win.regretlocker

RegretLocker


According to PCrisk, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".mouse" extension.

References
2020-11-17 · Chuongdong blog · Chuong Dong
RegretLocker
RegretLocker
2020-11-03 · BleepingComputer · Lawrence Abrams
New RegretLocker ransomware targets Windows virtual machines
RegretLocker
2020-10-28 · MalwareHunterTeam
Tweet about RegretLocker from MHT
RegretLocker
Yara Rules
[TLP:WHITE] win_regretlocker_auto (20230808 | Detects win.regretlocker.)
rule win_regretlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.regretlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): `date` (2023-12-06) postdates both malpedia_rule_date (20231130)
        // and malpedia_version (20230808, also the tag used in the page heading).
        // Presumably these are separate generation/dataset timestamps of yara-signator
        // rather than an error -- confirm against the tool's versioning before relying on them.

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section (reviewer notes):
     * - All ten $sequence_N strings are 32-bit x86 code fragments (ebp/esp/fs-relative
     *   operands in the listings below) of 6 or 7 instructions each. The `n` and
     *   `score` annotations are emitted by yara-signator; n is the instruction count,
     *   score is the tool's own per-sequence weighting (see its documentation).
     * - Every `????????` wildcard stands in for the 4-byte operand of a call
     *   (`e8` = call rel32, `ff15` = call dword ptr [abs32]), which is why the
     *   disassembly column is blank on those lines: the call target is not part of
     *   the signature, so differing link addresses or relocations do not break it.
     * - The rule matches code, not the ".mouse" extension or ransom-note text, so it
     *   is independent of those easily changed artifacts; sequences that resemble
     *   compiler boilerplate are noted inline.
     */

    strings:
        $sequence_0 = { 8945e0 3bd8 742a 83ec18 8bcc 53 }
            // n = 6, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   3bd8                 | cmp                 ebx, eax
            //   742a                 | je                  0x2c
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   53                   | push                ebx

        $sequence_1 = { 8d8568ffffff 50 e8???????? 83ec10 c645fc04 8bcc 6a06 }
            // n = 7, score = 100
            //   8d8568ffffff         | lea                 eax, [ebp - 0x98]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8bcc                 | mov                 ecx, esp
            //   6a06                 | push                6

        $sequence_2 = { e8???????? 6aff 8bcb e8???????? 8d8df4feffff e8???????? 8d8d78ffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6aff                 | push                -1
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8d8df4feffff         | lea                 ecx, [ebp - 0x10c]
            //   e8????????           |                     
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]

        $sequence_3 = { 8d4510 50 8d8578fdffff 50 8d45ec 50 e8???????? }
            // n = 7, score = 100
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax
            //   8d8578fdffff         | lea                 eax, [ebp - 0x288]
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   e8????????           |                     

        // sub / idiv by 0x18 / imul by 0x18: reads like index arithmetic over
        // 24-byte records -- inferred from the constants only, not confirmed.
        $sequence_4 = { 2b45fc 6a18 59 99 f7f9 ff750c 6bc018 }
            // n = 7, score = 100
            //   2b45fc               | sub                 eax, dword ptr [ebp - 4]
            //   6a18                 | push                0x18
            //   59                   | pop                 ecx
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6bc018               | imul                eax, eax, 0x18

        // Compare-and-epilogue shape (setne al, restore edi/esi); generic-looking on its
        // own, so its discriminating power comes from the `7 of them` threshold below.
        $sequence_5 = { 3bf0 59 59 0f95c0 5f 5e }
            // n = 6, score = 100
            //   3bf0                 | cmp                 esi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   0f95c0               | setne               al
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Spans a function boundary: `bnd ret` (f2 prefix on ret, likely a compiler/build
        // artifact) ends one routine and the standard `push ebp; mov ebp, esp` prologue
        // starts the next. Also generic in isolation; see note on $sequence_5.
        $sequence_6 = { 50 f2c3 55 8bec 8b4508 56 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   f2c3                 | bnd ret             
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi

        $sequence_7 = { 83ec18 8bcc 57 e8???????? e8???????? 83c418 8d4dbc }
            // n = 7, score = 100
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   57                   | push                edi
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]

        $sequence_8 = { 50 57 ff15???????? 85c0 0f8529ffffff 57 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8529ffffff         | jne                 0xffffff2f
            //   57                   | push                edi
            //   ff15????????         |                     

        // Frame teardown: `mov dword ptr fs:[0], ecx` restores the head of the SEH
        // handler chain (fs:[0] on 32-bit Windows), then `ret 0x18` pops 24 bytes of
        // arguments (callee-cleanup calling convention).
        $sequence_9 = { 64890d00000000 5b c9 c21800 8b411c 8b10 85d2 }
            // n = 7, score = 100
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c21800               | ret                 0x18
            //   8b411c               | mov                 eax, dword ptr [ecx + 0x1c]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   85d2                 | test                edx, edx

    condition:
        // Any 7 of the 10 code fragments, in scanned objects smaller than 1021952
        // bytes (~998 KiB). There is no PE-header guard (e.g. uint16(0) == 0x5A4D);
        // given the disclaimer above (strings taken from memory dumps and unpacked
        // files, not only PE files) that is likely deliberate, so the rule also fires
        // on dumps. YARA documents `filesize` as a file-scan value only; presumably
        // the condition does not match when scanning a live process -- confirm with
        // your scanner before using this rule for memory scans.
        7 of them and filesize < 1021952
}