SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tellyouthepass (Back to overview)

TellYouThePass

According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.

The program renames all encrypted files by adding the ".locked" extension and creates a ransom message in a text file called "README.html". For example, "1.jpg" is renamed by Tellyouthepass to "1.jpg.locked".

According to cyber criminals, this ransomware encrypts data using RSA-1024 and AES-256 cryptography algorithms.

References
2022-01-11CrowdStrikeAnmol Maurya
@online{maurya:20220111:tellyouthepass:b31fcb8, author = {Anmol Maurya}, title = {{TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang}}, date = {2022-01-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/}, language = {English}, urldate = {2022-01-18} } TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
TellYouThePass
2021-12-23SymantecSiddhesh Chandrayan
@online{chandrayan:20211223:log4j:58ea562, author = {Siddhesh Chandrayan}, title = {{Log4j Vulnerabilities: Attack Insights}}, date = {2021-12-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks}, language = {English}, urldate = {2022-01-25} } Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
Yara Rules
[TLP:WHITE] win_tellyouthepass_auto (20230715 | Detects win.tellyouthepass.)
rule win_tellyouthepass_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.tellyouthepass."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? b900001000 e8???????? b900001000 e8???????? b900001000 6690 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   b900001000           | dec                 esp
            //   e8????????           |                     
            //   b900001000           | mov                 ecx, dword ptr [esp + 0xf0]
            //   e8????????           |                     
            //   b900001000           | dec                 esp
            //   6690                 | mov                 edi, dword ptr [esp + 0xa8]

        $sequence_1 = { 7505 488910 eb09 4889c7 90 e8???????? 488d0514440e00 }
            // n = 7, score = 100
            //   7505                 | jne                 0x1a65
            //   488910               | dec                 eax
            //   eb09                 | mov                 dword ptr [eax], ecx
            //   4889c7               | dec                 eax
            //   90                   | lea                 eax, [0x2c491b]
            //   e8????????           |                     
            //   488d0514440e00       | nop                 dword ptr [eax]

        $sequence_2 = { 7509 488905???????? eb0e 488d3dba671f00 6690 e8???????? 488b6c2410 }
            // n = 7, score = 100
            //   7509                 | dec                 eax
            //   488905????????       |                     
            //   eb0e                 | mov                 eax, dword ptr [esp + 0x118]
            //   488d3dba671f00       | xor                 ecx, ecx
            //   6690                 | dec                 eax
            //   e8????????           |                     
            //   488b6c2410           | lea                 eax, [0x3f930]

        $sequence_3 = { e8???????? 488d05b49e0a00 488d1d8d641100 e8???????? 90 4889442408 6690 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d05b49e0a00       | dec                 esp
            //   488d1d8d641100       | mov                 esp, dword ptr [esp + 0x130]
            //   e8????????           |                     
            //   90                   | inc                 edi
            //   4889442408           | movzx               ebp, byte ptr [edx + 1]
            //   6690                 | nop                 

        $sequence_4 = { 4c89a424e8000000 4c899c24e0000000 4180f8c2 754b 4f8d1c39 4d8d5b01 4c39da }
            // n = 7, score = 100
            //   4c89a424e8000000     | ret                 
            //   4c899c24e0000000     | dec                 eax
            //   4180f8c2             | lea                 eax, [0x178b39]
            //   754b                 | mov                 ebx, 0x3d
            //   4f8d1c39             | nop                 dword ptr [eax + eax]
            //   4d8d5b01             | dec                 eax
            //   4c39da               | mov                 ebp, dword ptr [esp + 0x10]

        $sequence_5 = { 833c2403 7531 0fb644244b 488b4c2460 8801 e8???????? 488d05d3571900 }
            // n = 7, score = 100
            //   833c2403             | dec                 eax
            //   7531                 | lea                 eax, [0x32fae2]
            //   0fb644244b           | movzx               ecx, byte ptr [esp + 0x1d]
            //   488b4c2460           | cmp                 cl, 1
            //   8801                 | dec                 eax
            //   e8????????           |                     
            //   488d05d3571900       | lea                 eax, [0x2ebd9]

        $sequence_6 = { 488b442470 488b4030 488b88c8000000 48894c2450 488b80d0000000 4889442428 0f1f4000 }
            // n = 7, score = 100
            //   488b442470           | test                esi, esi
            //   488b4030             | dec                 eax
            //   488b88c8000000       | cmovne              edi, ebx
            //   48894c2450           | dec                 eax
            //   488b80d0000000       | mov                 ebx, dword ptr [esp + 0x98]
            //   4889442428           | dec                 eax
            //   0f1f4000             | mov                 esi, dword ptr [esp + 0x40]

        $sequence_7 = { c3 488d054b3d1600 bb24000000 e8???????? 90 4889442408 e8???????? }
            // n = 7, score = 100
            //   c3                   | mov                 ecx, dword ptr [esp + 0x208]
            //   488d054b3d1600       | dec                 eax
            //   bb24000000           | lea                 edx, [0x2735a2]
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   4889442408           | cmp                 ecx, edx
            //   e8????????           |                     

        $sequence_8 = { 488d4aff 48898c2498000000 488d0596140e00 31db e8???????? 488b9424e0000000 488bb424e8000000 }
            // n = 7, score = 100
            //   488d4aff             | mov                 dword ptr [esp + 0x138], ecx
            //   48898c2498000000     | dec                 eax
            //   488d0596140e00       | mov                 edx, dword ptr [esp + 0x130]
            //   31db                 | dec                 eax
            //   e8????????           |                     
            //   488b9424e0000000     | test                edx, edx
            //   488bb424e8000000     | je                  0x36e

        $sequence_9 = { 488d150b050b00 488910 eb0f 4889c7 488d15fc040b00 e8???????? 488d0502960800 }
            // n = 7, score = 100
            //   488d150b050b00       | mov                 edx, dword ptr [esp + 0x70]
            //   488910               | dec                 eax
            //   eb0f                 | mov                 dword ptr [esp + 0x70], ebx
            //   4889c7               | dec                 eax
            //   488d15fc040b00       | mov                 edx, dword ptr [eax + 0x18]
            //   e8????????           |                     
            //   488d0502960800       | dec                 eax

    condition:
        7 of them and filesize < 7152640
}
Download all Yara Rules