win.regretlocker

RegretLocker


According to PCrisk, RegretLocker is malicious software classified as ransomware. It encrypts the data on an infected system and presents the user with a ransom demand for decryption. During encryption, every affected file has the ".mouse" extension appended to its name.

References
2020-11-17Chuongdong blogChuong Dong
RegretLocker
RegretLocker
2020-11-03BleepingComputerLawrence Abrams
New RegretLocker ransomware targets Windows virtual machines
RegretLocker
2020-10-28MalwareHunterTeam
Tweet about RegretLocker from MHT
RegretLocker
Yara Rules
[TLP:WHITE] win_regretlocker_auto (20260504 | Detects win.regretlocker.)
rule win_regretlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.regretlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (how to read and deploy this rule)
     * - Each $sequence_N is a run of raw x86 (32-bit) instruction bytes taken
     *   from the unpacked sample; the "// n = 7, score = 100" line gives the
     *   number of instructions in the run and the generator's score, and the
     *   lines below it are the disassembly of each byte group.
     * - "????????" masks a 4-byte immediate or rel32 operand (call targets,
     *   jmp targets, pushed addresses), so the sequences survive relinking of
     *   those operands. Other operand bytes are matched literally.
     * - Because the strings are code bytes, the rule is meant for the
     *   unpacked binary or a memory dump of it; a packed/encrypted on-disk
     *   sample is not expected to match. There is deliberately no PE header
     *   (MZ) check so that headerless memory dumps still match.
     * - The condition requires 7 of the 10 sequences plus a size bound
     *   (1021952 bytes, just under 1 MiB). NOTE(review): when scanning
     *   process memory rather than a file, confirm how your scanner
     *   populates `filesize`, since the size bound may behave differently
     *   there.
     */


    strings:
        // NOTE(review): this sequence (and $sequence_3) hard-codes the
        // absolute address 0x46d758 (bytes 58 d7 46 00). That only matches
        // an image loaded at the sample's preferred base; a relocated
        // in-memory copy would differ in those four bytes. The shift-by-6 /
        // and-0x3f / index*0x30 / +0x28 shape looks like a C-runtime
        // file-handle table lookup rather than family-specific logic, so it
        // may also appear in unrelated MSVC-built binaries -- confirm before
        // weighting this sequence highly on its own.
        $sequence_0 = { 8bd6 83e03f c1fa06 6bc830 8b049558d74600 f644082801 7414 }
            // n = 7, score = 100
            //   8bd6                 | mov                 edx, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b049558d74600       | mov                 eax, dword ptr [edx*4 + 0x46d758]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7414                 | je                  0x16

        $sequence_1 = { 84c0 753b 837e1410 7202 8b36 56 68???????? }
            // n = 7, score = 100
            //   84c0                 | test                al, al
            //   753b                 | jne                 0x3d
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   56                   | push                esi
            //   68????????           |                     

        $sequence_2 = { e8???????? 8d4da0 e8???????? 8d8de8feffff c645fc08 e8???????? 8b4db8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   e8????????           |                     
            //   8d8de8feffff         | lea                 ecx, [ebp - 0x118]
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   e8????????           |                     
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]

        // NOTE(review): same absolute-address / handle-table caveat as
        // $sequence_0 (literal 0x46d758 in the mov operand).
        $sequence_3 = { 83e63f c1f806 6bce30 8945f4 8b048558d74600 894df0 8a440129 }
            // n = 7, score = 100
            //   83e63f               | and                 esi, 0x3f
            //   c1f806               | sar                 eax, 6
            //   6bce30               | imul                ecx, esi, 0x30
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b048558d74600       | mov                 eax, dword ptr [eax*4 + 0x46d758]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8a440129             | mov                 al, byte ptr [ecx + eax + 0x29]

        $sequence_4 = { 57 e8???????? 837e1408 8bce 7202 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   8bce                 | mov                 ecx, esi
            //   7202                 | jb                  4

        $sequence_5 = { 8d4f20 e8???????? 8d4dd4 e8???????? 8b4df4 5f }
            // n = 6, score = 100
            //   8d4f20               | lea                 ecx, [edi + 0x20]
            //   e8????????           |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   5f                   | pop                 edi

        $sequence_6 = { 75ca eb07 33ff eb03 83ceff 893b 807df400 }
            // n = 7, score = 100
            //   75ca                 | jne                 0xffffffcc
            //   eb07                 | jmp                 9
            //   33ff                 | xor                 edi, edi
            //   eb03                 | jmp                 5
            //   83ceff               | or                  esi, 0xffffffff
            //   893b                 | mov                 dword ptr [ebx], edi
            //   807df400             | cmp                 byte ptr [ebp - 0xc], 0

        $sequence_7 = { 51 8d1c42 e8???????? 53 ff7508 8945f0 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8d1c42               | lea                 ebx, [edx + eax*2]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_8 = { e8???????? 83a55cffffff00 8d96b0010000 8bca c78560ffffff0f000000 c6854cffffff00 8d4101 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83a55cffffff00       | and                 dword ptr [ebp - 0xa4], 0
            //   8d96b0010000         | lea                 edx, [esi + 0x1b0]
            //   8bca                 | mov                 ecx, edx
            //   c78560ffffff0f000000     | mov    dword ptr [ebp - 0xa0], 0xf
            //   c6854cffffff00       | mov                 byte ptr [ebp - 0xb4], 0
            //   8d4101               | lea                 eax, [ecx + 1]

        $sequence_9 = { 8d4de0 e8???????? 8d4d0c e8???????? e9???????? 837d2008 }
            // n = 6, score = 100
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]
            //   e8????????           |                     
            //   e9????????           |                     
            //   837d2008             | cmp                 dword ptr [ebp + 0x20], 8

    condition:
        // At least 7 of the 10 code sequences must be present, and the
        // scanned object must be smaller than 1021952 bytes.
        7 of them and filesize < 1021952
}