win.tellyouthepass (Back to overview)

TellYouThePass


According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.

The program renames all encrypted files by adding the ".locked" extension and creates a ransom message in a text file called "README.html". For example, "1.jpg" is renamed by Tellyouthepass to "1.jpg.locked".

According to the cyber criminals' own claims, this ransomware encrypts data using the RSA-1024 and AES-256 cryptographic algorithms.

References
2022-01-11 | CrowdStrike | Anmol Maurya
TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
TellYouThePass
2021-12-23 | Symantec | Siddhesh Chandrayan
Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
Yara Rules
[TLP:WHITE] win_tellyouthepass_auto (20260504 | Detects win.tellyouthepass.)
/*
 * win_tellyouthepass_auto: autogenerated (yara-signator) code signature for the
 * family Malpedia tracks as win.tellyouthepass (see meta.malpedia_reference).
 *
 * Match logic (see condition): any 7 of the 10 $sequence_* byte patterns, in a
 * scanned file smaller than 7152640 bytes (about 6.8 MiB).
 *
 * Reading the strings section:
 *  - Each $sequence_N is a run of 7 consecutive instructions ("n = 7"); "??"
 *    bytes are wildcards (call targets and some RIP-relative displacements).
 *  - The mnemonics beside each byte row are decoded from the hex bytes as
 *    x86-64 code (0x48-0x4f are REX prefixes here, not "dec"/"inc").
 *
 * Reviewer notes for deployment:
 *  - The condition has no file-format test (no header magic check), so the rule
 *    applies to any scanned object under the size limit, including memory dumps
 *    saved as files.
 *  - YARA's "filesize" is only meaningful for file scans; a rule that requires
 *    it will not match when scanning a live process. Use this rule on files or
 *    dumped regions, not with process scanning.
 *  - Many "lea reg, [rip+disp32]" rows keep a fixed displacement (for example
 *    488d0d1f031400). NOTE(review): such offsets depend on the layout of the
 *    analysed build, so the rule is presumably sensitive to recompiled
 *    variants; validate against your own sample set.
 *  - NOTE(review): sequences 0, 3 and 4 contain a
 *    "cmp dword [rip+X], 0 ; jne ; mov [mem], reg" guarded-store shape that
 *    looks compiler-generated rather than family-specific; test against benign
 *    binaries built with the same toolchain before assigning high confidence.
 */
rule win_tellyouthepass_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tellyouthepass."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 48c740100e000000 488d0d1f031400 48894808 833d????????00 7509 488905???????? }
            // n = 7, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   48c740100e000000     | mov                 qword ptr [rax + 0x10], 0xe
            //   488d0d1f031400       | lea                 rcx, [rip + 0x14031f]
            //   48894808             | mov                 qword ptr [rax + 8], rcx
            //   833d????????00       | cmp                 dword ptr [rip + <disp32, wildcarded>], 0
            //   7509                 | jne                 +0x9 (short, relative)
            //   488905????????       | mov                 qword ptr [rip + <disp32, wildcarded>], rax

        $sequence_1 = { e8???????? 488d05513f1800 bb13000000 0f1f440000 e8???????? 8b442424 89c0 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   488d05513f1800       | lea                 rax, [rip + 0x183f51]
            //   bb13000000           | mov                 ebx, 0x13
            //   0f1f440000           | nop                 dword ptr [rax + rax] (5-byte padding nop)
            //   e8????????           | call                <rel32, wildcarded>
            //   8b442424             | mov                 eax, dword ptr [rsp + 0x24]
            //   89c0                 | mov                 eax, eax

        $sequence_2 = { bb10000000 e8???????? 488b442428 e8???????? 488d0509dd1700 bb07000000 e8???????? }
            // n = 7, score = 100
            //   bb10000000           | mov                 ebx, 0x10
            //   e8????????           | call                <rel32, wildcarded>
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]
            //   e8????????           | call                <rel32, wildcarded>
            //   488d0509dd1700       | lea                 rax, [rip + 0x17dd09]
            //   bb07000000           | mov                 ebx, 7
            //   e8????????           | call                <rel32, wildcarded>

        $sequence_3 = { 833d????????00 7505 488910 eb08 4889c7 e8???????? 488d05ad720e00 }
            // n = 7, score = 100
            //   833d????????00       | cmp                 dword ptr [rip + <disp32, wildcarded>], 0
            //   7505                 | jne                 +0x5 (short, relative)
            //   488910               | mov                 qword ptr [rax], rdx
            //   eb08                 | jmp                 +0x8 (short, relative)
            //   4889c7               | mov                 rdi, rax
            //   e8????????           | call                <rel32, wildcarded>
            //   488d05ad720e00       | lea                 rax, [rip + 0xe72ad]

        $sequence_4 = { e8???????? 488b942488000000 48895a10 833d????????00 7506 48894208 eb09 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   488b942488000000     | mov                 rdx, qword ptr [rsp + 0x88]
            //   48895a10             | mov                 qword ptr [rdx + 0x10], rbx
            //   833d????????00       | cmp                 dword ptr [rip + <disp32, wildcarded>], 0
            //   7506                 | jne                 +0x6 (short, relative)
            //   48894208             | mov                 qword ptr [rdx + 8], rax
            //   eb09                 | jmp                 +0x9 (short, relative)

        $sequence_5 = { f0480fc102 ba01000000 4c8d0542853300 f0490fc110 eb32 4883fa02 751a }
            // n = 7, score = 100
            //   f0480fc102           | lock xadd           qword ptr [rdx], rax
            //   ba01000000           | mov                 edx, 1
            //   4c8d0542853300       | lea                 r8, [rip + 0x338542]
            //   f0490fc110           | lock xadd           qword ptr [r8], rdx
            //   eb32                 | jmp                 +0x32 (short, relative)
            //   4883fa02             | cmp                 rdx, 2
            //   751a                 | jne                 +0x1a (short, relative)

        $sequence_6 = { 48c1fe3f 4921f3 4b8d1c18 4d85db 7412 4c89c0 4c89d1 }
            // n = 7, score = 100
            //   48c1fe3f             | sar                 rsi, 0x3f
            //   4921f3               | and                 r11, rsi
            //   4b8d1c18             | lea                 rbx, [r8 + r11]
            //   4d85db               | test                r11, r11
            //   7412                 | je                  +0x12 (short, relative)
            //   4c89c0               | mov                 rax, r8
            //   4c89d1               | mov                 rcx, r10

        $sequence_7 = { e8???????? eb0f 488d15b2060600 488bb424d0000000 4889942488000000 4889b42490000000 488b942488000000 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   eb0f                 | jmp                 +0xf (short, relative)
            //   488d15b2060600       | lea                 rdx, [rip + 0x606b2]
            //   488bb424d0000000     | mov                 rsi, qword ptr [rsp + 0xd0]
            //   4889942488000000     | mov                 qword ptr [rsp + 0x88], rdx
            //   4889b42490000000     | mov                 qword ptr [rsp + 0x90], rsi
            //   488b942488000000     | mov                 rdx, qword ptr [rsp + 0x88]

        $sequence_8 = { 8b9890000000 895c2414 0fb6b0b0000000 4080fe1b 720e be13000000 4c8d0502f31500 }
            // n = 7, score = 100
            //   8b9890000000         | mov                 ebx, dword ptr [rax + 0x90]
            //   895c2414             | mov                 dword ptr [rsp + 0x14], ebx
            //   0fb6b0b0000000       | movzx               esi, byte ptr [rax + 0xb0]
            //   4080fe1b             | cmp                 sil, 0x1b
            //   720e                 | jb                  +0xe (short, relative)
            //   be13000000           | mov                 esi, 0x13
            //   4c8d0502f31500       | lea                 r8, [rip + 0x15f302]

        $sequence_9 = { 7d74 4c8d1431 4d39d1 0f867e010000 470fb61410 4589d5 4183e2c0 }
            // n = 7, score = 100
            //   7d74                 | jge                 +0x74 (short, relative)
            //   4c8d1431             | lea                 r10, [rcx + rsi]
            //   4d39d1               | cmp                 r9, r10
            //   0f867e010000         | jbe                 +0x17e (near, relative)
            //   470fb61410           | movzx               r10d, byte ptr [r8 + r10]
            //   4589d5               | mov                 r13d, r10d
            //   4183e2c0             | and                 r10d, 0xffffffc0

    condition:
        // Any 7 of the 10 sequences must be present; the size cap limits the
        // rule to files under 7152640 bytes. There is no header/format check.
        7 of them and filesize < 7152640
}