win.troldesh (Back to overview)

Troldesh

aka: Shade

There is no description at this point.

References
2020-05-02BitdefenderBitdefender Team
@online{team:20200502:shade:a1481f9, author = {Bitdefender Team}, title = {{Shade / Troldesh Ransomware decryption tool}}, date = {2020-05-02}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/}, language = {English}, urldate = {2020-05-05} } Shade / Troldesh Ransomware decryption tool
Troldesh
2020-04-27ZDNetCatalin Cimpanu
@online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } Shade (Troldesh) ransomware shuts down and releases decryption keys
Troldesh
2020-04-26shade-team
@online{shadeteam:20200426:repository:25ac040, author = {shade-team}, title = {{Repository with Keys for Shade / Troldesh}}, date = {2020-04-26}, url = {https://github.com/shade-team/keys}, language = {English}, urldate = {2020-04-28} } Repository with Keys for Shade / Troldesh
Troldesh
2019-10-29Kaspersky LabsKaspersky
@online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } ShadeDecryptor tool
Troldesh
2019-06-25AvastJeff Elder
@online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } Ransomware strain Troldesh spikes again – Avast tracks new attacks
Troldesh
2019-05-22Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada
Troldesh
2019-02-20SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } More Russian language malspam pushing Shade (Troldesh) ransomware
Troldesh
2019-01-28ESET ResearchJuraj Jánošík
@online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } Russia hit by new wave of ransomware spam
Troldesh
2016-07-13MicrosoftMicrosoft Defender ATP Research Team
@online{team:20160713:troldesh:52c2dc3, author = {Microsoft Defender ATP Research Team}, title = {{Troldesh ransomware influenced by (the) Da Vinci code}}, date = {2016-07-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/}, language = {English}, urldate = {2020-01-13} } Troldesh ransomware influenced by (the) Da Vinci code
Troldesh
2015-09-14Kaspersky LabsVictor Alyushin, Fedor Sinitsyn
@online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } The Shade Encryptor: a Double Threat
CMSBrute Troldesh
2015-06-01Check PointCheck Point
@online{point:20150601:troldesh:19531cf, author = {Check Point}, title = {{“Troldesh” – New Ransomware from Russia}}, date = {2015-06-01}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/}, language = {English}, urldate = {2019-11-25} } “Troldesh” – New Ransomware from Russia
Troldesh
Yara Rules
[TLP:WHITE] win_troldesh_auto (20210616 | Detects win.troldesh.)
rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.troldesh."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Rule summary (review note)
     * - Ten opcode sequences ($sequence_0 .. $sequence_9), each seven 32-bit
     *   x86 instructions long (n = 7) with the generator's score of 600, as
     *   recorded in the per-sequence comments below.
     * - "??" bytes wildcard operands that change between builds or load
     *   addresses: the rel32 target of call/jmp (e8 / e9, per the
     *   "callsandjumps" setting) and absolute data references (dd05 / 68, per
     *   "datarefs"). The disassembly column is left blank for those
     *   instructions because their operand is not fixed.
     * - The sequences were taken from unpacked code (see DISCLAIMER), so a
     *   packed on-disk sample will likely not match; apply the rule to memory
     *   dumps or unpacked files as well when triaging.
     * - A hit requires 7 of the 10 sequences plus the size bound in
     *   `condition`; treat it as a family indicator, not as proof of a
     *   specific version.
     */

    strings:
        $sequence_0 = { f7d8 1bc0 40 89879c000000 c745f401000000 ff7518 e8???????? }
            // n = 7, score = 600
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   40                   | inc                 eax
            //   89879c000000         | mov                 dword ptr [edi + 0x9c], eax
            //   c745f401000000       | mov                 dword ptr [ebp - 0xc], 1
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   e8????????           |                     
            // neg/sbb/inc is the compiler idiom for eax = (eax == 0) ? 1 : 0;
            // the result is stored at [edi + 0x9c] before a call whose target
            // is wildcarded.

        $sequence_1 = { eb95 8d45e4 50 8d5d90 e8???????? 59 85c0 }
            // n = 7, score = 600
            //   eb95                 | jmp                 0xffffff97
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   8d5d90               | lea                 ebx, dword ptr [ebp - 0x70]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            // Stack-buffer address passed to a (wildcarded) call, with a
            // single-argument cleanup (pop ecx) and a return-value test.

        $sequence_2 = { e9???????? 33c0 33ff 397df4 0f94c0 8945f8 397df4 }
            // n = 7, score = 600
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   33ff                 | xor                 edi, edi
            //   397df4               | cmp                 dword ptr [ebp - 0xc], edi
            //   0f94c0               | sete                al
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   397df4               | cmp                 dword ptr [ebp - 0xc], edi
            // With edi zeroed, sete al yields [ebp - 8] = ([ebp - 0xc] == 0);
            // the second cmp repeats the same comparison.

        $sequence_3 = { 8b4c2414 8bde e8???????? 56 e8???????? 59 8b4504 }
            // n = 7, score = 600
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8bde                 | mov                 ebx, esi
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4504               | mov                 eax, dword ptr [ebp + 4]

        $sequence_4 = { e9???????? f6c30e 0f84f5000000 0fb617 0fb65f01 c1e208 0bd3 }
            // n = 7, score = 600
            //   e9????????           |                     
            //   f6c30e               | test                bl, 0xe
            //   0f84f5000000         | je                  0xfb
            //   0fb617               | movzx               edx, byte ptr [edi]
            //   0fb65f01             | movzx               ebx, byte ptr [edi + 1]
            //   c1e208               | shl                 edx, 8
            //   0bd3                 | or                  edx, ebx
            // Reads two consecutive bytes at [edi] and combines them as a
            // big-endian 16-bit value in edx (first byte in the high half).

        $sequence_5 = { eb48 8b36 8b1e e8???????? 85c0 7507 68???????? }
            // n = 7, score = 600
            //   eb48                 | jmp                 0x4a
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b1e                 | mov                 ebx, dword ptr [esi]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   68????????           |                     
            // The trailing push imm32 (68) is wildcarded as a data reference.

        $sequence_6 = { e8???????? dd05???????? dd1c24 ffb54cffffff 8d854cffffff 50 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   dd05????????         |                     
            //   dd1c24               | fstp                qword ptr [esp]
            //   ffb54cffffff         | push                dword ptr [ebp - 0xb4]
            //   8d854cffffff         | lea                 eax, dword ptr [ebp - 0xb4]
            //   50                   | push                eax
            //   e8????????           |                     
            // dd05 ???????? is an x87 load from an absolute address (operand
            // wildcarded); the value is then stored to the stack as a call
            // argument.

        $sequence_7 = { e8???????? 8bf8 85ff 7426 8b4508 8d485c 51 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7426                 | je                  0x28
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d485c               | lea                 ecx, dword ptr [eax + 0x5c]
            //   51                   | push                ecx

        $sequence_8 = { 8d85f8fbffff 6a00 50 e8???????? 83c40c 56 8d85f0fdffff }
            // n = 7, score = 600
            //   8d85f8fbffff         | lea                 eax, dword ptr [ebp - 0x408]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   8d85f0fdffff         | lea                 eax, dword ptr [ebp - 0x210]
            // Three-argument cdecl call (add esp, 0xc) on a stack buffer at
            // [ebp - 0x408]; the third argument is pushed before this window.

        $sequence_9 = { e8???????? 8b75e8 e8???????? 8b75e4 e8???????? 8b75e0 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   8b75e0               | mov                 esi, dword ptr [ebp - 0x20]
            //   e8????????           |                     
            // Repeated pattern of loading a local into esi and calling; only
            // the fixed mov encodings are matched, every call target is
            // wildcarded.

    condition:
        // Require a majority (7 of 10) of the sequences; the size cap keeps the
        // rule from being evaluated against large files (3915776 bytes is the
        // generator's bound, not a property of the family).
        7 of them and filesize < 3915776
}