win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that first appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"- Defray is currently being spread via Microsoft Word document attachments in email.
- The campaigns are as small as several messages each.
- The lures are custom crafted to appeal to the intended set of potential victims.
- The recipients are individuals or distribution lists, e.g., group@ and websupport@.
- Geographic targeting is in the UK and US.
- Vertical targeting varies by campaign and is narrow and selective."

References

2020-11-20 | Trend Micro | Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
  Weaponizing Open Source Software for Targeted Attacks
  Families: LaZagne, Defray, PlugX

2020-11-06 | Palo Alto Networks Unit 42 | CRYPSIS, Drew Schmitt, Ryan Tracey
  Next Up: "PyXie Lite"
  Families: Defray, PyXie

2020-09-23 | Bleeping Computer | Lawrence Abrams
  Government software provider Tyler Technologies hit by ransomware
  Families: Defray

2020-02-25 | RSA Conference | Joel DeCapua
  Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
  Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2020-01-17 | Secureworks | Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
  Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
  Families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware

2020-01-01 | Secureworks | SecureWorks
  GOLD DUPONT
  Families/actors: Cobalt Strike, Defray, PyXie, GOLD DUPONT

2017-09-26 | Threat Vector | Cylance Threat Research Team
  Defray Ransomware Hits Healthcare and Education
  Families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
  Defray - New Ransomware Targeting Education and Healthcare Verticals
  Families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
  New Defray Ransomware Targets Education and Healthcare Verticals
  Families: Defray
Yara Rules
[TLP:WHITE] win_defray_auto (20260504 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d34ba 3bf0 741b 8bf8 2bf8 57 50 }
            // n = 7, score = 200
            //   8d34ba               | lea                 esi, [edx + edi*4]
            //   3bf0                 | cmp                 esi, eax
            //   741b                 | je                  0x1d
            //   8bf8                 | mov                 edi, eax
            //   2bf8                 | sub                 edi, eax
            //   57                   | push                edi
            //   50                   | push                eax

        $sequence_1 = { 8b4dec ba10000000 8b7df0 8d49ff d3e2 8bcb }
            // n = 6, score = 200
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   ba10000000           | mov                 edx, 0x10
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8d49ff               | lea                 ecx, [ecx - 1]
            //   d3e2                 | shl                 edx, cl
            //   8bcb                 | mov                 ecx, ebx

        $sequence_2 = { 8bf0 894dfc 2bf2 8d7b1f c1ef05 c1fe02 897d08 }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   2bf2                 | sub                 esi, edx
            //   8d7b1f               | lea                 edi, [ebx + 0x1f]
            //   c1ef05               | shr                 edi, 5
            //   c1fe02               | sar                 esi, 2
            //   897d08               | mov                 dword ptr [ebp + 8], edi

        $sequence_3 = { 85c0 7471 8b45f0 8b4de8 8b048568f34800 f644012880 745d }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7471                 | je                  0x73
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b048568f34800       | mov                 eax, dword ptr [eax*4 + 0x48f368]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80
            //   745d                 | je                  0x5f

        $sequence_4 = { 8bc2 8bca 83e03f c1f906 6bc030 03048d68f34800 eb05 }
            // n = 7, score = 200
            //   8bc2                 | mov                 eax, edx
            //   8bca                 | mov                 ecx, edx
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bc030               | imul                eax, eax, 0x30
            //   03048d68f34800       | add                 eax, dword ptr [ecx*4 + 0x48f368]
            //   eb05                 | jmp                 7

        $sequence_5 = { ab ab ab 66ab 33c0 8dbd74faffff a5 }
            // n = 7, score = 200
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   33c0                 | xor                 eax, eax
            //   8dbd74faffff         | lea                 edi, [ebp - 0x58c]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_6 = { 740b 50 ff15???????? 32c0 eb31 e8???????? 3bf0 }
            // n = 7, score = 200
            //   740b                 | je                  0xd
            //   50                   | push                eax
            //   ff15????????         |                     
            //   32c0                 | xor                 al, al
            //   eb31                 | jmp                 0x33
            //   e8????????           |                     
            //   3bf0                 | cmp                 esi, eax

        $sequence_7 = { 84c0 750f 8d8d98fbffff e8???????? 84c0 7430 8d8d68f9ffff }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   750f                 | jne                 0x11
            //   8d8d98fbffff         | lea                 ecx, [ebp - 0x468]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7430                 | je                  0x32
            //   8d8d68f9ffff         | lea                 ecx, [ebp - 0x698]

        $sequence_8 = { c1ee02 8bfb 8bce 33c0 f3ab 8b75e8 33d2 }
            // n = 7, score = 200
            //   c1ee02               | shr                 esi, 2
            //   8bfb                 | mov                 edi, ebx
            //   8bce                 | mov                 ecx, esi
            //   33c0                 | xor                 eax, eax
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   33d2                 | xor                 edx, edx

        $sequence_9 = { eb07 c6437600 894304 8b8544ffffff 85c0 0f8482000000 }
            // n = 6, score = 200
            //   eb07                 | jmp                 9
            //   c6437600             | mov                 byte ptr [ebx + 0x76], 0
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b8544ffffff         | mov                 eax, dword ptr [ebp - 0xbc]
            //   85c0                 | test                eax, eax
            //   0f8482000000         | je                  0x88

    condition:
        7 of them and filesize < 1253376
}