win.tflower (Back to overview)

TFlower


TFlower is a ransomware family, discovered in August 2019, that targets mostly corporate networks. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing the activity being performed by the ransomware while it encrypts a machine, further indicating that this ransomware is triggered by the attacker post-compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware will also terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

References
2021-03-03 | SYGNIA | Amitai Ben Shushan, Amnon Kushnir, Boaz Wasserman, Martin Korman, Noam Lifshitz
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower
2019-09-20 | Canadian Centre for Cyber Security | Canadian Centre for Cyber Security
TFlower Ransomware Campaign
TFlower
2019-09-17 | Bleeping Computer | Lawrence Abrams
TFlower Ransomware - The Latest Attack Targeting Businesses
TFlower
Yara Rules
[TLP:WHITE] win_tflower_auto (20260504 | Detects win.tflower.)
rule win_tflower_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tflower."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (not part of the generated rule):
     * - Per signator_config, call/jump targets and data references are
     *   wildcarded with "??" (e.g. the ff15/e8/68/8605 operands in
     *   $sequence_0, $sequence_1, $sequence_8 and $sequence_12), so those
     *   sequences tolerate relocation of the referenced operand.
     * - $sequence_3, $sequence_4, $sequence_11, $sequence_14 and $sequence_15
     *   embed absolute addresses (0x4b7c16, 0x4e9c18, 0x4f6f44, ...); those
     *   bytes are tied to one build's image layout, so a rebuilt or rebased
     *   sample would presumably not match them (unconfirmed).
     * - $sequence_2, $sequence_5, $sequence_6, $sequence_7, $sequence_9,
     *   $sequence_10, $sequence_12 and $sequence_13 are short 4-byte runs
     *   that disassemble to add/jcc pairs, which is what low-value data-table
     *   bytes commonly disassemble to; they are likely weaker discriminators
     *   than the longer code sequences. Check the false-positive rate on a
     *   clean corpus before assigning this rule a higher confidence level.
     */

    strings:
        $sequence_0 = { ff15???????? 85db 7423 895e04 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85db                 | test                ebx, ebx
            //   7423                 | je                  0x25
            //   895e04               | mov                 dword ptr [esi + 4], ebx

        $sequence_1 = { 8bde ff36 8d85e8fdfdff c7460400000000 68???????? }
            // n = 5, score = 200
            //   8bde                 | mov                 ebx, esi
            //   ff36                 | push                dword ptr [esi]
            //   8d85e8fdfdff         | lea                 eax, [ebp - 0x20218]
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   68????????           |                     

        $sequence_2 = { 0001 0200 0103 0303 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   0200                 | add                 al, byte ptr [eax]
            //   0103                 | add                 dword ptr [ebx], eax
            //   0303                 | add                 eax, dword ptr [ebx]

        $sequence_3 = { 8bba446f4f00 c1e104 33b1416f4f00 33b9456f4f00 0fb6cc 8b842494000000 }
            // n = 6, score = 200
            //   8bba446f4f00         | mov                 edi, dword ptr [edx + 0x4f6f44]
            //   c1e104               | shl                 ecx, 4
            //   33b1416f4f00         | xor                 esi, dword ptr [ecx + 0x4f6f41]
            //   33b9456f4f00         | xor                 edi, dword ptr [ecx + 0x4f6f45]
            //   0fb6cc               | movzx               ecx, ah
            //   8b842494000000       | mov                 eax, dword ptr [esp + 0x94]

        $sequence_4 = { 0fb60c85167c4b00 0fb63485177c4b00 8bf9 8985b4f8ffff c1e702 57 }
            // n = 6, score = 200
            //   0fb60c85167c4b00     | movzx               ecx, byte ptr [eax*4 + 0x4b7c16]
            //   0fb63485177c4b00     | movzx               esi, byte ptr [eax*4 + 0x4b7c17]
            //   8bf9                 | mov                 edi, ecx
            //   8985b4f8ffff         | mov                 dword ptr [ebp - 0x74c], eax
            //   c1e702               | shl                 edi, 2
            //   57                   | push                edi

        $sequence_5 = { 0008 7408 0002 7408 }
            // n = 4, score = 200
            //   0008                 | add                 byte ptr [eax], cl
            //   7408                 | je                  0xa
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa

        $sequence_6 = { 0001 7708 00f3 7608 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa
            //   00f3                 | add                 bl, dh
            //   7608                 | jbe                 0xa

        $sequence_7 = { 000f 7708 0001 7708 }
            // n = 4, score = 200
            //   000f                 | add                 byte ptr [edi], cl
            //   7708                 | ja                  0xa
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa

        $sequence_8 = { 6a2f 68???????? 56 e8???????? 83c40c 5e }
            // n = 6, score = 200
            //   6a2f                 | push                0x2f
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi

        $sequence_9 = { 0010 740b 0021 740b }
            // n = 4, score = 200
            //   0010                 | add                 byte ptr [eax], dl
            //   740b                 | je                  0xd
            //   0021                 | add                 byte ptr [ecx], ah
            //   740b                 | je                  0xd

        $sequence_10 = { 001a 0c05 003c0c 05004e0c05 }
            // n = 4, score = 200
            //   001a                 | add                 byte ptr [edx], bl
            //   0c05                 | or                  al, 5
            //   003c0c               | add                 byte ptr [esp + ecx], bh
            //   05004e0c05           | add                 eax, 0x50c4e00

        $sequence_11 = { 330cb5189c4e00 8b5734 33e9 8b7730 33d5 c1ca04 }
            // n = 6, score = 200
            //   330cb5189c4e00       | xor                 ecx, dword ptr [esi*4 + 0x4e9c18]
            //   8b5734               | mov                 edx, dword ptr [edi + 0x34]
            //   33e9                 | xor                 ebp, ecx
            //   8b7730               | mov                 esi, dword ptr [edi + 0x30]
            //   33d5                 | xor                 edx, ebp
            //   c1ca04               | ror                 edx, 4

        $sequence_12 = { 000b 8605???????? 007885 0500788605 }
            // n = 4, score = 200
            //   000b                 | add                 byte ptr [ebx], cl
            //   8605????????         |                     
            //   007885               | add                 byte ptr [eax - 0x7b], bh
            //   0500788605           | add                 eax, 0x5867800

        $sequence_13 = { 0002 7408 00f7 7308 }
            // n = 4, score = 200
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa
            //   00f7                 | add                 bh, dh
            //   7308                 | jae                 0xa

        $sequence_14 = { 83e03f 330c8518964e00 330c95189d4e00 8b5764 }
            // n = 4, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   330c8518964e00       | xor                 ecx, dword ptr [eax*4 + 0x4e9618]
            //   330c95189d4e00       | xor                 ecx, dword ptr [edx*4 + 0x4e9d18]
            //   8b5764               | mov                 edx, dword ptr [edi + 0x64]

        $sequence_15 = { 8bc2 c1e818 894efe 0fb60c8520dd4e00 }
            // n = 4, score = 200
            //   8bc2                 | mov                 eax, edx
            //   c1e818               | shr                 eax, 0x18
            //   894efe               | mov                 dword ptr [esi - 2], ecx
            //   0fb60c8520dd4e00     | movzx               ecx, byte ptr [eax*4 + 0x4edd20]

    condition:
        // Match when any 7 of the 16 sequences are present and the scanned
        // file is smaller than 6578176 bytes (~6.3 MiB); the size bound means
        // larger carriers (installers, dumps) holding the same code are not
        // flagged by this rule.
        7 of them and filesize < 6578176
}