Ransomware.
rule win_crytox_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.crytox." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8d5640 8d4320 896c2404 891424 89442408 8954241c } // n = 7, score = 100 // e8???????? | // 8d5640 | test eax, eax // 8d4320 | je 0x5a4 // 896c2404 | mov dword ptr [esp], 0x664c3c // 891424 | lea eax, [ebx + 0x39] // 89442408 | mov dword ptr [esp + 0x10], 0x68 // 8954241c | mov dword ptr [esp + 8], ebp $sequence_1 = { f20f70daff 660ffde0 660ffdd8 660f67e4 660f67db 660f7e20 660f7e1c08 } // n = 7, score = 100 // f20f70daff | lea esi, [ecx + eax*4] // 660ffde0 | jmp 0x1bd // 660ffdd8 | mov eax, dword ptr [esp + 0x1104] // 660f67e4 | mov ebp, dword ptr [esp + 0xa8] // 660f67db | mov ecx, dword ptr [esp + 0x78] // 660f7e20 | mov eax, dword ptr [eax + 8] // 660f7e1c08 | cmp eax, dword ptr [esp + 0x70] $sequence_2 = { df0448 d8cd dec1 df0450 8b9424d4000000 d8cb dec1 } // n = 7, score = 100 // df0448 | mov word ptr [esp + 0x24], ax // d8cd | fdivp st(1) // dec1 | fild dword ptr [ebp + 0x1ce9c] // df0450 | fnstcw word ptr [esp + 0xa6] // 8b9424d4000000 | movzx eax, word ptr [esp + 0xa6] // d8cb | mov ah, 0xc // dec1 | mov word ptr [esp + 0xa4], ax $sequence_3 = { e8???????? 8d742600 ff15???????? bfffffffff c70016000000 ebca ff15???????? } // n = 7, score = 100 // e8???????? | // 8d742600 | mov dword ptr [ebp - 0x44], eax // ff15???????? | // bfffffffff | lea eax, [eax + eax - 1] // c70016000000 | imul ax, word ptr [ebp] // ebca | mov word ptr [ebp], ax // ff15???????? | $sequence_4 = { dddc ddd8 ddd8 ddd8 d9c9 db7c2430 d91424 } // n = 7, score = 100 // dddc | fstp qword ptr [esp + 0x28] // ddd8 | ja 0x1ad // ddd8 | add ebx, dword ptr [esp + 0x30] // ddd8 | add edi, 2 // d9c9 | cmp edi, dword ptr [esp + 0x40] // db7c2430 | fstp st(2) // d91424 | fxch st(1) $sequence_5 = { dec1 d95c247c e8???????? d9c0 d9fa dbe8 d944242c } // n = 7, score = 100 // dec1 | faddp st(1) // d95c247c | fld dword ptr [esp + 0x10] // e8???????? | // d9c0 | fmul st(2) // d9fa | fmul st(4) // dbe8 | faddp st(1) // d944242c | fld dword ptr [esp + 0x14] $sequence_6 = { d835???????? b40c 6689442424 dec9 d96c2424 db5c2420 d96c2426 } // n = 7, score = 100 // d835???????? | // b40c | faddp st(3) // 6689442424 | fxch st(2) // dec9 | fadd st(3) // d96c2424 | fst dword ptr [ebx + ecx*8] // db5c2420 | fsubr dword ptr [ecx + eax*4] // d96c2426 | mov eax, ebx $sequence_7 = { e8???????? 8b4310 8b6b0c 83f807 89442418 89c7 0f8efe000000 } // n = 7, score = 100 // e8???????? | // 8b4310 | mov dword ptr [esp], eax // 8b6b0c | mov eax, edi // 83f807 | xor edx, edx // 89442418 | xor ecx, ecx // 89c7 | mov esi, dword ptr [ebx + 0xc] // 0f8efe000000 | mov edi, dword ptr [esp + 0x38] $sequence_8 = { e8???????? 85c0 0f8583010000 e8???????? 83f804 7e14 c7442404b0966600 } // n = 7, score = 100 // e8???????? | // 85c0 | test eax, eax // 0f8583010000 | je 0x191 // e8???????? | // 83f804 | mov dword ptr [esp], ebx // 7e14 | mov edi, eax // c7442404b0966600 | test eax, eax $sequence_9 = { e8???????? d99c9e98000000 83c301 83fb04 75c6 d94704 30db } // n = 7, score = 100 // e8???????? | // d99c9e98000000 | fstp dword ptr [esp + 0xac] // 83c301 | fld dword ptr [esp + 0xac] // 83fb04 | fmulp st(1) // 75c6 | fdivr dword ptr [esp + 0x2c] // d94704 | mov eax, dword ptr [esp + 0x4c] // 30db | fld1 condition: 7 of them and filesize < 6156288 }
import "pe" rule win_crytox_w0 { meta: description = "Detect variants of Crytox Ransomware" author = "Jake Goldi" date = "2022-09-29" packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67" hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d" hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047" hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa" source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara" version="1.0" phase = "experimental" url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" malware = "Win64.Ransom.Crytox" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20220930" malpedia_hash = "" malpedia_version = "20220930" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "utox" wide ascii nocase /* hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax ; unk_5F2520 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 DD 13 00 00 call sub_1402E940E 48 C7 C1 C0 01 00 00 mov rcx, 448 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A2 11 00 00 call sub_1402E91F5 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047 FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 90 nop 50 push rax 59 pop rcx E8 E2 13 00 00 call sub_1402E9413 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A7 11 00 00 call sub_1402E91FA 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 61 12 00 00 call sub_1402E9292 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 26 10 00 00 call sub_1402E9079 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFre */ $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 } $op3 = { 4C 8D 05 29 20 00 00 } $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*))) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY