win.m0yv

m0yv


Modular x86/x64 file infector created and used by the Maze ransomware developer. According to its author, AV vendors have mistakenly tagged it as Expiro, which is why the references below use both names.

References
2023-03-31Youtube (ThreatCatch)ThreatCat.ch
Sinkholing the Domain Generation Algorithm of m0yv
Expiro m0yv
2022-02-09Security AffairsPierluigi Paganini
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-01-11Github (baderj)Johannes Bader
Reimplementation of Expiro's DGA
m0yv
Yara Rules
[TLP:WHITE] win_m0yv_auto (20230808 | Detects win.m0yv.)
rule win_m0yv_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.m0yv."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a raw byte pattern; the inline disassembly under it
     *   is commentary only and has no effect on matching. "????" bytes are
     *   wildcards for call rel32 displacements.
     * - The byte sequences carry REX prefixes (0x41, 0x44, 0x48, 0x49, 0x4c,
     *   0x4d, 0x4e, 0x4f), i.e. this is x86-64 code. The comments below decode
     *   the bytes as 64-bit instructions; the original auto-generated
     *   disassembly did not correspond to these bytes and was replaced.
     * - The `filesize < 779264` (761 KiB) bound presumably reflects the size
     *   of the dumped/unpacked samples the rule was generated from. m0yv is a
     *   file infector (see the family description), so an infected host
     *   executable larger than that bound will not match even if it carries
     *   this code. Scan memory dumps / extracted payloads, or relax the bound,
     *   if coverage of infected host files is required.
     * - The threshold `7 of them` means three of the ten sequences may be
     *   absent (e.g. rebuilt with different register allocation) and the rule
     *   still fires; each sequence is long enough that false positives on
     *   unrelated code are unlikely but not impossible.
     */


    strings:
        $sequence_0 = { 490faff8 4d89c3 4901ff 4c8b1424 490fafd2 48039424b8000000 4c89ef }
            // n = 7, score = 100
            // 64-bit multiply/accumulate over stack-resident operands.
            //   490faff8             | imul                rdi, r8
            //   4d89c3               | mov                 r11, r8
            //   4901ff               | add                 r15, rdi
            //   4c8b1424             | mov                 r10, qword ptr [rsp]
            //   490fafd2             | imul                rdx, r10
            //   48039424b8000000     | add                 rdx, qword ptr [rsp + 0xb8]
            //   4c89ef               | mov                 rdi, r13

        $sequence_1 = { 72e7 4889f9 4889da e8???????? 48c7474800000000 31c0 6690 }
            // n = 7, score = 100
            // Loop back-edge followed by a two-argument call (rcx, rdx) and a
            // qword field clear at [rdi+0x48]; 66 90 is a 2-byte nop (xchg ax, ax).
            //   72e7                 | jb                  -0x19 (rel8)
            //   4889f9               | mov                 rcx, rdi
            //   4889da               | mov                 rdx, rbx
            //   e8????????           | call                <rel32, wildcarded>
            //   48c7474800000000     | mov                 qword ptr [rdi + 0x48], 0
            //   31c0                 | xor                 eax, eax
            //   6690                 | nop                 (xchg ax, ax)

        $sequence_2 = { f6c201 0f84e3000000 4183fb66 775c 744e }
            // n = 5, score = 100
            // Bit test on dl, then a three-way branch on r11d against 0x66 ('f').
            //   f6c201               | test                dl, 1
            //   0f84e3000000         | je                  +0xe3 (rel32)
            //   4183fb66             | cmp                 r11d, 0x66
            //   775c                 | ja                  +0x5c (rel8)
            //   744e                 | je                  +0x4e (rel8)

        $sequence_3 = { 4889fa e8???????? 4889f9 4889fa e8???????? 4c89f1 }
            // n = 6, score = 100
            // Two consecutive calls passing rdi (as rdx, then rcx and rdx).
            //   4889fa               | mov                 rdx, rdi
            //   e8????????           | call                <rel32, wildcarded>
            //   4889f9               | mov                 rcx, rdi
            //   4889fa               | mov                 rdx, rdi
            //   e8????????           | call                <rel32, wildcarded>
            //   4c89f1               | mov                 rcx, r14

        $sequence_4 = { 29e8 488bac24a8000000 894500 895504 44895d08 }
            // n = 5, score = 100
            // Stores three dwords to an output struct pointer reloaded from the stack.
            //   29e8                 | sub                 eax, ebp
            //   488bac24a8000000     | mov                 rbp, qword ptr [rsp + 0xa8]
            //   894500               | mov                 dword ptr [rbp], eax
            //   895504               | mov                 dword ptr [rbp + 4], edx
            //   44895d08             | mov                 dword ptr [rbp + 8], r11d

        $sequence_5 = { 490fafc6 4801c2 4889942440010000 4c89842488000000 4c89c0 480fafc1 }
            // n = 6, score = 100
            // 64-bit multiply/add with results spilled to a large stack frame.
            //   490fafc6             | imul                rax, r14
            //   4801c2               | add                 rdx, rax
            //   4889942440010000     | mov                 qword ptr [rsp + 0x140], rdx
            //   4c89842488000000     | mov                 qword ptr [rsp + 0x88], r8
            //   4c89c0               | mov                 rax, r8
            //   480fafc1             | imul                rax, rcx

        $sequence_6 = { 4f037ce538 4c21df 4c31d7 4e03bce498000000 4831c1 4901ff 4c89c8 }
            // n = 7, score = 100
            // Table-driven and/xor/add mixing indexed by r12*8 (hash/cipher-like round).
            //   4f037ce538           | add                 r15, qword ptr [r13 + r12*8 + 0x38]
            //   4c21df               | and                 rdi, r11
            //   4c31d7               | xor                 rdi, r10
            //   4e03bce498000000     | add                 r15, qword ptr [rsp + r12*8 + 0x98]
            //   4831c1               | xor                 rcx, rax
            //   4901ff               | add                 r15, rdi
            //   4c89c8               | mov                 rax, r9

        $sequence_7 = { 2b6a24 448901 44894904 44895108 4489590c 44897110 897114 }
            // n = 7, score = 100
            // Writes six consecutive dwords through rcx (struct initialisation).
            //   2b6a24               | sub                 ebp, dword ptr [rdx + 0x24]
            //   448901               | mov                 dword ptr [rcx], r8d
            //   44894904             | mov                 dword ptr [rcx + 4], r9d
            //   44895108             | mov                 dword ptr [rcx + 8], r10d
            //   4489590c             | mov                 dword ptr [rcx + 0xc], r11d
            //   44897110             | mov                 dword ptr [rcx + 0x10], r14d
            //   897114               | mov                 dword ptr [rcx + 0x14], esi

        $sequence_8 = { 4883ec28 e8???????? 4885c0 7409 488b4010 }
            // n = 5, score = 100
            // Win64 prologue (shadow space + alignment), call, null-check, then
            // dereference of a field at +0x10 of the returned object.
            //   4883ec28             | sub                 rsp, 0x28
            //   e8????????           | call                <rel32, wildcarded>
            //   4885c0               | test                rax, rax
            //   7409                 | je                  +9 (rel8)
            //   488b4010             | mov                 rax, qword ptr [rax + 0x10]

        $sequence_9 = { c1e802 4122c2 41884041 8bc2 83e003 8a0481 498bc8 }
            // n = 7, score = 100
            // 2-bit field extraction with a 4-byte-stride byte table lookup [rcx + rax*4].
            //   c1e802               | shr                 eax, 2
            //   4122c2               | and                 al, r10b
            //   41884041             | mov                 byte ptr [r8 + 0x41], al
            //   8bc2                 | mov                 eax, edx
            //   83e003               | and                 eax, 3
            //   8a0481               | mov                 al, byte ptr [rcx + rax*4]
            //   498bc8               | mov                 rcx, r8

    condition:
        7 of them and filesize < 779264
}