win.vhd_ransomware

VHD Ransomware


No description is available for this family yet.

References
2022-06-23TrellixChristiaan Beek
The Sound of Malware
Conti VHD Ransomware
2022-05-03TrellixChristiaan Beek
The Hermit Kingdom’s Ransomware play
VHD Ransomware
2021-08-17Seguranca InformaticaPedro Tavares
Secrets behind the Lazarus’s VHD ransomware
VHD Ransomware
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28Kaspersky LabsFélix Aime, Ivan Kwiatkowski, Pierre Delcher
Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-03-22GrujaRS
New #VHD (virtual hard disk)#Ransomware extension .vhd!
VHD Ransomware
YARA Rules
[TLP:WHITE] win_vhd_ransomware_auto (20260504 | Detects win.vhd_ransomware.)
/*
 * Auto-generated YARA rule for the VHD ransomware family (Malpedia: win.vhd_ransomware).
 *
 * Logic: ten x86 opcode sequences lifted from disassembly ($sequence_0 .. $sequence_9).
 * The rule fires when at least 7 of the 10 sequences are present AND the scanned
 * object is smaller than 275456 bytes (269 KiB).
 *
 * Reviewer notes for deployment:
 *  - The sequences were selected from memory dumps and UNPACKED files (see the
 *    DISCLAIMER below), so a packed or encrypted on-disk sample may not match;
 *    apply the rule to unpacked samples or memory dumps.
 *  - NOTE(review): YARA leaves `filesize` undefined when scanning a live process,
 *    so the `filesize < ...` clause will not hold there — confirm this for your
 *    YARA version and consider a companion rule without the size bound if you
 *    need process-memory matches.
 *  - `e8????????` entries are CALL instructions whose rel32 displacement is
 *    wildcarded (position dependent). $sequence_8 embeds absolute addresses
 *    (0x4151bc / 0x4151c0) that presumably depend on the compiled image base —
 *    verify on a rebased sample before relying on that sequence.
 *  - TLP:WHITE is the pre-TLP-2.0 label for what is now called TLP:CLEAR.
 */
rule win_vhd_ransomware_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.vhd_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // rep stosd fill of a buffer, a store through edx, then a signed
        // loop-bound check (jle) against the counter at [ebp + 0x330].
        $sequence_0 = { f3ab 8b8530030000 8902 33c0 89a54cf3ffff 398530030000 7e1b }
            // n = 7, score = 100
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b8530030000         | mov                 eax, dword ptr [ebp + 0x330]
            //   8902                 | mov                 dword ptr [edx], eax
            //   33c0                 | xor                 eax, eax
            //   89a54cf3ffff         | mov                 dword ptr [ebp - 0xcb4], esp
            //   398530030000         | cmp                 dword ptr [ebp + 0x330], eax
            //   7e1b                 | jle                 0x1d

        // Stores 0x270 (= 624) into a stack slot, calls a wildcarded target, then
        // uses that slot to index a stack-resident dword table and shifts the
        // entry right by 11 before masking. 624 is the MT19937 state length, so
        // this may be part of a Mersenne Twister PRNG — TODO confirm against the sample.
        $sequence_1 = { c78520e6ffff70020000 e8???????? 8b8520e6ffff 8b848524e6ffff 8bc8 c1e90b 238da4f9ffff }
            // n = 7, score = 100
            //   c78520e6ffff70020000     | mov    dword ptr [ebp - 0x19e0], 0x270
            //   e8????????           |                     
            //   8b8520e6ffff         | mov                 eax, dword ptr [ebp - 0x19e0]
            //   8b848524e6ffff       | mov                 eax, dword ptr [ebp + eax*4 - 0x19dc]
            //   8bc8                 | mov                 ecx, eax
            //   c1e90b               | shr                 ecx, 0xb
            //   238da4f9ffff         | and                 ecx, dword ptr [ebp - 0x65c]

        // Byte and dword spills into the local frame around a decrement and a
        // register clear; generic compiler output with little meaning on its own.
        $sequence_2 = { 8845ea 8b45e4 48 8855e9 33d2 8955e0 8945dc }
            // n = 7, score = 100
            //   8845ea               | mov                 byte ptr [ebp - 0x16], al
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   48                   | dec                 eax
            //   8855e9               | mov                 byte ptr [ebp - 0x17], dl
            //   33d2                 | xor                 edx, edx
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax

        // Copy loop body: dwords read from a stack table ([ebp + eax*4 - 0x658])
        // are written through ecx, which advances by 4 per element. The 6-byte
        // `lea ebx, [ebx]` is a multi-byte NOP used for loop alignment.
        $sequence_3 = { 8d4a04 8d9b00000000 8bb485a8f9ffff 8931 40 83c104 }
            // n = 6, score = 100
            //   8d4a04               | lea                 ecx, [edx + 4]
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   8bb485a8f9ffff       | mov                 esi, dword ptr [ebp + eax*4 - 0x658]
            //   8931                 | mov                 dword ptr [ecx], esi
            //   40                   | inc                 eax
            //   83c104               | add                 ecx, 4

        // Saves esp, writes a NUL byte at [esi], calls a wildcarded target, then
        // points esi at a local buffer ([ebp - 0x308]).
        $sequence_4 = { 89a5f4fcffff c60600 e8???????? 8db5f8fcffff }
            // n = 4, score = 100
            //   89a5f4fcffff         | mov                 dword ptr [ebp - 0x30c], esp
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |                     
            //   8db5f8fcffff         | lea                 esi, [ebp - 0x308]

        // "return 1" epilogue (mov eax, 1 / pop ebx / pop ebp / ret) immediately
        // followed by the first instructions of the next function; generic.
        $sequence_5 = { b801000000 5b 5d c3 8b7d08 e8???????? }
            // n = 6, score = 100
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   e8????????           |                     

        // leave/ret epilogue followed by a `mov edi, edi; push ebp; mov ebp, esp`
        // prologue — the hot-patchable prologue typical of MSVC builds. Weak
        // evidence on its own, which is why the condition requires 7 of 10.
        $sequence_6 = { 8b45f8 c9 c3 8bff 55 8bec 5d }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   5d                   | pop                 ebp

        // Loop tail: counter at [ebp - 0xccc] incremented and compared against
        // 0x20 (32 iterations), with a pointer at [ebp - 0xcc4] advanced by 4.
        $sequence_7 = { 8b8534f3ffff 40 898534f3ffff 83f820 0f8c23fdffff 8b8538f3ffff 83853cf3ffff04 }
            // n = 7, score = 100
            //   8b8534f3ffff         | mov                 eax, dword ptr [ebp - 0xccc]
            //   40                   | inc                 eax
            //   898534f3ffff         | mov                 dword ptr [ebp - 0xccc], eax
            //   83f820               | cmp                 eax, 0x20
            //   0f8c23fdffff         | jl                  0xfffffd29
            //   8b8538f3ffff         | mov                 eax, dword ptr [ebp - 0xcc8]
            //   83853cf3ffff04       | add                 dword ptr [ebp - 0xcc4], 4

        // Walks a pointer from 0x4151bc up to 0x4151c0 in 4-byte steps. These are
        // absolute virtual addresses baked in at compile time; expect this
        // sequence to miss if the sample is rebased or rebuilt.
        $sequence_8 = { 8345e404 ebe6 c745e0bc514100 817de0c0514100 }
            // n = 4, score = 100
            //   8345e404             | add                 dword ptr [ebp - 0x1c], 4
            //   ebe6                 | jmp                 0xffffffe8
            //   c745e0bc514100       | mov                 dword ptr [ebp - 0x20], 0x4151bc
            //   817de0c0514100       | cmp                 dword ptr [ebp - 0x20], 0x4151c0

        // Register spills into the frame, a NUL write at [esi], then a
        // compare-and-branch on eax/edx.
        $sequence_9 = { 897de4 8955e0 c60600 895dd8 3bc2 7416 }
            // n = 6, score = 100
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   c60600               | mov                 byte ptr [esi], 0
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   3bc2                 | cmp                 eax, edx
            //   7416                 | je                  0x18

    condition:
        // At least 7 of the 10 $sequence_* strings, plus a size cap of
        // 275456 bytes (269 KiB). NOTE(review): filesize is undefined for
        // process scans, so this clause restricts the rule to files/dumps.
        7 of them and filesize < 275456
}