There is no description at this point.
rule win_polyvice_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.polyvice."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Every sequence carries REX prefixes (0x40-0x4C) and/or RIP-relative
     *   calls (ff15 ????????), so the bytes come from the 64-bit build of the
     *   family. The per-instruction comments below are 64-bit decodes of the
     *   listed bytes; the comments emitted upstream by yara-signator did not
     *   correspond to the bytes (e.g. 4889c1 = mov rcx, rax was annotated as
     *   "mov eax, dword ptr [eax + eax*4]") and were replaced.
     * - "n" is the number of instructions in a sequence and "score" is
     *   yara-signator's ranking of it; neither affects matching.
     * - NOTE(review): the condition requires `filesize < 369664` (361 KiB).
     *   filesize is only defined when scanning a file; on a process-memory
     *   scan it is undefined, so the rule cannot fire there even though the
     *   sequences were taken from unpacked/dumped code. Drop the size clause
     *   if you need in-memory matching, at the cost of a wider rule.
     * - Sequences 1, 2, 4, 7 and 9 are register-only rotate/xor/and/or
     *   mixing -- presumably a hash or cipher round, unverified here.
     */

    strings:
        // table load from [rdx + rbp*4] followed by 16-bit / 8-bit masking
        $sequence_0 = { 0fb62caa 2500ff0000 09e8 89dd c1ed10 400fb6ed }
            // n = 6, score = 200
            //   0fb62caa     | movzx ebp, byte ptr [rdx + rbp*4]
            //   2500ff0000   | and eax, 0xff00
            //   09e8         | or eax, ebp
            //   89dd         | mov ebp, ebx
            //   c1ed10       | shr ebp, 0x10
            //   400fb6ed     | movzx ebp, bpl          (REX 0x40 selects bpl, not ch)

        $sequence_1 = { 4431d2 21c2 4431f2 01d1 89c2 c1ca06 }
            // n = 6, score = 200
            //   4431d2       | xor edx, r10d
            //   21c2         | and edx, eax
            //   4431f2       | xor edx, r14d
            //   01d1         | add ecx, edx
            //   89c2         | mov edx, eax
            //   c1ca06       | ror edx, 6

        $sequence_2 = { 4589cc 4421cf 41c1cc06 31f7 8dac05015b8312 89442410 01fd }
            // n = 7, score = 200
            //   4589cc         | mov r12d, r9d
            //   4421cf         | and edi, r9d
            //   41c1cc06       | ror r12d, 6
            //   31f7           | xor edi, esi
            //   8dac05015b8312 | lea ebp, [rbp + rax + 0x12835b01]   (embedded constant)
            //   89442410       | mov dword ptr [rsp + 0x10], eax
            //   01fd           | add ebp, edi

        // byte loads from [r8 + 0xf] / [r8 + 2] shifted into position -- word assembly
        $sequence_3 = { 44336908 410fb6580f 33590c c1e010 31c7 410fb64002 c1e008 }
            // n = 7, score = 200
            //   44336908     | xor r13d, dword ptr [rcx + 8]
            //   410fb6580f   | movzx ebx, byte ptr [r8 + 0xf]
            //   33590c       | xor ebx, dword ptr [rcx + 0xc]
            //   c1e010       | shl eax, 0x10
            //   31c7         | xor edi, eax
            //   410fb64002   | movzx eax, byte ptr [r8 + 2]
            //   c1e008       | shl eax, 8

        $sequence_4 = { 4489e6 21ee 4521d1 4109f1 4489c6 4101c9 c1c60f }
            // n = 7, score = 200
            //   4489e6       | mov esi, r12d
            //   21ee         | and esi, ebp
            //   4521d1       | and r9d, r10d
            //   4109f1       | or r9d, esi
            //   4489c6       | mov esi, r8d
            //   4101c9       | add r9d, ecx
            //   c1c60f       | rol esi, 0xf

        // calls through a register and through a RIP-relative pointer (import-table
        // style), with rcx/rdx argument setup consistent with the Windows x64 ABI;
        // the ???????? wildcards are the relocation-dependent displacements
        $sequence_5 = { ffd6 ff15???????? ba00010000 4889c1 ffd6 ff15???????? ba0f000000 }
            // n = 7, score = 200
            //   ffd6         | call rsi
            //   ff15???????? | call qword ptr [rip + disp32]
            //   ba00010000   | mov edx, 0x100
            //   4889c1       | mov rcx, rax
            //   ffd6         | call rsi
            //   ff15???????? | call qword ptr [rip + disp32]
            //   ba0f000000   | mov edx, 0xf

        // 16-bit operand tests (shr r9w / test ax) -- presumably a UTF-16 string loop, unverified
        $sequence_6 = { 4189d2 83ea01 6641d1e9 6685c0 742f 4c8d4102 83e801 }
            // n = 7, score = 200
            //   4189d2       | mov r10d, edx
            //   83ea01       | sub edx, 1
            //   6641d1e9     | shr r9w, 1
            //   6685c0       | test ax, ax
            //   742f         | je +0x2f
            //   4c8d4102     | lea r8, [rcx + 2]
            //   83e801       | sub eax, 1

        $sequence_7 = { 4421da 4409f2 4401ea 4401e2 448b612c 410fcc 4589e5 }
            // n = 7, score = 200
            //   4421da       | and edx, r11d
            //   4409f2       | or edx, r14d
            //   4401ea       | add edx, r13d
            //   4401e2       | add edx, r12d
            //   448b612c     | mov r12d, dword ptr [rcx + 0x2c]
            //   410fcc       | bswap r12d              (big-endian word load)
            //   4589e5       | mov r13d, r12d

        // loop stepping rbx by 8 up to 0x20 (four qword slots), calling a local
        // function with rcx/rdx/r8 set; e8 ???????? is the call's rel32
        $sequence_8 = { 0fb7f2 488b4c1d00 89f2 4c8b041f 4883c308 e8???????? 4883fb20 }
            // n = 7, score = 200
            //   0fb7f2       | movzx esi, dx
            //   488b4c1d00   | mov rcx, qword ptr [rbp + rbx]
            //   89f2         | mov edx, esi
            //   4c8b041f     | mov r8, qword ptr [rdi + rbx]
            //   4883c308     | add rbx, 8
            //   e8????????   | call rel32
            //   4883fb20     | cmp rbx, 0x20

        $sequence_9 = { 44334c2408 894c240c 31eb 4131c0 4433442414 21fb c1cf02 }
            // n = 7, score = 200
            //   44334c2408   | xor r9d, dword ptr [rsp + 8]
            //   894c240c     | mov dword ptr [rsp + 0xc], ecx
            //   31eb         | xor ebx, ebp
            //   4131c0       | xor r8d, eax
            //   4433442414   | xor r8d, dword ptr [rsp + 0x14]
            //   21fb         | and ebx, edi
            //   c1cf02       | ror edi, 2

    condition:
        // 7 of the 10 sequences must be present; see the filesize caveat above
        7 of them and filesize < 369664
}
rule win_polyvice_w0 {
    meta:
        author = "Antonio Cocomazzi @ SentinelOne"
        description = "Detect a custom branded version of Vice Society ransomware"
        date = "2022-11-28"
        reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
        // 40-hex-digit (SHA-1-length) digest of the reference sample
        hash = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230102"
        malpedia_hash = ""
        malpedia_version = "20230102"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Reviewer notes
     * - This is the Vice Society-branded PolyVice build: the seven $code
     *   patterns (identical to those in win_polyvice_w1) plus the brand
     *   string $string1. Because the condition is `all of them`, a rebranded
     *   build with the same code does NOT match here; win_polyvice_w1 is the
     *   brand-agnostic variant.
     * - $code1-$code6 each end in a little-endian 32-bit constant in the
     *   0x20028-0x20318 range (0x00020028, 0x00020318, 0x00020058,
     *   0x000202E8, 0x000202F8). Given the wildcarded ModRM these are
     *   mov/lea displacements. NOTE(review): the offsets look like fields of
     *   one large frame or structure; a rebuild that changes its layout
     *   would break all six patterns at once, so re-validate against fresh
     *   samples before relying on this rule alone.
     * - 4? / (48|49) / (48|4C) are REX prefix alternatives: the REX.W and
     *   REX.R/REX.B bits vary with the chosen 64-bit register.
     */

    strings:
        // REX, mov r, r/m  ...  disp32 0x00020028
        $code1 = {4? 8B ?? 28 00 02 00 }
        // REX, mov r/m32, imm32  ...  disp32 0x00020318, immediate 0xA3 (163)
        $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}
        // REX.W(+B), lea; ModRM 0x80-0x8F = mod 10 (disp32), dest rax/rcx; disp32 0x00020058
        $code3 = {(48|49) 8D 8? 58 00 02 00}
        // REX.W(+B), lea; ModRM 0x90-0x9F = mod 10 (disp32), dest rdx/rbx; disp32 0x000202E8
        $code4 = {(48|49) 8D 9? E8 02 02 00}
        // REX.W(+R), mov r/m64, r64; the 24 38 tail is SIB(rsp base) + disp8, i.e. a
        // store to [rsp + 0x38] when the wildcarded ModRM selects mod 01 / rm 100
        $code5 = {(48|4C) 89 ?? 24 38}
        // REX, mov r, r/m  ...  disp32 0x000202F8
        $code6 = {4? 8B ?? F8 02 02 00}
        // fully determined: mov dword ptr [rsp + 0x48], 1
        $code7 = {C7 44 24 48 01 00 00 00}
        // brand string, ASCII and UTF-16LE, case-insensitive; presumably a stem of
        // the "vsociety" name used by the Vice Society build -- confirm against sample
        $string1 = "vsociet" nocase wide ascii

    condition:
        // 0x5A4D is the little-endian DOS "MZ" magic: the scanned object must be a
        // PE file starting at its first byte, so carved sections or memory dumps
        // without the DOS header will not match. `all of them` = all seven code
        // patterns AND the brand string.
        uint16(0) == 0x5A4D and all of them
}
rule win_polyvice_w1 {
    meta:
        author = "Antonio Cocomazzi @ SentinelOne"
        description = "Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat actors"
        date = "2022-11-28"
        reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
        // 40-hex-digit (SHA-1-length) digests of the three reference samples
        hash1 = "c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac"
        hash2 = "6cfb5b4a68100678d95270e3d188572a30abd568"
        hash3 = "2b3fea431f342c7b8bcff4b89715002e44d662c7"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
        malpedia_rule_date = "20230102"
        malpedia_hash = ""
        malpedia_version = "20230102"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Reviewer notes
     * - Brand-agnostic PolyVice rule: the same seven $code patterns as
     *   win_polyvice_w0 without the "vsociet" string, so it is meant to catch
     *   the shared codebase regardless of which actor branded it (the
     *   description and the three reference hashes reflect that).
     * - $code1-$code6 each end in a little-endian 32-bit constant in the
     *   0x20028-0x20318 range (0x00020028, 0x00020318, 0x00020058,
     *   0x000202E8, 0x000202F8). Given the wildcarded ModRM these are
     *   mov/lea displacements. NOTE(review): the offsets look like fields of
     *   one large frame or structure; a rebuild that changes its layout
     *   would break all six patterns at once, so re-validate against fresh
     *   samples before relying on this rule alone.
     * - 4? / (48|49) / (48|4C) are REX prefix alternatives: the REX.W and
     *   REX.R/REX.B bits vary with the chosen 64-bit register.
     */

    strings:
        // REX, mov r, r/m  ...  disp32 0x00020028
        $code1 = {4? 8B ?? 28 00 02 00 }
        // REX, mov r/m32, imm32  ...  disp32 0x00020318, immediate 0xA3 (163)
        $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}
        // REX.W(+B), lea; ModRM 0x80-0x8F = mod 10 (disp32), dest rax/rcx; disp32 0x00020058
        $code3 = {(48|49) 8D 8? 58 00 02 00}
        // REX.W(+B), lea; ModRM 0x90-0x9F = mod 10 (disp32), dest rdx/rbx; disp32 0x000202E8
        $code4 = {(48|49) 8D 9? E8 02 02 00}
        // REX.W(+R), mov r/m64, r64; the 24 38 tail is SIB(rsp base) + disp8, i.e. a
        // store to [rsp + 0x38] when the wildcarded ModRM selects mod 01 / rm 100
        $code5 = {(48|4C) 89 ?? 24 38}
        // REX, mov r, r/m  ...  disp32 0x000202F8
        $code6 = {4? 8B ?? F8 02 02 00}
        // fully determined: mov dword ptr [rsp + 0x48], 1
        $code7 = {C7 44 24 48 01 00 00 00}

    condition:
        // 0x5A4D is the little-endian DOS "MZ" magic: the scanned object must be a
        // PE file starting at its first byte, so carved sections or memory dumps
        // without the DOS header will not match. `all of them` = all seven code
        // patterns; no brand string is required.
        uint16(0) == 0x5A4D and all of them
}