SYMBOLCOMMON_NAMEaka. SYNONYMS
win.torrentlocker (Back to overview)

TorrentLocker

aka: Teerac

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2014-09-11BleepingComputer ForumsDecrypterFixer
@online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } TorrentLocker Ransomware Cracked and Decrypter has been made
TorrentLocker
Yara Rules
[TLP:WHITE] win_torrentlocker_auto (20220516 | Detects win.torrentlocker.)
rule win_torrentlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.torrentlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 83f801 7405 83f802 }
            // n = 4, score = 500
            //   c3                   | ret                 
            //   83f801               | cmp                 eax, 1
            //   7405                 | je                  7
            //   83f802               | cmp                 eax, 2

        $sequence_1 = { 40 83f806 72f1 33f6 }
            // n = 4, score = 400
            //   40                   | inc                 eax
            //   83f806               | cmp                 eax, 6
            //   72f1                 | jb                  0xfffffff3
            //   33f6                 | xor                 esi, esi

        $sequence_2 = { 0102 0102 0201 0202 0202 0202 }
            // n = 6, score = 400
            //   0102                 | add                 dword ptr [edx], eax
            //   0102                 | add                 dword ptr [edx], eax
            //   0201                 | add                 al, byte ptr [ecx]
            //   0202                 | add                 al, byte ptr [edx]
            //   0202                 | add                 al, byte ptr [edx]
            //   0202                 | add                 al, byte ptr [edx]

        $sequence_3 = { ffd6 83f801 7502 5e c3 }
            // n = 5, score = 400
            //   ffd6                 | call                esi
            //   83f801               | cmp                 eax, 1
            //   7502                 | jne                 4
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_4 = { 85db 7412 ff15???????? 33c9 3db7000000 }
            // n = 5, score = 400
            //   85db                 | test                ebx, ebx
            //   7412                 | je                  0x14
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   3db7000000           | cmp                 eax, 0xb7

        $sequence_5 = { c705????????ffffffff 8b15???????? 6a00 6a01 68???????? 895608 }
            // n = 6, score = 400
            //   c705????????ffffffff     |     
            //   8b15????????         |                     
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           |                     
            //   895608               | mov                 dword ptr [esi + 8], edx

        $sequence_6 = { 83f801 7526 68400000f0 50 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   83f801               | cmp                 eax, 1
            //   7526                 | jne                 0x28
            //   68400000f0           | push                0xf0000040
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_7 = { 85c0 7510 6a78 50 68???????? }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   6a78                 | push                0x78
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_8 = { b801000000 81f9170000c0 7415 81f9340000c0 7407 85c9 750e }
            // n = 7, score = 400
            //   b801000000           | mov                 eax, 1
            //   81f9170000c0         | cmp                 ecx, 0xc0000017
            //   7415                 | je                  0x17
            //   81f9340000c0         | cmp                 ecx, 0xc0000034
            //   7407                 | je                  9
            //   85c9                 | test                ecx, ecx
            //   750e                 | jne                 0x10

        $sequence_9 = { 85c0 7412 83c8ff 5f }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   83c8ff               | or                  eax, 0xffffffff
            //   5f                   | pop                 edi

        $sequence_10 = { ff15???????? 85c0 8d4601 7502 8bc6 5e }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   8d4601               | lea                 eax, [esi + 1]
            //   7502                 | jne                 4
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_11 = { 8b35???????? 68000000f0 6a18 6a00 6a00 68???????? ffd6 }
            // n = 7, score = 400
            //   8b35????????         |                     
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   ffd6                 | call                esi

        $sequence_12 = { 85c0 751f ff15???????? 3d16000980 753d }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   ff15????????         |                     
            //   3d16000980           | cmp                 eax, 0x80090016
            //   753d                 | jne                 0x3f

        $sequence_13 = { 3d16000980 753d 68080000f0 6a18 6a00 6a00 }
            // n = 6, score = 400
            //   3d16000980           | cmp                 eax, 0x80090016
            //   753d                 | jne                 0x3f
            //   68080000f0           | push                0xf0000008
            //   6a18                 | push                0x18
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_14 = { eb39 8b15???????? 6a0c 6a00 52 ffd6 }
            // n = 6, score = 400
            //   eb39                 | jmp                 0x3b
            //   8b15????????         |                     
            //   6a0c                 | push                0xc
            //   6a00                 | push                0
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_15 = { 740e 51 50 a1???????? }
            // n = 4, score = 400
            //   740e                 | je                  0x10
            //   51                   | push                ecx
            //   50                   | push                eax
            //   a1????????           |                     

    condition:
        7 of them and filesize < 933888
}
Download all Yara Rules