Troldesh (Malware Family)

Troldesh

aka: Shade

VTCollection URLhaus

According to Malwarebyte, Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host downloads.

References

2020-05-02 ⋅ Bitdefender ⋅ Bitdefender Team
Shade / Troldesh Ransomware decryption tool
Troldesh

2020-04-27 ⋅ ZDNet ⋅ Catalin Cimpanu
Shade (Troldesh) ransomware shuts down and releases decryption keys
Troldesh

2020-04-26 ⋅ shade-team
Repository with Keys for Shade / Troldesh
Troldesh

2019-10-29 ⋅ Kaspersky Labs ⋅ Kaspersky
ShadeDecryptor tool
Troldesh

2019-06-25 ⋅ Avast ⋅ Jeff Elder
Ransomware strain Troldesh spikes again – Avast tracks new attacks
Troldesh

2019-05-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada
Troldesh

2019-02-20 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
More Russian language malspam pushing Shade (Troldesh) ransomware
Troldesh

2019-01-28 ⋅ ESET Research ⋅ Juraj Jánošík
Russia hit by new wave of ransomware spam
Troldesh

2016-07-13 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
Troldesh ransomware influenced by (the) Da Vinci code
Troldesh

2015-09-14 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Victor Alyushin
The Shade Encryptor: a Double Threat
CMSBrute Troldesh

2015-06-01 ⋅ Check Point ⋅ Check Point
“Troldesh” – New Ransomware from Russia
Troldesh

Yara Rules

[TLP:WHITE] win_troldesh_auto (20230808 | Detects win.troldesh.)

rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.troldesh."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff74241c 8d44247c ff74241c 50 e8???????? 8b8e18050000 83c40c }
            // n = 7, score = 600
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   8d44247c             | lea                 eax, [esp + 0x7c]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b8e18050000         | mov                 ecx, dword ptr [esi + 0x518]
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { e8???????? 8b4510 8b4008 68ffffff7f 6a00 6a0a ff30 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   68ffffff7f           | push                0x7fffffff
            //   6a00                 | push                0
            //   6a0a                 | push                0xa
            //   ff30                 | push                dword ptr [eax]

        $sequence_2 = { eb17 51 50 8d45d8 50 e8???????? 8b4514 }
            // n = 7, score = 600
            //   eb17                 | jmp                 0x19
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]

        $sequence_3 = { ff7314 e8???????? 59 8b4df4 89431c 85c0 7511 }
            // n = 7, score = 600
            //   ff7314               | push                dword ptr [ebx + 0x14]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   89431c               | mov                 dword ptr [ebx + 0x1c], eax
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13

        $sequence_4 = { e9???????? 8b4ddc e8???????? 33c0 83c604 8975f8 8b7508 }
            // n = 7, score = 600
            //   e9????????           |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   83c604               | add                 esi, 4
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_5 = { e8???????? a3???????? e8???????? 8bf0 8974242c e8???????? 6a00 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8974242c             | mov                 dword ptr [esp + 0x2c], esi
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_6 = { ff7720 89742414 56 e8???????? 59 59 85c0 }
            // n = 7, score = 600
            //   ff7720               | push                dword ptr [edi + 0x20]
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_7 = { ff7508 8bcf 56 ffb754010000 6a04 e8???????? 83c410 }
            // n = 7, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   56                   | push                esi
            //   ffb754010000         | push                dword ptr [edi + 0x154]
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_8 = { e8???????? 85c0 7419 6a14 8d500c 8d4de0 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   6a14                 | push                0x14
            //   8d500c               | lea                 edx, [eax + 0xc]
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     

        $sequence_9 = { e8???????? 8b4514 660fbe00 0fb7c0 50 6a01 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   660fbe00             | movsx               ax, byte ptr [eax]
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax
            //   6a01                 | push                1
            //   e8????????           |                     

    condition:
        7 of them and filesize < 3915776
}

Download all Yara Rules

Troldesh Propose Change

References

Yara Rules

Troldesh