DoppelPaymer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.doppelpaymer (Back to overview)

DoppelPaymer

aka: Pay OR Grief

Actor(s): DOPPEL SPIDER

Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: ".how2decrypt.txt".

References

2023-03-06 ⋅ Bleeping Computer ⋅ Bill Toulas
Core DoppelPaymer ransomware gang members targeted in Europol operation
DoppelPaymer

2023-03-06 ⋅ Landeskriminalamt NRW ⋅ Landeskriminalamt NRW
Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen
DoppelPaymer Entropy FriedEx

2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-01-05 ⋅ ARMOR ⋅ Armor
Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware
DoppelPaymer FriedEx

2021-12-30 ⋅ LIFARS ⋅ Vlad Pasca
A Deep Dive into The Grief Ransomware’s Capabilities
DoppelPaymer

2021-12-07 ⋅ CrowdStrike ⋅ Shaun Hurley
Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
DoppelPaymer

2021-11-03 ⋅ CERT-FR ⋅ ANSSI
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil

2021-10-28 ⋅ Twitter (@BrettCallow) ⋅ Brett Callow
Tweet on suspected actor behind Payorgrief ransomware
DoppelDridex DoppelPaymer

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-07-28 ⋅ Zscaler ⋅ Brett Stone-Gross
DoppelPaymer Continues to Cause Grief Through Rebranding
DoppelPaymer

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer

2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker

2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt

2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
An Overview of the DoppelPaymer Ransomware
DoppelPaymer

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER

2020-12-10 ⋅ FBI ⋅ FBI
PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services
DoppelPaymer

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil

2020-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Foxconn electronics giant hit by ransomware, $34 million ransom
DoppelPaymer

2020-12-01 ⋅ Intel 471 ⋅ Intel 471
Steal, then strike: Access merchants are first clues to future ransomware attacks
DoppelPaymer

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Laptop maker Compal hit by ransomware, $17 million demanded
DoppelPaymer

2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader

2020-10-23 ⋅ AP News ⋅ Frank Bajak
Report: Ransomware disables Georgia county election database
DoppelPaymer

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER

2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER

2020-09-22 ⋅ Heise Security ⋅ Olivia von Westernhagen
Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken
DoppelPaymer

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08 ⋅ Temple University ⋅ CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-07-17 ⋅ CERT-FR ⋅ CERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus

2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-06-03 ⋅ ZDNet ⋅ Catalin Cimpanu
Ransomware gang says it breached one of NASA's IT contractors
DoppelPaymer

2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze

2020-03-02 ⋅ TechCrunch ⋅ Zack Whittaker, Kirsten Korosec
Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
DoppelPaymer

2020-02-25 ⋅ Bleeping Computer ⋅ Lawrence Abrams
DoppelPaymer Ransomware Launches Site to Post Victim's Data
DoppelPaymer FriedEx

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD HERON
DoppelPaymer Dridex Empire Downloader

2019-07-12 ⋅ CrowdStrike ⋅ Brett Stone-Gross, Sergei Frankoff, Bex Hartley
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx

Yara Rules

[TLP:WHITE] win_doppelpaymer_auto (20230715 | Detects win.doppelpaymer.)

rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.doppelpaymer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 80790264 751d 80790561 7517 }
            // n = 4, score = 700
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f
            //   80790561             | cmp                 byte ptr [ecx + 5], 0x61
            //   7517                 | jne                 0x19

        $sequence_1 = { 80790600 7523 80790264 751d }
            // n = 4, score = 700
            //   80790600             | cmp                 byte ptr [ecx + 6], 0
            //   7523                 | jne                 0x25
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f

        $sequence_2 = { e8???????? 8b08 e8???????? 3db6389096 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   e8????????           |                     
            //   3db6389096           | cmp                 eax, 0x969038b6

        $sequence_3 = { 80790561 7517 80790361 7511 80790474 750b }
            // n = 6, score = 700
            //   80790561             | cmp                 byte ptr [ecx + 5], 0x61
            //   7517                 | jne                 0x19
            //   80790361             | cmp                 byte ptr [ecx + 3], 0x61
            //   7511                 | jne                 0x13
            //   80790474             | cmp                 byte ptr [ecx + 4], 0x74
            //   750b                 | jne                 0xd

        $sequence_4 = { 83ec28 6800002002 6a00 6a01 }
            // n = 4, score = 700
            //   83ec28               | sub                 esp, 0x28
            //   6800002002           | push                0x2200000
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_5 = { baffffff7f 43 e8???????? 3bd8 }
            // n = 4, score = 700
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   43                   | inc                 ebx
            //   e8????????           |                     
            //   3bd8                 | cmp                 ebx, eax

        $sequence_6 = { 8d4c2414 e8???????? 8944243c c7042400000000 }
            // n = 4, score = 600
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   e8????????           |                     
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_7 = { 8d4c2414 e8???????? 84db 7551 8d0c24 }
            // n = 5, score = 600
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   e8????????           |                     
            //   84db                 | test                bl, bl
            //   7551                 | jne                 0x53
            //   8d0c24               | lea                 ecx, [esp]

        $sequence_8 = { 8b45dc 8b4854 8b55e8 891424 8b75ec 89742404 894c2408 }
            // n = 7, score = 100
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8b4854               | mov                 ecx, dword ptr [eax + 0x54]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   891424               | mov                 dword ptr [esp], edx
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   894c2408             | mov                 dword ptr [esp + 8], ecx

        $sequence_9 = { 81c7f8034681 8b5824 89855cffffff 89d8 c1e81e 83e001 }
            // n = 6, score = 100
            //   81c7f8034681         | add                 edi, 0x814603f8
            //   8b5824               | mov                 ebx, dword ptr [eax + 0x24]
            //   89855cffffff         | mov                 dword ptr [ebp - 0xa4], eax
            //   89d8                 | mov                 eax, ebx
            //   c1e81e               | shr                 eax, 0x1e
            //   83e001               | and                 eax, 1

        $sequence_10 = { 50 c745fc53284e72 8b45fc 3552284e72 83c404 5d }
            // n = 6, score = 100
            //   50                   | push                eax
            //   c745fc53284e72       | mov                 dword ptr [ebp - 4], 0x724e2853
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3552284e72           | xor                 eax, 0x724e2852
            //   83c404               | add                 esp, 4
            //   5d                   | pop                 ebp

        $sequence_11 = { c745ec25155e0b 8b713c 6689f7 662b55f2 }
            // n = 4, score = 100
            //   c745ec25155e0b       | mov                 dword ptr [ebp - 0x14], 0xb5e1525
            //   8b713c               | mov                 esi, dword ptr [ecx + 0x3c]
            //   6689f7               | mov                 di, si
            //   662b55f2             | sub                 dx, word ptr [ebp - 0xe]

        $sequence_12 = { c20400 3ad1 740c 80fa3f 7407 8bf7 8bc3 }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   3ad1                 | cmp                 dl, cl
            //   740c                 | je                  0xe
            //   80fa3f               | cmp                 dl, 0x3f
            //   7407                 | je                  9
            //   8bf7                 | mov                 esi, edi
            //   8bc3                 | mov                 eax, ebx

        $sequence_13 = { 83c418 5e 5d c3 8b45e8 8b4dec 8a55e7 }
            // n = 7, score = 100
            //   83c418               | add                 esp, 0x18
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8a55e7               | mov                 dl, byte ptr [ebp - 0x19]

        $sequence_14 = { 31c0 b958000000 8b559c 8b75b0 035604 8b7e50 }
            // n = 6, score = 100
            //   31c0                 | xor                 eax, eax
            //   b958000000           | mov                 ecx, 0x58
            //   8b559c               | mov                 edx, dword ptr [ebp - 0x64]
            //   8b75b0               | mov                 esi, dword ptr [ebp - 0x50]
            //   035604               | add                 edx, dword ptr [esi + 4]
            //   8b7e50               | mov                 edi, dword ptr [esi + 0x50]

        $sequence_15 = { f6c601 8b4dd4 8975cc 897dc8 895dc4 894dc0 0f85bc000000 }
            // n = 7, score = 100
            //   f6c601               | test                dh, 1
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   897dc8               | mov                 dword ptr [ebp - 0x38], edi
            //   895dc4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   0f85bc000000         | jne                 0xc2

        $sequence_16 = { c1eb1d 898554ffffff 8b45f0 3508fcb97e 21fb }
            // n = 5, score = 100
            //   c1eb1d               | shr                 ebx, 0x1d
            //   898554ffffff         | mov                 dword ptr [ebp - 0xac], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   3508fcb97e           | xor                 eax, 0x7eb9fc08
            //   21fb                 | and                 ebx, edi

        $sequence_17 = { c20400 53 6861c1a23d 689e81b24d }
            // n = 4, score = 100
            //   c20400               | ret                 4
            //   53                   | push                ebx
            //   6861c1a23d           | push                0x3da2c161
            //   689e81b24d           | push                0x4db2819e

    condition:
        7 of them and filesize < 7266304
}

[TLP:WHITE] win_doppelpaymer_w0 (20200304 | DoppelPaymer Payload)

/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        $cmd_string = "Setup run\n" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}

Download all Yara Rules

DoppelPaymer Propose Change

References

Yara Rules

DoppelPaymer