win.maktub

Maktub


According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the archive is extracted and the document opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub appends an extension such as .NORV or .gyul (or another random string) to each encrypted file, which makes it straightforward to identify which files were encrypted.

References
2018-05-29 · Intezer · Omri Ben Bassat
Iron Cybercrime Group Under The Scope
Maktub, Iron Group
2018-04-10 · Blaze's Security Blog · BartBlaze
Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24 · Malwarebytes · hasherezade
Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules
[TLP:WHITE] win_maktub_auto (20260504 | Detects win.maktub.)
// Autogenerated code-sequence signature for win.maktub (Malpedia).
// Each $sequence_N is a hex pattern of x86 opcode bytes lifted from unpacked
// samples / memory dumps (see disclaimer below); "??" wildcards mask bytes that
// vary between builds (absolute addresses, call/jump displacements).
// The per-string "score" annotation is emitted by yara-signator; it presumably
// reflects how many reference samples contained the sequence (400 > 300 > 100)
// — confirm against the yara-signator documentation before using it to weight hits.
rule win_maktub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // call eax / neg / sbb eax,eax / neg normalizes a call's return value
        // to 0 or 1 (eax = (eax != 0)). This is a generic compiler idiom, so
        // on its own it is a weak discriminator; it relies on the 7-of-them
        // threshold in the condition.
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp

        // "ff15 ????????" is `call dword ptr [imm32]` (an import/IAT slot);
        // the slot address is wildcarded because it depends on build and
        // image layout. Several of the following patterns have only 4-7
        // literal bytes besides the wildcard, so individually they can match
        // incidental code; again the threshold is what makes the rule usable.
        $sequence_1 = { ff15???????? eb02 33db 8b4df4 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   eb02                 | jmp                 4
            //   33db                 | xor                 ebx, ebx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_2 = { ff15???????? f6c301 0f8414010000 8d46fc }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   0f8414010000         | je                  0x11a
            //   8d46fc               | lea                 eax, [esi - 4]

        $sequence_3 = { ff15???????? e9???????? a1???????? 3bc1 0f8deefeffff 8bf0 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   e9????????           |                     
            //   a1????????           |                     
            //   3bc1                 | cmp                 eax, ecx
            //   0f8deefeffff         | jge                 0xfffffef4
            //   8bf0                 | mov                 esi, eax

        $sequence_4 = { ff15???????? eb02 33c0 46 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   46                   | inc                 esi

        $sequence_5 = { ff15???????? eb0a 57 6a08 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   eb0a                 | jmp                 0xc
            //   57                   | push                edi
            //   6a08                 | push                8

        $sequence_6 = { ff15???????? f6c301 7432 8b75b8 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   7432                 | je                  0x34
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        $sequence_7 = { ff7508 ffd7 50 ffd6 53 }
            // n = 5, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   53                   | push                ebx

        $sequence_8 = { ff30 e8???????? 8bc7 5f 5e 5b }
            // n = 6, score = 200
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        // Sequences 9-21 carry the lowest weighting (score = 100). If the score
        // is a sample count, these were observed in a single reference sample
        // and are the least likely to generalize across variants (see disclaimer).
        $sequence_9 = { 8d5005 e8???????? 8b45f8 8d4d08 }
            // n = 4, score = 100
            //   8d5005               | lea                 edx, [eax + 5]
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8d4d08               | lea                 ecx, [ebp + 8]

        // The lea eax,[edx - 0x61] / [edx - 0x57] / [edx - 0x41] / [edx - 0x37]
        // / [edx - 0x30] family (sequences 10, 12, 14, 15, 20) is consistent
        // with an ASCII hex-digit decoder: 0x30 = '0', 0x41 = 'A', 0x61 = 'a',
        // and 0x37 / 0x57 map 'A'..'F' / 'a'..'f' to 10..15. Inference from
        // the constants only — verify in the sample before relying on it.
        $sequence_10 = { 8d429f 663b442418 7767 8d42a9 }
            // n = 4, score = 100
            //   8d429f               | lea                 eax, [edx - 0x61]
            //   663b442418           | cmp                 ax, word ptr [esp + 0x18]
            //   7767                 | ja                  0x69
            //   8d42a9               | lea                 eax, [edx - 0x57]

        $sequence_11 = { 8d55ac 8d4d9c e8???????? 8bd0 }
            // n = 4, score = 100
            //   8d55ac               | lea                 edx, [ebp - 0x54]
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_12 = { 8d42a9 0fb7c0 43 0bc8 }
            // n = 4, score = 100
            //   8d42a9               | lea                 eax, [edx - 0x57]
            //   0fb7c0               | movzx               eax, ax
            //   43                   | inc                 ebx
            //   0bc8                 | or                  ecx, eax

        $sequence_13 = { 8d5590 85c0 7507 837a0401 }
            // n = 4, score = 100
            //   8d5590               | lea                 edx, [ebp - 0x70]
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   837a0401             | cmp                 dword ptr [edx + 4], 1

        $sequence_14 = { 8d42bf 663b442418 7705 8d42c9 }
            // n = 4, score = 100
            //   8d42bf               | lea                 eax, [edx - 0x41]
            //   663b442418           | cmp                 ax, word ptr [esp + 0x18]
            //   7705                 | ja                  7
            //   8d42c9               | lea                 eax, [edx - 0x37]

        $sequence_15 = { 8d42d0 663b442410 761c 8d42bf }
            // n = 4, score = 100
            //   8d42d0               | lea                 eax, [edx - 0x30]
            //   663b442410           | cmp                 ax, word ptr [esp + 0x10]
            //   761c                 | jbe                 0x1e
            //   8d42bf               | lea                 eax, [edx - 0x41]

        $sequence_16 = { 8d55ac 8d4d8c e8???????? 50 }
            // n = 4, score = 100
            //   8d55ac               | lea                 edx, [ebp - 0x54]
            //   8d4d8c               | lea                 ecx, [ebp - 0x74]
            //   e8????????           |                     
            //   50                   | push                eax

        // SSE2 scalar-double arithmetic (cvtdq2pd / addsd): the only
        // floating-point sequence in the rule; purpose not determinable here.
        $sequence_17 = { 8d4202 f30fe6c0 8901 f20f58c8 }
            // n = 4, score = 100
            //   8d4202               | lea                 eax, [edx + 2]
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   8901                 | mov                 dword ptr [ecx], eax
            //   f20f58c8             | addsd               xmm1, xmm0

        $sequence_18 = { 8d5001 8911 c20400 55 }
            // n = 4, score = 100
            //   8d5001               | lea                 edx, [eax + 1]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   c20400               | ret                 4
            //   55                   | push                ebp

        $sequence_19 = { 8d4fff 03ca 8a041e 46 8801 }
            // n = 5, score = 100
            //   8d4fff               | lea                 ecx, [edi - 1]
            //   03ca                 | add                 ecx, edx
            //   8a041e               | mov                 al, byte ptr [esi + ebx]
            //   46                   | inc                 esi
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_20 = { 8d42c9 eb0d 8d429f 663b442418 }
            // n = 4, score = 100
            //   8d42c9               | lea                 eax, [edx - 0x37]
            //   eb0d                 | jmp                 0xf
            //   8d429f               | lea                 eax, [edx - 0x61]
            //   663b442418           | cmp                 ax, word ptr [esp + 0x18]

        $sequence_21 = { 8d5001 8955f0 8d4dd4 e8???????? }
            // n = 4, score = 100
            //   8d5001               | lea                 edx, [eax + 1]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     

    condition:
        // Any 7 of the 22 sequences must be present; no single sequence is
        // mandatory, so a partial code-reuse (e.g. a rebrand such as the Iron
        // link noted in the references) can still trigger the rule.
        // The size cap (3063808 bytes, ~2.9 MiB) bounds scan cost and excludes
        // large carrier files. Because the strings were taken from memory dumps
        // and unpacked code, expect hits on dumped/unpacked images; a packed
        // on-disk dropper will likely not match until it is unpacked.
        7 of them and filesize < 3063808
}