bc0 83c801 85c0 0f84b0fdffff }
            // n = 7, score = 100
            //   75de                 | jne                 0xffffffe0
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 7
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   0f84b0fdffff         | je                  0xfffffdb6

        $sequence_7 = { 660fd68570fbffff 0fb705???????? 66898578fbffff f30f7e05???????? 660fd68570ddffff a1???????? 898578ddffff }
            // n = 7, score = 100
            //   660fd68570fbffff     | movq                qword ptr [ebp - 0x490], xmm0
            //   0fb705????????       |                     
            //   66898578fbffff       | mov                 word ptr [ebp - 0x488], ax
            //   f30f7e05????????     |                     
            //   660fd68570ddffff     | movq                qword ptr [ebp - 0x2290], xmm0
            //   a1????????           |                     
            //   898578ddffff         | mov                 dword ptr [ebp - 0x2288], eax

        $sequence_8 = { f30f7e05???????? 660fd68564e6ffff 0fb705???????? 6689856ce6ffff f30f7e05???????? 660fd68558e6ffff 0fb705???????? }
            // n = 7, score = 100
            //   f30f7e05????????     |                     
            //   660fd68564e6ffff     | movq                qword ptr [ebp - 0x199c], xmm0
            //   0fb705????????       |                     
            //   6689856ce6ffff       | mov                 word ptr [ebp - 0x1994], ax
            //   f30f7e05????????     |                     
            //   660fd68558e6ffff     | movq                qword ptr [ebp - 0x19a8], xmm0
            //   0fb705????????       |                     

        // Indirect API call (ff15 through a wildcarded IAT slot) followed by a
        // direct call and a test of its result; which APIs are involved is not
        // recoverable from the wildcarded bytes.
        $sequence_9 = { ff15???????? b902000000 e8???????? be01000000 85c0 740d 8d4e01 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b902000000           | mov                 ecx, 2
            //   e8????????           |                     
            //   be01000000           | mov                 esi, 1
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   8d4e01               | lea                 ecx, [esi + 1]

    condition:
        // Requires 7 of the 10 sequences, so a single rewritten or relocated
        // basic block does not by itself lose the detection, while the
        // near-duplicate SSE-store sequences (0/1/7/8) cannot carry a match
        // alone. The size cap presumably reflects the reference sample(s) and
        // keeps the rule off large files; verify it against any new variant.
        // NOTE(review): `filesize` is only defined when scanning a file, so
        // when this rule is applied to process memory the comparison is
        // expected to be undefined and the rule not to fire — confirm with the
        // YARA version in use before relying on it for live-memory triage.
        7 of them and filesize < 803840
}