SYMBOLCOMMON_NAMEaka. SYNONYMS
win.torrentlocker (Back to overview)

TorrentLocker

aka: Teerac

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2014-09-11BleepingComputer ForumsDecrypterFixer
@online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } TorrentLocker Ransomware Cracked and Decrypter has been made
TorrentLocker
Yara Rules
[TLP:WHITE] win_torrentlocker_auto (20230125 | Detects win.torrentlocker.)
rule win_torrentlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.torrentlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 83f801 7405 83f802 }
            // n = 4, score = 500
            //   c3                   | ret                 
            //   83f801               | cmp                 eax, 1
            //   7405                 | je                  7
            //   83f802               | cmp                 eax, 2

        $sequence_1 = { 740a 48 85c0 7ff4 5f 33c0 5e }
            // n = 7, score = 400
            //   740a                 | je                  0xc
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff4                 | jg                  0xfffffff6
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi

        $sequence_2 = { 7514 e8???????? 3d00000600 1bc0 40 }
            // n = 5, score = 400
            //   7514                 | jne                 0x16
            //   e8????????           |                     
            //   3d00000600           | cmp                 eax, 0x60000
            //   1bc0                 | sbb                 eax, eax
            //   40                   | inc                 eax

        $sequence_3 = { 6a01 6a00 0d00800000 50 6a00 }
            // n = 5, score = 400
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   0d00800000           | or                  eax, 0x8000
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_4 = { be03000000 8bc6 5e 5f c3 be02000000 8bc6 }
            // n = 7, score = 400
            //   be03000000           | mov                 esi, 3
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c3                   | ret                 
            //   be02000000           | mov                 esi, 2
            //   8bc6                 | mov                 eax, esi

        $sequence_5 = { 7522 68???????? ff15???????? 85c0 7413 }
            // n = 5, score = 400
            //   7522                 | jne                 0x24
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15

        $sequence_6 = { 50 a1???????? 56 50 ff15???????? 85c0 8d4601 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   a1????????           |                     
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   8d4601               | lea                 eax, [esi + 1]

        $sequence_7 = { 6a00 51 ff15???????? 8bc6 5e 5f }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_8 = { c3 b904000000 8bc1 5e }
            // n = 4, score = 400
            //   c3                   | ret                 
            //   b904000000           | mov                 ecx, 4
            //   8bc1                 | mov                 eax, ecx
            //   5e                   | pop                 esi

        $sequence_9 = { 85c0 7525 68???????? b8???????? bb???????? e8???????? }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   7525                 | jne                 0x27
            //   68????????           |                     
            //   b8????????           |                     
            //   bb????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 68???????? 895608 ffd7 85c0 753c }
            // n = 5, score = 400
            //   68????????           |                     
            //   895608               | mov                 dword ptr [esi + 8], edx
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   753c                 | jne                 0x3e

        $sequence_11 = { 75ef 03fb b8???????? 8d143f 2bd0 }
            // n = 5, score = 400
            //   75ef                 | jne                 0xfffffff1
            //   03fb                 | add                 edi, ebx
            //   b8????????           |                     
            //   8d143f               | lea                 edx, [edi + edi]
            //   2bd0                 | sub                 edx, eax

        $sequence_12 = { 7519 8b0d???????? 51 ff15???????? c705????????00000000 eb39 8b15???????? }
            // n = 7, score = 400
            //   7519                 | jne                 0x1b
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   c705????????00000000     |     
            //   eb39                 | jmp                 0x3b
            //   8b15????????         |                     

        $sequence_13 = { 750b 68???????? ff15???????? 8bc3 }
            // n = 4, score = 400
            //   750b                 | jne                 0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bc3                 | mov                 eax, ebx

        $sequence_14 = { 8bcf c1e90b 33c8 c1e908 }
            // n = 4, score = 400
            //   8bcf                 | mov                 ecx, edi
            //   c1e90b               | shr                 ecx, 0xb
            //   33c8                 | xor                 ecx, eax
            //   c1e908               | shr                 ecx, 8

        $sequence_15 = { 6a01 68???????? ff15???????? 85c0 7522 68???????? }
            // n = 6, score = 400
            //   6a01                 | push                1
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7522                 | jne                 0x24
            //   68????????           |                     

    condition:
        7 of them and filesize < 933888
}
Download all Yara Rules