SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bootwreck (Back to overview)

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group

VTCollection    

BOOTWRECK is a master boot record wiper malware.

References
2018-06-07Trend MicroFernando Mercês
New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018-01-01FireEyeFireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20260504 | Detects win.bootwreck.)
rule win_bootwreck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f9 66d3ef 660fcf 0fb738 f8 29db }
            // n = 6, score = 100
            //   f9                   | stc                 
            //   66d3ef               | shr                 di, cl
            //   660fcf               | bswap               di
            //   0fb738               | movzx               edi, word ptr [eax]
            //   f8                   | clc                 
            //   29db                 | sub                 ebx, ebx

        $sequence_1 = { 97 4e 1db48b7a71 f8 8766ad fa 2976a7 }
            // n = 7, score = 100
            //   97                   | xchg                eax, edi
            //   4e                   | dec                 esi
            //   1db48b7a71           | sbb                 eax, 0x717a8bb4
            //   f8                   | clc                 
            //   8766ad               | xchg                dword ptr [esi - 0x53], esp
            //   fa                   | cli                 
            //   2976a7               | sub                 dword ptr [esi - 0x59], esi

        $sequence_2 = { 8dac246971318a 8dada1cd3823 66f7d5 5d 689c422a44 9c 60 }
            // n = 7, score = 100
            //   8dac246971318a       | lea                 ebp, [esp - 0x75ce8e97]
            //   8dada1cd3823         | lea                 ebp, [ebp + 0x2338cda1]
            //   66f7d5               | not                 bp
            //   5d                   | pop                 ebp
            //   689c422a44           | push                0x442a429c
            //   9c                   | pushfd              
            //   60                   | pushal              

        $sequence_3 = { 9c 8d642428 e9???????? 9c 8d642410 e8???????? 28c3 }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   8d642428             | lea                 esp, [esp + 0x28]
            //   e9????????           |                     
            //   9c                   | pushfd              
            //   8d642410             | lea                 esp, [esp + 0x10]
            //   e8????????           |                     
            //   28c3                 | sub                 bl, al

        $sequence_4 = { 60 67b41b 4f b666 6d 5a }
            // n = 6, score = 100
            //   60                   | pushal              
            //   67b41b               | mov                 ah, 0x1b
            //   4f                   | dec                 edi
            //   b666                 | mov                 dh, 0x66
            //   6d                   | insd                dword ptr es:[edi], dx
            //   5a                   | pop                 edx

        $sequence_5 = { 397dfc 0f847affffff 0fb6d2 3b55f8 7523 8b8c88380c0000 6a03 }
            // n = 7, score = 100
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi
            //   0f847affffff         | je                  0xffffff80
            //   0fb6d2               | movzx               edx, dl
            //   3b55f8               | cmp                 edx, dword ptr [ebp - 8]
            //   7523                 | jne                 0x25
            //   8b8c88380c0000       | mov                 ecx, dword ptr [eax + ecx*4 + 0xc38]
            //   6a03                 | push                3

        $sequence_6 = { 8b742420 9c 8a7c2404 8da9483b0901 66bb2520 890f c644241c95 }
            // n = 7, score = 100
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   9c                   | pushfd              
            //   8a7c2404             | mov                 bh, byte ptr [esp + 4]
            //   8da9483b0901         | lea                 ebp, [ecx + 0x1093b48]
            //   66bb2520             | mov                 bx, 0x2025
            //   890f                 | mov                 dword ptr [edi], ecx
            //   c644241c95           | mov                 byte ptr [esp + 0x1c], 0x95

        $sequence_7 = { 5a 3d1eff0e9c 5d 22812152a18e 33dd fa 7599 }
            // n = 7, score = 100
            //   5a                   | pop                 edx
            //   3d1eff0e9c           | cmp                 eax, 0x9c0eff1e
            //   5d                   | pop                 ebp
            //   22812152a18e         | and                 al, byte ptr [ecx - 0x715eaddf]
            //   33dd                 | xor                 ebx, ebp
            //   fa                   | cli                 
            //   7599                 | jne                 0xffffff9b

        $sequence_8 = { 88642404 8d64243c e8???????? 80d988 8b4dfc 9c 60 }
            // n = 7, score = 100
            //   88642404             | mov                 byte ptr [esp + 4], ah
            //   8d64243c             | lea                 esp, [esp + 0x3c]
            //   e8????????           |                     
            //   80d988               | sbb                 cl, 0x88
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   9c                   | pushfd              
            //   60                   | pushal              

        $sequence_9 = { 5a 7df3 293f bd5b0c762c 8400 47 f77e54 }
            // n = 7, score = 100
            //   5a                   | pop                 edx
            //   7df3                 | jge                 0xfffffff5
            //   293f                 | sub                 dword ptr [edi], edi
            //   bd5b0c762c           | mov                 ebp, 0x2c760c5b
            //   8400                 | test                byte ptr [eax], al
            //   47                   | inc                 edi
            //   f77e54               | idiv                dword ptr [esi + 0x54]

    condition:
        7 of them and filesize < 10821632
}
Download all Yara Rules