m0yv (Malware Family)

m0yv

Modular x86/x64 file infector created/used by Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.
References

2022-02-09 ⋅ Security Affairs ⋅ Pierluigi Paganini
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-01-11 ⋅ Github (baderj) ⋅ Johannes Bader
Reimplementation of Expiro's DGA
m0yv
Yara Rules

[TLP:WHITE] win_m0yv_auto (20230125 | Detects win.m0yv.)
rule win_m0yv_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.m0yv."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4881c100000001 4889ca 81e1000000fe 4129cf 4c89c9 4e8d0c4e }
            // n = 6, score = 100
            //   4881c100000001       | dec                 eax
            //   4889ca               | imul                ecx, ebx
            //   81e1000000fe         | dec                 eax
            //   4129cf               | add                 ebp, ecx
            //   4c89c9               | dec                 esp
            //   4e8d0c4e             | mov                 ecx, esp

        $sequence_1 = { 480f44d0 4889f1 4531c0 e8???????? 895c2420 4983c701 498b4508 }
            // n = 7, score = 100
            //   480f44d0             | add                 edi, ecx
            //   4889f1               | dec                 ebp
            //   4531c0               | imul                ebp, eax, 0x9fb67
            //   e8????????           |                     
            //   895c2420             | dec                 ebp
            //   4983c701             | add                 ebp, ebx
            //   498b4508             | dec                 ecx

        $sequence_2 = { 57 53 4883ec20 b801000000 4885c9 0f840c010000 4889d6 }
            // n = 7, score = 100
            //   57                   | mov                 ebx, dword ptr [edx + 8]
            //   53                   | inc                 esp
            //   4883ec20             | mov                 dword ptr [esp + 0x2c], ebx
            //   b801000000           | inc                 esp
            //   4885c9               | mov                 esp, dword ptr [edx + 0xc]
            //   0f840c010000         | inc                 esp
            //   4889d6               | mov                 dword ptr [esp + 0x30], esp

        $sequence_3 = { e8???????? 488d7c2420 4889f9 4889da e8???????? 4889f9 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d7c2420           | test                eax, eax
            //   4889f9               | je                  0xf69
            //   4889da               | dec                 eax
            //   e8????????           |                     
            //   4889f9               | mov                 eax, dword ptr [eax + 0x10]

        $sequence_4 = { 4889d6 4885d2 7475 4889cf 8b01 83c0ff 83f806 }
            // n = 7, score = 100
            //   4889d6               | jne                 0x17b1
            //   4885d2               | inc                 ecx
            //   7475                 | mov                 byte ptr [eax + 0x4f], cl
            //   4889cf               | inc                 ecx
            //   8b01                 | mov                 byte ptr [eax + 0x59], cl
            //   83c0ff               | jmp                 0x17c9
            //   83f806               | cmp                 cl, 0xa

        $sequence_5 = { 8814ce 0fb654cf0e 8854ce01 0fb654cf0d 8854ce02 0fb654cf0c 8854ce03 }
            // n = 7, score = 100
            //   8814ce               | dec                 ebp
            //   0fb654cf0e           | imul                edi, esi
            //   8854ce01             | dec                 esp
            //   0fb654cf0d           | add                 edx, edi
            //   8854ce02             | dec                 eax
            //   0fb654cf0c           | add                 eax, esi
            //   8854ce03             | dec                 ecx

        $sequence_6 = { 41887419fe 83c009 4c8d5bff 83f813 7210 }
            // n = 5, score = 100
            //   41887419fe           | mov                 dword ptr [esp + 0x78], ebx
            //   83c009               | dec                 ebp
            //   4c8d5bff             | add                 eax, edx
            //   83f813               | dec                 esp
            //   7210                 | add                 eax, edx

        $sequence_7 = { 4989d8 e8???????? 4d8d4728 4c8d7650 4c89f1 4889f2 e8???????? }
            // n = 7, score = 100
            //   4989d8               | shr                 eax, 2
            //   e8????????           |                     
            //   4d8d4728             | and                 eax, 0x1fffff
            //   4c8d7650             | dec                 eax
            //   4c89f1               | mov                 dword ptr [esp + 0xa8], eax
            //   4889f2               | dec                 eax
            //   e8????????           |                     

        $sequence_8 = { 4e8d2402 4c01c2 4881c200001000 4889d6 4881e20000e0ff 4929d4 488b542470 }
            // n = 7, score = 100
            //   4e8d2402             | xor                 eax, eax
            //   4c01c2               | inc                 esp
            //   4881c200001000       | movaps              xmmword ptr [esp + 0x1440], xmm2
            //   4889d6               | inc                 esp
            //   4881e20000e0ff       | movaps              xmmword ptr [esp + 0x1430], xmm1
            //   4929d4               | inc                 sp
            //   488b542470           | movq                qword ptr [esp + 0x1420], mm0

        $sequence_9 = { 4889f9 4c89f2 4989d8 e8???????? 4d8d4728 4c8d7650 4c89f1 }
            // n = 7, score = 100
            //   4889f9               | arpl                cx, dx
            //   4c89f2               | dec                 eax
            //   4989d8               | lea                 ecx, [0x1db24]
            //   e8????????           |                     
            //   4d8d4728             | test                ecx, ecx
            //   4c8d7650             | js                  0x1268
            //   4c89f1               | jae                 0x1262

    condition:
        7 of them and filesize < 779264
}
Download all Yara Rules
m0yv Propose Change

References

Yara Rules

m0yv
