SYMBOLCOMMON_NAMEaka. SYNONYMS
win.torrentlocker (Back to overview)

TorrentLocker

aka: Teerac

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2014-09-11BleepingComputer ForumsDecrypterFixer
@online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } TorrentLocker Ransomware Cracked and Decrypter has been made
TorrentLocker
Yara Rules
[TLP:WHITE] win_torrentlocker_auto (20221125 | Detects win.torrentlocker.)
rule win_torrentlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.torrentlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 83f801 7405 83f802 }
            // n = 4, score = 500
            //   c3                   | ret                 
            //   83f801               | cmp                 eax, 1
            //   7405                 | je                  7
            //   83f802               | cmp                 eax, 2

        $sequence_1 = { 750b 68???????? ff15???????? 8bc3 }
            // n = 4, score = 400
            //   750b                 | jne                 0xd
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bc3                 | mov                 eax, ebx

        $sequence_2 = { 6a00 52 ff15???????? 5e 8bc7 }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   52                   | push                edx
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8bc7                 | mov                 eax, edi

        $sequence_3 = { 6a03 e8???????? 83c410 83f8ff 7404 a810 }
            // n = 6, score = 400
            //   6a03                 | push                3
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   83f8ff               | cmp                 eax, -1
            //   7404                 | je                  6
            //   a810                 | test                al, 0x10

        $sequence_4 = { c705????????00000000 eb39 8b15???????? 6a0c 6a00 52 }
            // n = 6, score = 400
            //   c705????????00000000     |     
            //   eb39                 | jmp                 0x3b
            //   8b15????????         |                     
            //   6a0c                 | push                0xc
            //   6a00                 | push                0
            //   52                   | push                edx

        $sequence_5 = { 6a00 6a00 68???????? ffd6 83f801 7502 }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   83f801               | cmp                 eax, 1
            //   7502                 | jne                 4

        $sequence_6 = { 52 ffd6 a3???????? 85c0 741e 8b0d???????? }
            // n = 6, score = 400
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   741e                 | je                  0x20
            //   8b0d????????         |                     

        $sequence_7 = { 85c9 740e 51 50 a1???????? 50 }
            // n = 6, score = 400
            //   85c9                 | test                ecx, ecx
            //   740e                 | je                  0x10
            //   51                   | push                ecx
            //   50                   | push                eax
            //   a1????????           |                     
            //   50                   | push                eax

        $sequence_8 = { 85c9 7410 8b15???????? 51 6a00 }
            // n = 5, score = 400
            //   85c9                 | test                ecx, ecx
            //   7410                 | je                  0x12
            //   8b15????????         |                     
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_9 = { 68???????? ffd6 83f801 7526 68400000f0 50 6a00 }
            // n = 7, score = 400
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   83f801               | cmp                 eax, 1
            //   7526                 | jne                 0x28
            //   68400000f0           | push                0xf0000040
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_10 = { 41 81f9f1ff0000 7206 81e9f1ff0000 8bc1 }
            // n = 5, score = 400
            //   41                   | inc                 ecx
            //   81f9f1ff0000         | cmp                 ecx, 0xfff1
            //   7206                 | jb                  8
            //   81e9f1ff0000         | sub                 ecx, 0xfff1
            //   8bc1                 | mov                 eax, ecx

        $sequence_11 = { 68???????? ffd6 85c0 751f ff15???????? }
            // n = 5, score = 400
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   ff15????????         |                     

        $sequence_12 = { 5e 5f c3 be03000000 8bc6 5e 5f }
            // n = 7, score = 400
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c3                   | ret                 
            //   be03000000           | mov                 esi, 3
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_13 = { 751f ff15???????? 3d16000980 753d 68080000f0 6a18 6a00 }
            // n = 7, score = 400
            //   751f                 | jne                 0x21
            //   ff15????????         |                     
            //   3d16000980           | cmp                 eax, 0x80090016
            //   753d                 | jne                 0x3f
            //   68080000f0           | push                0xf0000008
            //   6a18                 | push                0x18
            //   6a00                 | push                0

        $sequence_14 = { 7510 6a78 50 68???????? e8???????? }
            // n = 5, score = 400
            //   7510                 | jne                 0x12
            //   6a78                 | push                0x78
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_15 = { 6685d2 75f1 8bcf 8bf7 668b11 }
            // n = 5, score = 400
            //   6685d2               | test                dx, dx
            //   75f1                 | jne                 0xfffffff3
            //   8bcf                 | mov                 ecx, edi
            //   8bf7                 | mov                 esi, edi
            //   668b11               | mov                 dx, word ptr [ecx]

    condition:
        7 of them and filesize < 933888
}
Download all Yara Rules