win.troldesh

Troldesh

aka: Shade

According to Malwarebytes, ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment to regain access. Ransom.Troldesh is spread by malspam, typically as attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host its downloads.

References

2020-05-02  Bitdefender (Bitdefender Team): Shade / Troldesh Ransomware decryption tool  [Troldesh]
2020-04-27  ZDNet (Catalin Cimpanu): Shade (Troldesh) ransomware shuts down and releases decryption keys  [Troldesh]
2020-04-26  shade-team: Repository with Keys for Shade / Troldesh  [Troldesh]
2019-10-29  Kaspersky Labs (Kaspersky): ShadeDecryptor tool  [Troldesh]
2019-06-25  Avast (Jeff Elder): Ransomware strain Troldesh spikes again – Avast tracks new attacks  [Troldesh]
2019-05-22  Palo Alto Networks Unit 42 (Brad Duncan): Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada  [Troldesh]
2019-02-20  SANS ISC InfoSec Forums (Brad Duncan): More Russian language malspam pushing Shade (Troldesh) ransomware  [Troldesh]
2019-01-28  ESET Research (Juraj Jánošík): Russia hit by new wave of ransomware spam  [Troldesh]
2016-07-13  Microsoft (Microsoft Defender ATP Research Team): Troldesh ransomware influenced by (the) Da Vinci code  [Troldesh]
2015-09-14  Kaspersky Labs (Fedor Sinitsyn, Victor Alyushin): The Shade Encryptor: a Double Threat  [CMSBrute, Troldesh]
2015-06-01  Check Point (Check Point): “Troldesh” – New Ransomware from Russia  [Troldesh]
Yara Rules
[TLP:WHITE] win_troldesh_auto (20260504 | Detects win.troldesh.)
rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.troldesh."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff742404 8b54240c 2bc1 d1f8 8bc8 e8???????? c20800 }
            // n = 7, score = 600
            //   ff742404             | push                dword ptr [esp + 4]
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   2bc1                 | sub                 eax, ecx
            //   d1f8                 | sar                 eax, 1
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   c20800               | ret                 8

        $sequence_1 = { e8???????? 83bed001000000 8bf8 740b 8b4508 832000 e9???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   83bed001000000       | cmp                 dword ptr [esi + 0x1d0], 0
            //   8bf8                 | mov                 edi, eax
            //   740b                 | je                  0xd
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   832000               | and                 dword ptr [eax], 0
            //   e9????????           |                     

        $sequence_2 = { e9???????? 68???????? e8???????? 8b869c000000 8b4014 c1e804 f7d0 }
            // n = 7, score = 600
            //   e9????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   8b869c000000         | mov                 eax, dword ptr [esi + 0x9c]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   c1e804               | shr                 eax, 4
            //   f7d0                 | not                 eax

        $sequence_3 = { eb0e 6a26 b989000000 eb05 6a26 6a43 59 }
            // n = 7, score = 600
            //   eb0e                 | jmp                 0x10
            //   6a26                 | push                0x26
            //   b989000000           | mov                 ecx, 0x89
            //   eb05                 | jmp                 7
            //   6a26                 | push                0x26
            //   6a43                 | push                0x43
            //   59                   | pop                 ecx

        $sequence_4 = { eb61 8b4758 39b018040000 7510 f7870001000000000400 0f8445010000 8b87e4000000 }
            // n = 7, score = 600
            //   eb61                 | jmp                 0x63
            //   8b4758               | mov                 eax, dword ptr [edi + 0x58]
            //   39b018040000         | cmp                 dword ptr [eax + 0x418], esi
            //   7510                 | jne                 0x12
            //   f7870001000000000400     | test    dword ptr [edi + 0x100], 0x40000
            //   0f8445010000         | je                  0x14b
            //   8b87e4000000         | mov                 eax, dword ptr [edi + 0xe4]

        $sequence_5 = { e8???????? 59 397dbc 7415 68???????? e8???????? 59 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   397dbc               | cmp                 dword ptr [ebp - 0x44], edi
            //   7415                 | je                  0x17
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_6 = { e8???????? 8bf8 47 68bf010000 8bf7 68???????? c1e602 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   47                   | inc                 edi
            //   68bf010000           | push                0x1bf
            //   8bf7                 | mov                 esi, edi
            //   68????????           |                     
            //   c1e602               | shl                 esi, 2

        $sequence_7 = { e8???????? ffb000020000 8b45e0 2b4748 8d75fc 50 8d45cc }
            // n = 7, score = 600
            //   e8????????           |                     
            //   ffb000020000         | push                dword ptr [eax + 0x200]
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   2b4748               | sub                 eax, dword ptr [edi + 0x48]
            //   8d75fc               | lea                 esi, [ebp - 4]
            //   50                   | push                eax
            //   8d45cc               | lea                 eax, [ebp - 0x34]

        $sequence_8 = { eb02 8bcb 57 51 e8???????? 8b7d0c 83c404 }
            // n = 7, score = 600
            //   eb02                 | jmp                 4
            //   8bcb                 | mov                 ecx, ebx
            //   57                   | push                edi
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83c404               | add                 esp, 4

        $sequence_9 = { e8???????? 59 85c0 7427 68???????? 68???????? 68e2020000 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7427                 | je                  0x29
            //   68????????           |                     
            //   68????????           |                     
            //   68e2020000           | push                0x2e2

    condition:
        7 of them and filesize < 3915776
}