win.diavol

Diavol


Ransomware family first publicly documented in mid-2021. Several of the analyses referenced below (Fortinet, Binary Defense, IBM X-Force, Bleeping Computer) report that it is dropped by TrickBot and share code-level indicators with that gang, so it is assessed as potentially tied to Wizard Spider; the attribution is an assessment in those reports rather than a confirmed link.

References
2021-09-06Bleeping ComputerLawrence Abrams
@online{abrams:20210906:trickbot:652a467, author = {Lawrence Abrams}, title = {{TrickBot gang developer arrested when trying to leave Korea}}, date = {2021-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/}, language = {English}, urldate = {2021-09-10} } TrickBot gang developer arrested when trying to leave Korea
Diavol TrickBot
2021-08-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210818:diavol:a12e37f, author = {Ionut Ilascu}, title = {{Diavol ransomware sample shows stronger connection to TrickBot gang}}, date = {2021-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/}, language = {English}, urldate = {2021-08-18} } Diavol ransomware sample shows stronger connection to TrickBot gang
Diavol
2021-08-17IBM X-Force ExchangeCharlotte Hammond, Chris Caridi
@online{hammond:20210817:analysis:03981d3, author = {Charlotte Hammond and Chris Caridi}, title = {{Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang}}, date = {2021-08-17}, organization = {IBM X-Force Exchange}, url = {https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/}, language = {English}, urldate = {2021-08-18} } Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang
Diavol
2021-07-06Heimdal SecurityDora Tudor
@online{tudor:20210706:is:65f5d77, author = {Dora Tudor}, title = {{Is Diavol Ransomware Connected to Wizard Spider?}}, date = {2021-07-06}, organization = {Heimdal Security}, url = {https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/}, language = {English}, urldate = {2021-08-18} } Is Diavol Ransomware Connected to Wizard Spider?
Diavol
2021-07-02Binary DefenseGarrett Thompson
@online{thompson:20210702:new:4a7f0c3, author = {Garrett Thompson}, title = {{New Ransomware “Diavol” Being Dropped by Trickbot}}, date = {2021-07-02}, organization = {Binary Defense}, url = {https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/}, language = {English}, urldate = {2021-08-18} } New Ransomware “Diavol” Being Dropped by Trickbot
Diavol
2021-07-01FortinetDor Neeamni, Asaf Rubinfeld
@online{neeamni:20210701:diavol:d1ed746, author = {Dor Neeamni and Asaf Rubinfeld}, title = {{Diavol - A New Ransomware Used By Wizard Spider?}}, date = {2021-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider}, language = {English}, urldate = {2021-07-02} } Diavol - A New Ransomware Used By Wizard Spider?
Conti Diavol
Yara Rules
[TLP:WHITE] win_diavol_auto (20211008 | Detects win.diavol.)
rule win_diavol_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.diavol."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule:
     * - The patterns are raw x86 (32-bit register/stack addressing) code
     *   sequences taken from UNPACKED code. Packed or encrypted on-disk
     *   droppers will not match; scan unpacked files or memory dumps.
     * - The `????????` wildcards stand in for operands the generator treats
     *   as relocatable (call targets, absolute data addresses), so the
     *   sequences are tolerant to relocation but still tied to one
     *   compiler build of the sample set (see DISCLAIMER).
     * - NOTE(review): YARA's `filesize` is only defined when scanning a
     *   file, not a live process; because the condition below requires
     *   `filesize < 191488`, the rule is not expected to fire in process
     *   scans. Adapt the condition locally if that is your use case.
     */

    strings:
        // Signed-compare helper: adc/cmp against two stack-resident
        // dwords (ebp-0x3dcc / ebp-0x3dd0) followed by jg/jl branches.
        $sequence_0 = { 83d300 3b9d34c2ffff 7f15 7c08 3bbd30c2ffff }
            // n = 5, score = 100
            //   83d300               | adc                 ebx, 0
            //   3b9d34c2ffff         | cmp                 ebx, dword ptr [ebp - 0x3dcc]
            //   7f15                 | jg                  0x17
            //   7c08                 | jl                  0xa
            //   3bbd30c2ffff         | cmp                 edi, dword ptr [ebp - 0x3dd0]

        // push 2 followed by eax being stored into five consecutive
        // dword slots and one word slot on the stack (local initialisation).
        $sequence_1 = { 6a02 8945d4 8945d8 8945dc 8945e0 8945e4 668945e8 }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   668945e8             | mov                 word ptr [ebp - 0x18], ax

        // Indirect API call (wildcarded IAT slot), then xor eax,eax and a
        // run of zero-stores into a 0x118-byte stack buffer.
        $sequence_2 = { ff15???????? 33c0 8985e8feffff 8985ecfeffff 8985f0feffff 8985f4feffff }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   8985e8feffff         | mov                 dword ptr [ebp - 0x118], eax
            //   8985ecfeffff         | mov                 dword ptr [ebp - 0x114], eax
            //   8985f0feffff         | mov                 dword ptr [ebp - 0x110], eax
            //   8985f4feffff         | mov                 dword ptr [ebp - 0x10c], eax

        // Two-argument indirect call whose non-zero result is tested; on
        // failure (eax == 0) the code falls through to a second call with
        // argument 2 and esi.
        $sequence_3 = { 50 56 ff15???????? 85c0 7529 6a02 56 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7529                 | jne                 0x2b
            //   6a02                 | push                2
            //   56                   | push                esi

        // cdecl call with 3 args cleaned up (add esp, 0xc), then two stack
        // buffer addresses (ebp-0x11c, ebp-0x88) pushed for an API call.
        $sequence_4 = { e8???????? 83c40c 8d8de4feffff 51 8d9578ffffff 52 ff15???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8de4feffff         | lea                 ecx, dword ptr [ebp - 0x11c]
            //   51                   | push                ecx
            //   8d9578ffffff         | lea                 edx, dword ptr [ebp - 0x88]
            //   52                   | push                edx
            //   ff15????????         |                     

        // Word store at ebp-0xc7a, load of a global pointer (wildcarded
        // absolute address), push 0x10 and a lea of the adjacent buffer.
        $sequence_5 = { ff15???????? 66898586f3ffff a1???????? 8b08 6a10 8d9584f3ffff }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   66898586f3ffff       | mov                 word ptr [ebp - 0xc7a], ax
            //   a1????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a10                 | push                0x10
            //   8d9584f3ffff         | lea                 edx, dword ptr [ebp - 0xc7c]

        // Out-parameter at ebp-0x60c zeroed and passed to a call; the
        // following lea eax,[esi+esi+4] computes 2*esi+4, consistent with a
        // wide-string byte length (hedged: inferred from the arithmetic only).
        $sequence_6 = { 8d95f4f9ffff 52 c785f4f9ffff00000000 e8???????? 8d443604 83c414 50 }
            // n = 7, score = 100
            //   8d95f4f9ffff         | lea                 edx, dword ptr [ebp - 0x60c]
            //   52                   | push                edx
            //   c785f4f9ffff00000000     | mov    dword ptr [ebp - 0x60c], 0
            //   e8????????           |                     
            //   8d443604             | lea                 eax, dword ptr [esi + esi + 4]
            //   83c414               | add                 esp, 0x14
            //   50                   | push                eax

        // Starts with `ret`, i.e. this pattern straddles a function boundary:
        // the tail of one routine and the start of the next, which copies
        // 14 dwords + 1 word (0x3a bytes) from a global into a stack buffer.
        // Function reordering by a different build would break this one.
        $sequence_7 = { c3 b90e000000 be???????? 8d7dc0 f3a5 66a5 8d45c0 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   b90e000000           | mov                 ecx, 0xe
            //   be????????           |                     
            //   8d7dc0               | lea                 edi, dword ptr [ebp - 0x40]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8d45c0               | lea                 eax, dword ptr [ebp - 0x40]

        // Shortest pattern (4 bytes of opcode + one 4-byte displacement);
        // generic prologue-style push/push/lea/push, low specificity alone.
        $sequence_8 = { 56 57 8d8520faffff 50 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d8520faffff         | lea                 eax, dword ptr [ebp - 0x5e0]
            //   50                   | push                eax

        // Tail of a wide-char scan loop: edi advances by 2 while ax != 0,
        // then a global load and lea of a 0x100c-byte stack buffer.
        $sequence_9 = { 83c702 6685c0 75f4 a1???????? 8d8df4efffff }
            // n = 5, score = 100
            //   83c702               | add                 edi, 2
            //   6685c0               | test                ax, ax
            //   75f4                 | jne                 0xfffffff6
            //   a1????????           |                     
            //   8d8df4efffff         | lea                 ecx, dword ptr [ebp - 0x100c]

    condition:
        // Require 7 of the 10 code sequences above (tolerates 3 misses), and
        // cap the scanned object at 191488 bytes (187 KiB) to limit false
        // positives on large binaries. See the reviewer note on `filesize`
        // being undefined for process scans.
        7 of them and filesize < 191488
}