SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mimic (Back to overview)

Mimic Ransomware

VTCollection    

According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English and Russian speaking users.

References
2025-05-19The DFIR Report0xtornado, pcsc0ut, Randy Pargman
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
Mimic Ransomware MimiKatz
2024-01-09SecuronixDen Iyzvyk, Oleg Kolesnikov, Tim Peck
New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware
Mimic Ransomware
2023-01-26TrendmicroDon Ovid Ladores, Earle Maui Earnshaw, Nathaniel Gregory Ragasa, Nathaniel Morales, Nick Dai
New Mimic Ransomware Abuses Everything APIs for its Encryption Process
Mimic Ransomware
Yara Rules
[TLP:WHITE] win_mimic_auto (20260504 | Detects win.mimic.)
rule win_mimic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mimic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb6c1 33148508ee5b00 8bc7 c1e810 33d3 0fb6c8 33de }
            // n = 7, score = 100
            //   0fb6c1               | movzx               eax, cl
            //   33148508ee5b00       | xor                 edx, dword ptr [eax*4 + 0x5bee08]
            //   8bc7                 | mov                 eax, edi
            //   c1e810               | shr                 eax, 0x10
            //   33d3                 | xor                 edx, ebx
            //   0fb6c8               | movzx               ecx, al
            //   33de                 | xor                 ebx, esi

        $sequence_1 = { 7429 83e804 83f86c 77e8 0fb680147a4d00 ff24850c7a4d00 2d86000000 }
            // n = 7, score = 100
            //   7429                 | je                  0x2b
            //   83e804               | sub                 eax, 4
            //   83f86c               | cmp                 eax, 0x6c
            //   77e8                 | ja                  0xffffffea
            //   0fb680147a4d00       | movzx               eax, byte ptr [eax + 0x4d7a14]
            //   ff24850c7a4d00       | jmp                 dword ptr [eax*4 + 0x4d7a0c]
            //   2d86000000           | sub                 eax, 0x86

        $sequence_2 = { 83ec14 8b4518 8b5508 53 8bd9 8945f0 }
            // n = 6, score = 100
            //   83ec14               | sub                 esp, 0x14
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_3 = { 53 56 57 8d442414 c744241400000000 50 51 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_4 = { 0f84c1010000 8b45ec 33c9 3b45e0 0f85b3010000 3b4de4 0f85aa010000 }
            // n = 7, score = 100
            //   0f84c1010000         | je                  0x1c7
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   33c9                 | xor                 ecx, ecx
            //   3b45e0               | cmp                 eax, dword ptr [ebp - 0x20]
            //   0f85b3010000         | jne                 0x1b9
            //   3b4de4               | cmp                 ecx, dword ptr [ebp - 0x1c]
            //   0f85aa010000         | jne                 0x1b0

        $sequence_5 = { 8975dc c745e400000000 837f1410 8b5f10 7202 8b3f e8???????? }
            // n = 7, score = 100
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8b5f10               | mov                 ebx, dword ptr [edi + 0x10]
            //   7202                 | jb                  4
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   e8????????           |                     

        $sequence_6 = { c70700000000 b801000000 e9???????? ff15???????? 50 68???????? }
            // n = 6, score = 100
            //   c70700000000         | mov                 dword ptr [edi], 0
            //   b801000000           | mov                 eax, 1
            //   e9????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_7 = { 0f8483000000 eb7d 8b1c9de8a75c00 6800080000 6a00 53 ff15???????? }
            // n = 7, score = 100
            //   0f8483000000         | je                  0x89
            //   eb7d                 | jmp                 0x7f
            //   8b1c9de8a75c00       | mov                 ebx, dword ptr [ebx*4 + 0x5ca7e8]
            //   6800080000           | push                0x800
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_8 = { 50 6a00 ff75ec 0f1145dc ff15???????? 85c0 0f8878ffffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   0f1145dc             | movups              xmmword ptr [ebp - 0x24], xmm0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8878ffffff         | js                  0xffffff7e

        $sequence_9 = { 663930 75f2 85c0 7523 3bd7 7405 83ea02 }
            // n = 7, score = 100
            //   663930               | cmp                 word ptr [eax], si
            //   75f2                 | jne                 0xfffffff4
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25
            //   3bd7                 | cmp                 edx, edi
            //   7405                 | je                  7
            //   83ea02               | sub                 edx, 2

    condition:
        7 of them and filesize < 4204544
}
Download all Yara Rules