There is no description at this point.
rule win_vohuk_auto {
    // Auto-generated code-sequence signature for win.vohuk (YARA-Signator).
    // Each $sequence_N is a run of 7 consecutive instructions lifted from
    // the disassembly of a Malpedia sample; "??" masks bytes that vary
    // between builds (relative call targets, absolute data addresses).
    // The condition deliberately has no MZ/PE-header check so the rule can
    // fire on unpacked files and memory dumps alike; the filesize bound is
    // the only scope limiter.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.vohuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 100
        // cmp esi, 0x44 / jb -0x2b / push edi / call ?? / add esp, 4 /
        // mov ecx, [??] / mov edx, 0x40211014
        // Loop bounded at 0x44 with a call inside; the edx immediate is the
        // distinctive byte.
        $sequence_0 = { 83fe44 72d3 57 e8???????? 83c404 8b0d???????? ba14102140 }

        // n = 7, score = 100
        // mov eax, [ebp+8] / push ebx / push esi / push edi / pop edi /
        // pop esi / mov dword ptr [eax], 0x5d004d
        // Writes two UTF-16 code units ('M', ']') into a caller-supplied buffer.
        $sequence_1 = { 8b4508 53 56 57 5f 5e c7004d005d00 }

        // n = 7, score = 100
        // Seven consecutive stores of 16-bit pairs at [esp+0x102..0x11a]:
        // 0xb600b1, 0xfb00b4, 0xe300f1, 0x9900fe, 0x8d0089, 0xc30087, 0x8b00a1
        // Stack-built wide-char constant table (values above 0x7f, so not
        // plain ASCII; presumably an obfuscated string to be decoded later —
        // TODO confirm).
        $sequence_2 = { c7842402010000b100b600 c7842406010000b400fb00 c784240a010000f100e300 c784240e010000fe009900 c784241201000089008d00 c78424160100008700c300 c784241a010000a1008b00 }

        // n = 7, score = 100
        // push 0x4d / call ?? / lea ecx, [ebp-0x48] / push ecx / push esi /
        // call eax / mov edi, eax
        // Call through a function pointer returned by the preceding call.
        $sequence_3 = { 6a4d e8???????? 8d4db8 51 56 ffd0 8bf8 }

        // n = 7, score = 100
        // mov eax, 0xe7 / mov [ebp-0xe], 0xb400bd / push esi /
        // mov [ebp-0xa], 0x8c008c / xor esi, esi / mov [ebp-6], 0x8d0090 /
        // mov word ptr [ebp-2], ax
        // Another stack-built 16-bit-unit buffer (same encoding family as
        // $sequence_2) terminated with 0x00e7.
        $sequence_4 = { b8e7000000 c745f2bd00b400 56 c745f68c008c00 33f6 c745fa90008d00 668945fe }

        // n = 7, score = 100
        // mov [eax+0x74], 0x13d017f / mov [eax+0x78], 0x1140110 /
        // mov [eax+0x7c], 0x14c014f / mov [eax+0x80], 0x1430144 /
        // mov [eax+0x84], 0x1410150 / mov [eax+0x88], 0x1400105 /
        // mov [eax+0x8c], 0x146014e
        // Heap/struct-resident 16-bit table with every unit in the 0x01xx
        // range.
        $sequence_5 = { c740747f013d01 c7407810011401 c7407c4f014c01 c7808000000044014301 c7808400000050014101 c7808800000005014001 c7808c0000004e014601 }

        // n = 7, score = 100
        // vpshufd ymm0, [ebp-0xa0], 0x4e / vmovdqu [ebp-0x40], ymm4 /
        // vpaddd ymm4, ymm0, ymm4 / vpxor ymm0, ymm5, [ebp-0x220] /
        // vmovdqu [ebp-0x240], ymm4 / vpxor ymm4, ymm4, ymm1 /
        // vpslld ymm1, ymm0, 0xc
        // AVX2 add/xor/rotate-by-12 lane arithmetic; consistent with an
        // ARX cipher round (e.g. a ChaCha-style quarter round) — TODO confirm.
        // Only present in builds with an AVX2 code path.
        $sequence_6 = { c5fd708560ffffff4e c5fe7f65c0 c5fdfee4 c5d5ef85e0fdffff c5fe7fa5c0fdffff c5ddefe1 c5f572f00c }

        // n = 7, score = 100
        // push 0x20 / push [ebp-0x34] / call [ebp-0xe0] / test eax, eax /
        // jne +0x12f / mov ecx, [??] / mov edx, 0xd0bfc743
        // Indirect call through a stack-stored pointer; the edx immediate
        // 0xd0bfc743 is the stable byte sequence here.
        $sequence_7 = { 6a20 ff75cc ff9520ffffff 85c0 0f8529010000 8b0d???????? ba43c7bfd0 }

        // n = 7, score = 100
        // push 0 / push -1 / call eax / mov ecx, [??] / mov edx, 0x44000025 /
        // push 0x8c / mov [??], eax
        // Same "mov ecx, [global]; mov edx, imm32" shape as $sequence_0 and
        // $sequence_7 (and $p2 in win_vohuk_w0) — looks like a resolver that
        // takes a 32-bit constant in edx; TODO confirm.
        $sequence_8 = { 6a00 6aff ffd0 8b0d???????? ba25000044 688c000000 a3???????? }

        // n = 7, score = 100
        // mov esi, edx / mov edx, [ebp+8] / mov ecx, 8 / push edi /
        // lea edi, [ebp-0x24] / rep movsd / mov al, [ebp-5]
        // 32-byte copy of a caller-supplied block onto the stack.
        $sequence_9 = { 8bf2 8b5508 b908000000 57 8d7ddc f3a5 8a45fb }

    condition:
        // Seven of the ten sequences is the generator's threshold; it does not
        // require a PE header. Note that `filesize` is undefined when scanning
        // a live process, which would make the whole condition false there —
        // verify against your YARA version before relying on this for
        // memory scans.
        7 of ($sequence_*) and filesize < 260096
}
rule win_vohuk_w0 {
    // Hand-written signature for the Vohuk ransomware (@malgamy12).
    // Two opcode patterns with wildcarded immediates, gated on an MZ header,
    // so unlike win_vohuk_auto this rule is meant for on-disk/unpacked PE
    // files rather than raw memory dumps.
    // The `date` meta is reproduced as published ("8/12/2022"); the
    // day/month order is not stated — malpedia_rule_date 20221212 suggests
    // 8 December 2022.
    meta:
        description = "Detect_Vohuk_ransomware"
        author = "@malgamy12"
        date = "8/12/2022"
        license = "DRL 1.1"
        hash= "e27b637abe523503b19e6b57b95489ea"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk"
        malpedia_rule_date = "20221212"
        malpedia_hash = ""
        malpedia_version = "20221212"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // mov eax, imm32 / mov ecx, esi / imul esi / sar edx, ?? /
        // mov eax, edx / shr eax, ?? / add eax, edx / imul eax, eax, imm32 /
        // sub ecx, eax / add ecx, imm8 / xor word ptr [ebp+esi*2+disp8], cx /
        // inc esi / cmp esi, imm8 / jb
        // Magic-number signed modulo of the loop index, plus a constant,
        // XORed into a 16-bit word at [ebp+esi*2]: a wide-string decoding
        // loop over a stack buffer (consistent with the stack-built 16-bit
        // tables matched by win_vohuk_auto). Multiplier, shift counts, the
        // offsets and the loop bound are wildcarded.
        $p1 = {B8 [4] 8B CE F7 EE C1 FA ?? 8B C2 C1 E8 ?? 03 C2 69 C0 [4] 2B C8 83 C1 ?? 66 31 4C 75 ?? 46 83 FE ?? 72}

        // mov esi, [eax+edi*4] / mov edx, imm32 / movsx eax, byte ptr [esi+ebx] /
        // add esi, ebx
        // Loads a pointer from a 4-byte-stride table, seeds edx with a
        // constant, then walks bytes from it — resembles a hash-based
        // lookup; TODO confirm.
        $p2 = {8B 34 B8 BA [4] 0F BE 04 1E 03 F3}

    condition:
        // MZ header required; both patterns must be present.
        uint16(0) == 0x5A4D and all of ($p*)
}