Actor(s): RansomHub
Ransomware written in Golang and obfuscated with Gobfuscate, with significant code overlap with Knight ransomware.
rule win_ransomhub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.ransomhub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomhub"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| <mnemonic>" annotations beside each opcode below are
     * carried over verbatim from the generator output and appear to be misaligned
     * with the byte patterns they sit next to (e.g. the 0x48 REX.W prefix of the
     * 64-bit instructions is repeatedly rendered as a standalone "dec eax"). The
     * hex patterns are the authoritative content; treat the annotations as
     * informational only and do not use them to reason about the sample.
     *
     * The "??" wildcards stand in for bytes the generator left unfixed -- the
     * rel32 operands of the e8 (call) instructions and the RIP-relative
     * displacement in 488905???????? -- so relocation- and layout-dependent
     * values do not break the match across builds.
     *
     * Per-sequence "n" and "score" are yara-signator metrics (instruction count
     * and, presumably, selection score); they do not affect matching.
     *
     * Because the sequences were taken from memory dumps and unpacked files (see
     * DISCLAIMER), packed on-disk samples may not hit; scanning process memory or
     * unpacked artefacts is the intended use.
     */

    strings:
        $sequence_0 = { e8???????? 488d7810 e8???????? e8???????? 4889c1 4889df 488d05d9992200 }
            // n = 7, score = 100
            //   e8????????           |
            //   488d7810             | add                 esp, 0x30
            //   e8????????           |
            //   e8????????           |
            //   4889c1               | ret
            //   4889df               | dec                 eax
            //   488d05d9992200       | mov                 ebp, dword ptr [esp + 0x28]

        $sequence_1 = { 88442446 4c89d0 bf01000000 488d35d42c2a00 e8???????? 488b7c2458 48894f10 }
            // n = 7, score = 100
            //   88442446             | dec                 eax
            //   4c89d0               | mov                 edx, 0x9010403
            //   bf01000000           | push                es
            //   488d35d42c2a00       | push                es
            //   e8????????           |
            //   488b7c2458           | or                  al, 0xb
            //   48894f10             | dec                 eax

        $sequence_2 = { 48bad56e6ff840cf319f 4889542450 48ba85ddfddbb9232823 4889542458 440f117c242c 440f117c242e 0fb6542442 }
            // n = 7, score = 100
            //   48bad56e6ff840cf319f | inc                 esp
            //   4889542450           | mov                 byte ptr [esp + 0x2a], bh
            //   48ba85ddfddbb9232823 | inc                 esp
            //   4889542458           | movzx               edi, byte ptr [esp + 0x6e]
            //   440f117c242c         | inc                 esp
            //   440f117c242e         | mov                 byte ptr [esp + 0x29], bh
            //   0fb6542442           | inc                 esp

        $sequence_3 = { b801000000 eb0f 89d0 4c8b5c2448 488b942498000000 84c0 0f84d1010000 }
            // n = 7, score = 100
            //   b801000000           | dec                 eax
            //   eb0f                 | mov                 edi, eax
            //   89d0                 | dec                 eax
            //   4c8b5c2448           | mov                 ecx, dword ptr [esp + 0x1428]
            //   488b942498000000     | dec                 eax
            //   84c0                 | lea                 edi, [0x33929b]
            //   0f84d1010000         | dec                 eax

        $sequence_4 = { 4c8d25aaa35600 4f8b2cd4 48d3e2 4c21ca 4f8d0452 4e8b4cc010 4e8b04c0 }
            // n = 7, score = 100
            //   4c8d25aaa35600       | add                 dword ptr [eax], eax
            //   4f8b2cd4             | add                 bl, al
            //   48d3e2               | dec                 eax
            //   4c21ca               | inc                 edx
            //   4f8d0452             | dec                 eax
            //   4e8b4cc010           | mov                 dword ptr [esp + 0x50], edx
            //   4e8b04c0             | dec                 esp

        $sequence_5 = { 752f 4889d8 4889cb 488d0d722c3800 e8???????? 84c0 7566 }
            // n = 7, score = 100
            //   752f                 | ret
            //   4889d8               | dec                 eax
            //   4889cb               | lea                 ecx, [edx + 1]
            //   488d0d722c3800       | dec                 eax
            //   e8????????           |
            //   84c0                 | mov                 eax, esi
            //   7566                 | dec                 eax

        $sequence_6 = { 807e3100 0f8585010000 90 beffffffff 4c8d054f835d00 f0410fc130 488b7128 }
            // n = 7, score = 100
            //   807e3100             | lea                 edi, [eax + 0x18]
            //   0f8585010000         | dec                 eax
            //   90                   | mov                 ecx, dword ptr [esp + 0x1118]
            //   beffffffff           | dec                 eax
            //   4c8d054f835d00       | mov                 ecx, dword ptr [esp + 0x98]
            //   f0410fc130           | dec                 eax
            //   488b7128             | mov                 dword ptr [eax + 0x10], ecx

        $sequence_7 = { e8???????? 0f1f00 4885c0 7444 90 48ba046957830785f12d 4889542471 }
            // n = 7, score = 100
            //   e8????????           |
            //   0f1f00               | jne                 0x65f
            //   4885c0               | dec                 eax
            //   7444                 | mov                 ecx, dword ptr [esp + 0x2178]
            //   90                   | dec                 eax
            //   48ba046957830785f12d | mov                 dword ptr [esp + 0x2278], ecx
            //   4889542471           | dec                 eax

        $sequence_8 = { b805000000 488d0d09151a00 4889c3 4889c8 488b6c2430 4883c438 c3 }
            // n = 7, score = 100
            //   b805000000           | mov                 edi, eax
            //   488d0d09151a00       | dec                 eax
            //   4889c3               | mov                 ecx, dword ptr [esp + 0x1880]
            //   4889c8               | dec                 eax
            //   488b6c2430           | lea                 edi, [0x33e9c3]
            //   4883c438             | nop                 dword ptr [eax]
            //   c3                   | dec                 eax

        $sequence_9 = { 90 7512 488b4c2458 48894808 488905???????? eb1d 488d7808 }
            // n = 7, score = 100
            //   90                   | dec                 eax
            //   7512                 | mov                 ebx, dword ptr [esp + 0x5e0]
            //   488b4c2458           | dec                 eax
            //   48894808             | mov                 dword ptr [eax + 8], 3
            //   488905????????       |
            //   eb1d                 | dec                 eax
            //   488d7808             | mov                 dword ptr [eax + 0x18], 3

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 12821504 bytes (~12.2 MiB). Both values are
        // part of the autogenerated rule's precision tuning; lowering the
        // threshold or raising the size bound trades precision for recall and
        // should be validated against a clean corpus before deployment.
        7 of them and filesize < 12821504
}