A ransomware with potential ties to Wizard Spider.
rule win_diavol_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.diavol." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 3bc1 0f87200a0000 ff248584564000 33c0 838de8fdffffff 89858cfdffff 8985a4fdffff } // n = 7, score = 100 // 3bc1 | cmp eax, ecx // 0f87200a0000 | ja 0xa26 // ff248584564000 | jmp dword ptr [eax*4 + 0x405684] // 33c0 | xor eax, eax // 838de8fdffffff | or dword ptr [ebp - 0x218], 0xffffffff // 89858cfdffff | mov dword ptr [ebp - 0x274], eax // 8985a4fdffff | mov dword ptr [ebp - 0x25c], eax $sequence_1 = { 8bff 56 57 33ff ffb7500d4100 ff15???????? 8987500d4100 } // n = 7, score = 100 // 8bff | mov edi, edi // 56 | push esi // 57 | push edi // 33ff | xor edi, edi // ffb7500d4100 | push dword ptr [edi + 0x410d50] // ff15???????? | // 8987500d4100 | mov dword ptr [edi + 0x410d50], eax $sequence_2 = { 50 6802020000 ff15???????? 85c0 0f85bc010000 6a06 } // n = 6, score = 100 // 50 | push eax // 6802020000 | push 0x202 // ff15???????? | // 85c0 | test eax, eax // 0f85bc010000 | jne 0x1c2 // 6a06 | push 6 $sequence_3 = { 75f0 8d95fcfeffff 52 43 e8???????? } // n = 5, score = 100 // 75f0 | jne 0xfffffff2 // 8d95fcfeffff | lea edx, [ebp - 0x104] // 52 | push edx // 43 | inc ebx // e8???????? | $sequence_4 = { 8d55f0 52 56 6a00 6a01 } // n = 5, score = 100 // 8d55f0 | lea edx, [ebp - 0x10] // 52 | push edx // 56 | push esi // 6a00 | push 0 // 6a01 | push 1 $sequence_5 = { ff15???????? 85c0 7506 ff85c4fbffff } // n = 4, score = 100 // ff15???????? | // 85c0 | test eax, eax // 7506 | jne 8 // ff85c4fbffff | inc dword ptr [ebp - 0x43c] $sequence_6 = { e8???????? 83c40c 8b4dfc 5f 5e 33cd b001 } // n = 7, score = 100 // e8???????? | // 83c40c | add esp, 0xc // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 5f | pop edi // 5e | pop esi // 33cd | xor ecx, ebp // b001 | mov al, 1 $sequence_7 = { 8bff 55 8bec 8b4508 ff34c558094100 ff15???????? 5d } // n = 7, score = 100 // 8bff | mov edi, edi // 55 | push ebp // 8bec | mov ebp, esp // 8b4508 | mov eax, dword ptr [ebp + 8] // ff34c558094100 | push dword ptr [eax*8 + 0x410958] // ff15???????? | // 5d | pop ebp $sequence_8 = { 6a20 53 56 ff15???????? 8bf8 85ff } // n = 6, score = 100 // 6a20 | push 0x20 // 53 | push ebx // 56 | push esi // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi $sequence_9 = { 8945fc 6880000000 8d8578ffffff 6a00 50 } // n = 5, score = 100 // 8945fc | mov dword ptr [ebp - 4], eax // 6880000000 | push 0x80 // 8d8578ffffff | lea eax, [ebp - 0x88] // 6a00 | push 0 // 50 | push eax condition: 7 of them and filesize < 191488 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY