win.acidbox

AcidBox

aka: MagicScroll

Unit 42 found AcidBox in February 2019 and describes it as a malware family that, according to Dr.Web, an unknown threat actor used in 2017 against Russian entities. It reused and improved a VirtualBox exploit previously used by Turla. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamic, XOR-encoded API usage.

References
2020-08-13Talos IntelligenceMartin Lee, Paul Rascagnères, Vitor Ventura
Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17Palo Alto Networks Unit 42Dominik Reichel, Esmid Idrizovic
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26EpicTurlaJuan Andrés Guerrero-Saade
ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20260504 | Detects win.acidbox.)
// Reviewer annotation (not part of the yara-signator output): the instruction
// listings under each $sequence_N below were decoded from the hex bytes as
// x86-64. The auto-generated listings they replace did not correspond to the
// bytes they annotated (e.g. 4883ec30 decodes to `sub rsp, 0x30`, not
// `dec eax`). `??` bytes are YARA wildcards and here mask call displacements;
// short-jump targets are given as rel8 displacements and are not resolved.
// "n" is the number of instructions in a sequence; "score" is the generator's
// ranking value, whose scale is not documented on this page.
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883ec30 488bfa 33db 4885c9 7479 4885d2 7474 }
            // n = 7, score = 400
            // Function entry: reserves 0x30 bytes of stack, saves rdx and
            // null-tests rcx and rdx — consistent with a Win64 prologue that
            // validates its first two arguments (calling convention assumed).
            //   4883ec30             | sub                 rsp, 0x30
            //   488bfa               | mov                 rdi, rdx
            //   33db                 | xor                 ebx, ebx
            //   4885c9               | test                rcx, rcx
            //   7479                 | je                  +0x79
            //   4885d2               | test                rdx, rdx
            //   7474                 | je                  +0x74

        $sequence_1 = { c1e91f 03d1 6bc21a 442bc0 4488442420 410fbed8 458d6c2461 }
            // n = 7, score = 400
            // Signed remainder modulo 26 (0x1a) followed by an offset of 'a'
            // (0x61) — consistent with an alphabetic encoding step; unverified.
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx
            //   6bc21a               | imul                eax, edx, 0x1a
            //   442bc0               | sub                 r8d, eax
            //   4488442420           | mov                 byte ptr [rsp + 0x20], r8b
            //   410fbed8             | movsx               ebx, r8b
            //   458d6c2461           | lea                 r13d, [r12 + 0x61]

        $sequence_2 = { 66c74424406e74 66c74424486c00 c644244264 c64424476c c7442437322e646c c74424336e656c33 66c74424306b65 }
            // n = 7, score = 400
            // The immediates spell "nt", "l\0", 'd', 'l', "2.dl", "nel3", "ke":
            // string fragments written onto the stack (likely "kernel32.dll" and
            // "ntdll.dll", with the remaining bytes set elsewhere) — the
            // stack-based string obfuscation described for this family.
            //   66c74424406e74       | mov                 word ptr [rsp + 0x40], 0x746e
            //   66c74424486c00       | mov                 word ptr [rsp + 0x48], 0x6c
            //   c644244264           | mov                 byte ptr [rsp + 0x42], 0x64
            //   c64424476c           | mov                 byte ptr [rsp + 0x47], 0x6c
            //   c7442437322e646c     | mov                 dword ptr [rsp + 0x37], 0x6c642e32
            //   c74424336e656c33     | mov                 dword ptr [rsp + 0x33], 0x336c656e
            //   66c74424306b65       | mov                 word ptr [rsp + 0x30], 0x656b

        $sequence_3 = { 7750 85d2 7413 8b477c 6644898c4788000000 ff477c ffca }
            // n = 7, score = 400
            // Looks like a counted append: a 16-bit value is stored into an
            // array at [rdi+0x88] indexed by the counter at [rdi+0x7c], which
            // is then incremented while edx counts down.
            //   7750                 | ja                  +0x50
            //   85d2                 | test                edx, edx
            //   7413                 | je                  +0x13
            //   8b477c               | mov                 eax, dword ptr [rdi + 0x7c]
            //   6644898c4788000000   | mov                 word ptr [rdi + rax*2 + 0x88], r9w
            //   ff477c               | inc                 dword ptr [rdi + 0x7c]
            //   ffca                 | dec                 edx

        $sequence_4 = { 488908 48894108 498b00 488b4810 }
            // n = 4, score = 400
            // Pointer relinking; resembles linked-list node updates (unverified).
            //   488908               | mov                 qword ptr [rax], rcx
            //   48894108             | mov                 qword ptr [rcx + 8], rax
            //   498b00               | mov                 rax, qword ptr [r8]
            //   488b4810             | mov                 rcx, qword ptr [rax + 0x10]

        $sequence_5 = { 488b8898000000 c7413809000000 488b03 89a810010000 488b03 89b814010000 eb30 }
            // n = 7, score = 400
            // Stores the constant 9 and two registers into structure fields
            // reached through [rax+0x98] and [rbx]; field meanings unknown.
            //   488b8898000000       | mov                 rcx, qword ptr [rax + 0x98]
            //   c7413809000000       | mov                 dword ptr [rcx + 0x38], 9
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   89a810010000         | mov                 dword ptr [rax + 0x110], ebp
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   89b814010000         | mov                 dword ptr [rax + 0x114], edi
            //   eb30                 | jmp                 +0x30

        $sequence_6 = { 0f95c0 894a08 488bca 4189424c 488d82bc000000 }
            // n = 5, score = 400
            //   0f95c0               | setne               al
            //   894a08               | mov                 dword ptr [rdx + 8], ecx
            //   488bca               | mov                 rcx, rdx
            //   4189424c             | mov                 dword ptr [r10 + 0x4c], eax
            //   488d82bc000000       | lea                 rax, [rdx + 0xbc]

        $sequence_7 = { 488d4fff 4883f9fd 7709 488bcf ff15???????? 488b6c2460 }
            // n = 6, score = 400
            // (rdi - 1) > -3 unsigned holds only for rdi in {0, -1}, so the
            // indirect call is skipped for a NULL or INVALID_HANDLE_VALUE-like
            // argument — consistent with a handle-validity test before an
            // import call whose target is wildcarded.
            //   488d4fff             | lea                 rcx, [rdi - 1]
            //   4883f9fd             | cmp                 rcx, -3
            //   7709                 | ja                  +0x09
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + ?]  (displacement wildcarded)
            //   488b6c2460           | mov                 rbp, qword ptr [rsp + 0x60]

        $sequence_8 = { 44017328 897e4c c7430871000000 397b28 7418 488bce e8???????? }
            // n = 7, score = 400
            //   44017328             | add                 dword ptr [rbx + 0x28], r14d
            //   897e4c               | mov                 dword ptr [rsi + 0x4c], edi
            //   c7430871000000       | mov                 dword ptr [rbx + 8], 0x71
            //   397b28               | cmp                 dword ptr [rbx + 0x28], edi
            //   7418                 | je                  +0x18
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                ?  (rel32 wildcarded)

        $sequence_9 = { 395308 7708 41b9070a00a0 eb36 488d8e50010000 4c8bca 4c8bc3 }
            // n = 7, score = 400
            // Meaning of the 0xa0000a07 constant is not established here.
            //   395308               | cmp                 dword ptr [rbx + 8], edx
            //   7708                 | ja                  +0x08
            //   41b9070a00a0         | mov                 r9d, 0xa0000a07
            //   eb36                 | jmp                 +0x36
            //   488d8e50010000       | lea                 rcx, [rsi + 0x150]
            //   4c8bca               | mov                 r9, rdx
            //   4c8bc3               | mov                 r8, rbx

    condition:
        // Any 7 of the 10 sequences must be present. The size cap
        // (589824 bytes = 576 KiB) restricts matches to small files; a larger
        // container holding the same code (installer, packed or appended
        // payload) will not match this rule.
        7 of them and filesize < 589824
}