Azov Wiper (Malware Family)

Azov Wiper

VTCollection

According to Checkpoint, this malware is a wiper instead of ransomware as self-announced. It is manually written in FASM, unrecoverably overwriting data in blocks of 666 bytes, using multi-threading.

References

2023-01-24 ⋅ Fortinet ⋅ Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2022-12-12 ⋅ Checkpoint ⋅ Jiří Vinopal
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
Azov Wiper

2022-11-02 ⋅ Twitter (@_CPResearch_) ⋅ Checkpoint Research
Tweet on Azov Wiper
Azov Wiper

Yara Rules

[TLP:WHITE] win_azov_wiper_auto (20260504 | Detects win.azov_wiper.)

rule win_azov_wiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.azov_wiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48894c2408 57 4883ec40 33ff 4c8bda 4883cbff 488bc3 }
            // n = 7, score = 100
            //   48894c2408           | je                  0x2be
            //   57                   | mov                 edx, 0x1fe
            //   4883ec40             | dec                 eax
            //   33ff                 | mov                 ecx, ebx
            //   4c8bda               | dec                 esp
            //   4883cbff             | mov                 eax, dword ptr [eax]
            //   488bc3               | dec                 eax

        $sequence_1 = { 488d5202 6685c9 75ef 488b05???????? 4c8d0551feffff 48897c2428 33d2 }
            // n = 7, score = 100
            //   488d5202             | mov                 eax, dword ptr [edi + 0x10]
            //   6685c9               | subsd               xmm0, qword ptr [eax + 4]
            //   75ef                 | comisd              xmm0, xmmword ptr [eax + 0xc]
            //   488b05????????       |                     
            //   4c8d0551feffff       | jae                 0x80a
            //   48897c2428           | dec                 eax
            //   33d2                 | mov                 eax, dword ptr [edi]

        $sequence_2 = { 48897c2430 4533c0 33d2 4c8b10 }
            // n = 4, score = 100
            //   48897c2430           | xor                 eax, eax
            //   4533c0               | dec                 eax
            //   33d2                 | add                 edi, 0x29a
            //   4c8b10               | dec                 eax

        $sequence_3 = { 8bc6 488b7c2430 488b5c2438 4883c420 }
            // n = 4, score = 100
            //   8bc6                 | dec                 eax
            //   488b7c2430           | mov                 ebx, dword ptr [esp + 0x88]
            //   488b5c2438           | dec                 eax
            //   4883c420             | mov                 ecx, edi

        $sequence_4 = { 8d571a 4533c9 48895c2420 4533c0 33c9 }
            // n = 5, score = 100
            //   8d571a               | dec                 eax
            //   4533c9               | add                 esp, 8
            //   48895c2420           | dec                 eax
            //   4533c0               | mov                 ecx, dword ptr [esp - 8]
            //   33c9                 | dec                 eax

        $sequence_5 = { 4889742418 57 4881ec60020000 33ff }
            // n = 4, score = 100
            //   4889742418           | dec                 eax
            //   57                   | mov                 dword ptr [esp], esi
            //   4881ec60020000       | dec                 eax
            //   33ff                 | xor                 esi, esi

        $sequence_6 = { 4885c0 7509 488b15???????? ebd6 e8???????? 0f57f6 }
            // n = 6, score = 100
            //   4885c0               | inc                 ecx
            //   7509                 | call                dword ptr [ecx + 0x20]
            //   488b15????????       |                     
            //   ebd6                 | dec                 eax
            //   e8????????           |                     
            //   0f57f6               | mov                 ebx, ecx

        $sequence_7 = { 4881ec50020000 488b4108 0f29b42440020000 48890d???????? ff5028 }
            // n = 5, score = 100
            //   4881ec50020000       | lea                 eax, [0xfffff4ff]
            //   488b4108             | cmp                 word ptr [edx + ebx*2 + 2], di
            //   0f29b42440020000     | dec                 eax
            //   48890d????????       |                     
            //   ff5028               | lea                 ebx, [ebx + 1]

        $sequence_8 = { 458bc4 ba000000c0 48c744242002000000 4c8b10 41ff5238 488bf0 }
            // n = 6, score = 100
            //   458bc4               | mov                 edx, dword ptr [eax]
            //   ba000000c0           | call                dword ptr [edx + 0xb8]
            //   48c744242002000000     | add    eax, -2
            //   4c8b10               | cmp                 eax, 2
            //   41ff5238             | ja                  0x3fe
            //   488bf0               | dec                 eax

        $sequence_9 = { ff5260 4c8d9c2460020000 33c0 498b5b10 498b7320 498be3 5f }
            // n = 7, score = 100
            //   ff5260               | dec                 eax
            //   4c8d9c2460020000     | mov                 ebx, ecx
            //   33c0                 | dec                 eax
            //   498b5b10             | mov                 dword ptr [esp + 0x20], ecx
            //   498b7320             | xor                 edi, edi
            //   498be3               | push                edi
            //   5f                   | dec                 eax

    condition:
        7 of them and filesize < 73728
}

Download all Yara Rules

Azov Wiper Propose Change

References

Yara Rules

Azov Wiper