win.curator

Curator

aka: Ever101, SunnyDay

Profero describes this as a ransomware family that uses the CryptoPP library to encrypt files with the Salsa20 algorithm and protects the encryption keys with RSA2048.

References
2022-12-22 — Sentinel LABS — Antonio Cocomazzi
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
Curator PolyVice
2022-04-11 — Segurança Informática — Pedro Tavares
Analysis of the SunnyDay ransomware
Curator
2021-06-22 — Profero — Profero, SecurityJoes
Secrets Behind Ever101 Ransomware
Curator
Yara Rules
[TLP:WHITE] win_curator_auto (20260504 | Detects win.curator.)
rule win_curator_auto {

    /* Purpose: flag samples of the Curator ransomware family (win.curator, aka
     * Ever101 / SunnyDay) by matching short runs of machine-code bytes that
     * yara-signator selected from known samples (see DISCLAIMER below).
     *
     * Reading the strings section:
     *  - Each $sequence_N is a run of instruction bytes. The `??` wildcards
     *    mask the 4-byte rel32 operand of a near call (`e8 ?? ?? ?? ??`), so a
     *    match does not depend on where the call target ended up in a build.
     *  - The `// n = .., score = ..` line and the per-instruction column under
     *    each sequence are generator output carried over as annotation. The
     *    mnemonic column does NOT line up with the bytes to its left (e.g.
     *    `c3` is listed as `dec eax`), so treat the hex bytes as the
     *    authoritative content and the mnemonics as noise when reviewing.
     *  - NOTE(review): the leading 48/4c/49/41 bytes look like x64 REX
     *    prefixes, i.e. 64-bit code — confirm against the referenced samples
     *    before relying on that for triage.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.curator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 4883ec38 488d05f9210300 41b91b000000 4889442420 e8???????? }
            // n = 6, score = 200
            //   c3                   | dec                 eax
            //   4883ec38             | test                eax, eax
            //   488d05f9210300       | je                  0x4b2
            //   41b91b000000         | mov                 cl, byte ptr [esi]
            //   4889442420           | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 488b06 488bce 48896c2430 4c89742438 ff9098000000 85c0 488bce }
            // n = 7, score = 200
            //   488b06               | dec                 eax
            //   488bce               | lea                 eax, [0x4c688]
            //   48896c2430           | dec                 eax
            //   4c89742438           | mov                 dword ptr [ecx], eax
            //   ff9098000000         | dec                 eax
            //   85c0                 | lea                 eax, [0x4c7e6]
            //   488bce               | dec                 eax

        $sequence_2 = { f00fc101 83f801 751c 488b4530 488b8888000000 488d056ad40400 483bc8 }
            // n = 7, score = 200
            //   f00fc101             | je                  0x2a4
            //   83f801               | mov                 byte ptr [ebp - 0x71], 1
            //   751c                 | test                eax, eax
            //   488b4530             | jmp                 0x2a7
            //   488b8888000000       | inc                 ebp
            //   488d056ad40400       | xor                 edx, edx
            //   483bc8               | dec                 esp

        $sequence_3 = { 488d57f8 488bcb e8???????? 488bc8 33c0 4885c9 7404 }
            // n = 7, score = 200
            //   488d57f8             | dec                 eax
            //   488bcb               | mov                 ecx, ebx
            //   e8????????           |                     
            //   488bc8               | inc                 ecx
            //   33c0                 | call                dword ptr [edx + 0x100]
            //   4885c9               | nop                 
            //   7404                 | dec                 eax

        $sequence_4 = { 4881fb00100000 720d 488bcb e8???????? 488be8 eb11 4885db }
            // n = 7, score = 200
            //   4881fb00100000       | dec                 esp
            //   720d                 | mov                 eax, edi
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   488be8               | mov                 edx, edi
            //   eb11                 | inc                 esp
            //   4885db               | mov                 eax, edi

        $sequence_5 = { f6d9 488903 1bc0 83e002 894308 488bc3 488b8c2480000000 }
            // n = 7, score = 200
            //   f6d9                 | mov                 dword ptr [esp + 0x50], edi
            //   488903               | movdqu              xmmword ptr [esp + 0x70], xmm0
            //   1bc0                 | xor                 edx, edx
            //   83e002               | dec                 eax
            //   894308               | lea                 ecx, [esp + 0x70]
            //   488bc3               | test                eax, eax
            //   488b8c2480000000     | jne                 0x2a5

        $sequence_6 = { 83f801 7e18 83f802 7430 488d05a1940500 488901 4883c108 }
            // n = 7, score = 200
            //   83f801               | dec                 ecx
            //   7e18                 | lea                 ecx, [eax - 4]
            //   83f802               | dec                 eax
            //   7430                 | lea                 ecx, [ecx + eax*4]
            //   488d05a1940500       | dec                 eax
            //   488901               | lea                 edx, [edx + eax*4]
            //   4883c108             | dec                 esp

        $sequence_7 = { 33c0 488bca f3aa 498bc8 e8???????? 90 }
            // n = 6, score = 200
            //   33c0                 | lea                 ecx, [ebp - 0x20]
            //   488bca               | test                al, al
            //   f3aa                 | je                  0x8f3
            //   498bc8               | je                  0xc1b
            //   e8????????           |                     
            //   90                   | cmp                 eax, 0x43

        $sequence_8 = { 4889442448 33ed 85ff 400f98c5 896c2450 8bcf }
            // n = 6, score = 200
            //   4889442448           | dec                 esp
            //   33ed                 | mov                 esi, ecx
            //   85ff                 | dec                 eax
            //   400f98c5             | test                ecx, ecx
            //   896c2450             | je                  0xc9
            //   8bcf                 | xor                 ebx, ebx

        $sequence_9 = { 48895c2408 57 4883ec20 488d99c8000000 488bf9 488d0505080200 488bd3 }
            // n = 7, score = 200
            //   48895c2408           | mov                 ecx, dword ptr [ebp - 0x58]
            //   57                   | dec                 eax
            //   4883ec20             | test                ecx, ecx
            //   488d99c8000000       | je                  0x549
            //   488bf9               | dec                 eax
            //   488d0505080200       | mov                 dword ptr [ebp + 0x18], eax
            //   488bd3               | dec                 esp

    /* Match logic: at least 7 of the 10 byte sequences above must be present,
     * which tolerates a few sequences being absent or altered in a variant
     * build. `filesize` is only defined when the scanned object is a file; when
     * this rule is applied to process memory or to dumps, that clause cannot be
     * relied on and should be dropped or ignored. The size bound reflects the
     * samples the rule was generated from, not the family as a whole — see the
     * DISCLAIMER above before assigning a confidence level to a hit.
     */
    condition:
        7 of them and filesize < 1265664
}