win.polyvice

PolyVice

aka: Chily

No description has been written for this family yet. What this page itself supports: the two references below (SentinelLabs, Dec 2022; Intrinsec, Feb 2023) treat PolyVice as an x86-64 Windows ransomware payload used by the Vice Society group, and SentinelLabs describes custom-branded builds of the same code being supplied to several actors — see the descriptions of the win_polyvice_w0 / win_polyvice_w1 rules below. The YARA rules on this page target the 64-bit PE (REX-prefixed code), so do not expect them to cover any 32-bit build should one exist.

References
2023-02-14 — Intrinsec — Intrinsec, CTI Intrinsec
@online{intrinsec:20230214:vicesociety:2dffe2e, author = {Intrinsec and CTI Intrinsec}, title = {{Vice-Society spreads its own ransomware}}, date = {2023-02-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/}, language = {English}, urldate = {2023-02-15} } Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin
2022-12-22 — Sentinel LABS — Antonio Cocomazzi
@online{cocomazzi:20221222:custombranded:3f5dd45, author = {Antonio Cocomazzi}, title = {{Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development}}, date = {2022-12-22}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/}, language = {English}, urldate = {2023-01-05} } Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
Curator PolyVice
Yara Rules
[TLP:WHITE] win_polyvice_auto (20230715 | Detects win.polyvice.)
rule win_polyvice_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.polyvice."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER (generator)
     * Every byte sequence below was picked automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked files
     * (https://github.com/fxb-cocacoding/yara-signator). Malpedia is the
     * data source, and for many families Malpedia holds a single sample, so
     * these sequences may generalise poorly to other builds. Weigh that, and
     * the generation method, when you assign this rule a confidence level.
     */

    /* REVIEW NOTES
     * - The per-byte annotations that shipped with this rule were produced in
     *   32-bit mode and were shifted relative to the bytes they sat next to
     *   (REX prefixes 0x41/0x44/0x45/0x48 appeared as inc/dec). They have been
     *   replaced by a manual x86-64 decode of each sequence.
     * - $sequence_2 and $sequence_7 carry the immediates 0xCA62C1D6 and
     *   0x8F1BBCDC, which are the SHA-1 round constants K4 and K3, and
     *   $sequence_2 contains the rol-by-1 of the SHA-1 message schedule. These
     *   look like compiled SHA-1 round code rather than family-specific logic
     *   and can recur in unrelated binaries built from the same compiler and
     *   crypto source. $sequence_5 is a byte-indexed dword-table XOR step, the
     *   shape of a table-driven cipher (possibly AES; not confirmed). The
     *   "7 of" threshold is what stops such generic hits from firing alone.
     * - There is no MZ header check. The sequences were taken from memory dumps
     *   and unpacked files, so the rule is also usable on dumps; confirm that
     *   need before adding uint16(0) == 0x5A4D. win_polyvice_w0/w1 are the
     *   PE-only rules on this page.
     */

    strings:
        // call-and-branch on a status code, stack locals at rsp+0x28 / +0x50 / +0x2a0
        $sequence_0 = { 48 8b 4c 24 28 e8 ?? ?? ?? ?? 85 c0 0f 85 dd 01 00 00 48 8b 4c 24 28 48 8d 9c 24 a0 02 00 00 48 8d 74 24 50 }
            // n = 7, score = 100
            //   48 8b 4c 24 28             mov     rcx, [rsp+0x28]
            //   e8 ?? ?? ?? ??             call    <rel32>
            //   85 c0                      test    eax, eax
            //   0f 85 dd 01 00 00          jne     +0x1dd
            //   48 8b 4c 24 28             mov     rcx, [rsp+0x28]
            //   48 8d 9c 24 a0 02 00 00    lea     rbx, [rsp+0x2a0]
            //   48 8d 74 24 50             lea     rsi, [rsp+0x50]

        // two qword stores into parallel arrays indexed by r8
        $sequence_1 = { 0f b7 ce 48 8b 75 c0 41 0f b7 c1 4a 89 0c c6 4a 89 04 c7 8b 75 cc 89 f0 }
            // n = 7, score = 100
            //   0f b7 ce                   movzx   ecx, si
            //   48 8b 75 c0                mov     rsi, [rbp-0x40]
            //   41 0f b7 c1                movzx   eax, r9w
            //   4a 89 0c c6                mov     [rsi+r8*8], rcx
            //   4a 89 04 c7                mov     [rdi+r8*8], rax
            //   8b 75 cc                   mov     esi, [rbp-0x34]
            //   89 f0                      mov     eax, esi

        // SHA-1 style schedule/round step (xor chain, rol 1, K4 constant)
        $sequence_2 = { 33 5c 24 1c 41 31 da 44 31 d7 45 89 e2 d1 c7 45 31 fa 45 8d ac 3d d6 c1 62 ca }
            // n = 7, score = 100
            //   33 5c 24 1c                xor     ebx, [rsp+0x1c]
            //   41 31 da                   xor     r10d, ebx
            //   44 31 d7                   xor     edi, r10d
            //   45 89 e2                   mov     r10d, r12d
            //   d1 c7                      rol     edi, 1
            //   45 31 fa                   xor     r10d, r15d
            //   45 8d ac 3d d6 c1 62 ca    lea     r13d, [r13+rdi+0xca62c1d6]   ; SHA-1 K4

        // xor mixing with a stack word, register shuffles
        $sequence_3 = { 31 ef 33 7c 24 2c 44 89 fd 44 31 e2 41 89 f4 }
            // n = 5, score = 100
            //   31 ef                      xor     edi, ebp
            //   33 7c 24 2c                xor     edi, [rsp+0x2c]
            //   44 89 fd                   mov     ebp, r15d
            //   44 31 e2                   xor     edx, r12d
            //   41 89 f4                   mov     r12d, esi

        // variable shift by (ecx - al), 16-bit zero test
        $sequence_4 = { 0f b6 f8 29 f9 d3 ee 66 85 ed 74 57 8d 55 ff }
            // n = 6, score = 100
            //   0f b6 f8                   movzx   edi, al
            //   29 f9                      sub     ecx, edi
            //   d3 ee                      shr     esi, cl
            //   66 85 ed                   test    bp, bp
            //   74 57                      je      +0x57
            //   8d 55 ff                   lea     edx, [rbp-1]

        // byte-extract -> dword-table lookup -> xor (T-table cipher shape)
        $sequence_5 = { c1 eb 10 0f b6 db 44 33 24 9a 0f b6 dc c1 ee 18 44 89 d0 45 33 24 9e }
            // n = 7, score = 100
            //   c1 eb 10                   shr     ebx, 0x10
            //   0f b6 db                   movzx   ebx, bl
            //   44 33 24 9a                xor     r12d, [rdx+rbx*4]
            //   0f b6 dc                   movzx   ebx, ah
            //   c1 ee 18                   shr     esi, 0x18
            //   44 89 d0                   mov     eax, r10d
            //   45 33 24 9e                xor     r12d, [r14+rbx*4]

        // two consecutive calls; first takes &ctx[0x177c] in r8
        $sequence_6 = { 4c 8d 82 7c 17 00 00 49 89 d9 e8 ?? ?? ?? ?? 48 89 d9 89 c6 e8 ?? ?? ?? ?? }
            // n = 6, score = 100
            //   4c 8d 82 7c 17 00 00       lea     r8, [rdx+0x177c]
            //   49 89 d9                   mov     r9, rbx
            //   e8 ?? ?? ?? ??             call    <rel32>
            //   48 89 d9                   mov     rcx, rbx
            //   89 c6                      mov     esi, eax
            //   e8 ?? ?? ?? ??             call    <rel32>

        // SHA-1 round arithmetic with the K3 constant
        $sequence_7 = { 44 09 d8 47 8d 9c 21 dc bc 1b 8f 44 8b 64 24 28 41 89 c9 44 01 d8 41 89 eb }
            // n = 6, score = 100
            //   44 09 d8                   or      eax, r11d
            //   47 8d 9c 21 dc bc 1b 8f    lea     r11d, [r9+r12+0x8f1bbcdc]   ; SHA-1 K3
            //   44 8b 64 24 28             mov     r12d, [rsp+0x28]
            //   41 89 c9                   mov     r9d, ecx
            //   44 01 d8                   add     eax, r11d
            //   41 89 eb                   mov     r11d, ebp

        // bool-returning call followed by argument setup for the next one
        $sequence_8 = { 45 89 f7 e8 ?? ?? ?? ?? 84 c0 0f 85 83 00 00 00 44 8b 44 24 48 48 89 7c 24 30 41 89 d9 }
            // n = 7, score = 100
            //   45 89 f7                   mov     r15d, r14d
            //   e8 ?? ?? ?? ??             call    <rel32>
            //   84 c0                      test    al, al
            //   0f 85 83 00 00 00          jne     +0x83
            //   44 8b 44 24 48             mov     r8d, [rsp+0x48]
            //   48 89 7c 24 30             mov     [rsp+0x30], rdi
            //   41 89 d9                   mov     r9d, ebx

        // function prologue: 0x448-byte frame; edx=0, r8d=0x208 look like memset
        // arguments for a 260-wide-char (MAX_PATH) buffer -- inferred, not confirmed
        $sequence_9 = { 56 53 48 81 ec 48 04 00 00 31 d2 41 b8 08 02 00 00 48 8d 6c 24 20 }
            // n = 6, score = 100
            //   56                         push    rsi
            //   53                         push    rbx
            //   48 81 ec 48 04 00 00       sub     rsp, 0x448
            //   31 d2                      xor     edx, edx
            //   41 b8 08 02 00 00          mov     r8d, 0x208
            //   48 8d 6c 24 20             lea     rbp, [rsp+0x20]

    condition:
        filesize < 369664 and 7 of ($sequence_*)
}
[TLP:WHITE] win_polyvice_w0   (20230102 | Detect a custom branded version of Vice Society ransomware)
rule win_polyvice_w0 {
  meta:
    author = "Antonio Cocomazzi @ SentinelOne"
    description = "Detect a custom branded version of Vice Society ransomware"
    date = "2022-11-28"
    reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
    hash = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
    malpedia_rule_date = "20230102"
    malpedia_hash = ""
    malpedia_version = "20230102"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"

  // Vice Society-branded PolyVice build (64-bit PE). The seven code anchors are
  // the same as in win_polyvice_w1; this rule adds the brand string, so every
  // w0 hit is also a w1 hit. Run both to tell the branded build apart from
  // other PolyVice deployments.
  strings:
    // Accesses at fixed disp32 offsets into a large (> 0x20000-byte) structure;
    // the offsets are the family-specific part. The leading 4? / (48|49) byte is
    // a REX prefix, the wildcarded byte a ModRM, so the base register is open.
    $code1 = { 4? 8b ?? 28 00 02 00 }             // mov  reg, [base+0x20028]
    $code2 = { 4? c7 ?? 18 03 02 00 a3 00 00 00 }  // mov  [base+0x20318], 0xa3
    $code3 = { (48 | 49) 8d 8? 58 00 02 00 }       // lea  rcx, [base+0x20058]
    $code4 = { (48 | 49) 8d 9? e8 02 02 00 }       // lea  rbx, [base+0x202e8]
    $code6 = { 4? 8b ?? f8 02 02 00 }              // mov  reg, [base+0x202f8]
    // Stack-frame accesses. Generic on their own (e.g. mov [rsp+0x38], r64 and
    // mov dword [rsp+0x48], 1); they only add weight because of "all of".
    $code5 = { (48 | 4c) 89 ?? 24 38 }
    $code7 = { c7 44 24 48 01 00 00 00 }
    // Brand marker: substring, case-insensitive, ASCII and UTF-16LE.
    $string1 = "vsociet" nocase wide ascii

  condition:
    uint16(0) == 0x5A4D
    and all of ($code*)
    and $string1
}
[TLP:WHITE] win_polyvice_w1   (20230102 | Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat actors)
rule win_polyvice_w1 {
  meta:
    author = "Antonio Cocomazzi @ SentinelOne"
    description = "Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat actors"
    date = "2022-11-28"
    reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
    hash1 = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
    hash2 = "6cfb5b4a68100678d95270e3d188572a30abd568"
    hash3 = "2b3fea431f342c7b8bcff4b89715002e44d662c7"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
    malpedia_rule_date = "20230102"
    malpedia_hash = ""
    malpedia_version = "20230102"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"

  // Generic PolyVice detection (64-bit PE), independent of branding: identical
  // to win_polyvice_w0 minus its "vsociet" string. Anything w0 matches, this
  // rule matches too; a w1-only hit points at a build carrying another brand.
  strings:
    // Accesses at fixed disp32 offsets into a large (> 0x20000-byte) structure;
    // the offsets are the family-specific part. The leading 4? / (48|49) byte is
    // a REX prefix, the wildcarded byte a ModRM, so the base register is open.
    $code1 = { 4? 8b ?? 28 00 02 00 }             // mov  reg, [base+0x20028]
    $code2 = { 4? c7 ?? 18 03 02 00 a3 00 00 00 }  // mov  [base+0x20318], 0xa3
    $code3 = { (48 | 49) 8d 8? 58 00 02 00 }       // lea  rcx, [base+0x20058]
    $code4 = { (48 | 49) 8d 9? e8 02 02 00 }       // lea  rbx, [base+0x202e8]
    $code6 = { 4? 8b ?? f8 02 02 00 }              // mov  reg, [base+0x202f8]
    // Stack-frame accesses. Generic on their own (e.g. mov [rsp+0x38], r64 and
    // mov dword [rsp+0x48], 1); they only add weight because of "all of".
    $code5 = { (48 | 4c) 89 ?? 24 38 }
    $code7 = { c7 44 24 48 01 00 00 00 }

  condition:
    uint16(0) == 0x5A4D
    and all of ($code*)
}