SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mbrlock (Back to overview)

MBRlock

aka: DexLocker
VTCollection    

This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.

References
2018-02-09Bleeping ComputerLawrence Abrams
DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer
MBRlock
2018-02-08Hybrid-AnalysisHybrid-Analysis
Analysis Run
MBRlock
2018-02-08ANY.RUNANY.RUN
ANY.RUN analysis of MBRLock
MBRlock
2018-02-08ID RansomwareAndrew Ivanov
MBRlock Ransomware
MBRlock
Yara Rules
[TLP:WHITE] win_mbrlock_auto (20260504 | Detects win.mbrlock.)
rule win_mbrlock_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mbrlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f84c3010000 c744241400000000 c7442410c8664a00 8b4c2474 03ef 03ce c744246802000000 }
            // n = 7, score = 100
            //   0f84c3010000         | je                  0x1c9
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   c7442410c8664a00     | mov                 dword ptr [esp + 0x10], 0x4a66c8
            //   8b4c2474             | mov                 ecx, dword ptr [esp + 0x74]
            //   03ef                 | add                 ebp, edi
            //   03ce                 | add                 ecx, esi
            //   c744246802000000     | mov                 dword ptr [esp + 0x68], 2

        $sequence_1 = { eb9e 8b45e8 40 8945e8 e9???????? 8b4d08 51 }
            // n = 7, score = 100
            //   eb9e                 | jmp                 0xffffffa0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   40                   | inc                 eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   e9????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx

        $sequence_2 = { 5e 8801 83c414 c3 3d01050080 772f 741b }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   8801                 | mov                 byte ptr [ecx], al
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   3d01050080           | cmp                 eax, 0x80000501
            //   772f                 | ja                  0x31
            //   741b                 | je                  0x1d

        $sequence_3 = { 8b4708 85c0 7455 8b08 49 7425 83e902 }
            // n = 7, score = 100
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   85c0                 | test                eax, eax
            //   7455                 | je                  0x57
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   49                   | dec                 ecx
            //   7425                 | je                  0x27
            //   83e902               | sub                 ecx, 2

        $sequence_4 = { 5e c60200 83c414 c3 dd06 e8???????? 8b4c241c }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   c60200               | mov                 byte ptr [edx], 0
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   dd06                 | fld                 qword ptr [esi]
            //   e8????????           |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_5 = { 83c40c 2bf8 8d8c4690000000 83ff02 894d10 7c3c 68c0540110 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   2bf8                 | sub                 edi, eax
            //   8d8c4690000000       | lea                 ecx, [esi + eax*2 + 0x90]
            //   83ff02               | cmp                 edi, 2
            //   894d10               | mov                 dword ptr [ebp + 0x10], ecx
            //   7c3c                 | jl                  0x3e
            //   68c0540110           | push                0x100154c0

        $sequence_6 = { 8b4c2408 51 52 ff15???????? f7d8 1bc0 40 }
            // n = 7, score = 100
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   40                   | inc                 eax

        $sequence_7 = { 83c418 85ff 747e 8b5de4 8b560c 8d4dec }
            // n = 6, score = 100
            //   83c418               | add                 esp, 0x18
            //   85ff                 | test                edi, edi
            //   747e                 | je                  0x80
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_8 = { 8965e8 c785c4feffff00000000 6a00 6a00 6a03 6a00 6a01 }
            // n = 7, score = 100
            //   8965e8               | mov                 dword ptr [ebp - 0x18], esp
            //   c785c4feffff00000000     | mov    dword ptr [ebp - 0x13c], 0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_9 = { 6801000000 bb???????? e8???????? 83c410 8945f4 6800000000 bb???????? }
            // n = 7, score = 100
            //   6801000000           | push                1
            //   bb????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   6800000000           | push                0
            //   bb????????           |                     

    condition:
        7 of them and filesize < 2031616
}
Download all Yara Rules