win.troldesh

Troldesh

aka: Shade

There is no description at this point. Reviewer note, derived only from the titles of the references listed below: Troldesh (a.k.a. Shade) is a ransomware family first publicly reported in 2015 (Check Point, Kaspersky); the 2019 ISC, ESET and Avast reports describe it being pushed by waves of Russian-language malspam; Kaspersky published a ShadeDecryptor tool on 2019-10-29, which may allow recovery of encrypted files — check the tool's supported-version list before relying on it.

References
2019-10-29 ⋅ Kaspersky Labs ⋅ Kaspersky
@online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } ShadeDecryptor tool
Troldesh
2019-06-25 ⋅ Avast ⋅ Jeff Elder
@online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } Ransomware strain Troldesh spikes again – Avast tracks new attacks
Troldesh
2019-05-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada
Troldesh
2019-02-20 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
@online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } More Russian language malspam pushing Shade (Troldesh) ransomware
Troldesh
2019-01-28 ⋅ ESET Research ⋅ Juraj Jánošík
@online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } Russia hit by new wave of ransomware spam
Troldesh
2016-07-13 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
@online{team:20160713:troldesh:52c2dc3, author = {Microsoft Defender ATP Research Team}, title = {{Troldesh ransomware influenced by (the) Da Vinci code}}, date = {2016-07-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/}, language = {English}, urldate = {2020-01-13} } Troldesh ransomware influenced by (the) Da Vinci code
Troldesh
2015-09-14 ⋅ Kaspersky Labs ⋅ Victor Alyushin, Fedor Sinitsyn
@online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } The Shade Encryptor: a Double Threat
CMSBrute Troldesh
2015-06-01 ⋅ Check Point ⋅ Check Point
@online{point:20150601:troldesh:19531cf, author = {Check Point}, title = {{“Troldesh” – New Ransomware from Russia}}, date = {2015-06-01}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/}, language = {English}, urldate = {2019-11-25} } “Troldesh” – New Ransomware from Russia
Troldesh
Yara Rules
[TLP:WHITE] win_troldesh_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_troldesh_auto {
    /* Detection summary (reviewer note)
     * Auto-generated code-sequence signature for win.troldesh (Shade).
     * Ten 7-instruction 32-bit x86 opcode sequences are defined below (n = 7
     * on each); the rule fires when at least 7 of them are present (see the
     * condition). Every sequence carries the same score (500), so the
     * condition is an unweighted count, not a scored threshold.
     * Operands that differ between builds are masked with "??": the rel32
     * targets after e8 (call) / e9 (jmp) and the absolute addresses after a3
     * (mov [addr], eax) and 3905 (cmp [addr], eax). The remaining bytes are
     * the opcode/ModRM/immediate parts shown in the per-line disassembly.
     * Operational caveats:
     *  - The sequences were mined from memory dumps and unpacked files (see
     *    DISCLAIMER); expect misses on packed or encrypted on-disk samples.
     *    Scan unpacked payloads or process memory for best coverage.
     *  - No header or size guard (e.g. uint16(0) == 0x5A4D, filesize bounds)
     *    is applied. Adding one would reject header-less memory dumps, so any
     *    such tightening must be weighed against that use case.
     *  - "date" below is the rule generation date; "malpedia_version" is the
     *    snapshot of the Malpedia sample set the sequences came from.
     *  - Treat a hit as a hunting lead, not a verdict: the generator only saw
     *    the single Malpedia sample per family (see DISCLAIMER), so the
     *    false-positive / false-negative rates on other builds are unknown.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Pointer difference (edi - [esp+0x38]) then lea [edi+eax+1]; the
        // call target before it is wildcarded.
        $sequence_0 = { e8???????? 8bf8 2b7c2438 8b442430 59 8d440701 50 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   2b7c2438             | sub                 edi, dword ptr [esp + 0x38]
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   59                   | pop                 ecx
            //   8d440701             | lea                 eax, [edi + eax + 1]
            //   50                   | push                eax

        // Function epilogue (pop edi/esi/ebx; ret) immediately followed by the
        // start of the next function's argument check — spans two functions.
        $sequence_1 = { e8???????? 5f 5e 5b c3 837c240400 7529 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   837c240400           | cmp                 dword ptr [esp + 4], 0
            //   7529                 | jne                 0x2b

        // Two alternative push paths joined by a short jmp, then a call whose
        // result lands in esi.
        $sequence_2 = { ff742424 eb04 ff742420 ff750c e8???????? 59 8bf0 }
            // n = 7, score = 500
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   eb04                 | jmp                 6
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bf0                 | mov                 esi, eax

        // Loop tail: counter at [ebp-4] is incremented and compared against
        // the dword at [esi+0x18]'s target, with a backward jb.
        $sequence_3 = { ff45fc 8b4618 59 59 8b4dfc 3b08 72d9 }
            // n = 7, score = 500
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   3b08                 | cmp                 ecx, dword ptr [eax]
            //   72d9                 | jb                  0xffffffdb

        // Indirect call through edx with three stack arguments, cdecl
        // cleanup (add esp, 0x18).
        $sequence_4 = { ff7514 ff750c ff7510 ffd2 83c418 eb1c ffb1f4000000 }
            // n = 7, score = 500
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ffd2                 | call                edx
            //   83c418               | add                 esp, 0x18
            //   eb1c                 | jmp                 0x1e
            //   ffb1f4000000         | push                dword ptr [ecx + 0xf4]

        // Null check on the second dword of the structure passed in [ebp+8].
        $sequence_5 = { e9???????? 8b7d08 8b4704 33f6 3bc6 7503 56 }
            // n = 7, score = 500
            //   e9????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   33f6                 | xor                 esi, esi
            //   3bc6                 | cmp                 eax, esi
            //   7503                 | jne                 5
            //   56                   | push                esi

        // Anchored by the fixed immediate 0xa8c00 (691200); the two global
        // stores (a3) and the global compare (3905) are wildcarded.
        $sequence_6 = { ff75f8 a3???????? e8???????? 83c40c a3???????? b8008c0a00 3905???????? }
            // n = 7, score = 500
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   a3????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   a3????????           |                     
            //   b8008c0a00           | mov                 eax, 0xa8c00
            //   3905????????         |                     

        // Dispatch on ecx: subtract 0x10001, then "push 1; pop ebx" (compact
        // mov ebx, 1) and two je branches on the adjusted value.
        $sequence_7 = { e9???????? 81e901000100 6a01 5b 0f8443010000 49 0f84d5000000 }
            // n = 7, score = 500
            //   e9????????           |                     
            //   81e901000100         | sub                 ecx, 0x10001
            //   6a01                 | push                1
            //   5b                   | pop                 ebx
            //   0f8443010000         | je                  0x149
            //   49                   | dec                 ecx
            //   0f84d5000000         | je                  0xdb

        // Loop over a dword array at esi: call with [esi], count non-zero
        // results in [ebp-4], advance esi by 4.
        $sequence_8 = { ff36 e8???????? 59 85c0 7403 ff45fc 83c604 }
            // n = 7, score = 500
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   83c604               | add                 esi, 4

        // Three-argument call with cdecl cleanup; edi advanced by ebx after.
        $sequence_9 = { ff7514 47 03c7 50 e8???????? 83c40c 03fb }
            // n = 7, score = 500
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   47                   | inc                 edi
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   03fb                 | add                 edi, ebx

    condition:
        // At least 7 of the 10 sequences above must be present. All carry the
        // same score, so this is an unweighted count; no PE-header or filesize
        // guard is applied (see the header note for the trade-off).
        7 of them
}