win.doppelpaymer

DoppelPaymer

aka: Pay OR Grief

Actor(s): DOPPEL SPIDER

DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files, .doppeled, and by the ransom note it drops, named .how2decrypt.txt.

References
2023-03-06 | Landeskriminalamt NRW | Landeskriminalamt NRW
Strike against an internationally operating network of cyber criminals
DoppelPaymer, Entropy, FriedEx

2023-03-06 | Bleeping Computer | Bill Toulas
Core DoppelPaymer ransomware gang members targeted in Europol operation
DoppelPaymer

2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES, Babuk, Blister, DoppelPaymer, Dridex, Entropy, FriedEx, Hades, Macaw, Phoenix Locker, WastedLoader, WastedLocker

2022-06-02 | Mandiant | Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES, Blister, Cobalt Strike, DoppelPaymer, Dridex, FriedEx, Hades, LockBit, Macaw, MimiKatz, Phoenix Locker, WastedLocker

2022-03-16 | Symantec | Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin

2022-01-05 | ARMOR | Armor
Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware
DoppelPaymer, FriedEx

2021-12-30 | LIFARS | Vlad Pasca
A Deep Dive into The Grief Ransomware’s Capabilities
DoppelPaymer

2021-12-07 | CrowdStrike | Shaun Hurley
Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
DoppelPaymer

2021-11-03 | CERT-FR | ANSSI
Identification of a new cybercriminal group: Lockean
DoppelPaymer, Egregor, Maze, PwndLocker, REvil

2021-10-28 | Twitter (@BrettCallow) | Brett Callow
Tweet on suspected actor behind Payorgrief ransomware
DoppelDridex, DoppelPaymer

2021-10-26 | ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike, DoppelPaymer, Egregor, Maze, PwndLocker, QakBot, REvil

2021-09-14 | CrowdStrike | CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter, DarkSide, REvil, Avaddon, BlackMatter, Clop, Conti, CryptoLocker, DarkSide, DoppelPaymer, Hades, REvil

2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Babuk, BlackMatter, DarkSide, Avaddon, Babuk, BADHATCH, BazarBackdoor, BlackMatter, Clop, Cobalt Strike, Conti, DarkSide, DoppelPaymer, Egregor, Emotet, FiveHands, FriedEx, Hades, IcedID, LockBit, Maze, MegaCortex, MimiKatz, QakBot, RagnarLocker, REvil, Ryuk, TrickBot, WastedLocker

2021-08-05 | KrebsOnSecurity | Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide, RansomEXX, Babuk, Cerber, Conti, DarkSide, DoppelPaymer, Egregor, FriedEx, Gandcrab, Hermes, Maze, RansomEXX, REvil, Ryuk, Sekhmet

2021-08-05 | Red Canary | Brian Donohue, Dan Cotton, Tony Lambert
When Dridex and Cobalt Strike give you Grief
Cobalt Strike, DoppelDridex, DoppelPaymer

2021-07-28 | Zscaler | Brett Stone-Gross
DoppelPaymer Continues to Cause Grief Through Rebranding
DoppelPaymer

2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon, Babuk, Clop, Conti, DarkSide, DoppelPaymer, Mespinoza, Nefilim, REvil

2021-04-23 | Twitter (@vikas891) | Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike, DoppelPaymer

2021-04-22 | Twitter (@AltShiftPrtScn) | Peter Mackenzie
Tweet on TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike, DoppelPaymer

2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX, Dharma, DoppelPaymer, Gandcrab, Mailto, Maze, Phobos, RansomEXX, REvil, Ryuk, WastedLocker

2021-03-01 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX, BazarBackdoor, Buer, Clop, Conti, DoppelPaymer, Dridex, Egregor, IcedID, Maze, PwndLocker, QakBot, RansomEXX, REvil, Ryuk, SDBbot, TrickBot, Zloader

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-15 | Medium s2wlab | Sojun Ryu
Operation SyncTrek
AbaddonPOS, Azorult, Clop, DoppelDridex, DoppelPaymer, Dridex, PwndLocker

2021-02-04 | Chainalysis | Chainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer, Egregor, Maze, SunCrypt

2021-01-05 | Trend Micro | Trend Micro Research
An Overview of the DoppelPaymer Ransomware
DoppelPaymer

2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD HERON
DoppelPaymer, Dridex, Empire Downloader, DOPPEL SPIDER

2020-12-10 | FBI | FBI
PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services
DoppelPaymer

2020-12-09 | FireEye | Mitchell Clarke, Tom Hall
It's not FINished: The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike, DoppelPaymer, QakBot, REvil

2020-12-07 | Bleeping Computer | Lawrence Abrams
Foxconn electronics giant hit by ransomware, $34 million ransom
DoppelPaymer

2020-12-01 | Intel 471 | Intel 471
Steal, then strike: Access merchants are first clues to future ransomware attacks
DoppelPaymer

2020-11-30 | FireEye | Mitchell Clarke, Tom Hall
It's not FINished: The Evolving Maturity in Ransomware Operations
Cobalt Strike, DoppelPaymer, MimiKatz, QakBot, REvil

2020-11-20 | ZDNet | Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti, DoppelPaymer, Dridex, Egregor, Emotet, FriedEx, MegaCortex, Phorpiex, PwndLocker, QakBot, Ryuk, SDBbot, TrickBot, Zloader

2020-11-18 | KELA | Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti, DoppelPaymer, Egregor, LockBit, Maze, REvil, Snake

2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-11-09 | Bleeping Computer | Ionut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike, DoppelPaymer, NjRAT, Predator The Thief, Zloader

2020-11-09 | Bleeping Computer | Lawrence Abrams
Laptop maker Compal hit by ransomware, $17 million demanded
DoppelPaymer

2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt

2020-10-23 | AP News | Frank Bajak
Report: Ransomware disables Georgia county election database
DoppelPaymer

2020-10-01 | KELA | Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti, DoppelPaymer, Mailto, Maze, REvil, Ryuk, SunCrypt

2020-09-29 | PWC UK | Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide, Avaddon, Clop, Conti, DoppelPaymer, Dridex, Emotet, FriedEx, Mailto, PwndLocker, QakBot, REvil, Ryuk, SMAUG, SunCrypt, TrickBot, WastedLocker

2020-09-25 | CrowdStrike | The CrowdStrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer, FriedEx, LockBit, Maze, MedusaLocker, RagnarLocker, REvil, RobinHood, SamSam, WastedLocker, MIMIC SPIDER, PIZZO SPIDER, TA2101, VIKING SPIDER

2020-09-24 | CrowdStrike | CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer, Gandcrab, LockBit, Maze, MedusaLocker, RagnarLocker, SamSam, OUTLAW SPIDER, OVERLORD SPIDER

2020-09-22 | Heise Security | Olivia von Westernhagen
Uniklinik Düsseldorf: ransomware "DoppelPaymer" said to be behind the attack
DoppelPaymer

2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon, Clop, DarkSide, DoppelPaymer, Mailto, Maze, MedusaLocker, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet

2020-08-01 | Temple University | CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker, Cryptowall, DoppelPaymer, FriedEx, Mailto, Maze, REvil, Ryuk, SamSam, WannaCryptor

2020-07-17 | CERT-FR | CERT-FR
The Malware Dridex: Origins and Uses
Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2020-07-15 | Mandiant | Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop, DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim, Snake

2020-06-03 | ZDNet | Catalin Cimpanu
Ransomware gang says it breached one of NASA's IT contractors
DoppelPaymer

2020-03-24 | Bleeping Computer | Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop, DoppelPaymer, Maze, Nefilim, Nemty, REvil

2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor, PARINACOTA

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER

2020-03-03 | Bleeping Computer | Lawrence Abrams
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer, Maze

2020-03-02 | TechCrunch | Kirsten Korosec, Zack Whittaker
Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
DoppelPaymer

2020-02-25 | Bleeping Computer | Lawrence Abrams
DoppelPaymer Ransomware Launches Site to Post Victim's Data
DoppelPaymer, FriedEx

2020-01-01 | Secureworks | SecureWorks
GOLD HERON
DoppelPaymer, Dridex, Empire Downloader

2019-07-12 | CrowdStrike | Bex Hartley, Brett Stone-Gross, Sergei Frankoff
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelDridex, DoppelPaymer, Dridex, FriedEx
Yara Rules
[TLP:WHITE] win_doppelpaymer_auto (20241030 | Detects win.doppelpaymer.)
rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.doppelpaymer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 80790600 7523 80790264 751d }
            // n = 4, score = 700
            //   80790600             | cmp                 byte ptr [ecx + 6], 0
            //   7523                 | jne                 0x25
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f

        $sequence_1 = { e8???????? 8b08 e8???????? 3db6389096 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   e8????????           |                     
            //   3db6389096           | cmp                 eax, 0x969038b6

        $sequence_2 = { 7517 80790361 7511 80790474 750b 80790173 7505 }
            // n = 7, score = 700
            //   7517                 | jne                 0x19
            //   80790361             | cmp                 byte ptr [ecx + 3], 0x61
            //   7511                 | jne                 0x13
            //   80790474             | cmp                 byte ptr [ecx + 4], 0x74
            //   750b                 | jne                 0xd
            //   80790173             | cmp                 byte ptr [ecx + 1], 0x73
            //   7505                 | jne                 7

        $sequence_3 = { 83ec28 6800002002 6a00 6a01 }
            // n = 4, score = 700
            //   83ec28               | sub                 esp, 0x28
            //   6800002002           | push                0x2200000
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_4 = { 80790264 751d 80790561 7517 80790361 }
            // n = 5, score = 700
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f
            //   80790561             | cmp                 byte ptr [ecx + 5], 0x61
            //   7517                 | jne                 0x19
            //   80790361             | cmp                 byte ptr [ecx + 3], 0x61

        $sequence_5 = { baffffff7f 43 e8???????? 3bd8 }
            // n = 4, score = 700
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   43                   | inc                 ebx
            //   e8????????           |                     
            //   3bd8                 | cmp                 ebx, eax

        $sequence_6 = { 50 8d4c2454 e8???????? 8bcb e8???????? 8d4c2450 e8???????? }
            // n = 7, score = 600
            //   50                   | push                eax
            //   8d4c2454             | lea                 ecx, [esp + 0x54]
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8d4c2450             | lea                 ecx, [esp + 0x50]
            //   e8????????           |                     

        $sequence_7 = { 50 ffd2 8bd8 8b442404 80780400 741b 8b00 }
            // n = 7, score = 600
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8bd8                 | mov                 ebx, eax
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   80780400             | cmp                 byte ptr [eax + 4], 0
            //   741b                 | je                  0x1d
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_8 = { c20400 8d8d5cfdffff e8???????? 80bd50fdffff00 }
            // n = 4, score = 100
            //   c20400               | ret                 4
            //   8d8d5cfdffff         | lea                 ecx, [ebp - 0x2a4]
            //   e8????????           |                     
            //   80bd50fdffff00       | cmp                 byte ptr [ebp - 0x2b0], 0

        $sequence_9 = { c20400 8d4de8 e8???????? 8b4df4 8bf1 85c9 74ad }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bf1                 | mov                 esi, ecx
            //   85c9                 | test                ecx, ecx
            //   74ad                 | je                  0xffffffaf

        $sequence_10 = { e8???????? 8b4dd8 890c24 8b55e8 89542404 8945bc e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   890c24               | mov                 dword ptr [esp], ecx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   e8????????           |                     

        $sequence_11 = { 31c9 c745f469d9900b 8b5034 8b4008 8955f0 8945ec }
            // n = 6, score = 100
            //   31c9                 | xor                 ecx, ecx
            //   c745f469d9900b       | mov                 dword ptr [ebp - 0xc], 0xb90d969
            //   8b5034               | mov                 edx, dword ptr [eax + 0x34]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_12 = { 8b75ec 81c61d0b66d6 8b7dc0 897904 }
            // n = 4, score = 100
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   81c61d0b66d6         | add                 esi, 0xd6660b1d
            //   8b7dc0               | mov                 edi, dword ptr [ebp - 0x40]
            //   897904               | mov                 dword ptr [ecx + 4], edi

        $sequence_13 = { 8945c4 74d0 e9???????? 31c0 }
            // n = 4, score = 100
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   74d0                 | je                  0xffffffd2
            //   e9????????           |                     
            //   31c0                 | xor                 eax, eax

        $sequence_14 = { e8???????? 8b4de8 8b55d8 895128 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   895128               | mov                 dword ptr [ecx + 0x28], edx

        $sequence_15 = { 894c2404 8945d8 e8???????? 31c0 8b4de8 8b5108 8b7134 }
            // n = 7, score = 100
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   e8????????           |                     
            //   31c0                 | xor                 eax, eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   8b7134               | mov                 esi, dword ptr [ecx + 0x34]

        $sequence_16 = { 8d75d1 c745f0e7566258 c645ef3c 8a1d???????? 80fb00 8945c0 894dbc }
            // n = 7, score = 100
            //   8d75d1               | lea                 esi, [ebp - 0x2f]
            //   c745f0e7566258       | mov                 dword ptr [ebp - 0x10], 0x586256e7
            //   c645ef3c             | mov                 byte ptr [ebp - 0x11], 0x3c
            //   8a1d????????         |                     
            //   80fb00               | cmp                 bl, 0
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx

        $sequence_17 = { 8b7e50 897db8 8b7e3c 897dbc 8b7e10 897dc0 8b7e18 }
            // n = 7, score = 100
            //   8b7e50               | mov                 edi, dword ptr [esi + 0x50]
            //   897db8               | mov                 dword ptr [ebp - 0x48], edi
            //   8b7e3c               | mov                 edi, dword ptr [esi + 0x3c]
            //   897dbc               | mov                 dword ptr [ebp - 0x44], edi
            //   8b7e10               | mov                 edi, dword ptr [esi + 0x10]
            //   897dc0               | mov                 dword ptr [ebp - 0x40], edi
            //   8b7e18               | mov                 edi, dword ptr [esi + 0x18]

    condition:
        7 of them and filesize < 7266304
}

[TLP:WHITE] win_doppelpaymer_w0   (20200304 | DoppelPaymer Payload)
/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        $cmd_string = "Setup run\n" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
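To make the condition of win_doppelpaymer_w0 concrete, the following Python is an added example (not code from Malpedia, CAPE or the rule's author) that re-implements the rule's three checks with the standard library only: the uint16(0) == 0x5A4D test for an MZ header, the $getproc32 hex pattern with its ?? single-byte wildcards, and the $cmd_string literal matched in its wide (UTF-16LE) form as the "wide" modifier requires. The hex pattern and the string are copied from the rule above; the buffer produced by build_sample() is constructed for the example and is not a real sample, and the function names (hex_pattern_to_regex, rule_matches, find_matches) are the example's own.

```python
"""Stand-alone re-implementation of the matching logic of the
win_doppelpaymer_w0 YARA rule, run over a constructed buffer.
Example code added to this page; not part of Malpedia or CAPE."""
import re

# Hex pattern copied from the $getproc32 string in the rule; each '??' is a
# one-byte wildcard, exactly as in YARA hex strings.
GETPROC32_PATTERN = (
    "81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C "
    "8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3"
)
# The $cmd_string literal; the rule declares it 'wide', so the bytes searched
# for are its UTF-16LE encoding, not ASCII.
CMD_STRING = "Setup run\n"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string (fixed bytes and ?? wildcards) into
    a compiled bytes regex: fixed bytes are escaped literally, ?? becomes '.'
    which, with DOTALL, matches any single byte including 0x0A."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D: YARA reads little-endian, so this is 'MZ' at 0."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def find_matches(data: bytes) -> dict:
    """Return the match offsets of each string in the rule, keyed by name."""
    getproc = hex_pattern_to_regex(GETPROC32_PATTERN)
    wide = CMD_STRING.encode("utf-16-le")
    return {
        "$getproc32": [m.start() for m in getproc.finditer(data)],
        "$cmd_string": [m.start() for m in re.finditer(re.escape(wide), data)],
    }


def rule_matches(data: bytes) -> bool:
    """The rule's condition: uint16(0) == 0x5A4D and all of them."""
    if not is_pe(data):
        return False
    return all(offsets for offsets in find_matches(data).values())


def build_sample(with_mz: bool = True) -> bytes:
    """Constructed test buffer (not a real binary): an 'MZ' header, NOP
    filler, the $getproc32 byte sequence with arbitrary bytes in the wildcard
    positions, and the wide 'Setup run\\n' string.  with_mz=False swaps the
    header bytes so the uint16(0) check fails while both strings still hit."""
    header = b"MZ" if with_mz else b"ZM"
    # 31 bytes: the fixed bytes of the pattern with 11 22 33 44 / AA BB CC DD /
    # EE FF 00 11 standing in for the three ???????? wildcard runs.
    getproc_bytes = bytes.fromhex(
        "81FB11223344742D8BCBE8AABBCCDD85C0740C8BC88BD7E8EEFF00115B5FC3"
    )
    return (
        header + b"\x90" * 0x3E            # pattern starts at offset 64
        + getproc_bytes + b"\x00" * 16     # wide string starts at offset 111
        + CMD_STRING.encode("utf-16-le") + b"\x00" * 8
    )


if __name__ == "__main__":
    sample = build_sample()
    print("string offsets:", find_matches(sample))
    print("rule matches:", rule_matches(sample))
    print("rule matches without MZ:", rule_matches(build_sample(with_mz=False)))
```

The point of the toy matcher is to show why each part of the condition is there: the MZ check alone is cheap and excludes non-PE data before the more expensive pattern scan, the wildcards let the $getproc32 sequence survive relocated call targets and immediates, and the wide modifier means a plain ASCII search for "Setup run" would never fire. For real scanning use yara-python or the yara CLI rather than this re-implementation.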