win.troldesh

Troldesh

aka: Shade

According to Malwarebytes, ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment to restore access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host its downloads.

References (date, source, author: title [families covered])
2020-05-02, Bitdefender (Bitdefender Team): Shade / Troldesh Ransomware decryption tool [Troldesh]
2020-04-27, ZDNet (Catalin Cimpanu): Shade (Troldesh) ransomware shuts down and releases decryption keys [Troldesh]
2020-04-26, shade-team: Repository with Keys for Shade / Troldesh [Troldesh]
2019-10-29, Kaspersky Labs (Kaspersky): ShadeDecryptor tool [Troldesh]
2019-06-25, Avast (Jeff Elder): Ransomware strain Troldesh spikes again – Avast tracks new attacks [Troldesh]
2019-05-22, Palo Alto Networks Unit 42 (Brad Duncan): Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada [Troldesh]
2019-02-20, SANS ISC InfoSec Forums (Brad Duncan): More Russian language malspam pushing Shade (Troldesh) ransomware [Troldesh]
2019-01-28, ESET Research (Juraj Jánošík): Russia hit by new wave of ransomware spam [Troldesh]
2016-07-13, Microsoft (Microsoft Defender ATP Research Team): Troldesh ransomware influenced by (the) Da Vinci code [Troldesh]
2015-09-14, Kaspersky Labs (Fedor Sinitsyn, Victor Alyushin): The Shade Encryptor: a Double Threat [CMSBrute, Troldesh]
2015-06-01, Check Point (Check Point): “Troldesh” – New Ransomware from Russia [Troldesh]
Yara Rules
[TLP:WHITE] win_troldesh_auto (20230808 | Detects win.troldesh.)
rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.troldesh."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff74241c 8d44247c ff74241c 50 e8???????? 8b8e18050000 83c40c }
            // n = 7, score = 600
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   8d44247c             | lea                 eax, [esp + 0x7c]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b8e18050000         | mov                 ecx, dword ptr [esi + 0x518]
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { e8???????? 8b4510 8b4008 68ffffff7f 6a00 6a0a ff30 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   68ffffff7f           | push                0x7fffffff
            //   6a00                 | push                0
            //   6a0a                 | push                0xa
            //   ff30                 | push                dword ptr [eax]

        $sequence_2 = { eb17 51 50 8d45d8 50 e8???????? 8b4514 }
            // n = 7, score = 600
            //   eb17                 | jmp                 0x19
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]

        $sequence_3 = { ff7314 e8???????? 59 8b4df4 89431c 85c0 7511 }
            // n = 7, score = 600
            //   ff7314               | push                dword ptr [ebx + 0x14]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   89431c               | mov                 dword ptr [ebx + 0x1c], eax
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13

        $sequence_4 = { e9???????? 8b4ddc e8???????? 33c0 83c604 8975f8 8b7508 }
            // n = 7, score = 600
            //   e9????????           |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   83c604               | add                 esi, 4
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_5 = { e8???????? a3???????? e8???????? 8bf0 8974242c e8???????? 6a00 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8974242c             | mov                 dword ptr [esp + 0x2c], esi
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_6 = { ff7720 89742414 56 e8???????? 59 59 85c0 }
            // n = 7, score = 600
            //   ff7720               | push                dword ptr [edi + 0x20]
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_7 = { ff7508 8bcf 56 ffb754010000 6a04 e8???????? 83c410 }
            // n = 7, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   56                   | push                esi
            //   ffb754010000         | push                dword ptr [edi + 0x154]
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_8 = { e8???????? 85c0 7419 6a14 8d500c 8d4de0 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   6a14                 | push                0x14
            //   8d500c               | lea                 edx, [eax + 0xc]
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     

        $sequence_9 = { e8???????? 8b4514 660fbe00 0fb7c0 50 6a01 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   660fbe00             | movsx               ax, byte ptr [eax]
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax
            //   6a01                 | push                1
            //   e8????????           |                     

    condition:
        7 of them and filesize < 3915776
}
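As an added illustration (not part of the Malpedia page, the yara-signator project, or the rule above), the following Python re-implements the matching semantics of win_troldesh_auto so the condition clause can be read concretely: every $sequence_N hex string becomes a bytes regex in which "??" matches exactly one arbitrary byte (in these sequences the wildcards sit over the rel32 operand of e8/e9 and the absolute address of a3, which differ between builds, and that is what lets the rule generalise beyond the single documented sample), and the rule fires only when at least 7 of the 10 sequences occur in a buffer smaller than 3915776 bytes. The buffers it scans are constructed here, not real samples; the function names (hex_pattern_to_regex, evaluate_rule, instantiate, build_sample) are my own. For actual scanning use the yara CLI or yara-python with the rule as published; this code is for understanding the rule, not for replacing it.

```python
import re

# Hex strings copied from win_troldesh_auto above; "??" is YARA's single-byte wildcard.
# The wildcards cover the rel32 operand of e8 (call) / e9 (jmp) and the absolute
# address of a3 (mov [imm32], eax), which change from build to build.
TROLDESH_SEQUENCES = {
    "sequence_0": "ff74241c 8d44247c ff74241c 50 e8???????? 8b8e18050000 83c40c",
    "sequence_1": "e8???????? 8b4510 8b4008 68ffffff7f 6a00 6a0a ff30",
    "sequence_2": "eb17 51 50 8d45d8 50 e8???????? 8b4514",
    "sequence_3": "ff7314 e8???????? 59 8b4df4 89431c 85c0 7511",
    "sequence_4": "e9???????? 8b4ddc e8???????? 33c0 83c604 8975f8 8b7508",
    "sequence_5": "e8???????? a3???????? e8???????? 8bf0 8974242c e8???????? 6a00",
    "sequence_6": "ff7720 89742414 56 e8???????? 59 59 85c0",
    "sequence_7": "ff7508 8bcf 56 ffb754010000 6a04 e8???????? 83c410",
    "sequence_8": "e8???????? 85c0 7419 6a14 8d500c 8d4de0 e8????????",
    "sequence_9": "e8???????? 8b4514 660fbe00 0fb7c0 50 6a01 e8????????",
}
REQUIRED_MATCHES = 7      # condition: "7 of them"
MAX_FILESIZE = 3915776    # condition: "filesize < 3915776"


def _byte_tokens(hex_string):
    """Yield the two-character byte tokens ("ff", "??", ...) of a YARA hex string."""
    for token in hex_string.split():
        if len(token) % 2:
            raise ValueError("odd-length hex token: %r" % token)
        for i in range(0, len(token), 2):
            yield token[i:i + 2]


def hex_pattern_to_regex(hex_string):
    """Compile a YARA hex string into a bytes regex; "??" becomes a one-byte wildcard."""
    parts = []
    for tok in _byte_tokens(hex_string):
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    # DOTALL so the wildcard also matches 0x0a, which a plain "." would skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(h) for name, h in TROLDESH_SEQUENCES.items()}


def evaluate_rule(data):
    """Return (fires, matched_sequence_names), mirroring the rule's condition clause."""
    matched = [name for name, pattern in COMPILED.items() if pattern.search(data)]
    fires = len(matched) >= REQUIRED_MATCHES and len(data) < MAX_FILESIZE
    return fires, matched


# --- constructed test buffers (hypothetical data, not real Troldesh samples) ---

def instantiate(hex_string, filler=0x90):
    """Turn a hex string into concrete bytes, filling each ?? with `filler`."""
    return bytes(filler if tok == "??" else int(tok, 16)
                 for tok in _byte_tokens(hex_string))


def build_sample(names, filler=0x90, pad=b"\x00" * 16):
    """Buffer holding the named sequences, separated by zero padding."""
    body = pad.join(instantiate(TROLDESH_SEQUENCES[n], filler) for n in names)
    return pad + body + pad


if __name__ == "__main__":
    names = list(TROLDESH_SEQUENCES)
    cases = (
        ("7 sequences", build_sample(names[:7])),                        # fires
        ("6 sequences", build_sample(names[:6])),                        # one short
        ("all, oversized", build_sample(names) + b"\x00" * MAX_FILESIZE),  # filesize fails
    )
    for label, buf in cases:
        fires, matched = evaluate_rule(buf)
        print("%-15s size=%-8d matched=%2d fires=%s" % (label, len(buf), len(matched), fires))
```

The third case is the one worth remembering when assigning confidence to autogenerated rules like this: all ten sequences are present, yet the rule stays silent because the filesize bound fails, so a padded or repacked build would slip past it even though the code is identical.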