win.vhd_ransomware

VHD Ransomware


There is no description at this point.

References
2021-08-17Seguranca InformaticaPedro Tavares
@online{tavares:20210817:secrets:e82be35, author = {Pedro Tavares}, title = {{Secrets behind the Lazarus’s VHD ransomware}}, date = {2021-08-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/}, language = {English}, urldate = {2021-08-24} } Secrets behind the Lazarus’s VHD ransomware
VHD Ransomware
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28Kaspersky LabsIvan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-03-22GrujaRS
@online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } New #VHD (virtual hard disk)#Ransomware extension .vhd!
VHD Ransomware
Yara Rules
[TLP:WHITE] win_vhd_ransomware_auto (20210616 | Detects win.vhd_ransomware.)
rule win_vhd_ransomware_auto {
    // Auto-generated code-sequence signature (yara-signator) for the VHD
    // ransomware family as catalogued by Malpedia. The annotated disassembly
    // below uses 32-bit registers (eax/ebp/esp), so the sequences are x86
    // instruction bytes; the condition requires a quorum of them to match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.vhd_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware"
        malpedia_rule_date = "20210604"
        // NOTE(review): opaque Malpedia identifier; the rule does not say
        // whether this is a sample hash or a dataset revision - verify before
        // treating it as an IoC.
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The `??` wildcard bytes in $sequence_0 and $sequence_4 are the
        // operands the generator left blank in the listing (presumably a
        // relocatable call target / absolute address); every other byte in a
        // sequence must match exactly.
        $sequence_0 = { 57 6800e1f505 e8???????? 33f6 83c404 3bc6 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   6800e1f505           | push                0x5f5e100
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   83c404               | add                 esp, 4
            //   3bc6                 | cmp                 eax, esi

        // Indexes a table at the fixed address 0x41d4c0 (also used by
        // $sequence_9). Absolute data addresses like this tie the sequence to
        // the sampled build/image base, so expect misses on rebased or
        // recompiled variants - confirm against other samples.
        $sequence_1 = { 8b0485c0d44100 8bfa 83e71f c1e706 8b0407 }
            // n = 5, score = 100
            //   8b0485c0d44100       | mov                 eax, dword ptr [eax*4 + 0x41d4c0]
            //   8bfa                 | mov                 edi, edx
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b0407               | mov                 eax, dword ptr [edi + eax]

        $sequence_2 = { 83c104 3b85d0fcffff 7ceb 33c0 8d4b04 8d9b00000000 8b11 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   3b85d0fcffff         | cmp                 eax, dword ptr [ebp - 0x330]
            //   7ceb                 | jl                  0xffffffed
            //   33c0                 | xor                 eax, eax
            //   8d4b04               | lea                 ecx, dword ptr [ebx + 4]
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        // Byte lookups against fixed tables at 0x417498 / 0x418598 (0x417498
        // is also referenced by $sequence_5 and $sequence_7). This looks like
        // table-driven byte substitution, possibly a cipher or hash routine;
        // not confirmed from the rule alone. Same image-base caveat as above.
        $sequence_3 = { 8d9b00000000 0fb65c8602 0fb64c8603 0fb63c86 0fb69798744100 0fb6149598854100 894df4 }
            // n = 7, score = 100
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   0fb65c8602           | movzx               ebx, byte ptr [esi + eax*4 + 2]
            //   0fb64c8603           | movzx               ecx, byte ptr [esi + eax*4 + 3]
            //   0fb63c86             | movzx               edi, byte ptr [esi + eax*4]
            //   0fb69798744100       | movzx               edx, byte ptr [edi + 0x417498]
            //   0fb6149598854100     | movzx               edx, byte ptr [edx*4 + 0x418598]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_4 = { 2bc2 6a00 d1f8 8d8d38b4ffff 51 8d1400 a1???????? }
            // n = 7, score = 100
            //   2bc2                 | sub                 eax, edx
            //   6a00                 | push                0
            //   d1f8                 | sar                 eax, 1
            //   8d8d38b4ffff         | lea                 ecx, dword ptr [ebp - 0x4bc8]
            //   51                   | push                ecx
            //   8d1400               | lea                 edx, dword ptr [eax + eax]
            //   a1????????           |                     

        $sequence_5 = { 8930 8b75f4 c1ee18 0fb6b698744100 }
            // n = 4, score = 100
            //   8930                 | mov                 dword ptr [eax], esi
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]
            //   c1ee18               | shr                 esi, 0x18
            //   0fb6b698744100       | movzx               esi, byte ptr [esi + 0x417498]

        $sequence_6 = { 894c2458 8954245c 66895c2460 897c241c }
            // n = 4, score = 100
            //   894c2458             | mov                 dword ptr [esp + 0x58], ecx
            //   8954245c             | mov                 dword ptr [esp + 0x5c], edx
            //   66895c2460           | mov                 word ptr [esp + 0x60], bx
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi

        $sequence_7 = { 0fb6f9 0fb6bf98744100 33f7 8b7d08 33b7e0000000 c1eb10 8970f8 }
            // n = 7, score = 100
            //   0fb6f9               | movzx               edi, cl
            //   0fb6bf98744100       | movzx               edi, byte ptr [edi + 0x417498]
            //   33f7                 | xor                 esi, edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33b7e0000000         | xor                 esi, dword ptr [edi + 0xe0]
            //   c1eb10               | shr                 ebx, 0x10
            //   8970f8               | mov                 dword ptr [eax - 8], esi

        // NOTE(review): the pop edi / pop esi / xor ecx, ebp tail after
        // reloading [ebp - 4] resembles a compiler-generated stack-cookie
        // epilogue; if so, this sequence is generic code and contributes
        // little family-specific evidence on its own.
        $sequence_8 = { 48 79ef 8b4dfc 5f 5e 8bc3 33cd }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   79ef                 | jns                 0xfffffff1
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx
            //   33cd                 | xor                 ecx, ebp

        // Second reference to the 0x41d4c0 table (see $sequence_1).
        $sequence_9 = { 8bc1 83e01f 8bd1 c1fa05 c1e006 030495c0d44100 eb05 }
            // n = 7, score = 100
            //   8bc1                 | mov                 eax, ecx
            //   83e01f               | and                 eax, 0x1f
            //   8bd1                 | mov                 edx, ecx
            //   c1fa05               | sar                 edx, 5
            //   c1e006               | shl                 eax, 6
            //   030495c0d44100       | add                 eax, dword ptr [edx*4 + 0x41d4c0]
            //   eb05                 | jmp                 7

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be smaller than 275456 bytes (269 KiB).
        // NOTE(review): `filesize` is only defined when scanning a file; on
        // process-memory scans this clause keeps the rule from matching -
        // confirm against your scanning setup. Because the sequences were
        // taken from unpacked code and memory dumps (see DISCLAIMER), a packed
        // on-disk sample is also unlikely to hit.
        7 of them and filesize < 275456
}