Modular x86/x64 file infector created/used by the Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.
// Auto-generated YARA rule for win.m0yv (see malpedia_reference in meta).
// Detection logic: ten opcode-byte sequences lifted from the disassembly of
// analysed samples. A file matches when at least 7 of the 10 sequences are
// present and the file is smaller than 779264 bytes. The "e8????????" tokens
// wildcard the 4-byte relative operand of a CALL, so displacements that vary
// between builds or load addresses do not break the match.
//
// NOTE(review): the per-byte annotations below the strings are generator
// output and do not appear to decode the bytes they sit next to (e.g. 742e is
// a short JE, not "mov ecx, esi"; entries such as "dec eax" look like 32-bit
// decodes of what are x64 REX prefixes, 0x48). Treat them as informational
// only, not as the meaning of the pattern.
//
// NOTE(review): win.m0yv is described as a file infector. A host binary that
// has been infected may exceed the 779264-byte cap and then not match, and
// `filesize` is only meaningful when scanning files, not process memory.
// Revisit the size bound if either case matters in your deployment.
rule win_m0yv_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.m0yv."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence: n = number of instructions, score = generator's
        // weighting for that sequence (both as emitted by yara-signator).
        $sequence_0 = { 742e 403afe 731c 488b83b0000000 400fb6cf 8a0c01 }
            // n = 6, score = 100
            //   742e                 | mov ecx, esi
            //   403afe               | dec ecx
            //   731c                 | mov eax, ebx
            //   488b83b0000000       | inc ecx
            //   400fb6cf             | mov ecx, ebp
            //   8a0c01               | mov ecx, eax

        $sequence_1 = { 243f 0c40 8844244f 488dac2440010000 4889e9 e8???????? 488d9c2470010000 }
            // n = 7, score = 100
            //   243f                 | test eax, eax
            //   0c40                 | jne 0x17e7
            //   8844244f             | dec eax
            //   488dac2440010000     | lea ecx, [esp + 0x20]
            //   4889e9               | dec eax
            //   e8????????           |
            //   488d9c2470010000     | mov edx, esi

        $sequence_2 = { 83f802 7323 0fb6495c 488d159d110200 488b04c2 488b14c8 }
            // n = 6, score = 100
            //   83f802               | mov dword ptr [ebp - 0x18], ecx
            //   7323                 | dec eax
            //   0fb6495c             | mov dword ptr [ebp - 0x10], eax
            //   488d159d110200       | dec eax
            //   488b04c2             | lea edx, [0x154c0]
            //   488b14c8             | mov eax, 5

        $sequence_3 = { 4c89e9 4809c1 4901fb 4c21f9 4c89ee 4821c6 }
            // n = 6, score = 100
            //   4c89e9               | inc ecx
            //   4809c1               | and eax, edx
            //   4901fb               | xor ebx, dword ptr [esp + 4]
            //   4c21f9               | inc ebp
            //   4c89ee               | and esi, eax
            //   4821c6               | inc esp

        $sequence_4 = { 4889f1 490fafcc 4d0faffd 4901cf 4c89f7 4c89f1 490fafca }
            // n = 7, score = 100
            //   4889f1               | je 0x1a0a
            //   490fafcc             | cmp dword ptr [esp + 0x20], 0
            //   4d0faffd             | je 0x1a0a
            //   4901cf               | inc ebp
            //   4c89f7               | test esi, esi
            //   4c89f1               | je 0x1a0a
            //   490fafca             | test edi, edi

        $sequence_5 = { 09c1 884a1c 4c89e0 48d1e8 88421d 4c89e0 48c1e809 }
            // n = 7, score = 100
            //   09c1                 | lea eax, [0x1d0e9]
            //   884a1c               | dec edx
            //   4c89e0               | mov ecx, dword ptr [eax + ebp*8]
            //   48d1e8               | dec eax
            //   88421d               | lea edx, [ebp - 8]
            //   4c89e0               | dec edx
            //   48c1e809             | mov ecx, dword ptr [ecx + esi + 0x28]

        $sequence_6 = { 48c1fe19 488b7c2440 4c8d0c3e 488d0c3e 4881c100000002 4889ce 48c1ee1a }
            // n = 7, score = 100
            //   48c1fe19             | test ebp, ebp
            //   488b7c2440           | je 0xb56
            //   4c8d0c3e             | dec eax
            //   488d0c3e             | lea edx, [0x15b76]
            //   4881c100000002       | dec eax
            //   4889ce               | mov ecx, esi
            //   48c1ee1a             | inc ebp

        $sequence_7 = { e8???????? 4889f1 4c89f2 e8???????? 31db 4c8d7c2460 31ff }
            // n = 7, score = 100
            //   e8????????           |
            //   4889f1               | add eax, dword ptr [esp + 0x170]
            //   4c89f2               | dec eax
            //   e8????????           |
            //   31db                 | mov dword ptr [esp + 0xe8], eax
            //   4c8d7c2460           | dec eax
            //   31ff                 | mov dword ptr [esp + 0xe0], esi

        $sequence_8 = { 66410fdbcf 660f76ca 660fdbcf 660fefcb 660fefcd 66410f6fd9 }
            // n = 6, score = 100
            //   66410fdbcf           | mov esi, esi
            //   660f76ca             | dec eax
            //   660fdbcf             | sar esi, 0x15
            //   660fefcb             | dec ecx
            //   660fefcd             | lea ebp, [esp + esi]
            //   66410f6fd9           | dec eax

        $sequence_9 = { 488d1529540200 4533c0 488d0c9b 488d0cca baa00f0000 e8???????? 85c0 }
            // n = 7, score = 100
            //   488d1529540200       | cmp edi, eax
            //   4533c0               | dec eax
            //   488d0c9b             | mov ecx, esi
            //   488d0cca             | cmova edi, eax
            //   baa00f0000           | inc eax
            //   e8????????           |
            //   85c0                 | mov byte ptr [esi + 0x5a], bh

    condition:
        // 7 of the 10 sequences must be present; the size bound limits
        // scanning cost and false positives on large files (see header note).
        7 of them and filesize < 779264
}