There is no description at this point.
rule win_polyvice_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.polyvice."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     *   https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Ten opcode sequences lifted from one unpacked sample. `????????` masks
        // the rel32 operand of a call (e8), which differs between builds.
        // The per-byte mnemonic annotations of the generated original were
        // dropped: they did not line up with the bytes next to them (e.g. the
        // single byte 56 was annotated "movzx edi, bh"), so the hex is the only
        // authoritative part. "n" is the instruction count of each sequence.
        $sequence_0 = { 488b4c2428 e8???????? 85c0 0f85dd010000 488b4c2428 488d9c24a0020000 488d742450 }   // n = 7, score = 100
        $sequence_1 = { 0fb7ce 488b75c0 410fb7c1 4a890cc6 4a8904c7 8b75cc 89f0 }                           // n = 7, score = 100
        $sequence_2 = { 335c241c 4131da 4431d7 4589e2 d1c7 4531fa 458dac3dd6c162ca }                       // n = 7, score = 100
        $sequence_3 = { 31ef 337c242c 4489fd 4431e2 4189f4 }                                               // n = 5, score = 100
        $sequence_4 = { 0fb6f8 29f9 d3ee 6685ed 7457 8d55ff }                                              // n = 6, score = 100
        $sequence_5 = { c1eb10 0fb6db 4433249a 0fb6dc c1ee18 4489d0 4533249e }                             // n = 7, score = 100
        $sequence_6 = { 4c8d827c170000 4989d9 e8???????? 4889d9 89c6 e8???????? }                          // n = 6, score = 100
        $sequence_7 = { 4409d8 478d9c21dcbc1b8f 448b642428 4189c9 4401d8 4189eb }                          // n = 6, score = 100
        $sequence_8 = { 4589f7 e8???????? 84c0 0f8583000000 448b442448 48897c2430 4189d9 }                 // n = 7, score = 100
        $sequence_9 = { 56 53 4881ec48040000 31d2 41b808020000 488d6c2420 }                                // n = 6, score = 100

    condition:
        // At least seven of the ten sequences must be present. The size cap
        // (361KB == 369664 bytes) anchors the rule to the documented sample
        // size; a larger build of the same code would fall outside it, so treat
        // misses on big files as "not covered" rather than "clean".
        7 of ($sequence_*) and filesize < 361KB
}
rule win_polyvice_w0 {
    meta:
        author = "Antonio Cocomazzi @ SentinelOne"
        description = "Detect a custom branded version of Vice Society ransomware"
        date = "2022-11-28"
        reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
        hash = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230102"
        malpedia_hash = ""
        malpedia_version = "20230102"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Seven code fragments, identical to those in win_polyvice_w1 below.
        // The `4?` nibble wildcards and the (48|49) / (48|4C) alternatives keep
        // the leading prefix byte partly open, which appears intended to let
        // register variants of the same instruction match as well.
        $code1 = {4? 8B ?? 28 00 02 00}
        $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}
        $code3 = {(48|49) 8D 8? 58 00 02 00}
        $code4 = {(48|49) 8D 9? E8 02 02 00}
        $code5 = {(48|4C) 89 ?? 24 38}   // only 5 bytes; noisy alone, acceptable under "all of"
        $code6 = {4? 8B ?? F8 02 02 00}
        $code7 = {C7 44 24 48 01 00 00 00}
        // Branding marker; matched case-insensitively in both ASCII and UTF-16.
        // This is the only thing that separates w0 from w1, so every w0 hit
        // is also a w1 hit.
        $string1 = "vsociet" nocase wide ascii

    condition:
        // 0x5A4D is "MZ" read little-endian: require a DOS/PE header first.
        uint16(0) == 0x5A4D and all of ($code*) and $string1
}
rule win_polyvice_w1 {
    meta:
        author = "Antonio Cocomazzi @ SentinelOne"
        description = "Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat actors"
        date = "2022-11-28"
        reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
        hash1 = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
        hash2 = "6cfb5b4a68100678d95270e3d188572a30abd568"
        hash3 = "2b3fea431f342c7b8bcff4b89715002e44d662c7"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230102"
        malpedia_hash = ""
        malpedia_version = "20230102"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Same seven code fragments as win_polyvice_w0, without its "vsociet"
        // branding string, so this rule covers the generic PolyVice code base
        // and is a superset of w0. The `4?` / (48|49) / (48|4C) forms leave the
        // prefix byte partly open, presumably so register variants still match.
        $code1 = {4? 8B ?? 28 00 02 00}
        $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}
        $code3 = {(48|49) 8D 8? 58 00 02 00}
        $code4 = {(48|49) 8D 9? E8 02 02 00}
        $code5 = {(48|4C) 89 ?? 24 38}   // 5 bytes; only meaningful in combination with the rest
        $code6 = {4? 8B ?? F8 02 02 00}
        $code7 = {C7 44 24 48 01 00 00 00}

    condition:
        // "MZ" header (0x5A4D little-endian) plus every code fragment.
        uint16(0) == 0x5A4D and all of ($code*)
}