SYMBOLCOMMON_NAMEaka. SYNONYMS
win.eternal_petya (Back to overview)

EternalPetya

aka: ExPetr, Pnyetya, Petna, NotPetya, Nyetya, NonPetya, nPetya, Diskcoder.C, BadRabbit

Actor(s): TeleBots, Sandworm

VTCollection    

According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.

References
2023-01-29AcronisIlan Duhin
Petya/Not Petya Ransomware Analysis
EternalPetya
2022-11-18Atlantic CouncilJustin Sherman
GRU 26165: The Russian cyber unit that hacks targets on-site
EternalPetya
2022-10-31The RecordAlexander Martin
Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit
EternalPetya
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-04-28FortinetGergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-20CISAAustralian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-03-01Marco Ramilli's BlogMarco Ramilli
DiskKill/HermeticWiper and NotPetya (Dis)similarities
EternalPetya HermeticWiper
2022-02-25CyberPeace Institute
UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-24nvisoMichel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-24TalosMitch Neff
Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine
VPNFilter EternalPetya
2022-02-23ISTARIManuel Hepfer
Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History
EternalPetya
2021-09-09Recorded FutureInsikt Group
Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-05-31WiredAndy Greenberg
Hacker Lexicon: What Is a Supply Chain Attack?
EternalPetya SUNBURST
2021-04-29The Institute for Security and TechnologyThe Institute for Security and Technology
Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-04Stranded on Pylos BlogJoe Slowik
The Enigmatic Energetic Bear
EternalPetya Havex RAT
2020-10-19UK GovernmentDominic Raab, ForeignCommonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19Riskint BlogCurtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19CyberScoopTim Starks
US charges Russian GRU officers for NotPetya, other major hacks
EternalPetya
2020-10-19WiredAndy Greenberg
US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
EternalPetya Olympic Destroyer
2020-08-29AguinetAdrien Guinet
Emulating NotPetya bootloader with Miasm
EternalPetya
2020-07-29Atlantic CouncilJune Lee, Stewart Scott, Trey Herr, William Loomis
BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-21GVNSHTNGavin Ashton
Maersk, me & notPetya
EternalPetya
2020-06-09Kaspersky LabsCostin Raiu
Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-01-01SecureworksSecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-08-01Kaspersky LabsGReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2018-08-22WiredAndy Greenberg
The Untold Story of NotPetya, the Most Devastating Cyberattack in History
EternalPetya
2018-01-13The Washington PostEllen Nakashima
Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes
EternalPetya
2017-10-27F-SecureF-Secure Global
The big difference with Bad Rabbit
EternalPetya
2017-10-26FireEyeBarry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr
BACKSWING - Pulling a BADRABBIT Out of a Hat
EternalPetya
2017-10-26Reversing LabsNone
ReversingLabs' YARA rule detects BadRabbit encryption routine specifics
EternalPetya
2017-10-25RiskIQYonathan Klijnsma
Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection
EternalPetya
2017-10-24ESET ResearchEditor
Kiev metro hit with a new variant of the infamous Diskcoder ransomware
EternalPetya
2017-10-24Kaspersky LabsAnton Ivanov, Fedor Sinitsyn, Orkhan Mamedov
Bad Rabbit ransomware
EternalPetya
2017-10-24ESET ResearchMarc-Etienne M.Léveillé
Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya
2017-10-24WiredAndy Greenberg
New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
EternalPetya
2017-10-24IntezerJay Rosenberg
NotPetya Returns as Bad Rabbit
EternalPetya
2017-10-24Cisco TalosNick Biasini
Threat Spotlight: Follow the Bad Rabbit
EternalPetya
2017-09-19NCC GroupOllie Whitehouse
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
EternalPetya
2017-08-24ESET ResearchMarc-Etienne M.Léveillé
Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya Sandworm
2017-08-11ThreatpostTom Spring
Ukrainian Man Arrested, Charged in NotPetya Distribution
EternalPetya
2017-07-14MalwarebytesMalwarebytes Labs
Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-07-04KasperskyAnton Ivanov, Orkhan Mamedov
In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
EternalPetya FakeCry
2017-07-03G DataG Data
Who is behind Petna?
EternalPetya
2017-07-03CrowdStrikeKaran Sood, Shaun Hurley
NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery
EternalPetya
2017-07-03The GuardianAlex Hern
'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher
EternalPetya
2017-06-30Kaspersky LabsGReAT
From BlackEnergy to ExPetr
EternalPetya
2017-06-30ESET ResearchAnton Cherepanov
TeleBots are back: Supply‑chain attacks against Ukraine
EternalPetya
2017-06-30MalwarebytesMalwarebytes Labs
EternalPetya – yet another stolen piece in the package?
EternalPetya
2017-06-29MalwarebytesMalwarebytes Labs
EternalPetya and the lost Salsa20 key
EternalPetya
2017-06-29MicrosoftMicrosoft Defender ATP Research Team
Windows 10 platform resilience against the Petya ransomware attack
EternalPetya
2017-06-29Robert Graham
NonPetya: no evidence it was a "smokescreen"
EternalPetya
2017-06-29Bleeping ComputerCatalin Cimpanu
Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
EternalPetya
2017-06-28CrowdStrikeFalcon Intelligence Team
CrowdStrike Protects Against NotPetya Attack
EternalPetya
2017-06-28hacks4pancakes
Why NotPetya Kept Me Awake (& You Should Worry Too)
EternalPetya
2017-06-28Kaspersky LabsAnton Ivanov, Orkhan Mamedov
ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
EternalPetya
2017-06-27ESET ResearchEditor
New WannaCryptor‑like ransomware attack hits globally: All you need to know
EternalPetya Sandworm
2017-06-27Kaspersky LabsGReAT
Schroedinger’s Pet(ya)
EternalPetya
2017-06-27Medium thegrugqthegrugq
Pnyetya: Yet Another Ransomware Outbreak
EternalPetya
2017-06-27SANSBrad Duncan
Checking out the new Petya variant
EternalPetya
2017-05-31MITREMITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
Yara Rules
[TLP:WHITE] win_eternal_petya_auto (20230808 | Detects win.eternal_petya.)
rule win_eternal_petya_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.eternal_petya."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 51 57 68000000f0 }
            // n = 5, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   68000000f0           | push                0xf0000000

        $sequence_1 = { 53 8d4644 50 53 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   8d4644               | lea                 eax, [esi + 0x44]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_2 = { 57 68000000f0 6a18 33ff }
            // n = 4, score = 400
            //   57                   | push                edi
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   33ff                 | xor                 edi, edi

        $sequence_3 = { 53 6a21 8d460c 50 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   6a21                 | push                0x21
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   50                   | push                eax

        $sequence_4 = { 68f0000000 6a40 ff15???????? 8bd8 }
            // n = 4, score = 400
            //   68f0000000           | push                0xf0
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_5 = { 49 75f2 8b4364 034360 8b4b68 894dd4 }
            // n = 6, score = 300
            //   49                   | dec                 ecx
            //   75f2                 | jne                 0xfffffff4
            //   8b4364               | mov                 eax, dword ptr [ebx + 0x64]
            //   034360               | add                 eax, dword ptr [ebx + 0x60]
            //   8b4b68               | mov                 ecx, dword ptr [ebx + 0x68]
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx

        $sequence_6 = { 8945d0 8bc7 8b7df8 d3e8 8b4de0 03c1 8d3c87 }
            // n = 7, score = 300
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8bc7                 | mov                 eax, edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   d3e8                 | shr                 eax, cl
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   03c1                 | add                 eax, ecx
            //   8d3c87               | lea                 edi, [edi + eax*4]

        $sequence_7 = { 55 8bec 8b4d0c baff000000 }
            // n = 4, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   baff000000           | mov                 edx, 0xff

        $sequence_8 = { 8d4508 50 53 ff750c 897508 }
            // n = 5, score = 300
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   897508               | mov                 dword ptr [ebp + 8], esi

        $sequence_9 = { 68???????? e8???????? 85c0 7403 83ce02 }
            // n = 5, score = 300
            //   68????????           |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   83ce02               | or                  esi, 2

        $sequence_10 = { 68e8030000 ff15???????? 3bfe 75d3 }
            // n = 4, score = 300
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   3bfe                 | cmp                 edi, esi
            //   75d3                 | jne                 0xffffffd5

        $sequence_11 = { 55 8bec 8b5508 53 56 57 8b721c }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b721c               | mov                 esi, dword ptr [edx + 0x1c]

        $sequence_12 = { 8b07 85c0 75c3 8b75f4 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   85c0                 | test                eax, eax
            //   75c3                 | jne                 0xffffffc5
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]

        $sequence_13 = { e8???????? 894610 895614 8bc6 5f 5e }
            // n = 6, score = 200
            //   e8????????           |                     
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   895614               | mov                 dword ptr [esi + 0x14], edx
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_14 = { 898502fcffff 8b85e8fbffff 99 81e2ff010000 }
            // n = 4, score = 200
            //   898502fcffff         | mov                 dword ptr [ebp - 0x3fe], eax
            //   8b85e8fbffff         | mov                 eax, dword ptr [ebp - 0x418]
            //   99                   | cdq                 
            //   81e2ff010000         | and                 edx, 0x1ff

        $sequence_15 = { 56 51 ffd3 8b15???????? 56 52 8985f0fbffff }
            // n = 7, score = 200
            //   56                   | push                esi
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   8b15????????         |                     
            //   56                   | push                esi
            //   52                   | push                edx
            //   8985f0fbffff         | mov                 dword ptr [ebp - 0x410], eax

    condition:
        7 of them and filesize < 851968
}
[TLP:WHITE] win_eternal_petya_w0   (20171222 | No description)
rule win_eternal_petya_w0 {

    meta:
        author = "ReversingLabs"
        date = "2017-11-29"
        source = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html"
        info = "ReversingLabs' YARA rule detects BadRabbit encryption routine specifics."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_version = "20171222"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $encrypt_file = { 55 8B EC 83 EC ?? 53 56 57 8B 7D ?? 8B 4F ?? 33 DB 8D 45 ?? 50 53 53 51 89 5D ?? 89  5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 53 53 6A ?? 53 53  68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D  4D ?? 51 57 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 39 5D ?? 0F 84 ??  ?? ?? ?? 39 5D ?? 0F 84 ?? ?? ?? ?? 8D 55 ?? 52 56 FF 15 ?? ?? ?? ?? 8B 4F ?? 8B 45  ?? 83 C1 ?? 2B C1 19 5D ?? 89 45 ?? 89 5D ?? 78 ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? B8 ??  ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 53 50 53 6A ?? 53 8B F8 56 89 45 ?? 89 7D ?? FF  15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ??  8B F8 85 FF 74 ?? 8B 4D ?? 8B 55 ?? 8D 45 ?? 50 57 6A ?? 51 6A ?? 52 FF 15 ?? ?? ??  ?? 85 C0 74 ?? 8B 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ??  ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? 3B C7 73  ?? 2B F8 EB ?? 33 FF 8B 55 ?? 8B 42 ?? 8D 4C 38 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 7D ??  83 C4 ?? 33 DB 56 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 39 5D ?? 74 ?? 39  5D ?? 75 ?? 8B 47 ?? 8B 35 ?? ?? ?? ?? 50 FF D6 8B 7F ?? 3B FB 74 ?? 57 FF D6 5F 5E  5B 8B E5 5D C3 }

        $main_encrypt = { 55 8B EC 56 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 89 46 ?? 85 C0 0F 84  ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 7E ?? 57 FF  D3 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 FF  D3 85 C0 74 ?? 8B 07 8D 5E ?? 53 50 8B 46 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B  C6 E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 4E ?? 6A ?? 51 E8 ??  ?? ?? ?? 8B 56 ?? 83 C4 ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 0B  51 FF 15 ?? ?? ?? ?? 8B 17 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ??  5F 5B B9 ?? ?? ?? ?? 8D 46 ?? 8B FF C6 00 ?? 40 49 75 ?? 56 FF 15 ?? ?? ?? ?? 33 C0  5E 5D C2 ?? ?? }

        $encryption_loop = { 8B 7C 24 ?? 6A ?? 6A ?? 8D 43 ?? 50 33 C0 39 43 ?? 0F 95 C0 40 50 FF 15 ?? ?? ?? ??  85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B9 ??  ?? ?? ?? 8D 44 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ??  75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ??  ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ??  66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83  D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 57 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ??  ?? ?? 85 C0 74 ?? 8B 44 24 ?? A8 ?? 74 ?? A9 ?? ?? ?? ?? 75 ?? 8D BC 24 ?? ?? ?? ??  E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 53 48 50 8B CF 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ??  8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 71 ?? 90 66 8B 11 83 C1 ?? 66 85 D2  75 ?? 2B CE D1 F9 8D 4C 4C ?? 3B C1 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D  94 24 ?? ?? ?? ?? 53 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15  ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??}

    condition:
        $encrypt_file and $main_encrypt and $encryption_loop 
}
Download all Yara Rules