Ransomware. The samples operated by the Morpheus and HellCat ransomware groups are identical apart from the ransom note.
/*
 * win_morpheus_auto
 *
 * Autogenerated YARA-Signator rule for win.morpheus (Malpedia). The rule
 * matches when at least 7 of the 10 opcode byte sequences below are found
 * and the scanned object is smaller than 74752 bytes.
 *
 * Reviewer notes:
 *  - The sequences were selected from disassembly of memory dumps and
 *    unpacked files, so the rule is meant for unpacked/dumped samples
 *    rather than packed on-disk droppers.
 *  - `filesize` is only defined when scanning a file; per YARA semantics
 *    the `and filesize < 74752` clause cannot be satisfied when the rule is
 *    applied to process memory, so memory scans will not match.
 *  - The per-byte disassembly annotations were emitted by the generator
 *    and appear not to line up with the bytes they sit next to (e.g. the
 *    0x48 REX prefixes of the 64-bit instructions are shown as `dec eax`,
 *    which is a 32-bit decode). Treat the hex patterns as authoritative
 *    and the annotations as informational only.
 */
rule win_morpheus_auto
{
    meta:
        author              = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                = "2026-05-04"
        version             = "1"
        description         = "Detects win.morpheus."
        info                = "autogenerated rule brought to you by yara-signator"
        tool                = "yara-signator v0.6.0"
        signator_config     = "callsandjumps;datarefs;binvalue"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.morpheus"
        malpedia_rule_date  = "20260422"
        malpedia_hash       = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version    = "20260504"
        malpedia_license    = "CC BY-SA 4.0"
        malpedia_sharing    = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 4, score = 200
        $sequence_0 = {
            8b44244c    // generator annotation: mov dword ptr [esp + 0x1b0], eax
            ffc0        // generator annotation: dec eax
            8944244c    // generator annotation: lea eax, [0x1bb4]
            ebc4        // generator annotation: dec eax
        }

        // n = 5, score = 200
        $sequence_1 = {
            8b8424dc010000      // generator annotation: mov eax, dword ptr [esp + 0xc8]
            8b4c242c            // generator annotation: dec eax
            488b942428040000    // generator annotation: dec eax
            488b5210            // generator annotation: dec eax
            488904ca            // generator annotation: mov dword ptr [esp + 0xd0], eax
        }

        // n = 4, score = 200
        $sequence_2 = {
            0f845a020000        // generator annotation: je 0x22f
            b808000000          // generator annotation: dec eax
            486bc002            // generator annotation: mov eax, dword ptr [esp + 0x30]
            488b8c24f0000000    // generator annotation: dec eax
        }

        // n = 5, score = 200 (wildcards cover relocated call/jump targets)
        $sequence_3 = {
            488b8c2400010000    // generator annotation: movzx eax, word ptr [eax]
            ff15????????        // indirect call, target wildcarded
            488b8c2400010000    // generator annotation: mov dword ptr [esp + 0x120], eax
            ff15????????        // indirect call, target wildcarded
            e9????????          // jmp rel32, target wildcarded
        }

        // n = 7, score = 200
        $sequence_4 = {
            4883c002            // generator annotation: test eax, eax
            4889842468010000    // generator annotation: je 0x1cb7
            83bc241401000000    // generator annotation: dec eax
            740c                // generator annotation: mov eax, dword ptr [esp + 0x78]
            8b442444            // generator annotation: movzx eax, word ptr [eax]
            ffc0                // generator annotation: dec eax
            89442444            // generator annotation: mov eax, dword ptr [esp + 0x70]
        }

        // n = 4, score = 200
        $sequence_5 = {
            b85f000000          // generator annotation: lea eax, [esp + 0x120]
            66898424c4000000    // generator annotation: dec eax
            b82e000000          // generator annotation: mov dword ptr [esp + 0x20], eax
            66898424c6000000    // generator annotation: inc ecx
        }

        // n = 4, score = 200
        $sequence_6 = {
            ebb1                // generator annotation: mov ecx, dword ptr [esp + 0x58]
            33c0                // generator annotation: dec esp
            488b8c24a8000000    // generator annotation: lea ecx, [esp + 0x7c]
            668901              // generator annotation: inc esp
        }

        // n = 6, score = 200
        $sequence_7 = {
            39442440            // generator annotation: dec eax
            731f                // generator annotation: mov ecx, dword ptr [esp + 0x428]
            8b442440            // generator annotation: dec eax
            488b4c2450          // generator annotation: mov edx, dword ptr [esp + 0x428]
            0fbe0401            // generator annotation: dec eax
            33442444            // generator annotation: mov edx, dword ptr [edx + 0x10]
        }

        // n = 6, score = 200
        $sequence_8 = {
            ff15????????        // indirect call, target wildcarded
            c744242000000000    // generator annotation: add eax, 2
            c744242800000000    // generator annotation: dec eax
            eb0a                // generator annotation: mov dword ptr [esp + 0xd8], eax
            8b442420            // generator annotation: jmp 0x1199
            ffc0                // generator annotation: xor eax, eax
        }

        // n = 6, score = 200
        $sequence_9 = {
            4c8bc0              // generator annotation: movzx eax, byte ptr [esp + 0x58]
            ba08000000          // generator annotation: mov byte ptr [esp + 0x22], al
            488b0d????????      // rip-relative load, displacement wildcarded
            ff15????????        // indirect call, target wildcarded
            488b4c2438          // generator annotation: movzx eax, byte ptr [esp + 0x22]
            48894110            // generator annotation: test eax, eax
        }

    condition:
        // Majority of the sequences must be present; the size bound keeps the
        // rule from firing on large files that merely embed similar stubs.
        7 of them and filesize < 74752
}