Actor(s): Mirage
Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.
rule win_ketrum_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.ketrum." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7e0d 33db 53 53 } // n = 4, score = 200 // 7e0d | jle 0xf // 33db | xor ebx, ebx // 53 | push ebx // 53 | push ebx $sequence_1 = { 8818 8816 8a00 02c2 8b55f8 0fb6c0 } // n = 6, score = 200 // 8818 | mov byte ptr [eax], bl // 8816 | mov byte ptr [esi], dl // 8a00 | mov al, byte ptr [eax] // 02c2 | add al, dl // 8b55f8 | mov edx, dword ptr [ebp - 8] // 0fb6c0 | movzx eax, al $sequence_2 = { 8bfe 33db 897de0 895de8 } // n = 4, score = 200 // 8bfe | mov edi, esi // 33db | xor ebx, ebx // 897de0 | mov dword ptr [ebp - 0x20], edi // 895de8 | mov dword ptr [ebp - 0x18], ebx $sequence_3 = { b8???????? ffb5e8cbffff 68???????? ffb5f4cbffff 68???????? ffb5f8cbffff } // n = 6, score = 200 // b8???????? | // ffb5e8cbffff | push dword ptr [ebp - 0x3418] // 68???????? | // ffb5f4cbffff | push dword ptr [ebp - 0x340c] // 68???????? | // ffb5f8cbffff | push dword ptr [ebp - 0x3408] $sequence_4 = { ffb5f0cbffff ff15???????? ffb5f0cbffff ff15???????? ffb5e8cbffff ffb5f4cbffff ffb5f8cbffff } // n = 7, score = 200 // ffb5f0cbffff | push dword ptr [ebp - 0x3410] // ff15???????? | // ffb5f0cbffff | push dword ptr [ebp - 0x3410] // ff15???????? | // ffb5e8cbffff | push dword ptr [ebp - 0x3418] // ffb5f4cbffff | push dword ptr [ebp - 0x340c] // ffb5f8cbffff | push dword ptr [ebp - 0x3408] $sequence_5 = { 50 e8???????? 50 e8???????? 83c420 ff35???????? ff05???????? } // n = 7, score = 200 // 50 | push eax // e8???????? | // 50 | push eax // e8???????? | // 83c420 | add esp, 0x20 // ff35???????? | // ff05???????? | $sequence_6 = { 53 53 68???????? 6a03 eb04 53 53 } // n = 7, score = 200 // 53 | push ebx // 53 | push ebx // 68???????? | // 6a03 | push 3 // eb04 | jmp 6 // 53 | push ebx // 53 | push ebx $sequence_7 = { ff15???????? 8bf8 3bfb 0f8670020000 } // n = 4, score = 200 // ff15???????? | // 8bf8 | mov edi, eax // 3bfb | cmp edi, ebx // 0f8670020000 | jbe 0x276 $sequence_8 = { 8b8510efffff 8b8d0cefffff 2bc1 6a1c 99 5e } // n = 6, score = 100 // 8b8510efffff | mov eax, dword ptr [ebp - 0x10f0] // 8b8d0cefffff | mov ecx, dword ptr [ebp - 0x10f4] // 2bc1 | sub eax, ecx // 6a1c | push 0x1c // 99 | cdq // 5e | pop esi $sequence_9 = { e8???????? 8d4dc4 c745c802000000 e8???????? 84c0 753f } // n = 6, score = 100 // e8???????? | // 8d4dc4 | lea ecx, [ebp - 0x3c] // c745c802000000 | mov dword ptr [ebp - 0x38], 2 // e8???????? | // 84c0 | test al, al // 753f | jne 0x41 $sequence_10 = { 75e6 c6460401 830eff 2b34bd20174800 c1fe06 8bc7 } // n = 6, score = 100 // 75e6 | jne 0xffffffe8 // c6460401 | mov byte ptr [esi + 4], 1 // 830eff | or dword ptr [esi], 0xffffffff // 2b34bd20174800 | sub esi, dword ptr [edi*4 + 0x481720] // c1fe06 | sar esi, 6 // 8bc7 | mov eax, edi $sequence_11 = { 59 8b83ac000000 be00280000 33ff } // n = 4, score = 100 // 59 | pop ecx // 8b83ac000000 | mov eax, dword ptr [ebx + 0xac] // be00280000 | mov esi, 0x2800 // 33ff | xor edi, edi $sequence_12 = { 50 898d24efffff ffd7 8bf0 } // n = 4, score = 100 // 50 | push eax // 898d24efffff | mov dword ptr [ebp - 0x10dc], ecx // ffd7 | call edi // 8bf0 | mov esi, eax $sequence_13 = { 33ff 8d742414 e8???????? 833d????????01 7507 e8???????? } // n = 6, score = 100 // 33ff | xor edi, edi // 8d742414 | lea esi, [esp + 0x14] // e8???????? | // 833d????????01 | // 7507 | jne 9 // e8???????? | $sequence_14 = { 0f95c0 e8???????? c20800 b8???????? c3 } // n = 5, score = 100 // 0f95c0 | setne al // e8???????? | // c20800 | ret 8 // b8???????? | // c3 | ret $sequence_15 = { 8b4508 897708 83781c00 7510 } // n = 4, score = 100 // 8b4508 | mov eax, dword ptr [ebp + 8] // 897708 | mov dword ptr [edi + 8], esi // 83781c00 | cmp dword ptr [eax + 0x1c], 0 // 7510 | jne 0x12 condition: 7 of them and filesize < 4599808 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY