win.troldesh

Troldesh

aka: Shade

No description has been written for this family yet. The references below cover Shade/Troldesh ransomware, including its distribution through Russian-language malspam campaigns.

References
https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/
https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/
https://securelist.com/the-shade-encryptor-a-double-threat/72087/
https://support.kaspersky.com/13059
https://www.paloaltonetworks.jp/company/in-the-news/2019/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada
https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/
Yara Rules
[TLP:WHITE] win_troldesh_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Date the rule itself was generated. The Malpedia corpus snapshot it
        // was built from is recorded separately in malpedia_version below; the
        // two differ, which is expected (snapshot version vs. generation run).
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a short run of raw x86 opcode bytes (n = 4
        // instructions per string) lifted from the sample's disassembly. The
        // indented comments under each string show the decoded instructions.
        // Matching is done on the hex bytes only: the absolute jump/call
        // targets shown in the comments (e.g. "je 0x4608e1") are resolved for
        // the sample's load address and are informational, the bytes actually
        // encode relative displacements. "score" is the generator's ranking
        // value for the sequence; its scale is not documented in this rule.
        $sequence_0 = { 0f848d040000 83bec404000000 7420 8b86c0040000 }
            // n = 4, score = 5000
            //   0f848d040000         | je                  0x4608e1
            //   83bec404000000       | cmp                 dword ptr [esi + 0x4c4], 0
            //   7420                 | je                  0x46047d
            //   8b86c0040000         | mov                 eax, dword ptr [esi + 0x4c0]

        $sequence_1 = { 0f82b5fdffff 8a4701 884302 3c01 }
            // n = 4, score = 5000
            //   0f82b5fdffff         | jb                  0x483b51
            //   8a4701               | mov                 al, byte ptr [edi + 1]
            //   884302               | mov                 byte ptr [ebx + 2], al
            //   3c01                 | cmp                 al, 1

        $sequence_2 = { 0f849f000000 ff75f4 8d85f0fdffff 50 }
            // n = 4, score = 5000
            //   0f849f000000         | je                  0x461f96
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8d85f0fdffff         | lea                 eax, dword ptr [ebp - 0x210]
            //   50                   | push                eax

        $sequence_3 = { 0f8498040000 f7430800400000 0f858b040000 8b45e4 }
            // n = 4, score = 5000
            //   0f8498040000         | je                  0x47ff2e
            //   f7430800400000       | test                dword ptr [ebx + 8], 0x4000
            //   0f858b040000         | jne                 0x47ff2e
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_4 = { 01750c 897704 8b5d08 837d1000 }
            // n = 4, score = 5000
            //   01750c               | add                 dword ptr [ebp + 0xc], esi
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_5 = { 0f8411feffff 83477c32 807b2504 8b5b20 }
            // n = 4, score = 5000
            //   0f8411feffff         | je                  0x4a144e
            //   83477c32             | add                 dword ptr [edi + 0x7c], 0x32
            //   807b2504             | cmp                 byte ptr [ebx + 0x25], 4
            //   8b5b20               | mov                 ebx, dword ptr [ebx + 0x20]

        $sequence_6 = { 0f844dffffff ff75f4 8b4df8 ff75fc }
            // n = 4, score = 5000
            //   0f844dffffff         | je                  0x42c519
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_7 = { 0f8404010000 8b742418 833e40 7418 }
            // n = 4, score = 5000
            //   0f8404010000         | je                  0x43a5de
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   833e40               | cmp                 dword ptr [esi], 0x40
            //   7418                 | je                  0x43a4fb

        $sequence_8 = { 0f8458010000 ff7510 8bc7 ff750c }
            // n = 4, score = 5000
            //   0f8458010000         | je                  0x449e2f
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8bc7                 | mov                 eax, edi
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_9 = { 0145fc 8b3e 33c9 e83470ffff }
            // n = 4, score = 5000
            //   0145fc               | add                 dword ptr [ebp - 4], eax
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   33c9                 | xor                 ecx, ecx
            //   e83470ffff           | call                0x460e18

    condition:
        // Fires when any 7 of the 10 opcode sequences are present. There is no
        // MZ-header or filesize anchor, presumably because the strings were
        // selected from memory dumps and unpacked files (see DISCLAIMER) and
        // the rule is meant to be applied to unpacked / in-memory code as well
        // as files. NOTE(review): packed on-disk samples will not match until
        // unpacked; add a PE/filesize anchor only if you scan on-disk PE files
        // exclusively, and remember the strings come from a single sample, so
        // assign confidence accordingly.
        7 of them
}