{
	"id": "1acb57fb-1a5a-4eaf-92e1-8bce730c8590",
	"created_at": "2026-04-06T00:06:59.223164Z",
	"updated_at": "2026-04-10T03:23:54.891882Z",
	"deleted_at": null,
	"sha1_hash": "e5c51c7da778d2d4744ba32a47027743deb571a2",
	"title": "Malware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1195853,
	"plain_text": "Malware analysis: part 8. Yara rule example for MurmurHash2.\r\nMurmurHash2 in Conti ransomware\r\nBy cocomelonc\r\nPublished: 2023-02-10 · Archived: 2026-04-02 12:24:38 UTC\r\n5 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my own research on Yara rule for Murmurhash2 hashing. How to use it for malware\r\nanalysis in practice.\r\nMurmurHashPermalink\r\nMurmurHash2A is a non-cryptographic hash function optimized for performance and speed. It divides the input\r\ndata into 4-byte blocks, applies bitwise operations and XORs to each block, and then uses a finalizer to produce\r\nthe final hash result.\r\nHere’s a high-level overview of the algorithm:\r\n1. divide the input data into 4-byte blocks.\r\n2. initialize a seed value, which is used to influence the final hash value.\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 1 of 7\n\n3. for each block, perform bitwise operations such as XORs, multiplications, and bit rotations to produce a\r\nnew intermediate value, the calculation of the intermediate value includes the constant value 0x5bd1e995 .\r\n4. XOR the intermediate value with the seed.\r\n5. Repeat steps 3 and 4 for each block.\r\n6. Use a finalizer to mix the intermediate value and produce the final hash value.\r\nSo as you can see, MurmurHash2A with a constant value of 0x5bd1e995 is a variation of the MurmurHash2A\r\nalgorithm. The constant value is incorporated into the calculation.\r\nThe MurmurHash2 algorithm was created by Austin Appleby.\r\npractical examplePermalink\r\nThis algorithm is also often used for hashing function names.\r\nFor example, if you look at the source code of the Conti ransomware leak, you can see Murmurhash2A function.\r\nIt might look something like this ( hack.cpp ):\r\n/*\r\n * hack.cpp - hashing Win32API functions via MurmurHash2A. C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\n*/\r\n#include \u003cstdint.h\u003e\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003cwindows.h\u003e\r\ntypedef UINT(CALLBACK* fnMessageBoxA)(\r\n HWND hWnd,\r\n LPCSTR lpText,\r\n LPCSTR lpCaption,\r\n UINT uType\r\n);\r\n// MurmurHash is a non-cryptographic hash function and was written by Austin Appleby.\r\nunsigned int MurmurHash2A(const void *key, size_t len, unsigned int seed) {\r\n const unsigned int m = 0x5bd1e995;\r\n const int r = 24;\r\n unsigned int h = seed ^ len;\r\n const unsigned char *data = (const unsigned char *)key;\r\n while (len \u003e= 4) {\r\n unsigned int k = *(unsigned int *)data;\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 2 of 7\n\nk *= m;\r\n k ^= k \u003e\u003e r;\r\n k *= m;\r\n h *= m;\r\n h ^= k;\r\n data += 4;\r\n len -= 4;\r\n }\r\n switch (len) {\r\n case 3:\r\n h ^= data[2] \u003c\u003c 16;\r\n case 2:\r\n h ^= data[1] \u003c\u003c 8;\r\n case 1:\r\n h ^= data[0];\r\n h *= m;\r\n };\r\n h ^= h \u003e\u003e 13;\r\n h *= m;\r\n h ^= h \u003e\u003e 15;\r\n return h;\r\n}\r\nstatic LPVOID getAPIAddr(HMODULE h, unsigned int myHash) {\r\n PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h;\r\n PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header-\u003ee_lfanew);\r\n PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)(\r\n (LPBYTE)h + img_nt_header-\u003eOptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\r\n PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfFunctions);\r\n PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfNames);\r\n PWORD fOrd = (PWORD)((LPBYTE)h + img_edt-\u003eAddressOfNameOrdinals);\r\n for (DWORD i = 0; i \u003c img_edt-\u003eAddressOfFunctions; i++) {\r\n LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]);\r\n if (MurmurHash2A(pFuncName, strlen(pFuncName), 0) == myHash) {\r\n printf(\"successfully found! %s - %x\\n\", pFuncName, myHash);\r\n return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]);\r\n }\r\n }\r\n return nullptr;\r\n}\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 3 of 7\n\nint main() {\r\n // const char *key = \"MessageBoxA\";\r\n // size_t len = strlen(key);\r\n // unsigned int seed = 0;\r\n // unsigned int hash = MurmurHash2A(key, len, seed);\r\n // printf(\"hash value: %u\\n\", hash);\r\n HMODULE mod = LoadLibrary(\"user32.dll\");\r\n LPVOID addr = getAPIAddr(mod, 4115069285);\r\n printf(\"0x%p\\n\", addr);\r\n fnMessageBoxA myMessageBoxA = (fnMessageBoxA)addr;\r\n myMessageBoxA(NULL, \"Meow-meow!\",\"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nAs you can see, as usually I used MessageBoxA WinAPI function for experiment.\r\ndemoPermalink\r\nLet’s go see using MurmurHash for hashing function names in action.\r\nCompile our “malware”:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nRun it at the victim’s machine:\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 4 of 7\n\nAs you can see, everything is worked perfectly! =^..^=\r\nLet’s go to upload our “malware” to VirusTotal:\r\nSo, 4 of 70 AV engines detect our file as malicious.\r\nhttps://www.virustotal.com/gui/file/3975c386fedf96000f97e20675f76a23407b41f7e9909eaf22fbf90cf03fa211/details\r\nyara rulePermalink\r\nIn the simplest implementation, the Yara rule will look like this:\r\nrule murmurhash2_rule {\r\n meta:\r\n author = \"cocomelonc\"\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 5 of 7\n\ndescription = \"example rule using MurmurHash2A with constant 0x5bd1e995\"\r\n strings:\r\n $hash = { 95 e9 d1 5b }\r\n condition:\r\n $hash\r\n}\r\nAs you can see, we just add algorithm’s constant for identity:\r\nhexdump -C ./hack.exe | grep \"95 e9 d1 5b\"\r\nRun it:\r\nyarar -w ./murmur.yar -r ./\r\nThis constant is commonly used in MurmurHash implementations, but the specific constants, instructions, and\r\ntheir ordering may vary between different implementations. To write a good YARA rule, you need to know a lot\r\nabout the architecture and instruction set, as well as the algorithm and how it can change.\r\nSo, what are the advantages of the MurmurHash2 algorithm? MurmurHash2 is fast and efficient and is suitable for\r\nhashing large amounts of data in real-time applications. MurmurHash2 has good collision resistance, which means\r\nthat it generates unique hash values for different input data, making it suitable for use in hash tables and other data\r\nstructures where hash collisions need to be avoided. MurmurHash2 is a cross-platform algorithm that can be easily\r\nimplemented in different programming languages and environments. For example, python implementation:\r\ndef murmurhash2(key: bytes, seed: int) -\u003e int:\r\n m = 0x5bd1e995\r\n r = 24\r\n h = seed ^ len(key)\r\n data = bytearray(key) + b'\\x00' * (4 - (len(key) \u0026 3))\r\n data = memoryview(data).cast(\"I\")\r\n for i in range(len(data) // 4):\r\n k = data[i]\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 6 of 7\n\nk *= m\r\n k ^= k \u003e\u003e r\r\n k *= m\r\n h *= m\r\n h ^= k\r\n h ^= h \u003e\u003e 13\r\n h *= m\r\n h ^= h \u003e\u003e 15\r\n return h\r\nh = murmurhash2(b\"meow-meow\", 0)\r\nprint (\"%x\" % h)\r\nprint (\"%d\" % h)\r\nNote that MurmurHash2 is not designed to be a cryptographic hash function and should not be used for secure\r\napplications that require cryptographic-strength hash functions, such as password storage or digital signatures.\r\nThis hash is used by Conti ransomware and Win32/Potao malware family at the wild.\r\nI hope this post spreads awareness to the blue teamers of this interesting hashing technique, and adds a weapon to\r\nthe red teamers arsenal.\r\nThis is a practical case for educational purposes only.\r\nAV engines evasion techniques - part 5\r\nMurmurhash\r\nConti\r\nOperation Potao Express\r\nsource code in github\r\nThanks for your time happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nhttps://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html"
	],
	"report_names": [
		"malware-analysis-8.html"
	],
	"threat_actors": [
		{
			"id": "4a892faf-3d4d-4615-b7b6-cdbc2ce42d8d",
			"created_at": "2022-10-25T16:07:23.99045Z",
			"updated_at": "2026-04-10T02:00:04.824683Z",
			"deleted_at": null,
			"main_name": "Operation Potao Express",
			"aliases": [],
			"source_name": "ETDA:Operation Potao Express",
			"tools": [
				"FakeTC",
				"Patao"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775791434,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5c51c7da778d2d4744ba32a47027743deb571a2.pdf",
		"text": "https://archive.orkl.eu/e5c51c7da778d2d4744ba32a47027743deb571a2.txt",
		"img": "https://archive.orkl.eu/e5c51c7da778d2d4744ba32a47027743deb571a2.jpg"
	}
}