A ransomware with potential ties to Wizard Spider.
// Auto-generated YARA-Signator rule for win.diavol (Malpedia).
// Each $sequence_N is a run of raw x86 opcode bytes lifted from a single
// analysed sample; the "??" wildcards mask the 4-byte operands of
// address-dependent instructions (ff15 call [mem], e8 call rel32,
// a1 mov eax,[mem]) so those bytes do not tie the rule to one build.
// Several sequences still embed absolute addresses as literal bytes
// (e.g. f0114100 = 0x4111f0, 04064100 = 0x410604, 500d4100 = 0x410d50),
// so a rebased or re-linked build may fail to match those sequences
// — treat a hit as family-level evidence, not a version fingerprint.
rule win_diavol_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.diavol."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6a01 6a02 ff15???????? 8bf0 83feff 0f849f010000 33c0 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ff15????????         |
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   0f849f010000         | je                  0x1a5
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 56 33db 8bf1 8d95f8efffff 57 899d30c2ffff 899d34c2ffff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   8bf1                 | mov                 esi, ecx
            //   8d95f8efffff         | lea                 edx, [ebp - 0x1008]
            //   57                   | push                edi
            //   899d30c2ffff         | mov                 dword ptr [ebp - 0x3dd0], ebx
            //   899d34c2ffff         | mov                 dword ptr [ebp - 0x3dcc], ebx

        $sequence_2 = { 7412 66837dfc2a 7431 663bca 7535 83c002 }
            // n = 6, score = 100
            //   7412                 | je                  0x14
            //   66837dfc2a           | cmp                 word ptr [ebp - 4], 0x2a
            //   7431                 | je                  0x33
            //   663bca               | cmp                 cx, dx
            //   7535                 | jne                 0x37
            //   83c002               | add                 eax, 2

        $sequence_3 = { 83c404 84c0 0f84d3000000 6800040000 8d95f8f9ffff 6a00 52 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al
            //   0f84d3000000         | je                  0xd9
            //   6800040000           | push                0x400
            //   8d95f8f9ffff         | lea                 edx, [ebp - 0x608]
            //   6a00                 | push                0
            //   52                   | push                edx

        $sequence_4 = { 66890c45f0114100 40 ebe8 33c0 8945e4 3d01010000 7d0d }
            // n = 7, score = 100
            //   66890c45f0114100     | mov                 word ptr [eax*2 + 0x4111f0], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf

        $sequence_5 = { 8bd0 8d9b00000000 668b08 83c002 6685c9 75f5 8dbdf4efffff }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   8dbdf4efffff         | lea                 edi, [ebp - 0x100c]

        $sequence_6 = { 8a8004064100 08443b1d 0fb64601 47 3bf8 76ea }
            // n = 6, score = 100
            //   8a8004064100         | mov                 al, byte ptr [eax + 0x410604]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi
            //   3bf8                 | cmp                 edi, eax
            //   76ea                 | jbe                 0xffffffec

        $sequence_7 = { 57 33ff ffb7500d4100 ff15???????? }
            // n = 4, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7500d4100         | push                dword ptr [edi + 0x410d50]
            //   ff15????????         |

        $sequence_8 = { c785fcefffff00000000 e8???????? 6800020000 8d85a0fdffff 6a00 }
            // n = 5, score = 100
            //   c785fcefffff00000000 | mov                 dword ptr [ebp - 0x1004], 0
            //   e8????????           |
            //   6800020000           | push                0x200
            //   8d85a0fdffff         | lea                 eax, [ebp - 0x260]
            //   6a00                 | push                0

        $sequence_9 = { 83c702 6685c0 75f4 a1???????? 8d8df4efffff }
            // n = 5, score = 100
            //   83c702               | add                 edi, 2
            //   6685c0               | test                ax, ax
            //   75f4                 | jne                 0xfffffff6
            //   a1????????           |
            //   8d8df4efffff         | lea                 ecx, [ebp - 0x100c]

    // Match requires 7 of the 10 sequences, so up to three can be absent
    // (e.g. the address-bearing ones above) and the rule still fires.
    // The filesize bound limits scanning to small files and is presumably
    // derived from the reference sample's size; note that filesize is only
    // meaningful for file scans, so when scanning process memory the
    // condition may not evaluate as intended — confirm for your deployment.
    condition:
        7 of them and filesize < 191488
}