win.btcware

BTCWare


According to PCRisk, BTCWare is an updated version of a ransomware family called Crptxxx. This ransomware has been distributed via a malicious application called "Rogers Hi-Speed Internet". Once it has infiltrated a system, BTCWare encrypts files and appends the ".btcware" extension to their filenames. Newer variants append the .shadow, .payday, .wyvern, .nuclear, .aleta, .gryphon, .nopasaran, .blocking, .xfile, .master, .onyon, .theva, .cryptobyte or .cryptowin extensions to encrypted files. BTCWare then creates an HTM file ("#_HOW_TO_FIX_!.hta.htm") and places it on the desktop. Other variants store their ransom-demanding message in a file named !#_RESTORE_FILES_#!.inf.

References
2017-08-28 — Bleeping Computer — Lawrence Abrams
New Nuclear BTCWare Ransomware Released (Updated)
BTCWare
Yara Rules
[TLP:WHITE] win_btcware_auto (20260504 | Detects win.btcware.)
// Auto-generated (yara-signator) code-sequence signature for the BTCWare
// ransomware family (Malpedia id win.btcware). Each $sequence_N below is a short
// run of x86 opcode bytes lifted from unpacked / memory-dumped samples (see the
// DISCLAIMER); the rule fires when at least 7 of the 10 sequences are present in
// a scanned file smaller than 458752 bytes (448 KiB).
rule win_btcware_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.btcware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): this 7-byte sequence decodes to push ss / xchg / mov /
        // scasb, which is unusual as real code and looks more like a data
        // region or a mis-aligned decode. It is the weakest of the ten; the
        // 7-of-10 condition keeps it from carrying a match on its own.
        // Confirm against a sample before relying on it.
        $sequence_0 = { 16 97 88bd24f1ed24 ae }
            // n = 4, score = 100
            //   16                   | push                ss
            //   97                   | xchg                eax, edi
            //   88bd24f1ed24         | mov                 byte ptr [ebp + 0x24edf124], bh
            //   ae                   | scasb               al, byte ptr es:[edi]

        // NOTE(review): this sequence (and $sequence_5, $sequence_6,
        // $sequence_8) embeds an absolute address in the 0x41xxxx range
        // (0x41d040 / 0x4149ec / 0x413fe0 / 0x41c54c). Those bytes are tied
        // to the image base the sample was dumped at; a copy relocated to a
        // different base may not match. Verify on relocated dumps if needed.
        $sequence_1 = { 6bf830 8955f4 8b149540d04100 897df0 8a5c1729 80fb02 7405 }
            // n = 7, score = 100
            //   6bf830               | imul                edi, eax, 0x30
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b149540d04100       | mov                 edx, dword ptr [edx*4 + 0x41d040]
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   8a5c1729             | mov                 bl, byte ptr [edi + edx + 0x29]
            //   80fb02               | cmp                 bl, 2
            //   7405                 | je                  7

        $sequence_2 = { ffd6 6a00 8d45d8 50 6a03 ff75ec }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   6a00                 | push                0
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   6a03                 | push                3
            //   ff75ec               | push                dword ptr [ebp - 0x14]

        // The ???????? bytes are YARA wildcards: the 4-byte operand of the
        // push (68) / call (e8) / movapd below is not compared, so these
        // sequences tolerate differing immediates and relative targets.
        $sequence_3 = { 0f84b7010000 68???????? 8d85d0d7ffff 50 ffd6 85c0 0f84a1010000 }
            // n = 7, score = 100
            //   0f84b7010000         | je                  0x1bd
            //   68????????           |                     
            //   8d85d0d7ffff         | lea                 eax, [ebp - 0x2830]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f84a1010000         | je                  0x1a7

        $sequence_4 = { 0f82206fffff 83f923 0f87176fffff 8bc8 51 e8???????? }
            // n = 6, score = 100
            //   0f82206fffff         | jb                  0xffff6f26
            //   83f923               | cmp                 ecx, 0x23
            //   0f87176fffff         | ja                  0xffff6f1d
            //   8bc8                 | mov                 ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_5 = { 83f81d 7cf1 eb07 8b0cc5ec494100 894de4 }
            // n = 5, score = 100
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3
            //   eb07                 | jmp                 9
            //   8b0cc5ec494100       | mov                 ecx, dword ptr [eax*8 + 0x4149ec]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        // SSE2 (66 0f ...) floating-point arithmetic; likely compiler-emitted
        // runtime/library code rather than family-specific logic.
        $sequence_6 = { 660f282d???????? 660f59f5 660f28aae03f4100 660f54e5 660f58fe 660f58fc }
            // n = 6, score = 100
            //   660f282d????????     |                     
            //   660f59f5             | mulpd               xmm6, xmm5
            //   660f28aae03f4100     | movapd              xmm5, xmmword ptr [edx + 0x413fe0]
            //   660f54e5             | andpd               xmm4, xmm5
            //   660f58fe             | addpd               xmm7, xmm6
            //   660f58fc             | addpd               xmm7, xmm4

        $sequence_7 = { c78530ffffff00000000 c78534ffffff0f000000 c68520ffffff00 83f810 7245 }
            // n = 5, score = 100
            //   c78530ffffff00000000     | mov    dword ptr [ebp - 0xd0], 0
            //   c78534ffffff0f000000     | mov    dword ptr [ebp - 0xcc], 0xf
            //   c68520ffffff00       | mov                 byte ptr [ebp - 0xe0], 0
            //   83f810               | cmp                 eax, 0x10
            //   7245                 | jb                  0x47

        $sequence_8 = { 8b45e0 8d4e0c 6a06 8d904cc54100 5f 668b02 8d5202 }
            // n = 7, score = 100
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8d4e0c               | lea                 ecx, [esi + 0xc]
            //   6a06                 | push                6
            //   8d904cc54100         | lea                 edx, [eax + 0x41c54c]
            //   5f                   | pop                 edi
            //   668b02               | mov                 ax, word ptr [edx]
            //   8d5202               | lea                 edx, [edx + 2]

        $sequence_9 = { e8???????? 8bf8 bad4fc8101 c645fc04 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   bad4fc8101           | mov                 edx, 0x181fcd4
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present and
        // the scanned object is under 458752 bytes (448 KiB).
        // NOTE(review): YARA's filesize is only defined for file scans; if this
        // rule is applied to live process memory, confirm the size clause still
        // behaves as intended. Per the DISCLAIMER, the sequences come from
        // unpacked code, so packed on-disk samples are not expected to match —
        // scan unpacked files or memory dumps.
        7 of them and filesize < 458752
}