win.royal_ransom

Royal Ransom


Ransomware

References
2022-11-27 — SecurityScorecard — Vlad Pasca
@online{pasca:20221127:technical:c2326cf, author = {Vlad Pasca}, title = {{A Technical Analysis of Royal Ransomware}}, date = {2022-11-27}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/research/the-royal-ransomware}, language = {English}, urldate = {2022-11-28} } A Technical Analysis of Royal Ransomware
Royal Ransom
2022-11-17 — Yoroi — Luigi Martire, Carmelo Ragusa
@online{martire:20221117:reconstructing:5b546b1, author = {Luigi Martire and Carmelo Ragusa}, title = {{Reconstructing the last activities of Royal Ransomware}}, date = {2022-11-17}, organization = {Yoroi}, url = {https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/}, language = {English}, urldate = {2022-11-18} } Reconstructing the last activities of Royal Ransomware
Royal Ransom
2022-10-13 — Fortinet — Shunichi Imano, James Slaughter
@online{imano:20221013:ransomware:d68098e, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Royal Ransomware}}, date = {2022-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware}, language = {English}, urldate = {2022-10-25} } Ransomware Roundup: Royal Ransomware
Royal Ransom
2022-09-29 — BleepingComputer — Lawrence Abrams
@online{abrams:20220929:new:6e43d69, author = {Lawrence Abrams}, title = {{New Royal Ransomware emerges in multi-million dollar attacks}}, date = {2022-09-29}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/}, language = {English}, urldate = {2022-11-03} } New Royal Ransomware emerges in multi-million dollar attacks
Royal Ransom
Yara Rules
[TLP:WHITE] win_royal_ransom_auto (20221125 | Detects win.royal_ransom.)
rule win_royal_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.royal_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below is x86-64 code (REX prefixes 0x41..0x4d occur
     *   throughout). The per-byte annotations that shipped with the generated
     *   rule were 32-bit decodes that did not correspond to the bytes (e.g.
     *   "eb25" is a short jmp, not "dec eax"); they have been replaced with
     *   the instructions the hex actually encodes, so analysts triaging a hit
     *   can relate it to the disassembly. The hex patterns themselves are
     *   unchanged.
     * - "????" is the YARA byte wildcard. It is used here for the rel32 of
     *   call/jmp and the disp32 of "call qword ptr [rip+X]", so the pattern
     *   survives relinking and relocation between builds.
     * - Relative branch targets are shown as the signed displacement encoded
     *   in the instruction; absolute addresses are not recoverable here.
     * - Condition: 7 of the 10 sequences must match AND filesize must be
     *   below 6235136 bytes (~5.95 MiB). The size cap presumably reflects the
     *   reference sample and is a tuning aid, not a property of the family;
     *   note that YARA's filesize is only defined for file scans, so on
     *   process-memory scans the condition is not meaningful as written.
     * - Because the rule is derived from a single documented sample, validate
     *   it against your own corpus (true- and false-positive sets) before
     *   assigning it blocking-level confidence.
     */


    strings:
        $sequence_0 = { eb25 488b442450 c70010000000 48891f eb10 33c0 488907 }
            // n = 7, score = 100
            //   eb25                 | jmp                 short +0x25
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   c70010000000         | mov                 dword ptr [rax], 0x10
            //   48891f               | mov                 qword ptr [rdi], rbx
            //   eb10                 | jmp                 short +0x10
            //   33c0                 | xor                 eax, eax
            //   488907               | mov                 qword ptr [rdi], rax

        $sequence_1 = { e8???????? 4d8bc6 8bd5 8bcb e8???????? 498bcc e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (wildcarded)
            //   4d8bc6               | mov                 r8, r14
            //   8bd5                 | mov                 edx, ebp
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           | call                rel32 (wildcarded)
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_2 = { ff15???????? 4881bf4008000050c30000 722e 0f1f4000 488bcf ff15???????? b988130000 }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded; import thunk style)
            //   4881bf4008000050c30000     | cmp    qword ptr [rdi + 0x840], 0xc350 (50000)
            //   722e                 | jb                  short +0x2e
            //   0f1f4000             | nop                 dword ptr [rax] (alignment padding)
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   b988130000           | mov                 ecx, 0x1388 (5000)

        $sequence_3 = { e8???????? 85c0 7445 488b9c2420010000 4b8d0437 488b4c2440 488d542450 }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax
            //   7445                 | je                  short +0x45
            //   488b9c2420010000     | mov                 rbx, qword ptr [rsp + 0x120]
            //   4b8d0437             | lea                 rax, [r15 + r14]
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   488d542450           | lea                 rdx, [rsp + 0x50]

        $sequence_4 = { e8???????? 4c8d05e7a70d00 ba1b000000 488d0dc3a70d00 e8???????? 4533c0 ba00010c00 }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (wildcarded)
            //   4c8d05e7a70d00       | lea                 r8, [rip + 0xda7e7]
            //   ba1b000000           | mov                 edx, 0x1b
            //   488d0dc3a70d00       | lea                 rcx, [rip + 0xda7c3]
            //   e8????????           | call                rel32 (wildcarded)
            //   4533c0               | xor                 r8d, r8d
            //   ba00010c00           | mov                 edx, 0xc0100

        $sequence_5 = { e9???????? 48837b4800 8b8c2488000000 448b842498000000 448b4c2420 448b542424 448b5c2428 }
            // n = 7, score = 100
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   48837b4800           | cmp                 qword ptr [rbx + 0x48], 0
            //   8b8c2488000000       | mov                 ecx, dword ptr [rsp + 0x88]
            //   448b842498000000     | mov                 r8d, dword ptr [rsp + 0x98]
            //   448b4c2420           | mov                 r9d, dword ptr [rsp + 0x20]
            //   448b542424           | mov                 r10d, dword ptr [rsp + 0x24]
            //   448b5c2428           | mov                 r11d, dword ptr [rsp + 0x28]

        $sequence_6 = { ba00010c00 418d4809 e8???????? 498bcc e8???????? 498bcf e8???????? }
            // n = 7, score = 100
            //   ba00010c00           | mov                 edx, 0xc0100
            //   418d4809             | lea                 ecx, [r8 + 9]
            //   e8????????           | call                rel32 (wildcarded)
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                rel32 (wildcarded)
            //   498bcf               | mov                 rcx, r15
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_7 = { e8???????? 85c0 0f8487000000 488b4b18 4533c0 483b7b20 0f8295000000 }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax
            //   0f8487000000         | je                  near +0x87
            //   488b4b18             | mov                 rcx, qword ptr [rbx + 0x18]
            //   4533c0               | xor                 r8d, r8d
            //   483b7b20             | cmp                 rdi, qword ptr [rbx + 0x20]
            //   0f8295000000         | jb                  near +0x95

        $sequence_8 = { eb05 488b4c2468 4c8b5f10 4d85db 750a 48392b 743d }
            // n = 7, score = 100
            //   eb05                 | jmp                 short +0x5
            //   488b4c2468           | mov                 rcx, qword ptr [rsp + 0x68]
            //   4c8b5f10             | mov                 r11, qword ptr [rdi + 0x10]
            //   4d85db               | test                r11, r11
            //   750a                 | jne                 short +0xa
            //   48392b               | cmp                 qword ptr [rbx], rbp
            //   743d                 | je                  short +0x3d

        $sequence_9 = { b830000000 e8???????? 482be0 418bf0 4c8bf2 488bf9 4885d2 }
            // n = 7, score = 100
            //   b830000000           | mov                 eax, 0x30
            //   e8????????           | call                rel32 (wildcarded; eax=size then sub rsp,rax looks like a stack-probe helper -- unconfirmed)
            //   482be0               | sub                 rsp, rax
            //   418bf0               | mov                 esi, r8d
            //   4c8bf2               | mov                 r14, rdx
            //   488bf9               | mov                 rdi, rcx
            //   4885d2               | test                rdx, rdx

    condition:
        // 7 of the 10 byte sequences, gated by file size (see REVIEW NOTES).
        7 of them and filesize < 6235136
}