win.yanluowang

Yanluowang

aka: Dryxiphia

According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the "README.txt" file containing a ransom note. It appends the ".yanluowang" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.

Files encrypted by Yanluowang can be decrypted with this tool. If the original file is larger than 3 GB, all files can be decrypted; if the original file is smaller than 3 GB, only the smaller files can be decrypted.

References
2022-11-22 | The Record | Dina Temple-Raston
    The Yanluowang ransomware group in their own words
    Families: Yanluowang

2022-11-07 | Darktrace | Dillon Ashmore, Taisiia Garkava
    Inside the Yanluowang Leak: Organization, Members, and Tactics
    Families: Yanluowang

2022-10-31 | Twitter (@CryptoInsane) | CryptoInsane
    Tweet about Yanluowang Leaks
    Families: Yanluowang

2022-08-10 | Cisco | Nick Biasini
    Cisco Talos shares insights related to recent cyber attack on Cisco
    Families: Yanluowang, UNC2447

2022-04-18 | Bleeping Computer | Sergiu Gatlan
    Free decryptor released for Yanluowang ransomware victims
    Families: Yanluowang

2022-04-18 | Kaspersky | AMR
    How to recover files encrypted by Yanlouwang
    Families: Yanluowang

2022-04-06 | Github (albertzsigovits) | Albert Zsigovits
    Yanluowang Ransomware Analysis
    Families: Yanluowang

2022-03-16 | Symantec | Symantec Threat Hunter Team
    The Ransomware Threat Landscape: What to Expect in 2022
    Families: AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin

2021-10-14 | Symantec | Threat Hunter Team
    New Yanluowang ransomware used in targeted attacks
    Families: Yanluowang
Yara Rules
[TLP:WHITE] win_yanluowang_auto (20260504 | Detects win.yanluowang.)
rule win_yanluowang_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.yanluowang."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c70600000000 c7461000000000 c7461407000000 895dec 83f807 7614 c645f000 }
            // n = 7, score = 100
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   83f807               | cmp                 eax, 7
            //   7614                 | jbe                 0x16
            //   c645f000             | mov                 byte ptr [ebp - 0x10], 0

        $sequence_1 = { b9???????? 8d8584f4ffff 0f1f440000 8a10 3a11 0f85f1000000 }
            // n = 6, score = 100
            //   b9????????           |                     
            //   8d8584f4ffff         | lea                 eax, [ebp - 0xb7c]
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]
            //   0f85f1000000         | jne                 0xf7

        $sequence_2 = { 8bd6 33f9 894238 8bc6 8b484c 8b5044 89783c }
            // n = 7, score = 100
            //   8bd6                 | mov                 edx, esi
            //   33f9                 | xor                 edi, ecx
            //   894238               | mov                 dword ptr [edx + 0x38], eax
            //   8bc6                 | mov                 eax, esi
            //   8b484c               | mov                 ecx, dword ptr [eax + 0x4c]
            //   8b5044               | mov                 edx, dword ptr [eax + 0x44]
            //   89783c               | mov                 dword ptr [eax + 0x3c], edi

        $sequence_3 = { 33e9 89afa0000000 bd01000000 23ea f7dd 23eb 33d8 }
            // n = 7, score = 100
            //   33e9                 | xor                 ebp, ecx
            //   89afa0000000         | mov                 dword ptr [edi + 0xa0], ebp
            //   bd01000000           | mov                 ebp, 1
            //   23ea                 | and                 ebp, edx
            //   f7dd                 | neg                 ebp
            //   23eb                 | and                 ebp, ebx
            //   33d8                 | xor                 ebx, eax

        $sequence_4 = { 03048d38034600 50 ff15???????? 5d c3 8bff }
            // n = 6, score = 100
            //   03048d38034600       | add                 eax, dword ptr [ecx*4 + 0x460338]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_5 = { 8b45fc 03c1 894db4 8b4de4 33c6 8b7db4 8945c4 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   03c1                 | add                 eax, ecx
            //   894db4               | mov                 dword ptr [ebp - 0x4c], ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   33c6                 | xor                 eax, esi
            //   8b7db4               | mov                 edi, dword ptr [ebp - 0x4c]
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax

        $sequence_6 = { 8b7d08 33db 8b450c 8945e4 897ddc 8b0f 895de0 }
            // n = 7, score = 100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx

        $sequence_7 = { 235dc0 33ca 334dc0 335df8 894de4 03de }
            // n = 6, score = 100
            //   235dc0               | and                 ebx, dword ptr [ebp - 0x40]
            //   33ca                 | xor                 ecx, edx
            //   334dc0               | xor                 ecx, dword ptr [ebp - 0x40]
            //   335df8               | xor                 ebx, dword ptr [ebp - 8]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   03de                 | add                 ebx, esi

        $sequence_8 = { 8b4df8 33c6 8945dc 83e701 0fb6c1 f7df 237de8 }
            // n = 7, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   33c6                 | xor                 eax, esi
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   83e701               | and                 edi, 1
            //   0fb6c1               | movzx               eax, cl
            //   f7df                 | neg                 edi
            //   237de8               | and                 edi, dword ptr [ebp - 0x18]

        $sequence_9 = { 7402 8938 8d7904 33d2 85ff 7402 }
            // n = 6, score = 100
            //   7402                 | je                  4
            //   8938                 | mov                 dword ptr [eax], edi
            //   8d7904               | lea                 edi, [ecx + 4]
            //   33d2                 | xor                 edx, edx
            //   85ff                 | test                edi, edi
            //   7402                 | je                  4

    condition:
        7 of them and filesize < 834560
}
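The rule above matches when at least 7 of its 10 byte sequences occur in a file smaller than 834560 bytes, and the "??" tokens in $sequence_1 and $sequence_4 are one-byte wildcards masking the 4-byte operands of "b9" (mov ecx, imm32) and "ff15" (call dword ptr [addr]), which change between builds. The following added example, which is not part of the Malpedia page or of yara-signator, re-implements that string and condition logic in plain Python so the rule's semantics can be checked without a YARA install. It assumes an in-memory buffer is scanned, so len(data) stands in for YARA's filesize, and the build_sample helper fabricates synthetic test input from the rule's own hex strings; no real sample is used.

```python
import re

# Byte sequences copied from the win_yanluowang_auto rule above. In YARA hex
# strings, "??" is a one-byte wildcard.
SEQUENCES = {
    "sequence_0": "c70600000000 c7461000000000 c7461407000000 895dec 83f807 7614 c645f000",
    "sequence_1": "b9???????? 8d8584f4ffff 0f1f440000 8a10 3a11 0f85f1000000",
    "sequence_2": "8bd6 33f9 894238 8bc6 8b484c 8b5044 89783c",
    "sequence_3": "33e9 89afa0000000 bd01000000 23ea f7dd 23eb 33d8",
    "sequence_4": "03048d38034600 50 ff15???????? 5d c3 8bff",
    "sequence_5": "8b45fc 03c1 894db4 8b4de4 33c6 8b7db4 8945c4",
    "sequence_6": "8b7d08 33db 8b450c 8945e4 897ddc 8b0f 895de0",
    "sequence_7": "235dc0 33ca 334dc0 335df8 894de4 03de",
    "sequence_8": "8b4df8 33c6 8945dc 83e701 0fb6c1 f7df 237de8",
    "sequence_9": "7402 8938 8d7904 33d2 85ff 7402",
}
REQUIRED_MATCHES = 7       # "7 of them"
MAX_FILESIZE = 834560      # "filesize < 834560"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string with ?? wildcards into a bytes regex."""
    tokens = hex_string.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd number of hex digits in %r" % hex_string)
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        # "??" becomes "." (any byte); a literal byte becomes an escaped \xhh.
        parts.append(b"." if pair == "??" else b"\\x%02x" % int(pair, 16))
    # DOTALL so the wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(s) for name, s in SEQUENCES.items()}


def matching_sequences(data: bytes) -> set:
    """Names of the rule's strings found anywhere in data."""
    return {name for name, pat in COMPILED.items() if pat.search(data)}


def rule_matches(data: bytes) -> bool:
    """Evaluate "7 of them and filesize < 834560" on an in-memory buffer.

    Assumption: len(data) is used in place of YARA's filesize, because the
    example scans a buffer rather than a file on disk.
    """
    return (len(matching_sequences(data)) >= REQUIRED_MATCHES
            and len(data) < MAX_FILESIZE)


def build_sample(names, wildcard_fill: int = 0x41) -> bytes:
    """Constructed test input: the named sequences back to back, every ??
    wildcard replaced by wildcard_fill, with 16 filler bytes between them.
    This is synthetic data for exercising the matcher, not a real sample."""
    out = bytearray()
    for name in names:
        tokens = SEQUENCES[name].replace(" ", "")
        for i in range(0, len(tokens), 2):
            pair = tokens[i:i + 2]
            out.append(wildcard_fill if pair == "??" else int(pair, 16))
        out += b"\x90" * 16
    return bytes(out)


if __name__ == "__main__":
    names = list(SEQUENCES)
    print("7 sequences present:", rule_matches(build_sample(names[:7])))
    print("6 sequences present:", rule_matches(build_sample(names[:6])))
    too_big = build_sample(names) + b"\x00" * MAX_FILESIZE
    print("all 10 present but file too large:", rule_matches(too_big))
```

The third case is the one worth remembering when tuning such rules: the filesize bound is a hard gate, so a padded or inflated file carrying every sequence still falls outside the condition, which is why auto-generated rules usually pair the opcode sequences with a size ceiling derived from the documented sample.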