win.troldesh

Troldesh

aka: Shade

According to Malwarebytes, ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host its downloads.

References
2020-05-02 | Bitdefender | Bitdefender Team
@online{team:20200502:shade:a1481f9, author = {Bitdefender Team}, title = {{Shade / Troldesh Ransomware decryption tool}}, date = {2020-05-02}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/}, language = {English}, urldate = {2020-05-05} } Shade / Troldesh Ransomware decryption tool
Troldesh
2020-04-27 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } Shade (Troldesh) ransomware shuts down and releases decryption keys
Troldesh
2020-04-26 | shade-team
@online{shadeteam:20200426:repository:25ac040, author = {shade-team}, title = {{Repository with Keys for Shade / Troldesh}}, date = {2020-04-26}, url = {https://github.com/shade-team/keys}, language = {English}, urldate = {2020-04-28} } Repository with Keys for Shade / Troldesh
Troldesh
2019-10-29 | Kaspersky Labs | Kaspersky
@online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } ShadeDecryptor tool
Troldesh
2019-06-25 | Avast | Jeff Elder
@online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } Ransomware strain Troldesh spikes again – Avast tracks new attacks
Troldesh
2019-05-22 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada
Troldesh
2019-02-20 | SANS ISC InfoSec Forums | Brad Duncan
@online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } More Russian language malspam pushing Shade (Troldesh) ransomware
Troldesh
2019-01-28 | ESET Research | Juraj Jánošík
@online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } Russia hit by new wave of ransomware spam
Troldesh
2016-07-13 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20160713:troldesh:52c2dc3, author = {Microsoft Defender ATP Research Team}, title = {{Troldesh ransomware influenced by (the) Da Vinci code}}, date = {2016-07-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/}, language = {English}, urldate = {2020-01-13} } Troldesh ransomware influenced by (the) Da Vinci code
Troldesh
2015-09-14 | Kaspersky Labs | Victor Alyushin, Fedor Sinitsyn
@online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } The Shade Encryptor: a Double Threat
CMSBrute Troldesh
2015-06-01 | Check Point | Check Point
@online{point:20150601:troldesh:19531cf, author = {Check Point}, title = {{“Troldesh” – New Ransomware from Russia}}, date = {2015-06-01}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/}, language = {English}, urldate = {2019-11-25} } “Troldesh” – New Ransomware from Russia
Troldesh
Yara Rules
[TLP:WHITE] win_troldesh_auto (20230715 | Detects win.troldesh.)
// Autogenerated code-pattern rule for win.troldesh (Shade), produced by
// yara-signator from disassembly of unpacked samples / memory dumps.
// Each $sequence_N is a short run of x86 instructions; the `??` bytes are
// wildcards standing in for relocation-dependent call/jmp targets and
// immediates, so the patterns survive relinking and rebasing.
// Because the generator works from the single samples Malpedia holds for a
// family, coverage of other variants is not guaranteed -- weight detections
// accordingly and pair the rule with other telemetry.
rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.troldesh."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Generator: https://github.com/fxb-cocacoding/yara-signator
     * Every sequence below carries the generator's own metadata in a comment:
     * n = number of instructions in the sequence, score = its selection score.
     * Hex is written one byte per token (whitespace and case are irrelevant to
     * the YARA hex-string matcher).
     */

    strings:
        // n = 7, score = 600
        //   call ??; mov [ebp-8], eax; test eax, eax; je +0x14d;
        //   mov ecx, [ebp+0xc]; lea eax, [ebx+0x5c]; push eax
        $sequence_0 = { E8 ?? ?? ?? ?? 89 45 F8 85 C0 0F 84 47 01 00 00 8B 4D 0C 8D 43 5C 50 }

        // n = 7, score = 600
        //   jmp -0x50; cmp byte [ebp+4], 1; jae +0x20; push imm32;
        //   push ebx; push 0x1283; call ??
        $sequence_1 = { EB AE 80 7D 04 01 73 1E 68 ?? ?? ?? ?? 53 68 83 12 00 00 E8 ?? ?? ?? ?? }

        // n = 7, score = 600
        //   mov edi, ecx; test edi, edi; jne +6; xor eax, eax; pop edi; ret;
        //   test ebx, ebx
        $sequence_2 = { 8B F9 85 FF 75 04 33 C0 5F C3 85 DB }

        // n = 7, score = 600
        //   call ??; mov eax, [edi+0x5c]; movzx ecx, word [eax+0x2c8];
        //   add [eax+0x2c0], ecx; mov eax, [edi+0x5c]; mov esi, [edi+0xc];
        //   add eax, ebx
        $sequence_3 = { E8 ?? ?? ?? ?? 8B 47 5C 0F B7 88 C8 02 00 00 01 88 C0 02 00 00 8B 47 5C 8B 77 0C 03 C3 }

        // n = 7, score = 600
        //   push [ebp+8]; call ??; lea eax, [ebp-0x20]; push eax; call ??;
        //   mov eax, [ebp+8]; pop edi
        $sequence_4 = { FF 75 08 E8 ?? ?? ?? ?? 8D 45 E0 50 E8 ?? ?? ?? ?? 8B 45 08 5F }

        // n = 7, score = 600
        //   call ??; test eax, eax; je +9; xor ecx, ecx; mov [ebp-0x14], ecx;
        //   jmp +4; xor ecx, ecx
        $sequence_5 = { E8 ?? ?? ?? ?? 85 C0 74 07 33 C9 89 4D EC EB 02 33 C9 }

        // n = 7, score = 600
        //   jmp ??; push [ebp+0xc]; call ??; pop ecx; test eax, eax;
        //   je +0xf7; mov edx, [edi+0x10]
        $sequence_6 = { E9 ?? ?? ?? ?? FF 75 0C E8 ?? ?? ?? ?? 59 85 C0 0F 84 F1 00 00 00 8B 57 10 }

        // n = 7, score = 600
        //   push [esp+0x2c]; call ??; pop ecx; pop ecx; test eax, eax;
        //   jne +0x35; cmp dword [ebp+0x10], 0
        $sequence_7 = { FF 74 24 2C E8 ?? ?? ?? ?? 59 59 85 C0 75 33 83 7D 10 00 }

        // n = 7, score = 600
        //   call ??; mov ecx, [esi+0x14]; lea eax, [eax+ecx*2];
        //   cmp eax, [esp+4]; jbe +6; mov al, 1; jmp +4
        $sequence_8 = { E8 ?? ?? ?? ?? 8B 4E 14 8D 04 48 3B 44 24 04 76 04 B0 01 EB 02 }

        // n = 7, score = 600
        //   push [ebp-4]; call ??; pop ecx; push [edi+8]; lea ecx, [edi+0x10];
        //   push [edi+4]; mov [edi], ebx
        $sequence_9 = { FF 75 FC E8 ?? ?? ?? ?? 59 FF 77 08 8D 4F 10 FF 77 04 89 1F }

    condition:
        // Size gate first so large inputs are rejected cheaply; then require
        // seven of the ten code sequences, which tolerates partial variant drift
        // while still demanding a strong overlap with the reference sample.
        filesize < 3915776 and 7 of them
}