win.rtm_locker

RTM Locker

aka: Read The Manual Locker

There is no description at this point.

References
2023-05-01 — Quorum Cyber — Quorum Cyber
RTM Locker ransomware targets VMware ESXi servers
RTM Locker
2023-04-26 — Uptycs — Uptycs Threat Research
RTM Locker Ransomware as a Service (RaaS) Now Suits Up for Linux Architecture
RTM Locker
2023-04-13 — Trellix — Max Kersten
Read The Manual Locker: A Private RaaS Provider
RTM Locker
Yara Rules
[TLP:WHITE] win_rtm_locker_auto (20260504 | Detects win.rtm_locker.)
rule win_rtm_locker_auto {

    // Auto-generated code-sequence signature for the RTM Locker ransomware
    // family (Malpedia id win.rtm_locker). Each $sequence_N is a run of
    // x86 opcode bytes (32-bit register usage throughout) lifted from the
    // disassembly of memory dumps / unpacked files by YARA-Signator; the
    // instruction listing under each string is documentation only.
    // "??" bytes are wildcards: here they stand in for the operands of
    // ff15 / e8 call instructions whose targets vary between builds.
    // See the DISCLAIMER below on how far the rule generalizes.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rtm_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f289d60ffffff 8d5640 8d458c 33ff 3bf0 7711 8d8550ffffff }
            // n = 7, score = 100
            //   0f289d60ffffff       | movaps              xmm3, xmmword ptr [ebp - 0xa0]
            //   8d5640               | lea                 edx, [esi + 0x40]
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   33ff                 | xor                 edi, edi
            //   3bf0                 | cmp                 esi, eax
            //   7711                 | ja                  0x13
            //   8d8550ffffff         | lea                 eax, [ebp - 0xb0]

        $sequence_1 = { 885c012e 8b0495500f4200 804c012d04 46 ebb3 ff15???????? 8945a8 }
            // n = 7, score = 100
            //   885c012e             | mov                 byte ptr [ecx + eax + 0x2e], bl
            //   8b0495500f4200       | mov                 eax, dword ptr [edx*4 + 0x420f50]
            //   804c012d04           | or                  byte ptr [ecx + eax + 0x2d], 4
            //   46                   | inc                 esi
            //   ebb3                 | jmp                 0xffffffb5
            //   ff15????????         | call dword ptr [mem] (target wildcarded)
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax

        $sequence_2 = { 8d0c9500000000 23d1 8955d8 8b55e4 81f2ffffff03 f7d2 8bca }
            // n = 7, score = 100
            //   8d0c9500000000       | lea                 ecx, [edx*4]
            //   23d1                 | and                 edx, ecx
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   81f2ffffff03         | xor                 edx, 0x3ffffff
            //   f7d2                 | not                 edx
            //   8bca                 | mov                 ecx, edx

        $sequence_3 = { 0f104598 0f118580fcffff 0f1045a8 0f118590fcffff e8???????? 8d8d68ffffff }
            // n = 6, score = 100
            //   0f104598             | movups              xmm0, xmmword ptr [ebp - 0x68]
            //   0f118580fcffff       | movups              xmmword ptr [ebp - 0x380], xmm0
            //   0f1045a8             | movups              xmm0, xmmword ptr [ebp - 0x58]
            //   0f118590fcffff       | movups              xmmword ptr [ebp - 0x370], xmm0
            //   e8????????           | call rel32 (target wildcarded)
            //   8d8d68ffffff         | lea                 ecx, [ebp - 0x98]

        $sequence_4 = { 6a03 8d44241c 50 6a00 6a14 ff15???????? 5f }
            // n = 7, score = 100
            //   6a03                 | push                3
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a14                 | push                0x14
            //   ff15????????         | call dword ptr [mem] (target wildcarded)
            //   5f                   | pop                 edi

        $sequence_5 = { f7d7 23d9 81f6ffffff03 8bcb f7d6 c1e108 81f2ffffff01 }
            // n = 7, score = 100
            //   f7d7                 | not                 edi
            //   23d9                 | and                 ebx, ecx
            //   81f6ffffff03         | xor                 esi, 0x3ffffff
            //   8bcb                 | mov                 ecx, ebx
            //   f7d6                 | not                 esi
            //   c1e108               | shl                 ecx, 8
            //   81f2ffffff01         | xor                 edx, 0x1ffffff

        $sequence_6 = { 8d8540fdffff 50 0f1185f0fcffff 8d95f0fcffff }
            // n = 4, score = 100
            //   8d8540fdffff         | lea                 eax, [ebp - 0x2c0]
            //   50                   | push                eax
            //   0f1185f0fcffff       | movups              xmmword ptr [ebp - 0x310], xmm0
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]

        $sequence_7 = { 8d9518ffffff 0f104588 8d8d68ffffff 0f118538ffffff 0f104598 0f118548ffffff }
            // n = 6, score = 100
            //   8d9518ffffff         | lea                 edx, [ebp - 0xe8]
            //   0f104588             | movups              xmm0, xmmword ptr [ebp - 0x78]
            //   8d8d68ffffff         | lea                 ecx, [ebp - 0x98]
            //   0f118538ffffff       | movups              xmmword ptr [ebp - 0xc8], xmm0
            //   0f104598             | movups              xmm0, xmmword ptr [ebp - 0x68]
            //   0f118548ffffff       | movups              xmmword ptr [ebp - 0xb8], xmm0

        $sequence_8 = { 56 50 8b45e4 0345fc 50 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_9 = { 8be5 5d c3 b801000000 8b4df0 64890d00000000 5f }
            // n = 7, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   b801000000           | mov                 eax, 1
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5f                   | pop                 edi

    // A hit needs at least 7 of the 10 sequences AND a scanned object smaller
    // than 598016 bytes. The size bound follows the sampled (unpacked) files,
    // so a larger packed or otherwise padded input will not match even if all
    // ten sequences are present; the threshold of 7 allows up to three
    // sequences to be missing without losing the detection.
    condition:
        7 of them and filesize < 598016
}