Curator (Malware Family)

Curator

aka: Ever101, SunnyDay
Profero describes this as a ransomware family using CryptoPP as library to enable file encryption with the Salsa20 algorithm and protecting the encryption keys with RSA2048.
References

2022-12-22 ⋅ Sentinel LABS ⋅ Antonio Cocomazzi
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
Curator PolyVice
2022-04-11 ⋅ Seguranca Informatica ⋅ Pedro Tavares
Analysis of the SunnyDay ransomware
Curator
2021-06-22 ⋅ Profero ⋅ Profero, SecurityJoes
Secrets Behind Ever101 Ransomware
Curator
Yara Rules

[TLP:WHITE] win_curator_auto (20230715 | Detects win.curator.)
rule win_curator_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.curator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66410f72d519 660fef442440 660fef642450 66440fef442460 66440fef642470 660fefc1 660fefe5 }
            // n = 7, score = 200
            //   66410f72d519         | mov                 edi, edx
            //   660fef442440         | dec                 eax
            //   660fef642450         | mov                 ebx, ecx
            //   66440fef442460       | dec                 eax
            //   66440fef642470       | mov                 ecx, edi
            //   660fefc1             | dec                 eax
            //   660fefe5             | lea                 edx, [0x55d8c]

        $sequence_1 = { 894df8 83f8fe 755f bb00080000 4c8d45f0 }
            // n = 5, score = 200
            //   894df8               | mov                 al, byte ptr [ecx + 0x2c]
            //   83f8fe               | test                al, al
            //   755f                 | jne                 0x243
            //   bb00080000           | dec                 esp
            //   4c8d45f0             | lea                 esi, [ecx + 0x110]

        $sequence_2 = { 488b4920 48ffc2 e8???????? 4883633000 488d056ff20500 48c743380f000000 488d4b08 }
            // n = 7, score = 200
            //   488b4920             | mov                 eax, dword ptr [esp + 0x70]
            //   48ffc2               | dec                 eax
            //   e8????????           |                     
            //   4883633000           | mov                 edx, edi
            //   488d056ff20500       | dec                 ecx
            //   48c743380f000000     | mov                 ecx, ebp
            //   488d4b08             | dec                 ebp

        $sequence_3 = { 4883c438 415e 5f c3 48895c2410 4889742418 }
            // n = 6, score = 200
            //   4883c438             | dec                 esp
            //   415e                 | lea                 ecx, [esp + 0x70]
            //   5f                   | inc                 ebp
            //   c3                   | xor                 eax, eax
            //   48895c2410           | dec                 eax
            //   4889742418           | mov                 edx, esi

        $sequence_4 = { 752b c745f802000000 488d050eee0300 488945f0 488d55f0 0f2845f0 }
            // n = 6, score = 200
            //   752b                 | dec                 eax
            //   c745f802000000       | cmp                 ebx, edi
            //   488d050eee0300       | je                  0x381
            //   488945f0             | dec                 ebp
            //   488d55f0             | mov                 esi, dword ptr [esi + esi*8 + 0x68b20]
            //   0f2845f0             | xor                 edx, edx

        $sequence_5 = { e9???????? 488b8a68000000 e9???????? 488d8a90010000 e9???????? 488d8a90010000 e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488b8a68000000       | dec                 eax
            //   e9????????           |                     
            //   488d8a90010000       | mov                 dword ptr [esi], eax
            //   e9????????           |                     
            //   488d8a90010000       | dec                 eax
            //   e9????????           |                     

        $sequence_6 = { 4183ff01 743c 488d542428 488bcf e8???????? eb15 4183ff01 }
            // n = 7, score = 200
            //   4183ff01             | jmp                 0xb91
            //   743c                 | dec                 eax
            //   488d542428           | mov                 edx, dword ptr [ebp - 0x70]
            //   488bcf               | dec                 eax
            //   e8????????           |                     
            //   eb15                 | lea                 ecx, [ebx + 0x78]
            //   4183ff01             | test                eax, eax

        $sequence_7 = { 4c8b00 41ff5010 4d8b06 33d2 8bf0 498bce 488bc3 }
            // n = 7, score = 200
            //   4c8b00               | call                dword ptr [edx + 0x40]
            //   41ff5010             | inc                 ebp
            //   4d8b06               | xor                 esp, esp
            //   33d2                 | dec                 ebp
            //   8bf0                 | mov                 dword ptr [esi + 0x38], esp
            //   498bce               | dec                 eax
            //   488bc3               | mov                 edx, dword ptr [esi]

        $sequence_8 = { 4c8b442448 488b542450 488b4e08 e8???????? 4889442448 4885c0 0f8550feffff }
            // n = 7, score = 200
            //   4c8b442448           | dec                 esp
            //   488b542450           | mov                 ebp, edx
            //   488b4e08             | dec                 ecx
            //   e8????????           |                     
            //   4889442448           | mov                 eax, dword ptr [edi + edi*8 + 0x8f678]
            //   4885c0               | dec                 ecx
            //   0f8550feffff         | or                  esi, 0xffffffff

        $sequence_9 = { 7d1f 498b5608 4d6306 488d0cea 48833900 7577 ffc0 }
            // n = 7, score = 200
            //   7d1f                 | inc                 esp
            //   498b5608             | mov                 edx, dword ptr [ecx + 0xdc]
            //   4d6306               | mov                 ecx, dword ptr [ecx + 0xd0]
            //   488d0cea             | inc                 ebp
            //   48833900             | sub                 edx, eax
            //   7577                 | inc                 esp
            //   ffc0                 | cmp                 edx, eax

    condition:
        7 of them and filesize < 1265664
}
Download all Yara Rules
Curator Propose Change

References

Yara Rules

Curator
