win.anatova_ransom

Anatova Ransomware


Anatova is a ransomware family whose goal is to encrypt every file it can reach and then demand payment from the victim. It also checks for connected network shares and encrypts the files on those shares as well. The code is also prepared to support modular extensions.

References
2019-01-23 · Bleeping Computer · Ionut Ilascu
New Anatova Ransomware Supports Modules for Extra Functionality
Anatova Ransomware
2019-01-22 · McAfee · Alexandre Mundo
Happy New Year 2019! Anatova is here!
Anatova Ransomware
Yara Rules
[TLP:WHITE] win_anatova_ransom_auto (20230808 | Detects win.anatova_ransom.)
// Autogenerated code-sequence rule for the Anatova ransomware family (Malpedia id: win.anatova_ransom).
// Each $sequence_N below is an opcode-byte pattern lifted from the disassembly of a sample; `??` bytes
// are wildcards. The rule fires when 7 of the 10 sequences are present and the scanned file is below
// the size bound in the condition. It is heuristic by construction (see the DISCLAIMER in the rule
// body): treat a hit as a triage signal to be corroborated, not as a definitive verdict.
rule win_anatova_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): three different dates are carried here (date 2023-12-06, malpedia_rule_date
        // 20231130, malpedia_version 20230808). Presumably rule-generation date, Malpedia rule-set date
        // and dataset snapshot respectively -- confirm against Malpedia before using any of them as a
        // version key for this rule.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.anatova_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator masked or used: calls/jumps, data references, binary values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // How to read the strings:
        //  - `??` wildcards match any byte. They sit where call/jmp rel32 displacements and RIP-relative
        //    data operands would be (e.g. `e8????????`, `488b05????????`), consistent with the
        //    "callsandjumps;datarefs" signator_config: relocatable operands are masked so the pattern
        //    survives different build and link layouts.
        //  - The `// n = ..., score = ...` lines are yara-signator's own: n appears to be the number of
        //    instructions in the sequence and score the generator's ranking -- confirm against the tool's docs.
        //  - The per-byte `//` annotations do NOT line up reliably with the bytes. They look like 32-bit
        //    decodings of 64-bit code (the REX prefix bytes 48/49/4c appear as `dec eax`/`dec ecx`/`dec esp`),
        //    and several lines are offset from the bytes they sit next to (`b805000000` is `mov eax, 5`,
        //    not the `cmp ecx, eax` shown). Use the hex bytes, not the annotations, when reviewing or
        //    tuning this rule.
        $sequence_0 = { 488d05ec570000 48894588 488d05eb570000 48894590 }
            // n = 4, score = 100
            //   488d05ec570000       | lea                 eax, [0x63e7]
            //   48894588             | dec                 eax
            //   488d05eb570000       | mov                 dword ptr [ebp - 0xf0], eax
            //   48894590             | dec                 eax

        $sequence_1 = { b805000000 4989c3 488b01 4989c2 4c89d1 4c89da e8???????? }
            // n = 7, score = 100
            //   b805000000           | cmp                 ecx, eax
            //   4989c3               | jae                 0xa15
            //   488b01               | mov                 eax, dword ptr [ebp - 0x84]
            //   4989c2               | mov                 word ptr [ebx + esi*2 - 0x7a], es
            //   4c89d1               | cmp                 al, 0x67
            //   4c89da               | jns                 0xa26
            //   e8????????           |                     

        $sequence_2 = { 4989c2 4c89d1 e8???????? e9???????? 488b45e0 4989c2 4c89d1 }
            // n = 7, score = 100
            //   4989c2               | dec                 eax
            //   4c89d1               | mov                 eax, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   e9????????           |                     
            //   488b45e0             | dec                 ecx
            //   4989c2               | mov                 ecx, eax
            //   4c89d1               | mov                 eax, 4

        $sequence_3 = { e8???????? 488b05???????? 488b0d???????? 488b15???????? 488945f0 488d45fc 4889442420 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b05????????       |                     
            //   488b0d????????       |                     
            //   488b15????????       |                     
            //   488945f0             | mov                 eax, 0xa
            //   488d45fc             | mov                 byte ptr [ebp - 0x6c], al
            //   4889442420           | mov                 eax, 0xe

        $sequence_4 = { 4883f800 0f84b2000000 488b05???????? 4883f800 0f84a1000000 488b05???????? }
            // n = 6, score = 100
            //   4883f800             | mov                 dword ptr [ebp - 0x30], eax
            //   0f84b2000000         | dec                 eax
            //   488b05????????       |                     
            //   4883f800             | lea                 eax, [0x56f3]
            //   0f84a1000000         | dec                 eax
            //   488b05????????       |                     

        $sequence_5 = { 4989c2 4c89d1 e8???????? 488b05???????? 4883f800 0f843e000000 8b05???????? }
            // n = 7, score = 100
            //   4989c2               | mov                 ecx, eax
            //   4c89d1               | dec                 eax
            //   e8????????           |                     
            //   488b05????????       |                     
            //   4883f800             | mov                 eax, dword ptr [ebp - 0x10]
            //   0f843e000000         | dec                 ecx
            //   8b05????????         |                     

        $sequence_6 = { b800000000 4989c3 b802000000 4989c2 4c89d1 4c89da 4c8b1d???????? }
            // n = 7, score = 100
            //   b800000000           | cmp                 eax, 5
            //   4989c3               | je                  0x232
            //   b802000000           | mov                 eax, dword ptr [ebp - 0x18]
            //   4989c2               | cmp                 eax, 3
            //   4c89d1               | je                  0x24a
            //   4c89da               | mov                 eax, dword ptr [ebp - 0x18]
            //   4c8b1d????????       |                     

        $sequence_7 = { 4989c0 488b45d8 4989c3 488b45a0 4989c2 4c89d1 4c89da }
            // n = 7, score = 100
            //   4989c0               | dec                 eax
            //   488b45d8             | mov                 dword ptr [ebp - 0x40], eax
            //   4989c3               | dec                 eax
            //   488b45a0             | mov                 eax, 4
            //   4989c2               | add                 byte ptr [eax], al
            //   4c89d1               | add                 byte ptr [eax], al
            //   4c89da               | dec                 ecx

        $sequence_8 = { 4989c1 b800000000 4989c0 b800000000 4989c3 }
            // n = 5, score = 100
            //   4989c1               | dec                 ecx
            //   b800000000           | mov                 edx, eax
            //   4989c0               | dec                 esp
            //   b800000000           | mov                 ecx, edx
            //   4989c3               | jne                 0x1056

        $sequence_9 = { 48b80f00000000000000 4989c0 b800000000 4989c3 488d45b1 4989c2 4c89d1 }
            // n = 7, score = 100
            //   48b80f00000000000000     | dec    ecx
            //   4989c0               | mov                 ebx, eax
            //   b800000000           | dec                 eax
            //   4989c3               | lea                 eax, [0x27fb]
            //   488d45b1             | dec                 ecx
            //   4989c2               | mov                 edx, eax
            //   4c89d1               | dec                 eax

    condition:
        // 7 of the 10 $sequence_* strings must be present. The filesize bound (671744 bytes = 656 KiB)
        // keeps the scan cheap and scopes the rule to standalone samples; the same code embedded in a
        // larger carrier (installer, archive, full memory image) will not match.
        // NOTE(review): `filesize` is defined for file scans; confirm how your scanner populates it for
        // process/memory scans before relying on this rule in that setting.
        7 of them and filesize < 671744
}