[ { Malware : Agent Tesla , Description : A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. , YARA : [ rule win_agent_tesla_w0 { meta: author = \ InQuest Labs\ source = \ https://www.inquest.net\ created = \ 05/18/2018\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\ malpedia_version = \ 20190731\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $s0 = \ SecretId1\ ascii $s1 = \ #GUID\ ascii $s2 = \ #Strings\ ascii $s3 = \ #Blob\ ascii $s4 = \ get_URL\ ascii $s5 = \ set_URL\ ascii $s6 = \ DecryptIePassword\ ascii $s8 = \ GetURLHashString\ ascii $s9 = \ DoesURLMatchWithHash\ ascii $f0 = \ GetSavedPasswords\ ascii $f1 = \ IESecretHeader\ ascii $f2 = \ RecoveredBrowserAccount\ ascii $f4 = \ PasswordDerivedBytes\ ascii $f5 = \ get_ASCII\ ascii $f6 = \ get_ComputerName\ ascii $f7 = \ get_WebServices\ ascii $f8 = \ get_UserName\ ascii $f9 = \ get_OSFullName\ ascii $f10 = \ ComputerInfo\ ascii $f11 = \ set_Sendwebcam\ ascii $f12 = \ get_Clipboard\ ascii $f13 = \ get_TotalFreeSpace\ ascii $f14 = \ get_IsAttached\ ascii $x0 = \ IELibrary.dll\ ascii wide $x1 = \ webpanel\ ascii wide nocase $x2 = \ smtp\ ascii wide nocase $v5 = \ vmware\ ascii wide nocase $v6 = \ VirtualBox\ ascii wide nocase $v7 = \ vbox\ ascii wide nocase $v9 = \ avghookx.dll\ ascii wide nocase $pdb = \ IELibrary.pdb\ ascii 
condition: ( ( 5 of ($s*) or 7 of ($f*) ) and all of ($x*) and all of ($v*) and $pdb ) } , rule win_agent_tesla_w1 { meta: description = \ Detect Agent Tesla based on common .NET code sequences\ author = \ govcert_ch\ date = \ 20200429\ hash = \ 2b68a3f88fbd394d572081397e3d8d349746a88e3e67a2ffbfac974dd4c27c6a\ hash = \ abadca4d00c0dc4636e382991e070847077c1d19d50153487da791d3be9cc401\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\ malpedia_version = \ 20200506\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $sequence_0 = { 20 ?? ?? ?? ?? 61 25 FE 0E 01 00 20 05 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 51 00 00 00} $sequence_1 = { 20 ?? ?? ?? ?? 61 25 FE 0E 06 00 20 03 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 1C 00 00 00 } $sequence_2 = { 04 02 7B 33 04 00 04 03 8F 36 00 00 02 7B 38 04 00 04 8E B7 3F 21 00 00 00 20 ?? ?? ?? ?? 38 97 FF FF FF } condition: any of them } ] }, { Malware : AsyncRAT , Description : AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. 
In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. , YARA : [ rule win_asyncrat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2020-10-14\ version = \ 1\ description = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.5.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\ malpedia_rule_date = \ 20201014\ malpedia_hash = \ a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9\ malpedia_version = \ 20201014\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 03c0 01ff 03b701ff03cb 01ff 03cc 01ff 03cb } // n = 7, score = 100 // 03c0 | add eax, eax // 01ff | add edi, edi // 03b701ff03cb | add esi, dword ptr [edi - 0x34fc00ff] // 01ff | add edi, edi // 03cc | add ecx, esp // 01ff | add edi, edi // 03cb | add ecx, ebx $sequence_1 = { 03bd01ff03cc 01ff 03e7 01ff 01e5 02e6 01ff } // n = 7, score = 100 // 03bd01ff03cc | add edi, dword ptr [ebp - 0x33fc00ff] // 01ff | add edi, edi // 03e7 | add esp, edi // 01ff | add edi, edi // 01e5 | add ebp, esp // 02e6 | add ah, dh // 01ff | add edi, edi $sequence_2 = { 01ff 03e3 01ff 03e1 01ff } // n = 5, score = 100 // 01ff | add edi, edi // 03e3 | add esp, ebx // 01ff | add edi, edi // 03e1 | add esp, ecx // 01ff | add edi, edi $sequence_3 = { 019c016e018201 8601 f1 019301e001fd } // n = 4, score = 100 // 019c016e018201 | add dword ptr [ecx + eax + 0x182016e], ebx // 8601 | xchg byte ptr [ecx], al // f1 | int1 // 019301e001fd | add dword ptr [ebx - 0x2fe1fff], edx $sequence_4 = { f8 01ff 018501d601f9 01ff } // n = 4, score = 100 // f8 | clc // 01ff | add edi, edi // 018501d601f9 | add dword ptr [ebp - 0x6fe29ff], eax // 01ff | add edi, edi $sequence_5 = { 018101cf01f0 01ff 018801d101f1 01ff } // n = 4, score = 100 // 018101cf01f0 | add dword ptr [ecx - 0xffe30ff], eax // 01ff | add edi, edi // 018801d101f1 | add dword ptr [eax - 0xefe2eff], ecx // 01ff | add edi, edi $sequence_6 = { 01ff 018501d301f3 01ff 018c01d601f501 } // n = 4, score = 100 // 01ff | add edi, edi // 018501d301f3 | add dword ptr [ebp - 0xcfe2cff], eax // 01ff | add edi, edi // 018c01d601f501 | add dword ptr [ecx + eax + 0x1f501d6], ecx $sequence_7 = { 018e01d801f8 01ff 018b01d601f7 01ff } // n = 4, score = 100 // 018e01d801f8 | add dword ptr [esi - 0x7fe27ff], ecx // 01ff | add edi, edi // 018b01d601f7 | add dword ptr [ebx - 0x8fe29ff], ecx // 01ff | add edi, edi $sequence_8 = { 03e3 01ff 03e3 01ff 03e2 01ff 03e2 } // n = 7, score = 100 // 03e3 | add esp, ebx // 01ff | add edi, edi // 03e3 
| add esp, ebx // 01ff | add edi, edi // 03e2 | add esp, edx // 01ff | add edi, edi // 03e2 | add esp, edx $sequence_9 = { db01 ff03 da01 ff03 } // n = 4, score = 100 // db01 | fild dword ptr [ecx] // ff03 | inc dword ptr [ebx] // da01 | fiadd dword ptr [ecx] // ff03 | inc dword ptr [ebx] condition: 7 of them and filesize < 2605056 } , rule win_asyncrat_w0 { meta: description = \ detect AsyncRat in memory\ author = \ JPCERT/CC Incident Response Group\ rule_usage = \ memory scan\ reference = \ internal research\ hash = \ 1167207bfa1fed44e120dc2c298bd25b7137563fdc9853e8403027b645e52c19\ hash = \ 588c77a3907163c3c6de0e59f4805df41001098a428c226f102ed3b74b14b3cc\ source = \ https://github.com/JPCERTCC/MalConfScan/blob/master/yara/rule.yara\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\ malpedia_rule_date = \ 20201006\ malpedia_hash = \ \ malpedia_version = \ 20201006\ malpedia_license = \ CC NC-BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $salt = {BF EB 1E 56 FB CD 97 3B B2 19 02 24 30 A5 78 43 00 3D 56 44 D2 1E 62 B9 D4 F1 80 E7 E6 C3 39 41} $b1 = {00 00 00 0D 53 00 48 00 41 00 32 00 35 00 36 00 00} $b2 = {09 50 00 6F 00 6E 00 67 00 00} $s1 = \ pastebin\ ascii wide nocase $s2 = \ pong\ wide $s3 = \ Stub.exe\ ascii wide condition: ($salt and (2 of ($s*) or 1 of ($b*))) or (all of ($b*) and 2 of ($s*)) } ] }, { Malware : Babuk , Description : Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. 
as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. , YARA : [ rule win_babuk_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.babuk.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff15???????? 6800000100 e8???????? 83c404 } // n = 4, score = 800 // ff15???????? | // 6800000100 | push 0x10000 // e8???????? | // 83c404 | add esp, 4 $sequence_1 = { 50 ff15???????? 83f803 7502 } // n = 4, score = 800 // 50 | push eax // ff15???????? | // 83f803 | cmp eax, 3 // 7502 | jne 4 $sequence_2 = { 8b45fc 83c002 8945fc 837dfc0a 0f83dc000000 8b4dfc } // n = 6, score = 600 // 8b45fc | mov eax, dword ptr [ebp - 4] // 83c002 | add eax, 2 // 8945fc | mov dword ptr [ebp - 4], eax // 837dfc0a | cmp dword ptr [ebp - 4], 0xa // 0f83dc000000 | jae 0xe2 // 8b4dfc | mov ecx, dword ptr [ebp - 4] $sequence_3 = { 8b4d08 8b540104 52 8b0401 50 e8???????? 
} // n = 6, score = 600 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 8b540104 | mov edx, dword ptr [ecx + eax + 4] // 52 | push edx // 8b0401 | mov eax, dword ptr [ecx + eax] // 50 | push eax // e8???????? | $sequence_4 = { 8b4dfc c1e108 ba01000000 d1e2 8b4508 } // n = 5, score = 600 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // c1e108 | shl ecx, 8 // ba01000000 | mov edx, 1 // d1e2 | shl edx, 1 // 8b4508 | mov eax, dword ptr [ebp + 8] $sequence_5 = { 8b95ccfdffff 83c201 8995ccfdffff 83bdccfdffff1f 735f 8d85f4fdffff } // n = 6, score = 600 // 8b95ccfdffff | mov edx, dword ptr [ebp - 0x234] // 83c201 | add edx, 1 // 8995ccfdffff | mov dword ptr [ebp - 0x234], edx // 83bdccfdffff1f | cmp dword ptr [ebp - 0x234], 0x1f // 735f | jae 0x61 // 8d85f4fdffff | lea eax, [ebp - 0x20c] $sequence_6 = { 8b4dfc 8b5508 8b44ca04 50 } // n = 4, score = 600 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b5508 | mov edx, dword ptr [ebp + 8] // 8b44ca04 | mov eax, dword ptr [edx + ecx*8 + 4] // 50 | push eax $sequence_7 = { 8b4d08 c7040100000000 c744010400000000 ba08000000 } // n = 4, score = 600 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // c7040100000000 | mov dword ptr [ecx + eax], 0 // c744010400000000 | mov dword ptr [ecx + eax + 4], 0 // ba08000000 | mov edx, 8 $sequence_8 = { 0bca 894dfc 8b45fc c1e008 b901000000 } // n = 5, score = 600 // 0bca | or ecx, edx // 894dfc | mov dword ptr [ebp - 4], ecx // 8b45fc | mov eax, dword ptr [ebp - 4] // c1e008 | shl eax, 8 // b901000000 | mov ecx, 1 $sequence_9 = { 8b0401 50 e8???????? 83c408 8945ec 8955f0 } // n = 6, score = 600 // 8b0401 | mov eax, dword ptr [ecx + eax] // 50 | push eax // e8???????? 
| // 83c408 | add esp, 8 // 8945ec | mov dword ptr [ebp - 0x14], eax // 8955f0 | mov dword ptr [ebp - 0x10], edx $sequence_10 = { c744010400000000 ba08000000 6bc200 8b4d08 } // n = 4, score = 600 // c744010400000000 | mov dword ptr [ecx + eax + 4], 0 // ba08000000 | mov edx, 8 // 6bc200 | imul eax, edx, 0 // 8b4d08 | mov ecx, dword ptr [ebp + 8] $sequence_11 = { 8b4508 c704107465206b c745fc00000000 eb09 } // n = 4, score = 600 // 8b4508 | mov eax, dword ptr [ebp + 8] // c704107465206b | mov dword ptr [eax + edx], 0x6b206574 // c745fc00000000 | mov dword ptr [ebp - 4], 0 // eb09 | jmp 0xb $sequence_12 = { 744a 837dd801 7444 8b55ec 52 ff15???????? 8d45ac } // n = 7, score = 600 // 744a | je 0x4c // 837dd801 | cmp dword ptr [ebp - 0x28], 1 // 7444 | je 0x46 // 8b55ec | mov edx, dword ptr [ebp - 0x14] // 52 | push edx // ff15???????? | // 8d45ac | lea eax, [ebp - 0x54] $sequence_13 = { e8???????? 83c410 c78574ffffff00000000 eb0f } // n = 4, score = 600 // e8???????? | // 83c410 | add esp, 0x10 // c78574ffffff00000000 | mov dword ptr [ebp - 0x8c], 0 // eb0f | jmp 0x11 $sequence_14 = { 57 b808000000 6bc80a 8b5508 c7040a00000000 c7440a0400000000 c745fc00000000 } // n = 7, score = 600 // 57 | push edi // b808000000 | mov eax, 8 // 6bc80a | imul ecx, eax, 0xa // 8b5508 | mov edx, dword ptr [ebp + 8] // c7040a00000000 | mov dword ptr [edx + ecx], 0 // c7440a0400000000 | mov dword ptr [edx + ecx + 4], 0 // c745fc00000000 | mov dword ptr [ebp - 4], 0 $sequence_15 = { 51 e8???????? 83c408 8945f4 8955f8 } // n = 5, score = 600 // 51 | push ecx // e8???????? | // 83c408 | add esp, 8 // 8945f4 | mov dword ptr [ebp - 0xc], eax // 8955f8 | mov dword ptr [ebp - 8], edx condition: 7 of them and filesize < 183296 } ] }, { Malware : Cobalt Strike , Description : Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon includes a wealth of functionality for the attacker, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk, so detection that relies on on-disk artifacts alone is of limited value. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality for the attacker, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk, so detection that relies on on-disk artifacts alone is of limited value. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. 
, YARA : [ rule win_cobalt_strike_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.cobalt_strike.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 3bc7 750d ff15???????? 3d33270000 } // n = 4, score = 1900 // 3bc7 | cmp eax, edi // 750d | jne 0xf // ff15???????? | // 3d33270000 | cmp eax, 0x2733 $sequence_1 = { e9???????? eb0a b801000000 e9???????? } // n = 4, score = 1900 // e9???????? | // eb0a | jmp 0xc // b801000000 | mov eax, 1 // e9???????? 
| $sequence_2 = { eb06 0fb6c0 83e07f 85c0 745a } // n = 5, score = 1100 // eb06 | jmp 8 // 0fb6c0 | movzx eax, al // 83e07f | and eax, 0x7f // 85c0 | test eax, eax // 745a | je 0x5c $sequence_3 = { eb68 8b45d4 8b482c 894de0 8b45e0 } // n = 5, score = 1100 // eb68 | jmp 0x6a // 8b45d4 | mov eax, dword ptr [ebp - 0x2c] // 8b482c | mov ecx, dword ptr [eax + 0x2c] // 894de0 | mov dword ptr [ebp - 0x20], ecx // 8b45e0 | mov eax, dword ptr [ebp - 0x20] $sequence_4 = { ff35???????? ffd6 5e e9???????? 55 } // n = 5, score = 1100 // ff35???????? | // ffd6 | call esi // 5e | pop esi // e9???????? | // 55 | push ebp $sequence_5 = { eb4e 83f824 7f09 c745f403000000 } // n = 4, score = 1100 // eb4e | jmp 0x50 // 83f824 | cmp eax, 0x24 // 7f09 | jg 0xb // c745f403000000 | mov dword ptr [ebp - 0xc], 3 $sequence_6 = { ff761c 83c004 e8???????? 59 59 83f8ff } // n = 6, score = 1100 // ff761c | push dword ptr [esi + 0x1c] // 83c004 | add eax, 4 // e8???????? | // 59 | pop ecx // 59 | pop ecx // 83f8ff | cmp eax, -1 $sequence_7 = { f3a6 744c 8bf0 6a03 bf???????? 59 } // n = 6, score = 1100 // f3a6 | repe cmpsb byte ptr [esi], byte ptr es:[edi] // 744c | je 0x4e // 8bf0 | mov esi, eax // 6a03 | push 3 // bf???????? | // 59 | pop ecx $sequence_8 = { 85c0 741d ff15???????? 85c0 7513 } // n = 5, score = 1000 // 85c0 | test eax, eax // 741d | je 0x1f // ff15???????? | // 85c0 | test eax, eax // 7513 | jne 0x15 $sequence_9 = { e9???????? 833d????????01 7505 e8???????? } // n = 4, score = 1000 // e9???????? | // 833d????????01 | // 7505 | jne 7 // e8???????? | $sequence_10 = { 8bd0 e8???????? 85c0 7e0e } // n = 4, score = 1000 // 8bd0 | mov edx, eax // e8???????? | // 85c0 | test eax, eax // 7e0e | jle 0x10 $sequence_11 = { 85c0 7405 e8???????? 8b0d???????? 85c9 } // n = 5, score = 900 // 85c0 | test eax, eax // 7405 | je 7 // e8???????? | // 8b0d???????? 
| // 85c9 | test ecx, ecx $sequence_12 = { f3c3 cc 488bc4 48895808 48896810 48897018 } // n = 6, score = 800 // f3c3 | ret // cc | int3 // 488bc4 | dec eax // 48895808 | mov eax, esp // 48896810 | dec eax // 48897018 | mov dword ptr [eax + 8], ebx $sequence_13 = { c1e903 ffc1 03c1 3d80000000 } // n = 4, score = 800 // c1e903 | dec eax // ffc1 | mov dword ptr [eax + 0x10], ebp // 03c1 | dec eax // 3d80000000 | mov dword ptr [eax + 0x18], esi $sequence_14 = { 49ffc7 413bcc 72e9 41894d00 } // n = 4, score = 800 // 49ffc7 | test eax, eax // 413bcc | jne 0x1b // 72e9 | test eax, eax // 41894d00 | je 0x21 $sequence_15 = { 48895c2448 48895c2440 4889442438 498b06 } // n = 4, score = 800 // 48895c2448 | je 0x21 // 48895c2440 | test eax, eax // 4889442438 | test eax, eax // 498b06 | je 0x21 condition: 7 of them and filesize < 1015808 } ] }, { Malware : DarkGate , Description : First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. 
, YARA : [ rule win_darkgate_w0 { meta: author = \ RussianPanda\ description = \ Detects DarkGate\ date = \ 2023-09-17\ source=\ https://www.esentire.com/blog/from-darkgate-to-danabot\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate\ malpedia_rule_date = \ 20230917\ malpedia_hash = \ \ malpedia_version = \ 20231204\ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = \ hanydesk\ $s2 = \ darkgate.com\ $s3 = \ zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=\ $s4 = {80 e3 30 81 e3 ff 00 00 00 c1 eb 04} $s5 = {80 e3 3c 81 e3 ff 00 00 00 c1 eb 02} $s6 = {80 e1 03 c1 e1 06} condition: all of ($s*) and uint16(0) == 0x5A4D } , rule win_darkgate_w1 { meta: author = \ enzok\ description = \ DarkGate Payload\ cape_type = \ DarkGate Payload\ source=\ https://github.com/kevoreilly/CAPEv2/blob/8689f9f05dec4500d7becd03e9939444f3be3a8f/data/yara/CAPE/DarkGate.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate\ malpedia_rule_date = \ 20230917\ malpedia_hash = \ \ malpedia_version = \ 20231204\ malpedia_sharing = \ TLP:WHITE\ strings: $part1 = {8B 55 ?? 8A 4D ?? 80 E1 3F C1 E1 02 8A 5D ?? 80 E3 30 81 E3 FF [3] C1 EB 04 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40} $part2 = {8B 55 ?? 8A 4D ?? 80 E1 0F C1 E1 04 8A 5D ?? 80 E3 3C 81 E3 FF [3] C1 EB 02 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40} $part3 = {8B 55 ?? 8A 4D ?? 80 E1 03 C1 E1 06 8A 5D ?? 80 E3 3F 02 CB 88 4C 10 FF FF 45} $alphabet = \ zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=\ condition: ($alphabet) and any of ($part*) } ] }, { Malware : Emotet , Description : While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. 
For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it also opened up another business channel by selling access to its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command-and-control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. While Emotet historically was a banking trojan organized in a botnet, nowadays Emotet is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it also opened up another business channel by selling access to its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command-and-control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. 
, YARA : [ rule win_emotet_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.emotet.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 3c41 7c04 3c5a 7e03 c60158 } // n = 5, score = 2900 // 3c41 | cmp al, 0x41 // 7c04 | jl 6 // 3c5a | cmp al, 0x5a // 7e03 | jle 5 // c60158 | mov byte ptr [ecx], 0x58 $sequence_1 = { 7e13 3c61 7c04 3c7a 7e0b 3c41 7c04 } // n = 7, score = 2900 // 7e13 | jle 0x15 // 3c61 | cmp al, 0x61 // 7c04 | jl 6 // 3c7a | cmp al, 0x7a // 7e0b | jle 0xd // 3c41 | cmp al, 0x41 // 7c04 | jl 6 $sequence_2 = { 3c30 7c04 3c39 7e13 3c61 } // n = 5, score = 2900 // 3c30 | cmp al, 0x30 // 7c04 | jl 6 // 3c39 | cmp al, 0x39 // 7e13 | jle 0x15 // 3c61 | cmp al, 0x61 $sequence_3 = { c60158 41 803900 75dd } // n = 4, score = 2400 // c60158 | mov byte ptr [ecx], 0x58 // 41 | inc ecx // 803900 | cmp byte ptr [ecx], 0 // 75dd | jne 0xffffffdf $sequence_4 = { 33c0 3903 5f 5e 0f95c0 5b 8be5 } // n = 7, score = 2400 // 33c0 | xor eax, eax // 3903 | cmp dword ptr [ebx], eax // 5f | pop edi // 5e | pop esi // 0f95c0 | setne al // 5b | pop ebx // 8be5 | mov esp, ebp $sequence_5 = { 83c020 eb03 0fb7c0 69d23f000100 } // n = 4, score = 2300 // 83c020 | add eax, 0x20 // eb03 | jmp 5 // 0fb7c0 | movzx eax, ax // 69d23f000100 | imul edx, edx, 0x1003f $sequence_6 = { c1e808 8d5204 c1e910 8842fd 884afe } // n = 5, score = 2100 // c1e808 | cmp al, 0x41 // 8d5204 | jl 0xc // c1e910 | cmp al, 0x5a // 8842fd | cmp al, 0x7a // 884afe | jle 0xd $sequence_7 = { 880a 8bc1 c1e808 8d5204 } // n = 4, score = 2100 // 880a | jle 0x17 // 8bc1 | cmp al, 0x39 // c1e808 | jle 0x15 // 8d5204 | cmp al, 0x61 $sequence_8 = { 8d5801 f6c30f 7406 83e3f0 } // n = 4, score = 2000 // 8d5801 | lea ebx, [eax + 1] // f6c30f | test bl, 0xf // 7406 | je 8 // 83e3f0 | and ebx, 0xfffffff0 $sequence_9 = { 8b4604 8b16 8945fc 8d45f8 } // n = 4, score = 1900 // 8b4604 | mov eax, dword ptr [esi + 4] // 8b16 | mov edx, dword ptr [esi] // 8945fc | mov dword ptr [ebp - 4], eax // 8d45f8 | lea eax, [ebp - 8] $sequence_10 = { 83c410 8b45fc 0106 294604 } // n = 4, score = 1900 // 83c410 | push esi // 8b45fc | push esi // 0106 
| push eax // 294604 | push esi $sequence_11 = { 03878c000000 50 ff15???????? 017758 } // n = 4, score = 1900 // 03878c000000 | cmp dword ptr [ebx], eax // 50 | pop edi // ff15???????? | // 017758 | pop esi $sequence_12 = { 8bfa 8bf1 ff15???????? 8b17 83c40c } // n = 5, score = 1900 // 8bfa | push esi // 8bf1 | push 0xf0000040 // ff15???????? | // 8b17 | push 0x18 // 83c40c | xor esi, esi $sequence_13 = { 8945fc 8d45f8 6a04 50 ff760c } // n = 5, score = 1900 // 8945fc | push dword ptr [ebp - 4] // 8d45f8 | push 0x400 // 6a04 | push 0 // 50 | push 0 // ff760c | sub esp, 8 $sequence_14 = { 8b17 83c40c 8b4d0c 8bc2 0bc1 83f8ff } // n = 6, score = 1900 // 8b17 | movzx eax, ax // 83c40c | add eax, 0x20 // 8b4d0c | jmp 0xb // 8bc2 | movzx eax, ax // 0bc1 | imul edx, edx, 0x1003f // 83f8ff | add eax, 0x20 $sequence_15 = { c745fc04000000 50 8d45f8 81ca00000020 50 52 51 } // n = 7, score = 1800 // c745fc04000000 | cmp al, 0x39 // 50 | jle 0x15 // 8d45f8 | cmp al, 0x61 // 81ca00000020 | jl 0xa // 50 | cmp al, 0x7a // 52 | jle 0x15 // 51 | cmp al, 0x41 $sequence_16 = { 66c1e808 4d8d4004 418840fd 418848fe } // n = 4, score = 1700 // 66c1e808 | mov dword ptr [eax + 0x10], edx // 4d8d4004 | dec esp // 418840fd | mov dword ptr [eax + 0x18], eax // 418848fe | dec esp $sequence_17 = { 418848fe 66c1e908 418848ff 4d3bd9 72cf } // n = 5, score = 1700 // 418848fe | inc ecx // 66c1e908 | mov byte ptr [eax - 2], cl // 418848ff | shr cx, 8 // 4d3bd9 | inc ecx // 72cf | mov byte ptr [eax - 1], cl $sequence_18 = { 2bca d1e9 03ca c1e906 894c2430 } // n = 5, score = 1700 // 2bca | lea eax, [eax + 4] // d1e9 | inc ecx // 03ca | mov byte ptr [eax - 3], al // c1e906 | inc ecx // 894c2430 | mov byte ptr [eax - 2], cl $sequence_19 = { 418bd0 d3e2 418bcb d3e0 } // n = 4, score = 1700 // 418bd0 | cmp ebx, ecx // d3e2 | jb 0xffffffe8 // 418bcb | dec ebp // d3e0 | lea eax, [eax + 4] $sequence_20 = { 488bd3 488bcf 488b5c2460 4883c450 } // n = 4, score = 1700 // 488bd3 | mov dword ptr [esp + 0x30], ecx 
// 488bcf | inc ecx // 488b5c2460 | mov byte ptr [eax - 2], cl // 4883c450 | shr cx, 8 $sequence_21 = { d3e7 83f841 7208 83f85a } // n = 4, score = 1700 // d3e7 | jle 9 // 83f841 | mov byte ptr [ecx], 0x58 // 7208 | jl 6 // 83f85a | cmp al, 0x39 $sequence_22 = { 418808 0fb7c1 c1e910 66c1e808 } // n = 4, score = 1700 // 418808 | ret // 0fb7c1 | dec eax // c1e910 | mov dword ptr [eax + 8], ecx // 66c1e808 | dec eax $sequence_23 = { 49895b08 49896b10 49897318 49897b20 4156 4883ec70 } // n = 6, score = 1700 // 49895b08 | inc ecx // 49896b10 | mov byte ptr [eax - 1], cl // 49897318 | sub ecx, edx // 49897b20 | shr ecx, 1 // 4156 | add ecx, edx // 4883ec70 | shr ecx, 6 $sequence_24 = { 48895010 4c894018 4c894820 c3 } // n = 4, score = 1700 // 48895010 | dec ebp // 4c894018 | cmp ebx, ecx // 4c894820 | jb 0xffffffd4 // c3 | dec eax $sequence_25 = { c1e807 46 83f87f 77f7 } // n = 4, score = 1600 // c1e807 | dec eax // 46 | mov dword ptr [eax + 0x10], edx // 83f87f | dec esp // 77f7 | mov dword ptr [eax + 0x18], eax $sequence_26 = { 84c0 75f2 eb03 c60100 } // n = 4, score = 1500 // 84c0 | mov dword ptr [eax + 8], ecx // 75f2 | dec eax // eb03 | mov dword ptr [eax + 0x10], edx // c60100 | dec esp $sequence_27 = { f7e1 b84fecc44e 2bca d1e9 } // n = 4, score = 1500 // f7e1 | cmp al, 0x39 // b84fecc44e | jle 0x15 // 2bca | cmp al, 0x61 // d1e9 | jl 0xa $sequence_28 = { 8bd3 8b0f e8???????? 85c0 } // n = 4, score = 1400 // 8bd3 | cmp al, 0x39 // 8b0f | jle 0x17 // e8???????? 
| // 85c0 | cmp al, 0x61 $sequence_29 = { 7423 8a01 3c30 7c04 } // n = 4, score = 1300 // 7423 | jl 0xe // 8a01 | cmp al, 0x41 // 3c30 | jl 6 // 7c04 | cmp al, 0x5a $sequence_30 = { 83c104 894e04 8b00 85c0 } // n = 4, score = 1200 // 83c104 | jle 7 // 894e04 | mov byte ptr [ecx], 0x58 // 8b00 | cmp al, 0x7a // 85c0 | jle 0xd $sequence_31 = { 7907 83c107 3bf7 72e8 } // n = 4, score = 1200 // 7907 | shr cx, 8 // 83c107 | inc ecx // 3bf7 | mov byte ptr [eax - 1], cl // 72e8 | dec ebp $sequence_32 = { 56 57 6a1e 8d45e0 } // n = 4, score = 1100 // 56 | sub dword ptr [esi + 4], eax // 57 | mov esi, ecx // 6a1e | mov edx, dword ptr [edi] // 8d45e0 | add esp, 0xc $sequence_33 = { 52 52 52 52 68???????? 52 } // n = 6, score = 1100 // 52 | cmp ebx, ecx // 52 | jb 0xffffffd4 // 52 | dec ebp // 52 | lea eax, [eax + 4] // 68???????? | // 52 | inc ecx $sequence_34 = { 83ec48 53 56 57 6a44 } // n = 5, score = 1100 // 83ec48 | cmp eax, 0x7f // 53 | jbe 0xe // 56 | shr eax, 7 // 57 | inc ecx // 6a44 | cmp eax, 0x7f $sequence_35 = { 83f87f 760d 8d642400 c1e807 } // n = 4, score = 1000 // 83f87f | shr ax, 8 // 760d | dec ebp // 8d642400 | lea eax, [eax + 4] // c1e807 | inc ecx $sequence_36 = { 83f87f 7609 c1e807 41 83f87f 77f7 } // n = 6, score = 900 // 83f87f | inc ecx // 7609 | mov edx, eax // c1e807 | shl edx, cl // 41 | inc ecx // 83f87f | mov ecx, ebx // 77f7 | shl eax, cl $sequence_37 = { 6a00 6aff 50 51 ff15???????? } // n = 5, score = 800 // 6a00 | mov byte ptr [eax], cl // 6aff | movzx eax, cx // 50 | shr ecx, 0x10 // 51 | shr ax, 8 // ff15???????? | $sequence_38 = { 50 6a00 6a01 6a00 ff15???????? a3???????? } // n = 6, score = 800 // 50 | movzx eax, cx // 6a00 | shr ecx, 0x10 // 6a01 | shr ax, 8 // 6a00 | inc ecx // ff15???????? | // a3???????? 
| $sequence_39 = { 6a00 ff75fc 6800040000 6a00 6a00 6a00 } // n = 6, score = 600 // 6a00 | mov dword ptr [esi + 0x20], ecx // ff75fc | add esp, 0x18 // 6800040000 | pop esi // 6a00 | ret // 6a00 | mov ebx, ecx // 6a00 | add ebx, 0x10 $sequence_40 = { 50 56 6800800000 6a6a } // n = 4, score = 600 // 50 | shr eax, 7 // 56 | inc ecx // 6800800000 | cmp eax, 0x7f // 6a6a | mov ecx, 1 $sequence_41 = { 53 56 8bf1 bb00c34c84 } // n = 4, score = 600 // 53 | ja 5 // 56 | jbe 0xb // 8bf1 | shr eax, 7 // bb00c34c84 | inc ecx $sequence_42 = { 56 68400000f0 6a18 33f6 56 56 } // n = 6, score = 600 // 56 | add ebx, 0x3c // 68400000f0 | mov dword ptr [edx + 4], esi // 6a18 | mov dword ptr [edx], esi // 33f6 | mov dword ptr [esp + 0x7c], eax // 56 | movsd qword ptr [esp + 0x70], xmm0 // 56 | mov ecx, dword ptr [edx + 0x48] $sequence_43 = { 55 89e5 648b0d18000000 8b4130 83b8a400000006 } // n = 5, score = 500 // 55 | mov dword ptr [esi + 0x34], ebx // 89e5 | mov dword ptr [esp], eax // 648b0d18000000 | mov eax, dword ptr [esp + 0x50] // 8b4130 | mov dword ptr [esp + 0x14], ecx // 83b8a400000006 | mov ecx, dword ptr [esp + 0x18] $sequence_44 = { 8b5508 befbffffff c600e9 29d6 01ce 897001 } // n = 6, score = 500 // 8b5508 | and ebx, 0xfffffff0 // befbffffff | lea ebx, [eax + 1] // c600e9 | test bl, 0xf // 29d6 | je 0xb // 01ce | and ebx, 0xfffffff0 // 897001 | add ebx, 0x10 $sequence_45 = { 50 51 52 01c8 01d0 } // n = 5, score = 500 // 50 | mov ebx, 0x844cc300 // 51 | push edi // 52 | xor edi, edi // 01c8 | push ebx // 01d0 | push esi $sequence_46 = { 8b7d08 83fe00 8945f0 894dec } // n = 4, score = 500 // 8b7d08 | push esi // 83fe00 | push eax // 8945f0 | mov eax, dword ptr [edi + 0x74] // 894dec | add eax, dword ptr [edi + 0x8c] $sequence_47 = { 89d6 83c60c 8b7df4 8b4c0f0c } // n = 4, score = 500 // 89d6 | imul edx, edx, 0x1003f // 83c60c | add eax, 0x20 // 8b7df4 | jmp 8 // 8b4c0f0c | movzx eax, ax $sequence_48 = { 8bec 83ec08 56 57 8bf1 33ff } // n = 6, score = 500 // 8bec | push 0 
// 83ec08 | push 1 // 56 | push 0 // 57 | push esi // 8bf1 | mov edi, eax // 33ff | test edi, edi $sequence_49 = { 51 8d4df8 51 ff75f8 50 6a03 6a30 } // n = 7, score = 500 // 51 | push -1 // 8d4df8 | push eax // 51 | push ecx // ff75f8 | push eax // 50 | push 0 // 6a03 | push 1 // 6a30 | push 0 $sequence_50 = { 8b466c 5f 5e 5b 8be5 5d } // n = 6, score = 500 // 8b466c | cmp eax, 0x7f // 5f | push 0 // 5e | push -1 // 5b | push eax // 8be5 | push ecx // 5d | push eax $sequence_51 = { 8b5d08 b8afa96e5e 56 57 00b807000000 008b45fc33d2 00b871800780 } // n = 7, score = 500 // 8b5d08 | mov edx, dword ptr [edi] // b8afa96e5e | add esp, 0xc // 56 | mov ecx, dword ptr [ebp + 0xc] // 57 | mov eax, edx // 00b807000000 | or eax, ecx // 008b45fc33d2 | cmp eax, -1 // 00b871800780 | test eax, eax $sequence_52 = { 8bf1 bb00c34c84 57 33ff } // n = 4, score = 500 // 8bf1 | mov edx, esp // bb00c34c84 | xor esi, esi // 57 | mov dword ptr [edx + 0xc], esi // 33ff | mov dword ptr [edx + 8], esi $sequence_53 = { 83ec10 53 6a00 8d45fc } // n = 4, score = 500 // 83ec10 | mov dword ptr [esp + 4], ecx // 53 | mov ecx, dword ptr [esp + 0x1c] // 6a00 | cmove ecx, eax // 8d45fc | sub edx, dword ptr [ecx + 0x34] $sequence_54 = { 6a03 6a00 6a00 ff7508 53 50 } // n = 6, score = 500 // 6a03 | xor esi, esi // 6a00 | mov dword ptr [edx + 0xc], esi // 6a00 | mov dword ptr [edx + 8], esi // ff7508 | xor ecx, ecx // 53 | mov edx, esp // 50 | xor esi, esi $sequence_55 = { 8b7020 8b7840 89c3 83c33c } // n = 4, score = 300 // 8b7020 | shr eax, 7 // 8b7840 | shr eax, 7 // 89c3 | inc ebx // 83c33c | cmp eax, 0x7f $sequence_56 = { c605????????00 0fb6d8 e8???????? 0fb6c3 } // n = 4, score = 200 // c605????????00 | // 0fb6d8 | add ecx, edx // e8???????? | // 0fb6c3 | shr ecx, 6 $sequence_57 = { e8???????? 84c0 7519 33c9 } // n = 4, score = 200 // e8???????? | // 84c0 | shl eax, cl // 7519 | sub ecx, edx // 33c9 | shr ecx, 1 $sequence_58 = { ff15???????? 
83f803 7405 83f802 751e } // n = 5, score = 200 // ff15???????? | // 83f803 | inc ecx // 7405 | mov ecx, ebx // 83f802 | shl eax, cl // 751e | add edx, eax $sequence_59 = { 7519 33c9 0f1f4000 0fb6840c30010000 } // n = 4, score = 200 // 7519 | inc ecx // 33c9 | mov byte ptr [eax - 3], al // 0f1f4000 | inc ecx // 0fb6840c30010000 | mov byte ptr [eax - 2], cl $sequence_60 = { 743e 8b5c2430 85db 741d } // n = 4, score = 200 // 743e | mov dword ptr [ebp + 0x20], ecx // 8b5c2430 | inc ecx // 85db | mov edx, eax // 741d | shl edx, cl $sequence_61 = { 8bf8 e8???????? eb04 8b7c2430 } // n = 4, score = 200 // 8bf8 | shl edx, cl // e8???????? | // eb04 | inc ecx // 8b7c2430 | mov ecx, ebx $sequence_62 = { 31c9 89e2 31f6 89720c 897208 } // n = 5, score = 200 // 31c9 | ja 0 // 89e2 | shr eax, 7 // 31f6 | inc edi // 89720c | cmp eax, 0x7f // 897208 | ja 0 $sequence_63 = { 488d15e70f0000 e8???????? 84c0 0f84f1000000 48899c2480030000 } // n = 5, score = 100 // 488d15e70f0000 | inc ecx // e8???????? | // 84c0 | mov byte ptr [eax - 2], cl // 0f84f1000000 | shr cx, 8 // 48899c2480030000 | inc ecx $sequence_64 = { 84c0 7466 0f1f4000 488b9c2448040000 4885db } // n = 5, score = 100 // 84c0 | cmp ebx, ecx // 7466 | dec ebp // 0f1f4000 | lea eax, [eax + 4] // 488b9c2448040000 | inc ecx // 4885db | mov byte ptr [eax - 3], al $sequence_65 = { 8b4a48 894e20 83c418 5e c3 } // n = 5, score = 100 // 8b4a48 | setne al // 894e20 | pop ebx // 83c418 | mov esp, ebp // 5e | add eax, 0x20 // c3 | jmp 5 $sequence_66 = { 8b4c241c 0f44c8 2b5134 8b442420 890424 89542404 894c2418 } // n = 7, score = 100 // 8b4c241c | inc ecx // 0f44c8 | cmp eax, 0x7f // 2b5134 | ja 5 // 8b442420 | jbe 0xb // 890424 | shr eax, 7 // 89542404 | inc ecx // 894c2418 | cmp eax, 0x7f $sequence_67 = { 897204 8932 8b15???????? 8944247c f20f11442470 } // n = 5, score = 100 // 897204 | mov esp, ebp // 8932 | cmp dword ptr [ebx], eax // 8b15???????? 
| // 8944247c | pop edi // f20f11442470 | pop esi $sequence_68 = { 813c3850450000 0f44f5 895e34 890424 } // n = 4, score = 100 // 813c3850450000 | push 1 // 0f44f5 | push 0 // 895e34 | push esi // 890424 | mov edi, eax $sequence_69 = { e8???????? 8d0d2231d800 890424 894c2404 e8???????? 8b4c242c 894130 } // n = 7, score = 100 // e8???????? | // 8d0d2231d800 | inc ecx // 890424 | mov ecx, 1 // 894c2404 | cmp eax, 0x7f // e8???????? | // 8b4c242c | jbe 0xe // 894130 | shr eax, 7 $sequence_70 = { 8bf8 85ff 7443 be???????? e8???????? } // n = 5, score = 100 // 8bf8 | movzx eax, cx // 85ff | shr ecx, 0x10 // 7443 | shr ax, 8 // be???????? | // e8???????? | $sequence_71 = { 8b442450 894c2414 8b4c2418 8908 } // n = 4, score = 100 // 8b442450 | test edi, edi // 894c2414 | je 0x41 // 8b4c2418 | push ebx // 8908 | xor eax, eax $sequence_72 = { 8b5010 51 52 c745f48072e601 e8???????? 8bd8 85db } // n = 7, score = 100 // 8b5010 | mov byte ptr [eax], cl // 51 | movzx eax, cx // 52 | shr ecx, 0x10 // c745f48072e601 | shr ax, 8 // e8???????? | // 8bd8 | inc ecx // 85db | mov byte ptr [eax], cl condition: 7 of them and filesize < 733184 } , rule win_emotet_w0 { meta: author = \ press inquiries , technical contact \ source = \ https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html\ description = \ The modified emotet binary replaces the original emotet on the system of the victim. The original emotet is copied to a quarantine for evidence-preservation.\ note = \ The quarantine folder depends on the scope of the initial emotet infection (user or administrator). It is the temporary folder as returned by GetTempPathW under a filename starting with UDP as returned by GetTempFileNameW. 
To prevent accidental reinfection by a user, the quarantined emotet is encrypted using RC4 and a 0x20 bytes long key found at the start of the quarantined file (see $key).\ sharing = \ TLP:WHITE\ version = \ 20210323\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet\ malpedia_rule_date = \ 20210421\ malpedia_hash = \ \ malpedia_version = \ 20210421\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 } condition: $key at 0 } , rule win_emotet_w1 { meta: author = \ press inquiries , technical contact \ source = \ https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html\ description = \ This rule targets a modified emotet binary deployed by the Bundeskriminalamt on the 26th of January 2021.\ note = \ The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self- deinstallation was chosen primarily for evidence purposes as well as to allow remediation.\ sharing = \ TLP:WHITE\ version = \ 20210323\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet\ malpedia_rule_date = \ 20210421\ malpedia_hash = \ \ malpedia_version = \ 20210421\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 } condition: filesize > 300KB and filesize < 700KB and uint16(0) == 0x5A4D and $key } ] }, { Malware : Lumma Stealer , Description : Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. 
It is believed to have been developed by the threat actor \ Shamel\ , who goes by the alias \ Lumma\ . Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent \ TeslaBrowser/5.5\ .\ The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor \ Shamel\ , who goes by the alias \ Lumma\ . Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent \ TeslaBrowser/5.5\ .\ The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. 
, YARA : [ rule win_lumma_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lumma.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 57 53 ff767c ff7678 } // n = 4, score = 1100 // 57 | push edi // 53 | push ebx // ff767c | push dword ptr [esi + 0x7c] // ff7678 | push dword ptr [esi + 0x78] $sequence_1 = { ffd0 83c40c 894648 85c0 } // n = 4, score = 1000 // ffd0 | call eax // 83c40c | add esp, 0xc // 894648 | mov dword ptr [esi + 0x48], eax // 85c0 | test eax, eax $sequence_2 = { ff5130 83c410 85c0 7407 } // n = 4, score = 1000 // ff5130 | call dword ptr [ecx + 0x30] // 83c410 | add esp, 0x10 // 85c0 | test eax, eax // 7407 | je 9 $sequence_3 = { ff7678 ff7644 ff563c 83c414 } // n = 4, score = 1000 // ff7678 | push dword ptr [esi + 0x78] // ff7644 | push dword ptr [esi + 0x44] // ff563c | call dword ptr [esi + 0x3c] // 83c414 | add esp, 0x14 $sequence_4 = { ff770c ff37 ff7134 ff5130 } // n = 4, score = 1000 // ff770c | push dword ptr [edi + 0xc] // ff37 | push dword ptr [edi] // ff7134 | push dword ptr [ecx + 0x34] // ff5130 | call dword ptr [ecx + 0x30] $sequence_5 = { ff7608 ff7044 ff503c 83c414 } // n = 4, score = 1000 // ff7608 | push dword ptr [esi + 8] // ff7044 | push dword ptr [eax + 0x44] // ff503c | call dword ptr [eax + 0x3c] // 83c414 | add esp, 0x14 $sequence_6 = { 894610 8b461c c1e002 50 } // n = 4, score = 1000 // 894610 | mov dword ptr [esi + 0x10], eax // 8b461c | mov eax, dword ptr [esi + 0x1c] // c1e002 | shl eax, 2 // 50 | push eax $sequence_7 = { 833800 740a e8???????? 833822 } // n = 4, score = 1000 // 833800 | cmp dword ptr [eax], 0 // 740a | je 0xc // e8???????? | // 833822 | cmp dword ptr [eax], 0x22 $sequence_8 = { 83c40c 6a02 6804010000 e8???????? } // n = 4, score = 800 // 83c40c | add esp, 0xc // 6a02 | push 2 // 6804010000 | push 0x104 // e8???????? 
| $sequence_9 = { 017e78 83567c00 017e68 83566c00 } // n = 4, score = 800 // 017e78 | add dword ptr [esi + 0x78], edi // 83567c00 | adc dword ptr [esi + 0x7c], 0 // 017e68 | add dword ptr [esi + 0x68], edi // 83566c00 | adc dword ptr [esi + 0x6c], 0 $sequence_10 = { 89e5 8b550c 6bd204 89d1 } // n = 4, score = 700 // 89e5 | mov ebp, esp // 8b550c | mov edx, dword ptr [ebp + 0xc] // 6bd204 | imul edx, edx, 4 // 89d1 | mov ecx, edx $sequence_11 = { 41 5d 41 5b 41 5c } // n = 6, score = 700 // 41 | inc ecx // 5d | pop ebp // 41 | inc ecx // 5b | pop ebx // 41 | inc ecx // 5c | pop esp $sequence_12 = { 48 83ec28 0f05 48 83c428 49 } // n = 6, score = 700 // 48 | dec eax // 83ec28 | sub esp, 0x28 // 0f05 | syscall // 48 | dec eax // 83c428 | add esp, 0x28 // 49 | dec ecx condition: 7 of them and filesize < 1115136 } , rule win_lumma_w0 { meta: description = \ detect_Lumma_stealer\ author = \ @malgamy12\ date = \ 2022-11-3\ license = \ DRL 1.1\ hunting = \ https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0\ hash1 = \ 19b937654065f5ee8baee95026f6ea7466ee2322\ hash2 = \ 987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe\ hash3 = \ 70517a53551269d68b969a9328842cea2e1f975c\ hash4 = \ 9b7b72c653d07a611ce49457c73ee56ed4c4756e\ hash5 = \ 4992ebda2b069281c924288122f76556ceb5ae02\ hash6 = \ 5c67078819246f45ff37d6db81328be12f8fc192\ hash7 = \ 87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\ malpedia_rule_date = \ 20230118\ malpedia_hash = \ \ malpedia_version = \ 20230118\ malpedia_license = \ DRL 1.1\ malpedia_sharing = \ TLP:WHITE\ strings: $m1 = \ LummaC\\Release\\LummaC.pdb\ ascii fullword $s1 = \ Cookies.txt\ ascii $s2 = \ Autofills.txt\ ascii $s3 = \ ProgramData\\config.txt\ ascii $s4 = \ ProgramData\\softokn3.dll\ ascii $s5 = \ ProgramData\\winrarupd.zip\ ascii $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 
5F 5E 8B C1 C1 E8 ??} condition: $m1 or (4 of ($s*) and $chunk_1 ) } , rule win_lumma_w1 { meta: author = \ Matthew @ Embee_Research\ yarahub_author_twitter = \ @embee_research\ desc = \ Detects obfuscation methods observed in Lumma Stealer Payloads\ sha_256 = \ 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf\ sha_256 = \ 7f18cf601b818b11068bb8743283ae378f547a1581682ea3cc163186aae7c55d\ sha_256 = \ 03796740db48a98a4438c36d7b8c14b0a871bf8c692e787f1bf093b2d584999f\ date = \ 2023-09-13\ source = \ https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_lumma%20_simple.yar\ yarahub_uuid = \ 39c32477-9a80-485b-b17a-4adf05f66cf8\ yarahub_license = \ CC BY-NC 4.0\ malpedia_family = \ win.lumma\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\ malpedia_version = \ 20230918\ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $o1 = {57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00} $o2 = {4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00} $o3 = {4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00} condition: uint16(0) == 0x5a4d and filesize < 5000KB and (all of ($o*)) } ] }, { Malware : Nanocore RAT , Description : Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation state threat actors. Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation state threat actors. 
, YARA : [ rule win_nanocore_w0 { meta: author = \ Kevin Breen \ date = \ 2014/04\ ref = \ http://malwareconfig.com/stats/NanoCore\ maltype = \ Remote Access Trojan\ filetype = \ exe\ source = \ https://github.com/mattulm/sfiles_yara/blob/master/malware/NanoCore.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\ malpedia_version = \ 20170517\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $a = \ NanoCore\ $b = \ ClientPlugin\ $c = \ ProjectData\ $d = \ DESCrypto\ $e = \ KeepAlive\ $f = \ IPNETROW\ $g = \ LogClientMessage\ $h = \ |ClientHost\ $i = \ get_Connected\ $j = \ #=q\ $key = {43 6f 24 cb 95 30 38 39} condition: 6 of them } ] }, { Malware : OriginLogger , Description : There is no description at this point. , YARA : [ rule win_originlogger_w0 { meta: author = \ Johannes Bader @viql\ date = \ 2022-09-20\ description = \ detects Orign Logger\ tlp = \ TLP:WHITE\ version = \ v1.0\ hash_sha256 = \ 595a7ea981a3948c4f387a5a6af54a70a41dd604685c72cbd2a55880c2b702ed\ hash_md5 = \ bd9981b13c37d3ba04e55152243b1e3e\ hash_sha1 = \ 4669160ec356a8640cef92ddbaf7247d717a3ef1\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.originlogger\ malpedia_rule_date = \ 20220920\ malpedia_hash = \ \ malpedia_version = \ 20220920\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $name = \ OriginLogger\ wide $exe = \ OriginLogger.exe\ wide $cfg_section_0 = \ [LOGSETTINGS]\ $cfg_section_1 = \ [ASSEMBLY]\ $cfg_section_2 = \ [STEALER]\ $cfg_section_3 = \ [BINDER]\ $cfg_section_4 = \ [INSTALLATION]\ $cfg_section_5 = \ [OPTIONS]\ $cfg_section_6 = \ [DOWNLOADER]\ $cfg_section_7 = \ [EXTENSION]\ $cfg_section_8 = \ [FILEPUMPER]\ $cfg_section_9 = \ [FAKEMSG]\ $cfg_section_10 = \ [HOST]\ $cfg_section_11 = \ [BUILD]\ $cfg_entries_0 = \ BinderON=\ $cfg_entries_1 = \ blackhawk=\ $cfg_entries_2 = \ centbrowser=\ $cfg_entries_3 = \ chedot=\ $cfg_entries_4 = \ citrio=\ 
$cfg_entries_5 = \ clawsmail=\ $cfg_entries_6 = \ CloneON=\ $cfg_entries_7 = \ coccoc=\ $cfg_entries_8 = \ Coolnovo=\ $cfg_entries_9 = \ coowon=\ $cfg_entries_10 = \ cyberfox=\ $cfg_entries_11 = \ Delaysec=\ $cfg_entries_12 = \ dest_date=\ $cfg_entries_13 = \ Disablecp=\ $cfg_entries_14 = \ Disablemsconfig=\ $cfg_entries_15 = \ Disablesysrestore=\ $cfg_entries_16 = \ DownloaderON=\ $cfg_entries_17 = \ emclient=\ $cfg_entries_18 = \ epicpb=\ $cfg_entries_19 = \ estensionON=\ $cfg_entries_20 = \ Eudora=\ $cfg_entries_21 = \ falkon=\ $cfg_entries_22 = \ FileassemblyON=\ $cfg_entries_23 = \ FlashFXP=\ $cfg_entries_24 = \ FPRadiobut=\ $cfg_entries_25 = \ HostON=\ $cfg_entries_26 = \ icecat=\ $cfg_entries_27 = \ icedragon=\ $cfg_entries_28 = \ IconON=\ $cfg_entries_29 = \ IncrediMail=\ $cfg_entries_30 = \ iridium=\ $cfg_entries_31 = \ JustOne=\ $cfg_entries_32 = \ kmeleon=\ $cfg_entries_33 = \ kometa=\ $cfg_entries_34 = \ liebao=\ $cfg_entries_35 = \ orbitum=\ $cfg_entries_36 = \ palemoon=\ $cfg_entries_37 = \ pumderON=\ $cfg_entries_38 = \ pumpertext=\ $cfg_entries_39 = \ qqbrowser=\ $cfg_entries_40 = \ screeninterval=\ $cfg_entries_41 = \ SelectFolder=\ $cfg_entries_42 = \ sleipnir=\ $cfg_entries_43 = \ SmartLogger=\ $cfg_entries_44 = \ smartLoggerType=\ $cfg_entries_45 = \ SmartWords=\ $cfg_entries_46 = \ sputnik=\ $cfg_entries_47 = \ telegram_api=\ $cfg_entries_48 = \ telegram_chatid=\ $cfg_entries_49 = \ toemail=\ $cfg_entries_50 = \ trillian=\ $cfg_entries_51 = \ UCBrowser=\ $cfg_entries_52 = \ USBSpread=\ $cfg_entries_53 = \ vivaldi=\ $cfg_entries_54 = \ waterfox=\ $cfg_entries_55 = \ WebFilterON=\ condition: (uint16(0) == 0x5A4D or uint32(0) == 0x04034b50) and (#name >= 4 or #exe >= 2) and 10 of ($cfg_section_*) and 50 of ($cfg_entries_*) } ] }, { Malware : Pikabot , Description : Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. 
Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options. Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options. , YARA : [ rule win_pikabot_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.pikabot.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8945f8 8b4510 8945f4 8b4510 48 } // n = 5, score = 900 // 8945f8 | mov dword ptr [ebp - 8], eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 8945f4 | mov dword ptr [ebp - 0xc], eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 48 | dec eax $sequence_1 = { 894510 837df400 741a 8b45fc 8b4df8 8a09 } // n = 6, score = 900 // 894510 | mov dword ptr [ebp + 0x10], eax // 837df400 | cmp dword ptr [ebp - 0xc], 0 // 741a | je 0x1c // 8b45fc | mov eax, dword ptr [ebp - 4] // 8b4df8 | mov ecx, dword ptr [ebp - 8] // 8a09 | mov cl, byte ptr [ecx] $sequence_2 = { 8b4df8 8a09 8808 8b45fc } // n = 4, score = 900 // 8b4df8 | mov ecx, dword ptr [ebp - 8] // 8a09 | mov cl, byte ptr [ecx] // 8808 | mov byte ptr [eax], cl // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_3 = { 40 8945fc 8b45f8 40 8945f8 ebd3 8b4508 } // n = 7, score = 900 // 40 | inc eax // 8945fc | mov dword ptr [ebp - 4], eax // 8b45f8 | mov eax, dword ptr [ebp - 8] // 40 | inc eax // 8945f8 | mov dword ptr [ebp - 8], eax // ebd3 | jmp 0xffffffd5 // 8b4508 | mov eax, dword ptr [ebp + 8] $sequence_4 = { 8945f8 ebd3 8b4508 c9 c3 55 } // n = 6, score = 900 // 8945f8 | mov dword ptr [ebp - 8], eax // ebd3 | jmp 0xffffffd5 // 8b4508 | mov eax, dword ptr [ebp + 8] // c9 | leave // c3 | ret // 55 | push ebp $sequence_5 = { 83ec0c 8b4508 8945fc 8b450c 8945f8 8b4510 } // n = 6, score = 900 // 83ec0c | sub esp, 0xc // 8b4508 | mov eax, dword ptr [ebp + 8] // 8945fc | mov dword ptr [ebp - 4], eax // 8b450c | mov eax, dword ptr [ebp + 0xc] // 8945f8 | mov dword ptr 
[ebp - 8], eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] $sequence_6 = { 7ce9 8b4214 2b420c 5f } // n = 4, score = 800 // 7ce9 | jl 0xffffffeb // 8b4214 | mov eax, dword ptr [edx + 0x14] // 2b420c | sub eax, dword ptr [edx + 0xc] // 5f | pop edi $sequence_7 = { e8???????? ffd0 c9 c3 55 8bec } // n = 6, score = 800 // e8???????? | // ffd0 | call eax // c9 | leave // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp $sequence_8 = { 8bfa 85c9 7436 85ff } // n = 4, score = 700 // 8bfa | mov edi, edx // 85c9 | test ecx, ecx // 7436 | je 0x38 // 85ff | test edi, edi $sequence_9 = { 8b0cba 03ce e8???????? 8bd0 } // n = 4, score = 700 // 8b0cba | mov ecx, dword ptr [edx + edi*4] // 03ce | add ecx, esi // e8???????? | // 8bd0 | mov edx, eax $sequence_10 = { 8a1c08 8d4320 0fb6c8 8d53bf 80fa19 } // n = 5, score = 700 // 8a1c08 | mov bl, byte ptr [eax + ecx] // 8d4320 | lea eax, [ebx + 0x20] // 0fb6c8 | movzx ecx, al // 8d53bf | lea edx, [ebx - 0x41] // 80fa19 | cmp dl, 0x19 $sequence_11 = { 40 8945fc 3bc7 72d5 } // n = 4, score = 700 // 40 | inc eax // 8945fc | mov dword ptr [ebp - 4], eax // 3bc7 | cmp eax, edi // 72d5 | jb 0xffffffd7 $sequence_12 = { 55 8bec 83ec10 53 56 8b35???????? b84d5a0000 } // n = 7, score = 700 // 55 | push ebp // 8bec | mov ebp, esp // 83ec10 | sub esp, 0x10 // 53 | push ebx // 56 | push esi // 8b35???????? | // b84d5a0000 | mov eax, 0x5a4d $sequence_13 = { e8???????? 8bd0 e8???????? 3b45fc } // n = 4, score = 700 // e8???????? | // 8bd0 | mov edx, eax // e8???????? 
| // 3b45fc | cmp eax, dword ptr [ebp - 4] $sequence_14 = { c3 56 8bf1 85c9 7419 85d2 7415 } // n = 7, score = 700 // c3 | ret // 56 | push esi // 8bf1 | mov esi, ecx // 85c9 | test ecx, ecx // 7419 | je 0x1b // 85d2 | test edx, edx // 7415 | je 0x17 $sequence_15 = { 84c0 75f6 c60100 8bc6 5e } // n = 5, score = 700 // 84c0 | test al, al // 75f6 | jne 0xfffffff8 // c60100 | mov byte ptr [ecx], 0 // 8bc6 | mov eax, esi // 5e | pop esi $sequence_16 = { c9 c3 64a130000000 8b4018 c3 55 } // n = 6, score = 600 // c9 | leave // c3 | ret // 64a130000000 | mov eax, dword ptr fs:[0x30] // 8b4018 | mov eax, dword ptr [eax + 0x18] // c3 | ret // 55 | push ebp condition: 7 of them and filesize < 1717248 } ] }, { Malware : PlugX , Description : RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system. Notable features of this malware family are the ability to execute commands on the affected machine to: retrieve machine information; capture the screen; send keyboard and mouse events; keylogging; reboot the system; manage processes (create, kill and enumerate); manage services (create, start, stop, etc.); and manage Windows registry entries, open a shell, etc. The malware also logs its events in a text log file. RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system. 
Notable features of this malware family are the ability to execute commands on the affected machine to: retrieve machine information; capture the screen; send keyboard and mouse events; keylogging; reboot the system; manage processes (create, kill and enumerate); manage services (create, start, stop, etc.); and manage Windows registry entries, open a shell, etc. The malware also logs its events in a text log file. , YARA : [ rule win_plugx_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.plugx.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 51 56 57 6a1c 8bf8 } // n = 5, score = 1300 // 51 | push ecx // 56 | push esi // 57 | push edi // 6a1c | push 0x1c // 8bf8 | mov edi, eax $sequence_1 = { 33d2 f7f3 33d2 8945fc } // n = 4, score = 1300 // 33d2 | xor edx, edx // f7f3 | div ebx // 33d2 | xor edx, edx // 8945fc | mov dword ptr [ebp - 4], eax $sequence_2 = { 55 8bec a1???????? 
83ec5c 53 } // n = 5, score = 1300 // 55 | push ebp // 8bec | mov ebp, esp // a1???????? | // 83ec5c | sub esp, 0x5c // 53 | push ebx $sequence_3 = { 55 8bec 51 0fb74612 } // n = 4, score = 1300 // 55 | push ebp // 8bec | mov ebp, esp // 51 | push ecx // 0fb74612 | movzx eax, word ptr [esi + 0x12] $sequence_4 = { 51 53 6a00 6a00 6a02 ffd0 85c0 } // n = 7, score = 1300 // 51 | push ecx // 53 | push ebx // 6a00 | push 0 // 6a00 | push 0 // 6a02 | push 2 // ffd0 | call eax // 85c0 | test eax, eax $sequence_5 = { 41 3bca 7ce0 3bca } // n = 4, score = 1300 // 41 | inc ecx // 3bca | cmp ecx, edx // 7ce0 | jl 0xffffffe2 // 3bca | cmp ecx, edx $sequence_6 = { 56 8b750c 8b4604 050070ffff } // n = 4, score = 1300 // 56 | push esi // 8b750c | mov esi, dword ptr [ebp + 0xc] // 8b4604 | mov eax, dword ptr [esi + 4] // 050070ffff | add eax, 0xffff7000 $sequence_7 = { 6a00 6800100000 6800100000 68ff000000 6a00 6803000040 } // n = 6, score = 1000 // 6a00 | push 0 // 6800100000 | push 0x1000 // 6800100000 | push 0x1000 // 68ff000000 | push 0xff // 6a00 | push 0 // 6803000040 | push 0x40000003 $sequence_8 = { e8???????? 3de5030000 7407 e8???????? } // n = 4, score = 900 // e8???????? | // 3de5030000 | cmp eax, 0x3e5 // 7407 | je 9 // e8???????? | $sequence_9 = { e8???????? 85c0 7508 e8???????? 8945fc } // n = 5, score = 900 // e8???????? | // 85c0 | test eax, eax // 7508 | jne 0xa // e8???????? | // 8945fc | mov dword ptr [ebp - 4], eax $sequence_10 = { 50 ff15???????? a3???????? 8b4d18 } // n = 4, score = 900 // 50 | push eax // ff15???????? | // a3???????? | // 8b4d18 | mov ecx, dword ptr [ebp + 0x18] $sequence_11 = { 85c0 7413 e8???????? 3de5030000 } // n = 4, score = 900 // 85c0 | test eax, eax // 7413 | je 0x15 // e8???????? | // 3de5030000 | cmp eax, 0x3e5 $sequence_12 = { e8???????? 85c0 7407 b84f050000 } // n = 4, score = 800 // e8???????? | // 85c0 | test eax, eax // 7407 | je 9 // b84f050000 | mov eax, 0x54f $sequence_13 = { e8???????? 85c0 750a e8???????? 
8945fc } // n = 5, score = 700 // e8???????? | // 85c0 | test eax, eax // 750a | jne 0xc // e8???????? | // 8945fc | mov dword ptr [ebp - 4], eax $sequence_14 = { 6a00 6a04 6a00 6a01 6800000040 57 } // n = 6, score = 700 // 6a00 | push 0 // 6a04 | push 4 // 6a00 | push 0 // 6a01 | push 1 // 6800000040 | push 0x40000000 // 57 | push edi $sequence_15 = { 6a00 6819000200 6a00 6a00 6a00 51 } // n = 6, score = 600 // 6a00 | push 0 // 6819000200 | push 0x20019 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 51 | push ecx $sequence_16 = { 56 56 6a01 56 ffd0 } // n = 5, score = 600 // 56 | push esi // 56 | push esi // 6a01 | push 1 // 56 | push esi // ffd0 | call eax $sequence_17 = { 85c0 750d e8???????? 8945f4 } // n = 4, score = 600 // 85c0 | test eax, eax // 750d | jne 0xf // e8???????? | // 8945f4 | mov dword ptr [ebp - 0xc], eax $sequence_18 = { 57 e8???????? eb0c e8???????? } // n = 4, score = 500 // 57 | push edi // e8???????? | // eb0c | jmp 0xe // e8???????? | $sequence_19 = { 50 ff75e8 6802000080 e8???????? } // n = 4, score = 400 // 50 | push eax // ff75e8 | push dword ptr [ebp - 0x18] // 6802000080 | push 0x80000002 // e8???????? | $sequence_20 = { 6a00 ff7028 e8???????? 83c408 85c0 } // n = 5, score = 400 // 6a00 | push 0 // ff7028 | push dword ptr [eax + 0x28] // e8???????? | // 83c408 | add esp, 8 // 85c0 | test eax, eax $sequence_21 = { 6808020000 6a00 ff742450 e8???????? 83c40c } // n = 5, score = 400 // 6808020000 | push 0x208 // 6a00 | push 0 // ff742450 | push dword ptr [esp + 0x50] // e8???????? | // 83c40c | add esp, 0xc $sequence_22 = { 6a02 6a00 e8???????? c705????????00000000 } // n = 4, score = 400 // 6a02 | push 2 // 6a00 | push 0 // e8???????? | // c705????????00000000 | $sequence_23 = { 6800080000 68???????? e8???????? 6800080000 68???????? e8???????? } // n = 6, score = 400 // 6800080000 | push 0x800 // 68???????? | // e8???????? | // 6800080000 | push 0x800 // 68???????? | // e8???????? 
| $sequence_24 = { 5e 5f 5b 5d c3 64a118000000 } // n = 6, score = 400 // 5e | pop esi // 5f | pop edi // 5b | pop ebx // 5d | pop ebp // c3 | ret // 64a118000000 | mov eax, dword ptr fs:[0x18] $sequence_25 = { 81ec90010000 e8???????? e8???????? e8???????? } // n = 4, score = 400 // 81ec90010000 | sub esp, 0x190 // e8???????? | // e8???????? | // e8???????? | $sequence_26 = { 68???????? 6830750000 68e8030000 ff36 } // n = 4, score = 400 // 68???????? | // 6830750000 | push 0x7530 // 68e8030000 | push 0x3e8 // ff36 | push dword ptr [esi] $sequence_27 = { 5f 5b 5d c20400 55 53 57 } // n = 7, score = 400 // 5f | pop edi // 5b | pop ebx // 5d | pop ebp // c20400 | ret 4 // 55 | push ebp // 53 | push ebx // 57 | push edi $sequence_28 = { 50 56 ffb42480000000 ff15???????? } // n = 4, score = 400 // 50 | push eax // 56 | push esi // ffb42480000000 | push dword ptr [esp + 0x80] // ff15???????? | $sequence_29 = { 6808020000 6a00 ff74242c e8???????? } // n = 4, score = 400 // 6808020000 | push 0x208 // 6a00 | push 0 // ff74242c | push dword ptr [esp + 0x2c] // e8???????? | $sequence_30 = { 6a01 6a00 e8???????? a3???????? 6800080000 } // n = 5, score = 400 // 6a01 | push 1 // 6a00 | push 0 // e8???????? | // a3???????? 
| // 6800080000 | push 0x800 condition: 7 of them and filesize < 1284096 } , rule win_plugx_w1 { meta: description = \ PlugX Identifying Strings\ author = \ Seth Hardy\ last_modified = \ 2014-06-12\ source = \ https://github.com/mattulm/sfiles_yara/blob/master/malware/plugx.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\ malpedia_version = \ 20170517\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $BootLDR = \ boot.ldr\ wide ascii $Dwork = \ d:\\work\ nocase $Plug25 = \ plug2.5\ $Plug30 = \ Plug3.0\ $Shell6 = \ Shell6\ condition: $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6)) } , rule win_plugx_w2 { meta: author = \ Jean-Philippe Teissier / @Jipe_\ description = \ PlugX RAT\ date = \ 2014-05-13\ filetype = \ memory\ version = \ 1.0\ ref1 = \ https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py\ source = \ https://github.com/mattulm/sfiles_yara/blob/master/malware/plugx.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\ malpedia_version = \ 20170517\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $v1a = { 47 55 4C 50 00 00 00 00 } $v1b = \ /update?id=%8.8x\ $v1algoa = { BB 33 33 33 33 2B } $v1algob = { BB 44 44 44 44 2B } $v2a = \ Proxy-Auth:\ $v2b = { 68 A0 02 00 00 } $v2k = { C1 8F 3A 71 } condition: $v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k)) } ] }, { Malware : QakBot , Description : QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. 
It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. , YARA : [ rule win_qakbot_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.qakbot.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c9 c3 55 8bec 81ecc4090000 } // n = 5, score = 15700 // c9 | leave // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // 81ecc4090000 | sub esp, 0x9c4 $sequence_1 = { 33c0 7402 ebfa e8???????? } // n = 4, score = 15500 // 33c0 | xor eax, eax // 7402 | je 4 // ebfa | jmp 0xfffffffc // e8???????? 
| $sequence_2 = { 7402 ebfa 33c0 7402 } // n = 4, score = 15400 // 7402 | je 4 // ebfa | jmp 0xfffffffc // 33c0 | xor eax, eax // 7402 | je 4 $sequence_3 = { 7402 ebfa eb06 33c0 } // n = 4, score = 14900 // 7402 | je 4 // ebfa | jmp 0xfffffffc // eb06 | jmp 8 // 33c0 | xor eax, eax $sequence_4 = { e8???????? 33c9 85c0 0f9fc1 41 } // n = 5, score = 14800 // e8???????? | // 33c9 | xor ecx, ecx // 85c0 | test eax, eax // 0f9fc1 | setg cl // 41 | inc ecx $sequence_5 = { 50 e8???????? 8b06 47 59 } // n = 5, score = 14400 // 50 | push eax // e8???????? | // 8b06 | mov eax, dword ptr [esi] // 47 | inc edi // 59 | pop ecx $sequence_6 = { 8d45fc 6aff 50 e8???????? } // n = 4, score = 14100 // 8d45fc | lea eax, [ebp - 4] // 6aff | push -1 // 50 | push eax // e8???????? | $sequence_7 = { 59 59 33c0 7402 } // n = 4, score = 13900 // 59 | pop ecx // 59 | pop ecx // 33c0 | xor eax, eax // 7402 | je 4 $sequence_8 = { e8???????? 59 59 6afb e9???????? } // n = 5, score = 13800 // e8???????? | // 59 | pop ecx // 59 | pop ecx // 6afb | push -5 // e9???????? | $sequence_9 = { 740d 8d45fc 6a00 50 } // n = 4, score = 13700 // 740d | je 0xf // 8d45fc | lea eax, [ebp - 4] // 6a00 | push 0 // 50 | push eax $sequence_10 = { 50 8d8534f6ffff 6a00 50 e8???????? } // n = 5, score = 13700 // 50 | push eax // 8d8534f6ffff | lea eax, [ebp - 0x9cc] // 6a00 | push 0 // 50 | push eax // e8???????? | $sequence_11 = { 8945fc e8???????? 8bf0 8d45fc 50 e8???????? } // n = 6, score = 13500 // 8945fc | mov dword ptr [ebp - 4], eax // e8???????? | // 8bf0 | mov esi, eax // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // e8???????? | $sequence_12 = { 33c0 e9???????? 33c0 7402 } // n = 4, score = 13400 // 33c0 | xor eax, eax // e9???????? | // 33c0 | xor eax, eax // 7402 | je 4 $sequence_13 = { 7402 ebfa e9???????? 6a00 } // n = 4, score = 13200 // 7402 | je 4 // ebfa | jmp 0xfffffffc // e9???????? | // 6a00 | push 0 $sequence_14 = { 8975f8 8975f0 8975f4 e8???????? 
} // n = 4, score = 13200 // 8975f8 | mov dword ptr [ebp - 8], esi // 8975f0 | mov dword ptr [ebp - 0x10], esi // 8975f4 | mov dword ptr [ebp - 0xc], esi // e8???????? | $sequence_15 = { eb0b c644301c00 ff465c 8b465c 83f840 7cf0 } // n = 6, score = 13000 // eb0b | jmp 0xd // c644301c00 | mov byte ptr [eax + esi + 0x1c], 0 // ff465c | inc dword ptr [esi + 0x5c] // 8b465c | mov eax, dword ptr [esi + 0x5c] // 83f840 | cmp eax, 0x40 // 7cf0 | jl 0xfffffff2 $sequence_16 = { 7cef eb10 c644301c00 ff465c 8b465c 83f838 } // n = 6, score = 13000 // 7cef | jl 0xfffffff1 // eb10 | jmp 0x12 // c644301c00 | mov byte ptr [eax + esi + 0x1c], 0 // ff465c | inc dword ptr [esi + 0x5c] // 8b465c | mov eax, dword ptr [esi + 0x5c] // 83f838 | cmp eax, 0x38 $sequence_17 = { e8???????? 83c410 33c0 7402 } // n = 4, score = 12800 // e8???????? | // 83c410 | add esp, 0x10 // 33c0 | xor eax, eax // 7402 | je 4 $sequence_18 = { 85c0 750a 33c0 7402 } // n = 4, score = 12700 // 85c0 | test eax, eax // 750a | jne 0xc // 33c0 | xor eax, eax // 7402 | je 4 $sequence_19 = { c644061c00 ff465c 837e5c38 7cef eb10 c644301c00 } // n = 6, score = 12700 // c644061c00 | mov byte ptr [esi + eax + 0x1c], 0 // ff465c | inc dword ptr [esi + 0x5c] // 837e5c38 | cmp dword ptr [esi + 0x5c], 0x38 // 7cef | jl 0xfffffff1 // eb10 | jmp 0x12 // c644301c00 | mov byte ptr [eax + esi + 0x1c], 0 $sequence_20 = { 7507 c7466401000000 83f840 7507 } // n = 4, score = 12400 // 7507 | jne 9 // c7466401000000 | mov dword ptr [esi + 0x64], 1 // 83f840 | cmp eax, 0x40 // 7507 | jne 9 $sequence_21 = { 837dfc00 750b 33c0 7402 } // n = 4, score = 12300 // 837dfc00 | cmp dword ptr [ebp - 4], 0 // 750b | jne 0xd // 33c0 | xor eax, eax // 7402 | je 4 $sequence_22 = { e8???????? e8???????? 33c0 7402 } // n = 4, score = 12300 // e8???????? | // e8???????? 
| // 33c0 | xor eax, eax // 7402 | je 4 $sequence_23 = { 833d????????00 7508 33c0 7402 } // n = 4, score = 12100 // 833d????????00 | // 7508 | jne 0xa // 33c0 | xor eax, eax // 7402 | je 4 $sequence_24 = { c7466001000000 33c0 40 5e } // n = 4, score = 11900 // c7466001000000 | mov dword ptr [esi + 0x60], 1 // 33c0 | xor eax, eax // 40 | inc eax // 5e | pop esi $sequence_25 = { 7402 ebfa 837d1000 7408 } // n = 4, score = 11600 // 7402 | je 4 // ebfa | jmp 0xfffffffc // 837d1000 | cmp dword ptr [ebp + 0x10], 0 // 7408 | je 0xa $sequence_26 = { 80ea80 8855f0 e8???????? 0fb64df7 } // n = 4, score = 11600 // 80ea80 | sub dl, 0x80 // 8855f0 | mov byte ptr [ebp - 0x10], dl // e8???????? | // 0fb64df7 | movzx ecx, byte ptr [ebp - 9] $sequence_27 = { 50 8d45d8 50 8d45d4 50 8d45ec } // n = 6, score = 9500 // 50 | push eax // 8d45d8 | lea eax, [ebp - 0x28] // 50 | push eax // 8d45d4 | lea eax, [ebp - 0x2c] // 50 | push eax // 8d45ec | lea eax, [ebp - 0x14] $sequence_28 = { 56 e8???????? 8b45fc 83c40c 40 } // n = 5, score = 9500 // 56 | push esi // e8???????? | // 8b45fc | mov eax, dword ptr [ebp - 4] // 83c40c | add esp, 0xc // 40 | inc eax $sequence_29 = { 6a00 6800600900 6a00 ff15???????? } // n = 4, score = 8800 // 6a00 | push 0 // 6800600900 | push 0x96000 // 6a00 | push 0 // ff15???????? | $sequence_30 = { 50 ff5508 8bf0 59 } // n = 4, score = 6300 // 50 | push eax // ff5508 | call dword ptr [ebp + 8] // 8bf0 | mov esi, eax // 59 | pop ecx $sequence_31 = { 6a00 58 0f95c0 40 50 } // n = 5, score = 5800 // 6a00 | push 0 // 58 | pop eax // 0f95c0 | setne al // 40 | inc eax // 50 | push eax $sequence_32 = { 57 ff15???????? 33c0 85f6 0f94c0 } // n = 5, score = 5200 // 57 | push edi // ff15???????? | // 33c0 | xor eax, eax // 85f6 | test esi, esi // 0f94c0 | sete al $sequence_33 = { 750c 57 ff15???????? 6afe 58 } // n = 5, score = 5200 // 750c | jne 0xe // 57 | push edi // ff15???????? 
| // 6afe | push -2 // 58 | pop eax $sequence_34 = { c3 33c9 3d80000000 0f94c1 } // n = 4, score = 5200 // c3 | ret // 33c9 | xor ecx, ecx // 3d80000000 | cmp eax, 0x80 // 0f94c1 | sete cl $sequence_35 = { 6a02 ff15???????? 8bf8 83c8ff } // n = 4, score = 5000 // 6a02 | push 2 // ff15???????? | // 8bf8 | mov edi, eax // 83c8ff | or eax, 0xffffffff $sequence_36 = { 50 e8???????? 6a40 8d4590 } // n = 4, score = 4500 // 50 | push eax // e8???????? | // 6a40 | push 0x40 // 8d4590 | lea eax, [ebp - 0x70] $sequence_37 = { 8d85e4fcffff 50 8d85e4fdffff 50 } // n = 4, score = 4300 // 8d85e4fcffff | lea eax, [ebp - 0x31c] // 50 | push eax // 8d85e4fdffff | lea eax, [ebp - 0x21c] // 50 | push eax $sequence_38 = { 56 e8???????? 83c40c 8d4514 50 } // n = 5, score = 4000 // 56 | push esi // e8???????? | // 83c40c | add esp, 0xc // 8d4514 | lea eax, [ebp + 0x14] // 50 | push eax $sequence_39 = { e8???????? 6a00 8d45d4 50 68???????? } // n = 5, score = 500 // e8???????? | // 6a00 | push 0 // 8d45d4 | lea eax, [ebp - 0x2c] // 50 | push eax // 68???????? 
| $sequence_40 = { 5d c3 33c9 66890c46 } // n = 4, score = 300 // 5d | pop ebp // c3 | ret // 33c9 | xor ecx, ecx // 66890c46 | mov word ptr [esi + eax*2], cx $sequence_41 = { 8b4a04 83c204 03f0 85c9 75e1 } // n = 5, score = 100 // 8b4a04 | mov ecx, dword ptr [edx + 4] // 83c204 | add edx, 4 // 03f0 | add esi, eax // 85c9 | test ecx, ecx // 75e1 | jne 0xffffffe3 $sequence_42 = { 01f1 898424a8000000 899424ac000000 8d8424b4000000 89c2 8db424c4000000 } // n = 6, score = 100 // 01f1 | add ecx, esi // 898424a8000000 | mov dword ptr [esp + 0xa8], eax // 899424ac000000 | mov dword ptr [esp + 0xac], edx // 8d8424b4000000 | lea eax, [esp + 0xb4] // 89c2 | mov edx, eax // 8db424c4000000 | lea esi, [esp + 0xc4] $sequence_43 = { 8a442417 8b4c2410 0485 88440c66 89ca 83c201 } // n = 6, score = 100 // 8a442417 | mov al, byte ptr [esp + 0x17] // 8b4c2410 | mov ecx, dword ptr [esp + 0x10] // 0485 | add al, 0x85 // 88440c66 | mov byte ptr [esp + ecx + 0x66], al // 89ca | mov edx, ecx // 83c201 | add edx, 1 $sequence_44 = { ffd3 85ff 741b 6808020000 6a00 } // n = 5, score = 100 // ffd3 | call ebx // 85ff | test edi, edi // 741b | je 0x1d // 6808020000 | push 0x208 // 6a00 | push 0 $sequence_45 = { 88442401 894c245c 0f847afdffff e9???????? } // n = 4, score = 100 // 88442401 | mov byte ptr [esp + 1], al // 894c245c | mov dword ptr [esp + 0x5c], ecx // 0f847afdffff | je 0xfffffd80 // e9???????? 
| $sequence_46 = { 89442410 884c2417 eb94 55 89e5 31c0 } // n = 6, score = 100 // 89442410 | mov dword ptr [esp + 0x10], eax // 884c2417 | mov byte ptr [esp + 0x17], cl // eb94 | jmp 0xffffff96 // 55 | push ebp // 89e5 | mov ebp, esp // 31c0 | xor eax, eax $sequence_47 = { 8945fc 8b4518 53 8b5d10 56 8945c4 } // n = 6, score = 100 // 8945fc | mov dword ptr [ebp - 4], eax // 8b4518 | mov eax, dword ptr [ebp + 0x18] // 53 | push ebx // 8b5d10 | mov ebx, dword ptr [ebp + 0x10] // 56 | push esi // 8945c4 | mov dword ptr [ebp - 0x3c], eax $sequence_48 = { 8b742420 81c638a1e7c3 39f0 89442410 894c240c 89542408 7408 } // n = 7, score = 100 // 8b742420 | mov esi, dword ptr [esp + 0x20] // 81c638a1e7c3 | add esi, 0xc3e7a138 // 39f0 | cmp eax, esi // 89442410 | mov dword ptr [esp + 0x10], eax // 894c240c | mov dword ptr [esp + 0xc], ecx // 89542408 | mov dword ptr [esp + 8], edx // 7408 | je 0xa $sequence_49 = { 8b74242c bb3c13b648 f7e3 69f63c13b648 01f2 89442428 8954242c } // n = 7, score = 100 // 8b74242c | mov esi, dword ptr [esp + 0x2c] // bb3c13b648 | mov ebx, 0x48b6133c // f7e3 | mul ebx // 69f63c13b648 | imul esi, esi, 0x48b6133c // 01f2 | add edx, esi // 89442428 | mov dword ptr [esp + 0x28], eax // 8954242c | mov dword ptr [esp + 0x2c], edx $sequence_50 = { 8b4c2444 ffd1 83ec08 b901000000 ba66000000 31ff 89c3 } // n = 7, score = 100 // 8b4c2444 | mov ecx, dword ptr [esp + 0x44] // ffd1 | call ecx // 83ec08 | sub esp, 8 // b901000000 | mov ecx, 1 // ba66000000 | mov edx, 0x66 // 31ff | xor edi, edi // 89c3 | mov ebx, eax $sequence_51 = { 89e0 89580c bb04000000 895808 8b5c246c 895804 8b9c2480000000 } // n = 7, score = 100 // 89e0 | mov eax, esp // 89580c | mov dword ptr [eax + 0xc], ebx // bb04000000 | mov ebx, 4 // 895808 | mov dword ptr [eax + 8], ebx // 8b5c246c | mov ebx, dword ptr [esp + 0x6c] // 895804 | mov dword ptr [eax + 4], ebx // 8b9c2480000000 | mov ebx, dword ptr [esp + 0x80] $sequence_52 = { 8bf0 83c40c 85f6 0f84f8000000 a1???????? 
} // n = 5, score = 100 // 8bf0 | mov esi, eax // 83c40c | add esp, 0xc // 85f6 | test esi, esi // 0f84f8000000 | je 0xfe // a1???????? | condition: 7 of them and filesize < 4883456 } ] }, { Malware : ShadowPad , Description : There is no description at this point. , YARA : [ rule win_shadowpad_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.shadowpad.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 59 8d75dc a3???????? e8???????? 53 ff15???????? } // n = 7, score = 200 // e8???????? | // 59 | pop ecx // 8d75dc | lea esi, [ebp - 0x24] // a3???????? | // e8???????? | // 53 | push ebx // ff15???????? | $sequence_1 = { 5b c9 c3 55 8bec b8f8100000 e8???????? } // n = 7, score = 200 // 5b | pop ebx // c9 | leave // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // b8f8100000 | mov eax, 0x10f8 // e8???????? | $sequence_2 = { 8bec 53 57 ff7508 ff15???????? 
8d7801 } // n = 6, score = 200 // 8bec | mov ebp, esp // 53 | push ebx // 57 | push edi // ff7508 | push dword ptr [ebp + 8] // ff15???????? | // 8d7801 | lea edi, [eax + 1] $sequence_3 = { 8d45e8 50 53 8d75d0 } // n = 4, score = 200 // 8d45e8 | lea eax, [ebp - 0x18] // 50 | push eax // 53 | push ebx // 8d75d0 | lea esi, [ebp - 0x30] $sequence_4 = { 7e25 8a0c56 8a445601 80e961 2c6a } // n = 5, score = 200 // 7e25 | jle 0x27 // 8a0c56 | mov cl, byte ptr [esi + edx*2] // 8a445601 | mov al, byte ptr [esi + edx*2 + 1] // 80e961 | sub cl, 0x61 // 2c6a | sub al, 0x6a $sequence_5 = { 50 6a04 5f e8???????? 85c0 75ae 8d4310 } // n = 7, score = 200 // 50 | push eax // 6a04 | push 4 // 5f | pop edi // e8???????? | // 85c0 | test eax, eax // 75ae | jne 0xffffffb0 // 8d4310 | lea eax, [ebx + 0x10] $sequence_6 = { 83ec24 53 56 57 33ff 393d???????? } // n = 6, score = 200 // 83ec24 | sub esp, 0x24 // 53 | push ebx // 56 | push esi // 57 | push edi // 33ff | xor edi, edi // 393d???????? | $sequence_7 = { e8???????? 8b1d???????? 50 ffd3 6800010000 668945f0 } // n = 6, score = 200 // e8???????? | // 8b1d???????? | // 50 | push eax // ffd3 | call ebx // 6800010000 | push 0x100 // 668945f0 | mov word ptr [ebp - 0x10], ax $sequence_8 = { 8bfe 8d45e8 895de8 895dec 895df4 895df0 885df8 } // n = 7, score = 200 // 8bfe | mov edi, esi // 8d45e8 | lea eax, [ebp - 0x18] // 895de8 | mov dword ptr [ebp - 0x18], ebx // 895dec | mov dword ptr [ebp - 0x14], ebx // 895df4 | mov dword ptr [ebp - 0xc], ebx // 895df0 | mov dword ptr [ebp - 0x10], ebx // 885df8 | mov byte ptr [ebp - 8], bl $sequence_9 = { 0fb639 c1ce08 83cf20 03f7 83c102 81f6a3d9357c 663919 } // n = 7, score = 200 // 0fb639 | movzx edi, byte ptr [ecx] // c1ce08 | ror esi, 8 // 83cf20 | or edi, 0x20 // 03f7 | add esi, edi // 83c102 | add ecx, 2 // 81f6a3d9357c | xor esi, 0x7c35d9a3 // 663919 | cmp word ptr [ecx], bx condition: 7 of them and filesize < 188416 } ] }, { Malware : Akira , Description : There is no description at this point. 
, YARA : [ rule win_akira_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.akira.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.akira\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b01 85c0 7e18 ffc8 8901 498b4840 488b11 } // n = 7, score = 200 // 8b01 | mov dword ptr [ebp - 0x41], esi // 85c0 | xor cl, cl // 7e18 | mov byte ptr [ebp + 0x77], cl // ffc8 | inc ebp // 8901 | xor edi, edi // 498b4840 | inc esp // 488b11 | mov dword ptr [ebp - 0x69], edi $sequence_1 = { 418bc9 83c902 41f6c108 410f44c9 81e13bffffff 390d???????? 741d } // n = 7, score = 200 // 418bc9 | mov byte ptr [ebp + 0x6f4], 0x37 // 83c902 | mov byte ptr [ebp + 0x6f5], 0x74 // 41f6c108 | mov byte ptr [ebp + 0x6f6], 0x37 // 410f44c9 | mov byte ptr [ebp + 0x6f7], 0x74 // 81e13bffffff | mov byte ptr [ebp + 0x6f8], 0x62 // 390d???????? 
| // 741d | mov byte ptr [ebp + 0x6f9], 0x74 $sequence_2 = { 90 488b4b60 48894c2430 4885c9 7445 488b5370 4889542440 } // n = 7, score = 200 // 90 | inc dx // 488b4b60 | cmp dword ptr [eax + eax*2], 0 // 48894c2430 | jne 0x6bb // 4885c9 | dec eax // 7445 | lea edx, [ebp + 0x113] // 488b5370 | dec eax // 4889542440 | lea ecx, [ebp + 0xe80] $sequence_3 = { 7cee 488bcb 488b5c2430 4883c420 5f e9???????? 0fb6043b } // n = 7, score = 200 // 7cee | mov byte ptr [edi + 0x321], al // 488bcb | dec eax // 488b5c2430 | mov eax, dword ptr [edi + 0x81] // 4883c420 | dec eax // 5f | lea edx, [edi + 0x5a0] // e9???????? | // 0fb6043b | dec ecx $sequence_4 = { ff5208 90 488b4b60 48894c2430 4885c9 7445 488b5370 } // n = 7, score = 200 // ff5208 | nop // 90 | mov byte ptr [ebp - 4], 0 // 488b4b60 | mov byte ptr [ebp - 3], 0x52 // 48894c2430 | mov byte ptr [ebp - 2], 0x76 // 4885c9 | mov byte ptr [ebp - 1], 0xd // 7445 | mov byte ptr [ebp], 0x76 // 488b5370 | mov byte ptr [ebp + 1], 0x23 $sequence_5 = { e8???????? 488975d0 488b4dd8 488975d8 48894808 0f1045e0 0f114010 } // n = 7, score = 200 // e8???????? | // 488975d0 | lea ecx, [0x74d6a] // 488b4dd8 | mov dword ptr [esp + 0x60], 2 // 488975d8 | jne 0x6a8 // 48894808 | dec eax // 0f1045e0 | lea ecx, [0xcfa1] // 0f114010 | dec eax $sequence_6 = { 4488443c6e 48ffc7 4883ff0a 72ac 0f57c0 0f118590020000 0f57c9 } // n = 7, score = 200 // 4488443c6e | lea ecx, [ebp - 0x79] // 48ffc7 | dec eax // 4883ff0a | sub eax, ecx // 72ac | dec eax // 0f57c0 | cmp eax, 0x16 // 0f118590020000 | jae 0x1896 // 0f57c9 | mov byte ptr [ebp + 0x77], 1 $sequence_7 = { 740a e8???????? 488bd8 eb03 498bdd 49897e18 } // n = 6, score = 200 // 740a | dec ecx // e8???????? | // 488bd8 | inc eax // eb03 | inc dx // 498bdd | cmp dword ptr [eax + eax*2], 0 // 49897e18 | jne 0x14c6 $sequence_8 = { e8???????? 33f6 41897578 49397568 744d 488b0f 40387128 } // n = 7, score = 200 // e8???????? 
| // 33f6 | mov ecx, dword ptr [eax] // 41897578 | cmp byte ptr [eax], 0 // 49397568 | dec esp // 744d | cmovg esi, eax // 488b0f | inc ecx // 40387128 | movzx eax, byte ptr [esi] $sequence_9 = { c645bf01 4883ef01 75b4 0f2845bf 33ff 4c8d75cf 48837de710 } // n = 7, score = 200 // c645bf01 | je 0x38e // 4883ef01 | cmp ax, 0x5c // 75b4 | je 0x35d // 0f2845bf | cmp ax, 0x2f // 33ff | jne 0x366 // 4c8d75cf | dec eax // 48837de710 | add ecx, 2 condition: 7 of them and filesize < 1286144 } ] }, { Malware : MuddyC2Go , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : phemedrone_stealer , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : PhonyC2 , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Quasar RAT , Description : Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. , YARA : [ rule win_quasar_rat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2018-11-23\ version = \ 1\ description = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator 0.1a\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat\ malpedia_version = \ 20180607\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. 
* The code and documentation / approach will be published in the near future here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 24c1 0430 e800000000 8408 } // n = 4, score = 1000 // 24c1 | and al, 0xc1 // 0430 | add al, 0x30 // e800000000 | call 0x42394c // 8408 | test byte ptr [eax], cl $sequence_1 = { e800000000 8408 d408 0100 } // n = 4, score = 1000 // e800000000 | call 0x42394c // 8408 | test byte ptr [eax], cl // d408 | aam 8 // 0100 | add dword ptr [eax], eax $sequence_2 = { c508 0100 5a 24c1 } // n = 4, score = 1000 // c508 | lds ecx, ptr [eax] // 0100 | add dword ptr [eax], eax // 5a | pop edx // 24c1 | and al, 0xc1 $sequence_3 = { 61 00c0 0428 e800000000 } // n = 4, score = 1000 // 61 | popal // 00c0 | add al, al // 0428 | add al, 0x28 // e800000000 | call 0x42393c $sequence_4 = { 00c0 0428 e800000000 8408 } // n = 4, score = 1000 // 00c0 | add al, al // 0428 | add al, 0x28 // e800000000 | call 0x42393c // 8408 | test byte ptr [eax], cl $sequence_5 = { e800000000 8408 c508 0100 } // n = 4, score = 1000 // e800000000 | call 0x42393c // 8408 | test byte ptr [eax], cl // c508 | lds ecx, ptr [eax] // 0100 | add dword ptr [eax], eax $sequence_6 = { 60 24c1 043c e800000000 } // n = 4, score = 1000 // 60 | pushal // 24c1 | and al, 0xc1 // 043c | add al, 0x3c // e800000000 | call 0x42395c $sequence_7 = { d408 0100 60 24c1 } // n = 4, score = 1000 // d408 | aam 8 // 0100 | add dword ptr [eax], eax // 60 | pushal // 24c1 | and al, 0xc1 $sequence_8 = { e800000000 8418 ee 0200 } // n = 4, score = 1000 // e800000000 | call 0x42395c // 8418 | test byte ptr [eax], bl // ee | out dx, al // 0200 | add 
al, byte ptr [eax] $sequence_9 = { 0100 5a 24c1 0430 } // n = 4, score = 1000 // 0100 | add dword ptr [eax], eax // 5a | pop edx // 24c1 | and al, 0xc1 // 0430 | add al, 0x30 condition: 7 of them } ] }, { Malware : RedLine Stealer , Description : RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : Ryuk , Description : Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts found that the Ryuk and Hermes ransomware families share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts found that the Ryuk and Hermes ransomware families share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. , YARA : [ rule win_ryuk_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.ryuk.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. 
* Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 68???????? 6a01 6a00 6814010000 } // n = 4, score = 2400 // 68???????? | // 6a01 | sub esi, edx // 6a00 | push ebx // 6814010000 | push ebx $sequence_1 = { ff15???????? 85c0 7508 6a01 ff15???????? 68???????? 6a01 } // n = 7, score = 2300 // ff15???????? | // 85c0 | jne 0 // 7508 | lea edi, [ebx - 2] // 6a01 | sub edx, esi // ff15???????? | // 68???????? | // 6a01 | push ebx $sequence_2 = { 6a08 6a18 68???????? 68???????? 68???????? ff15???????? } // n = 6, score = 1900 // 6a08 | mov eax, 1 // 6a18 | jmp 0x12 // 68???????? | // 68???????? | // 68???????? | // ff15???????? | $sequence_3 = { 754c b90b010000 66398818000035 753e 8b4508 b9???????? 2bc1 } // n = 7, score = 1800 // 754c | mov eax, ebx // b90b010000 | dec eax // 66398818000035 | add esp, 0x30 // 753e | pop ebx // 8b4508 | ret // b9???????? | // 2bc1 | dec eax $sequence_4 = { 68???????? ff15???????? 85c0 7578 6a10 6a18 } // n = 6, score = 1800 // 68???????? | // ff15???????? | // 85c0 | je 9 // 7578 | mov eax, 1 // 6a10 | jmp 0x12 // 6a18 | jmp 0xd $sequence_5 = { 755d a1???????? 81b8????????50450000 754c b90b010000 66398818000035 } // n = 6, score = 1800 // 755d | ret // a1???????? | // 81b8????????50450000 | // 754c | inc eax // b90b010000 | push ebx // 66398818000035 | dec eax $sequence_6 = { 68???????? ff15???????? 85c0 7542 6a28 6a18 } // n = 6, score = 1800 // 68???????? | // ff15???????? | // 85c0 | je 9 // 7542 | mov eax, 1 // 6a28 | jmp 0x14 // 6a18 | jmp 0xf $sequence_7 = { 68c0cf6a00 ff15???????? 6a01 ff15???????? } // n = 4, score = 1700 // 68c0cf6a00 | dec eax // ff15???????? | // 6a01 | sub esp, 0x20 // ff15???????? | $sequence_8 = { 7407 b801000000 eb0b eb04 } // n = 4, score = 1400 // 7407 | mov eax, ecx // b801000000 | ret // eb0b | inc eax // eb04 | push ebx $sequence_9 = { e8???????? 68e8030000 ff15???????? 68???????? 
e8???????? } // n = 5, score = 1400 // e8???????? | // 68e8030000 | lea edi, [edi + 2] // ff15???????? | // 68???????? | // e8???????? | $sequence_10 = { 720f b901000000 6bd103 8b45fc c6041000 } // n = 5, score = 1300 // 720f | push 8 // b901000000 | push 0x18 // 6bd103 | test eax, eax // 8b45fc | push 8 // c6041000 | push 0x18 $sequence_11 = { 83c101 ba01000000 d1e2 8b45fc } // n = 4, score = 1300 // 83c101 | test eax, eax // ba01000000 | jne 0x7a // d1e2 | push 0x10 // 8b45fc | test eax, eax $sequence_12 = { 8908 895004 837df800 7709 } // n = 4, score = 1300 // 8908 | test eax, eax // 895004 | jne 0x44 // 837df800 | test eax, eax // 7709 | jne 0x7a $sequence_13 = { 89459c 8955a0 8b55a0 3b55f8 0f870b020000 } // n = 5, score = 1300 // 89459c | jne 0x7a // 8955a0 | push 0x10 // 8b55a0 | push 0x18 // 3b55f8 | test eax, eax // 0f870b020000 | jne 0x44 $sequence_14 = { ba01000000 6bc203 8b55fc 880c02 b804000000 } // n = 5, score = 1300 // ba01000000 | push 0x28 // 6bc203 | test eax, eax // 8b55fc | jne 0x27 // 880c02 | push 8 // b804000000 | push 0x18 $sequence_15 = { ff15???????? b811000000 e9???????? e9???????? } // n = 4, score = 1200 // ff15???????? | // b811000000 | cmp word ptr [edi], 0x4e // e9???????? | // e9???????? | $sequence_16 = { ff15???????? 833d????????00 6a10 6a18 } // n = 4, score = 900 // ff15???????? | // 833d????????00 | // 6a10 | lea edx, [eax + 2] // 6a18 | test cx, cx $sequence_17 = { 6a00 6814010000 ff7508 ff35???????? } // n = 4, score = 900 // 6a00 | sar esi, 1 // 6814010000 | and ecx, 3 // ff7508 | rep movsb byte ptr es:[edi], byte ptr [esi] // ff35???????? | $sequence_18 = { 7407 48 85c0 7ff0 } // n = 4, score = 900 // 7407 | sub esi, edx // 48 | push ebx // 85c0 | sar esi, 1 // 7ff0 | add esp, 8 $sequence_19 = { ff15???????? b803000000 eb05 b805000000 } // n = 4, score = 800 // ff15???????? 
| // b803000000 | mov eax, 3 // eb05 | jmp 7 // b805000000 | mov eax, 5 $sequence_20 = { 2bf0 33c0 66890473 83ffff } // n = 4, score = 800 // 2bf0 | add esp, 0x28 // 33c0 | ret // 66890473 | dec eax // 83ffff | mov dword ptr [esp + 8], ebx $sequence_21 = { 751b ff35???????? ff35???????? 6a01 68???????? e8???????? } // n = 6, score = 800 // 751b | lea edi, [edx - 2] // ff35???????? | // ff35???????? | // 6a01 | mov ax, word ptr [edi + 2] // 68???????? | // e8???????? | $sequence_22 = { eb0b 8bc1 99 f7fe } // n = 4, score = 700 // eb0b | lea edi, [edx - 2] // 8bc1 | mov ax, word ptr [edi + 2] // 99 | lea edi, [edi + 2] // f7fe | test ax, ax $sequence_23 = { 56 ff15???????? 8bcb 8d5102 } // n = 4, score = 700 // 56 | mov eax, ecx // ff15???????? | // 8bcb | ret // 8d5102 | inc eax $sequence_24 = { 7714 7212 81f9d0070000 770a 85d2 } // n = 5, score = 700 // 7714 | jne 0x4e // 7212 | mov ecx, 0x10b // 81f9d0070000 | cmp word ptr [eax + 0x35000018], cx // 770a | jne 0x47 // 85d2 | jne 0x4e $sequence_25 = { e8???????? e8???????? b9e8030000 ff15???????? } // n = 4, score = 700 // e8???????? | // e8???????? | // b9e8030000 | mov ecx, 0x3e8 // ff15???????? | $sequence_26 = { 668b02 83c202 6685c0 75f5 8d7bfe 2bd6 } // n = 6, score = 600 // 668b02 | cmp word ptr [edi], 0x4e // 83c202 | jne 0x18 // 6685c0 | cmp word ptr [edi + 2], 0x54 // 75f5 | jne 0x18 // 8d7bfe | cmp word ptr [edi + 6], 0x41 // 2bd6 | cmp word ptr [edi], 0x4e $sequence_27 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 } // n = 7, score = 600 // 0f9fc0 | test eax, eax // 5d | jne 0xc // c3 | push 1 // 8bff | push 1 // 55 | test eax, eax // 8bec | jne 0xc // 8b4508 | push 1 $sequence_28 = { 5d c3 8bcb 8d5102 } // n = 4, score = 600 // 5d | shr eax, 6 // c3 | imul eax, eax, 0x5a // 8bcb | shr eax, 1 // 8d5102 | add eax, edx $sequence_29 = { d1fa 2bca 33c0 6689444bfe e9???????? 33c0 } // n = 6, score = 600 // d1fa | lea edx, [ecx + 2] // 2bca | sub eax, edx // 33c0 | sar eax, 1 // 6689444bfe | sub esi, eax // e9???????? 
| // 33c0 | xor eax, eax $sequence_30 = { 488bc3 4883c430 5b c3 48895c2408 48896c2410 4889742418 } // n = 7, score = 600 // 488bc3 | sub esp, 0x20 // 4883c430 | mov eax, ecx // 5b | dec ecx // c3 | mov ebx, eax // 48895c2408 | dec eax // 48896c2410 | mov eax, ebx // 4889742418 | dec eax $sequence_31 = { 68???????? 53 d1fe e8???????? 83c408 8d5002 } // n = 6, score = 600 // 68???????? | // 53 | dec eax // d1fe | sub esp, 0x30 // e8???????? | // 83c408 | and dword ptr [esp + 0x20], 0 // 8d5002 | cmp word ptr [edi], 0x4e $sequence_32 = { 498bc1 c3 4053 4883ec20 8bc1 498bd8 } // n = 6, score = 600 // 498bc1 | dec ecx // c3 | mov eax, ecx // 4053 | ret // 4883ec20 | inc eax // 8bc1 | push ebx // 498bd8 | dec eax $sequence_33 = { 50 51 e8???????? 6a00 6840420f00 52 50 } // n = 7, score = 600 // 50 | push 1 // 51 | push 1 // e8???????? | // 6a00 | push 1 // 6840420f00 | push 0 // 52 | push 0x114 // 50 | jne 0xa $sequence_34 = { 83c602 6685c9 75f5 2bf2 68???????? 53 } // n = 6, score = 600 // 83c602 | jne 0x18 // 6685c9 | cmp word ptr [edi + 2], 0x54 // 75f5 | jne 0x18 // 2bf2 | cmp word ptr [edi + 6], 0x41 // 68???????? | // 53 | cmp word ptr [edi + 2], 0x54 $sequence_35 = { f3a4 8d7afe 668b4702 8d7f02 6685c0 75f4 a1???????? } // n = 7, score = 600 // f3a4 | dec eax // 8d7afe | add esp, 0x28 // 668b4702 | ret // 8d7f02 | dec eax // 6685c0 | mov dword ptr [esp + 8], ebx // 75f4 | push edi // a1???????? | $sequence_36 = { 4883c428 c3 48895c2408 57 4883ec30 8364242000 } // n = 6, score = 600 // 4883c428 | dec eax // c3 | add esp, 0x30 // 48895c2408 | pop ebx // 57 | ret // 4883ec30 | dec eax // 8364242000 | mov dword ptr [esp + 8], ebx $sequence_37 = { 33c9 ba10270000 41b800100000 448d4904 ff15???????? } // n = 5, score = 500 // 33c9 | cmp word ptr [edi + 6], 0x41 // ba10270000 | inc ebp // 41b800100000 | xor ecx, ecx // 448d4904 | inc ebp // ff15???????? 
| $sequence_38 = { f7e1 8bc1 2bc2 d1e8 03c2 c1e806 6bc05a } // n = 7, score = 500 // f7e1 | dec eax // 8bc1 | sub esp, 0x20 // 2bc2 | mov eax, ecx // d1e8 | dec ecx // 03c2 | mov ebx, eax // c1e806 | cmp word ptr [edi], 0x4e // 6bc05a | jne 0x18 $sequence_39 = { ff15???????? 41b900300000 c744242040000000 448bc3 488bd6 488bcf } // n = 6, score = 500 // ff15???????? | // 41b900300000 | jne 0x18 // c744242040000000 | cmp word ptr [edi + 2], 0x54 // 448bc3 | jne 0x11 // 488bd6 | cmp word ptr [edi + 6], 0x41 // 488bcf | jne 0x11 $sequence_40 = { c744242802000000 4533c9 4533c0 c744242002000000 ba000000c0 } // n = 5, score = 500 // c744242802000000 | jne 0x18 // 4533c9 | cmp word ptr [edi + 2], 0x54 // 4533c0 | jne 0x16 // c744242002000000 | cmp word ptr [edi + 6], 0x41 // ba000000c0 | jne 0x16 $sequence_41 = { ff15???????? 488bd8 ff15???????? 83f820 7510 488bcb ff15???????? } // n = 7, score = 500 // ff15???????? | // 488bd8 | cmp word ptr [edi], 0x4e // ff15???????? | // 83f820 | jne 0x18 // 7510 | cmp word ptr [edi + 2], 0x54 // 488bcb | jne 0x18 // ff15???????? | $sequence_42 = { 4533c9 4533c0 c744242003000000 ba00000040 ff15???????? 488bd8 ff15???????? } // n = 7, score = 500 // 4533c9 | ret // 4533c0 | inc eax // c744242003000000 | push ebx // ba00000040 | dec eax // ff15???????? | // 488bd8 | sub esp, 0x20 // ff15???????? | $sequence_43 = { 66837f0254 750f 66837f0641 7508 } // n = 4, score = 500 // 66837f0254 | push ebx // 750f | dec eax // 66837f0641 | sub esp, 0x20 // 7508 | mov eax, ecx $sequence_44 = { 4889442420 4c8bc6 488bd3 488bcf ff15???????? } // n = 5, score = 500 // 4889442420 | cmp word ptr [edi], 0x4e // 4c8bc6 | jne 0x18 // 488bd3 | cmp word ptr [edi + 2], 0x54 // 488bcf | jne 0x18 // ff15???????? | $sequence_45 = { ff15???????? 66833f4e 7516 66837f0254 750f } // n = 5, score = 500 // ff15???????? | // 66833f4e | mov eax, ebx // 7516 | dec eax // 66837f0254 | add esp, 0x30 // 750f | pop ebx $sequence_46 = { 84c0 746c e8???????? 
488d0d63080000 e8???????? e8???????? } // n = 6, score = 400 // 84c0 | push 0x114 // 746c | test eax, eax // e8???????? | // 488d0d63080000 | jne 0xc // e8???????? | // e8???????? | condition: 7 of them and filesize < 7450624 } ] }, { Malware : 404 Keylogger , Description : Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. There is no Yara-Signature yet. , YARA : [] }, { Malware : IcedID , Description : According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. 
IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.* In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.* The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.* Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and the comparatively rarely seen .URL attachments, which led to the Forked variant of IcedID. According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.* In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. 
It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.* The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.* Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID. , YARA : [ rule win_icedid_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.icedid.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. 
* Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 85c0 7511 56 57 ff15???????? } // n = 5, score = 1300 // 85c0 | test eax, eax // 7511 | jne 0x13 // 56 | push esi // 57 | push edi // ff15???????? | $sequence_1 = { 50 6801000080 ff15???????? eb13 } // n = 4, score = 1300 // 50 | push eax // 6801000080 | push 0x80000001 // ff15???????? | // eb13 | jmp 0x15 $sequence_2 = { 803e00 7427 6a3b 56 ff15???????? 8bf8 } // n = 6, score = 1300 // 803e00 | cmp byte ptr [esi], 0 // 7427 | je 0x29 // 6a3b | push 0x3b // 56 | push esi // ff15???????? | // 8bf8 | mov edi, eax $sequence_3 = { ff15???????? 85c0 7420 837c241000 7419 } // n = 5, score = 1300 // ff15???????? | // 85c0 | test eax, eax // 7420 | je 0x22 // 837c241000 | cmp dword ptr [esp + 0x10], 0 // 7419 | je 0x1b $sequence_4 = { 56 ff15???????? 8bf8 85ff 7418 c60700 } // n = 6, score = 1300 // 56 | push esi // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi // 7418 | je 0x1a // c60700 | mov byte ptr [edi], 0 $sequence_5 = { 68???????? 6a00 ff15???????? 33c0 40 } // n = 5, score = 1300 // 68???????? | // 6a00 | push 0 // ff15???????? | // 33c0 | xor eax, eax // 40 | inc eax $sequence_6 = { 50 ff15???????? 8bf7 8bc6 eb02 } // n = 5, score = 1300 // 50 | push eax // ff15???????? | // 8bf7 | mov esi, edi // 8bc6 | mov eax, esi // eb02 | jmp 4 $sequence_7 = { eb0f 6a08 ff15???????? 50 ff15???????? 8906 } // n = 6, score = 1300 // eb0f | jmp 0x11 // 6a08 | push 8 // ff15???????? | // 50 | push eax // ff15???????? | // 8906 | mov dword ptr [esi], eax $sequence_8 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 } // n = 6, score = 1000 // e8???????? 
| // 8bf0 | mov esi, eax // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // ff75fc | push dword ptr [ebp - 4] // 6a05 | push 5 $sequence_9 = { 743f 8d5808 0fb713 8954241c } // n = 4, score = 800 // 743f | je 0x41 // 8d5808 | lea ebx, [eax + 8] // 0fb713 | movzx edx, word ptr [ebx] // 8954241c | mov dword ptr [esp + 0x1c], edx $sequence_10 = { 03c2 eb5c 8d5004 89542414 8b12 85d2 } // n = 6, score = 800 // 03c2 | add eax, edx // eb5c | jmp 0x5e // 8d5004 | lea edx, [eax + 4] // 89542414 | mov dword ptr [esp + 0x14], edx // 8b12 | mov edx, dword ptr [edx] // 85d2 | test edx, edx $sequence_11 = { 66c16c241c0c 0fb7d2 c744241000100000 663b542410 } // n = 4, score = 800 // 66c16c241c0c | shr word ptr [esp + 0x1c], 0xc // 0fb7d2 | movzx edx, dx // c744241000100000 | mov dword ptr [esp + 0x10], 0x1000 // 663b542410 | cmp dx, word ptr [esp + 0x10] $sequence_12 = { 47 83c302 3bfd 72c4 } // n = 4, score = 800 // 47 | inc edi // 83c302 | add ebx, 2 // 3bfd | cmp edi, ebp // 72c4 | jb 0xffffffc6 $sequence_13 = { 8d4508 50 0fb6440b34 50 } // n = 4, score = 800 // 8d4508 | lea eax, [ebp + 8] // 50 | push eax // 0fb6440b34 | movzx eax, byte ptr [ebx + ecx + 0x34] // 50 | push eax $sequence_14 = { 89542414 8b12 85d2 7454 8d6af8 d1ed } // n = 6, score = 800 // 89542414 | mov dword ptr [esp + 0x14], edx // 8b12 | mov edx, dword ptr [edx] // 85d2 | test edx, edx // 7454 | je 0x56 // 8d6af8 | lea ebp, [edx - 8] // d1ed | shr ebp, 1 $sequence_15 = { 47 3b7820 72d1 5b 33c0 40 } // n = 6, score = 800 // 47 | inc edi // 3b7820 | cmp edi, dword ptr [eax + 0x20] // 72d1 | jb 0xffffffd3 // 5b | pop ebx // 33c0 | xor eax, eax // 40 | inc eax $sequence_16 = { ff5010 85c0 7407 33c0 e9???????? } // n = 5, score = 400 // ff5010 | call dword ptr [eax + 0x10] // 85c0 | test eax, eax // 7407 | je 9 // 33c0 | xor eax, eax // e9???????? 
| $sequence_17 = { 8a4173 a808 75f5 a804 7406 } // n = 5, score = 400 // 8a4173 | mov al, byte ptr [ecx + 0x73] // a808 | test al, 8 // 75f5 | jne 0xfffffff7 // a804 | test al, 4 // 7406 | je 8 $sequence_18 = { ff15???????? 85c0 750a b8010000c0 } // n = 4, score = 400 // ff15???????? | // 85c0 | test eax, eax // 750a | jne 0xc // b8010000c0 | mov eax, 0xc0000001 $sequence_19 = { 41 02fd c6430503 eb21 41 0fb6c1 } // n = 6, score = 200 // 41 | inc ecx // 02fd | add bh, ch // c6430503 | mov byte ptr [ebx + 5], 3 // eb21 | jmp 0x23 // 41 | inc ecx // 0fb6c1 | movzx eax, cl $sequence_20 = { 48 8bfa 48 8bf1 45 8d41ce e8???????? } // n = 7, score = 200 // 48 | dec eax // 8bfa | mov edi, edx // 48 | dec eax // 8bf1 | mov esi, ecx // 45 | inc ebp // 8d41ce | lea eax, [ecx - 0x32] // e8???????? | $sequence_21 = { 7407 41 2bcd 7515 eb0f 44 } // n = 6, score = 200 // 7407 | je 9 // 41 | inc ecx // 2bcd | sub ecx, ebp // 7515 | jne 0x17 // eb0f | jmp 0x11 // 44 | inc esp $sequence_22 = { 48 8d442458 48 8bf9 48 } // n = 5, score = 200 // 48 | dec eax // 8d442458 | lea eax, [esp + 0x58] // 48 | dec eax // 8bf9 | mov edi, ecx // 48 | dec eax $sequence_23 = { 8bce 894348 48 8b15???????? } // n = 4, score = 200 // 8bce | mov ecx, esi // 894348 | mov dword ptr [ebx + 0x48], eax // 48 | dec eax // 8b15???????? | $sequence_24 = { 7307 4c8b742420 eba1 488bb590020000 } // n = 4, score = 100 // 7307 | mov ecx, eax // 4c8b742420 | dec eax // eba1 | mov esi, dword ptr [ebp + 0x290] // 488bb590020000 | dec eax $sequence_25 = { 57 4883ec30 488bf2 488bd9 ff15???????? 4885c0 } // n = 6, score = 100 // 57 | dec ebp // 4883ec30 | mov esi, eax // 488bf2 | dec eax // 488bd9 | and dword ptr [eax - 0x28], edi // ff15???????? 
| // 4885c0 | dec esp $sequence_26 = { 7409 8b4c2478 493b0e 741e 498b1f 4885db } // n = 6, score = 100 // 7409 | je 0xb // 8b4c2478 | mov ecx, dword ptr [esp + 0x78] // 493b0e | dec ecx // 741e | cmp ecx, dword ptr [esi] // 498b1f | je 0x20 // 4885db | dec ecx $sequence_27 = { 33d2 488bc8 ff15???????? 488bb590020000 4885f6 7414 ff15???????? } // n = 7, score = 100 // 33d2 | mov ebx, dword ptr [edi] // 488bc8 | dec eax // ff15???????? | // 488bb590020000 | test ebx, ebx // 4885f6 | xor edx, edx // 7414 | dec eax // ff15???????? | $sequence_28 = { 33d2 488bce ff15???????? 8bd8 49891e 85c0 } // n = 6, score = 100 // 33d2 | mov esi, eax // 488bce | dec eax // ff15???????? | // 8bd8 | cmp eax, -1 // 49891e | jne 0x10 // 85c0 | push edi $sequence_29 = { 4533c0 c740c803000000 ba00000080 ff15???????? 488bf0 4883f8ff 7507 } // n = 7, score = 100 // 4533c0 | mov esi, dword ptr [ebp + 0x290] // c740c803000000 | pop ebp // ba00000080 | ret // ff15???????? | // 488bf0 | dec eax // 4883f8ff | lea eax, [0x1e0d] // 7507 | xor edi, edi $sequence_30 = { 33ff 4d8bf0 482178d8 4c8bfa } // n = 4, score = 100 // 33ff | dec esp // 4d8bf0 | mov esi, dword ptr [esp + 0x20] // 482178d8 | jmp 0xffffffaa // 4c8bfa | dec eax $sequence_31 = { 5d c3 488b0d???????? 488d050d1e0000 } // n = 4, score = 100 // 5d | test esi, esi // c3 | je 0x16 // 488b0d???????? | // 488d050d1e0000 | jae 9 condition: 7 of them and filesize < 303104 } ] }, { Malware : INC , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : RansomEXX , Description : According to SentineOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting. 
According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting. There is no Yara-Signature yet. , YARA : [] }, { Malware : RansomExx2 , Description : According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2. According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2. There is no Yara-Signature yet. , YARA : [] }, { Malware : Roaming Mantis , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : SnappyTCP , Description : According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023. According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023. There is no Yara-Signature yet. , YARA : [] }, { Malware : Unidentified 111 (IcedID Loader) , Description : First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. 
First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. , YARA : [ rule win_unidentified_111_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.unidentified_111.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488b4c2428 0fbe09 3bc1 7512 } // n = 4, score = 300 // 488b4c2428 | mov dword ptr [esp + 0x138], 0x16505e0 // 0fbe09 | dec eax // 3bc1 | lea eax, [0x75f6] // 7512 | dec eax $sequence_1 = { c744242002000000 e9???????? 
837c243406 7511 837c243801 750a } // n = 6, score = 300 // c744242002000000 | mov eax, dword ptr [esp + 0x40] // e9???????? | // 837c243406 | add eax, edx // 7511 | and eax, 0xff // 837c243801 | sub eax, edx // 750a | dec eax $sequence_2 = { 8b00 488b4c2430 488b09 0fbe0401 48634c2404 488b542428 0fbe0c0a } // n = 7, score = 300 // 8b00 | dec eax // 488b4c2430 | mov dword ptr [esp + 0x60], eax // 488b09 | imul eax, eax, 0x3e8 // 0fbe0401 | mov dword ptr [esp + 0xdc], eax // 48634c2404 | je 0x1992 // 488b542428 | xor edx, edx // 0fbe0c0a | imul eax, eax, 0x3e8 $sequence_3 = { eb43 41b901000000 448b442424 488b542428 488b4c2448 e8???????? } // n = 6, score = 300 // eb43 | dec eax // 41b901000000 | lea edx, [0xa84d] // 448b442424 | dec eax // 488b542428 | cmp dword ptr [esp + 0x48], 0 // 488b4c2448 | je 0x651 // e8???????? | $sequence_4 = { eb1f c744242000000000 4533c9 4533c0 } // n = 4, score = 300 // eb1f | dec eax // c744242000000000 | lea eax, [esp + 0x150] // 4533c9 | dec eax // 4533c0 | mov dword ptr [esp + 0x120], eax $sequence_5 = { 488b4c2448 ff15???????? 89442444 837c244400 7502 eb11 } // n = 6, score = 300 // 488b4c2448 | dec eax // ff15???????? | // 89442444 | mov dword ptr [esp + 8], ecx // 837c244400 | dec eax // 7502 | sub esp, 0x1c8 // eb11 | cmp dword ptr [esp + 0x1d8], 0x12 $sequence_6 = { 488d8c0c60020000 ba02000000 486bd200 4803ca 448bc0 488b542420 e8???????? } // n = 7, score = 300 // 488d8c0c60020000 | lea ecx, [0xa4d8] // ba02000000 | dec eax // 486bd200 | test eax, eax // 4803ca | je 0x1519 // 448bc0 | dec eax // 488b542420 | lea eax, [esp + 0x80] // e8???????? 
| $sequence_7 = { 66c1ca08 0fb7d2 4c8b8424a0000000 450fb74006 6641c1c808 450fb7c0 4c8b8c24a0000000 } // n = 7, score = 300 // 66c1ca08 | dec eax // 0fb7d2 | mov dword ptr [esp + 0x110], eax // 4c8b8424a0000000 | dec eax // 450fb74006 | mov eax, dword ptr [esp + 0x108] // 6641c1c808 | dec eax // 450fb7c0 | mov dword ptr [esp + 0x60], eax // 4c8b8c24a0000000 | mov dword ptr [esp + 0x58], 2 $sequence_8 = { e8???????? b910000000 e8???????? 4889442448 488b442448 488b4c2450 488908 } // n = 7, score = 300 // e8???????? | // b910000000 | add ecx, edx // e8???????? | // 4889442448 | mov ecx, 0x96 // 488b442448 | div ecx // 488b4c2450 | mov eax, edx // 488908 | add eax, 0x1c2 $sequence_9 = { 4889542410 48894c2408 4883ec78 c744243000000000 c744243400000000 488b942488000000 488d4c2448 } // n = 7, score = 300 // 4889542410 | dec eax // 48894c2408 | mov dword ptr [esp + 0x298], eax // 4883ec78 | mov dword ptr [esp + 0x2a0], 0xcce95612 // c744243000000000 | dec eax // c744243400000000 | lea eax, [0x6f67] // 488b942488000000 | dec eax // 488d4c2448 | mov dword ptr [esp + 0x2a8], eax condition: 7 of them and filesize < 148480 } ] }, { Malware : Bandook , Description : Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download. Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download. 
, YARA : [ rule win_bandook_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.bandook.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 68???????? ffd6 68???????? 6a01 6a00 ff15???????? 68e8030000 } // n = 7, score = 100 // 68???????? | // ffd6 | call esi // 68???????? | // 6a01 | push 1 // 6a00 | push 0 // ff15???????? | // 68e8030000 | push 0x3e8 $sequence_1 = { 8b7c2410 8d442438 50 53 ff15???????? 85c0 0f8529ffffff } // n = 7, score = 100 // 8b7c2410 | mov edi, dword ptr [esp + 0x10] // 8d442438 | lea eax, [esp + 0x38] // 50 | push eax // 53 | push ebx // ff15???????? 
| // 85c0 | test eax, eax // 0f8529ffffff | jne 0xffffff2f $sequence_2 = { 8d95f8f3ffff 8bce 2bd6 0f1f00 8a01 8d4901 } // n = 6, score = 100 // 8d95f8f3ffff | lea edx, [ebp - 0xc08] // 8bce | mov ecx, esi // 2bd6 | sub edx, esi // 0f1f00 | nop dword ptr [eax] // 8a01 | mov al, byte ptr [ecx] // 8d4901 | lea ecx, [ecx + 1] $sequence_3 = { ff15???????? ff35???????? ff15???????? 68???????? 68???????? 8d8424a8010000 68???????? } // n = 7, score = 100 // ff15???????? | // ff35???????? | // ff15???????? | // 68???????? | // 68???????? | // 8d8424a8010000 | lea eax, [esp + 0x1a8] // 68???????? | $sequence_4 = { 8bf9 897da0 8b7308 8d4dbc 897d9c 6a24 68???????? } // n = 7, score = 100 // 8bf9 | mov edi, ecx // 897da0 | mov dword ptr [ebp - 0x60], edi // 8b7308 | mov esi, dword ptr [ebx + 8] // 8d4dbc | lea ecx, [ebp - 0x44] // 897d9c | mov dword ptr [ebp - 0x64], edi // 6a24 | push 0x24 // 68???????? | $sequence_5 = { 83e103 f3a4 8d442428 50 53 ff15???????? 85c0 } // n = 7, score = 100 // 83e103 | and ecx, 3 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // 8d442428 | lea eax, [esp + 0x28] // 50 | push eax // 53 | push ebx // ff15???????? | // 85c0 | test eax, eax $sequence_6 = { 51 e8???????? 83c408 837dbc10 8d45a8 0f4345a8 50 } // n = 7, score = 100 // 51 | push ecx // e8???????? | // 83c408 | add esp, 8 // 837dbc10 | cmp dword ptr [ebp - 0x44], 0x10 // 8d45a8 | lea eax, [ebp - 0x58] // 0f4345a8 | cmovae eax, dword ptr [ebp - 0x58] // 50 | push eax $sequence_7 = { 88811744c213 84c0 75ed 0fb605???????? f30f7e05???????? a2???????? a1???????? } // n = 7, score = 100 // 88811744c213 | mov byte ptr [ecx + 0x13c24417], al // 84c0 | test al, al // 75ed | jne 0xffffffef // 0fb605???????? | // f30f7e05???????? | // a2???????? | // a1???????? 
| $sequence_8 = { c705????????80381713 c705????????003a1713 c705????????c03f1713 c705????????80401713 c705????????c0491713 c705????????704b1713 c705????????30451713 } // n = 7, score = 100 // c705????????80381713 | // c705????????003a1713 | // c705????????c03f1713 | // c705????????80401713 | // c705????????c0491713 | // c705????????704b1713 | // c705????????30451713 | $sequence_9 = { 83c40c 8d842498040000 6a64 50 6a07 6800040000 ff15???????? } // n = 7, score = 100 // 83c40c | add esp, 0xc // 8d842498040000 | lea eax, [esp + 0x498] // 6a64 | push 0x64 // 50 | push eax // 6a07 | push 7 // 6800040000 | push 0x400 // ff15???????? | condition: 7 of them and filesize < 23088128 } ] }, { Malware : DanaBot , Description : Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
, YARA : [ rule win_danabot_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.danabot.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 7405 83e804 8b00 83f814 7e18 8b45fc 50 } // n = 7, score = 400 // 7405 | je 7 // 83e804 | sub eax, 4 // 8b00 | mov eax, dword ptr [eax] // 83f814 | cmp eax, 0x14 // 7e18 | jle 0x1a // 8b45fc | mov eax, dword ptr [ebp - 4] // 50 | push eax $sequence_1 = { c1e803 83e03f 83f838 730b ba38000000 } // n = 5, score = 400 // c1e803 | shr eax, 3 // 83e03f | and eax, 0x3f // 83f838 | cmp eax, 0x38 // 730b | jae 0xd // ba38000000 | mov edx, 0x38 $sequence_2 = { 8b03 50 8b44242c 50 6a14 } // n = 5, score = 400 // 8b03 | mov eax, dword ptr [ebx] // 50 | push eax // 8b44242c | mov eax, dword ptr [esp + 0x2c] // 50 | push eax // 6a14 | push 0x14 $sequence_3 = { 8b45f8 85c0 7407 83e804 } // n = 4, score = 400 // 8b45f8 | mov eax, dword ptr [ebp - 8] // 85c0 | test eax, eax // 7407 | je 9 // 83e804 | sub eax, 4 $sequence_4 = { 8b16 e8???????? 8b07 50 8b442428 50 6a0a } // n = 7, score = 400 // 8b16 | mov edx, dword ptr [esi] // e8???????? | // 8b07 | mov eax, dword ptr [edi] // 50 | push eax // 8b442428 | mov eax, dword ptr [esp + 0x28] // 50 | push eax // 6a0a | push 0xa $sequence_5 = { 50 6a14 688a4c2a8d 8bc6 8b4d00 8b17 } // n = 6, score = 400 // 50 | push eax // 6a14 | push 0x14 // 688a4c2a8d | push 0x8d2a4c8a // 8bc6 | mov eax, esi // 8b4d00 | mov ecx, dword ptr [ebp] // 8b17 | mov edx, dword ptr [edi] $sequence_6 = { 3b85d0feffff 7452 8b85d0feffff 50 6a00 } // n = 5, score = 400 // 3b85d0feffff | cmp eax, dword ptr [ebp - 0x130] // 7452 | je 0x54 // 8b85d0feffff | mov eax, dword ptr [ebp - 0x130] // 50 | push eax // 6a00 | push 0 $sequence_7 = { 6a00 49 75f9 51 53 56 bb???????? } // n = 7, score = 400 // 6a00 | push 0 // 49 | dec ecx // 75f9 | jne 0xfffffffb // 51 | push ecx // 53 | push ebx // 56 | push esi // bb???????? | $sequence_8 = { 8b0f 8b16 e8???????? 8b07 50 8b442454 50 } // n = 7, score = 400 // 8b0f | mov ecx, dword ptr [edi] // 8b16 | mov edx, dword ptr [esi] // e8???????? 
| // 8b07 | mov eax, dword ptr [edi] // 50 | push eax // 8b442454 | mov eax, dword ptr [esp + 0x54] // 50 | push eax $sequence_9 = { 56 57 8bf1 8955f8 8945fc 8d45fc } // n = 6, score = 400 // 56 | push esi // 57 | push edi // 8bf1 | mov esi, ecx // 8955f8 | mov dword ptr [ebp - 8], edx // 8945fc | mov dword ptr [ebp - 4], eax // 8d45fc | lea eax, [ebp - 4] condition: 7 of them and filesize < 237568 } ] }, { Malware : HijackLoader , Description : According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format. According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format. There is no Yara-Signature yet. , YARA : [] }, { Malware : Royal Ransom , Description : Ransomware Ransomware , YARA : [ rule win_royal_ransom_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.royal_ransom.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 752f e8???????? 4c8d05d60c1400 ba8b010000 488d0d320c1400 e8???????? 4533c0 } // n = 7, score = 100 // 752f | lea edx, [0x143571] // e8???????? | // 4c8d05d60c1400 | inc ebp // ba8b010000 | xor ecx, ecx // 488d0d320c1400 | test eax, eax // e8???????? | // 4533c0 | jle 0x78b $sequence_1 = { e9???????? 2bc3 488d0d2df4dfff 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 } // n = 7, score = 100 // e9???????? | // 2bc3 | dec eax // 488d0d2df4dfff | arpl di, ax // 488b8ce9d02c2d00 | dec eax // 8064f93dfd | lea ebx, [eax*8] // f7d8 | dec eax // 1ac0 | add ecx, ebx $sequence_2 = { e8???????? 33c0 e9???????? 488b4820 e8???????? 85c0 0f8497020000 } // n = 7, score = 100 // e8???????? | // 33c0 | inc ecx // e9???????? | // 488b4820 | mov eax, 0xa // e8???????? | // 85c0 | dec eax // 0f8497020000 | mov edx, esi $sequence_3 = { e8???????? 488d4e24 448bc8 4c8d0579a80d00 ba09000000 e8???????? 488bcb } // n = 7, score = 100 // e8???????? | // 488d4e24 | inc ebp // 448bc8 | xor ecx, dword ptr [edi + ecx*4 + 0x25fb80] // 4c8d0579a80d00 | inc esp // ba09000000 | mov eax, ebx // e8???????? | // 488bcb | mov dword ptr [esp + 0x20], 0xffffffff $sequence_4 = { 8bc2 896c2444 418bfe 83fa02 7d3e e8???????? 4c8d05e7a90f00 } // n = 7, score = 100 // 8bc2 | dec eax // 896c2444 | mov ecx, edi // 418bfe | dec eax // 83fa02 | test eax, eax // 7d3e | je 0xe0e // e8???????? | // 4c8d05e7a90f00 | dec eax $sequence_5 = { 488d1507b51300 41b893040000 e8???????? 41b894040000 488d15efb41300 488bcf e8???????? 
} // n = 7, score = 100 // 488d1507b51300 | dec esp // 41b893040000 | lea eax, [0xfa846] // e8???????? | // 41b894040000 | mov edx, 0x69 // 488d15efb41300 | dec eax // 488bcf | lea ecx, [0xfa7fa] // e8???????? | $sequence_6 = { e8???????? baa6000000 4c89742420 4c8bcd 4c8d05f3a80e00 8d4a93 e8???????? } // n = 7, score = 100 // e8???????? | // baa6000000 | dec eax // 4c89742420 | lea ecx, [0xd9b5a] // 4c8bcd | dec eax // 4c8d05f3a80e00 | cmp eax, esi // 8d4a93 | jne 0xe0d // e8???????? | $sequence_7 = { 754a e8???????? 4c8d054e820d00 baa2000000 488d0df2810d00 e8???????? 4533c0 } // n = 7, score = 100 // 754a | lea edx, [0x146338] // e8???????? | // 4c8d054e820d00 | dec eax // baa2000000 | sub ebx, edi // 488d0df2810d00 | test eax, eax // e8???????? | // 4533c0 | jne 0x362 $sequence_8 = { b828000000 e8???????? 482be0 488d15fc4fffff 488d0d5de62000 e8???????? 33c9 } // n = 7, score = 100 // b828000000 | pop edi // e8???????? | // 482be0 | ret // 488d15fc4fffff | inc ecx // 488d0d5de62000 | mov eax, 0x3c // e8???????? | // 33c9 | dec eax $sequence_9 = { e8???????? 85c0 7437 488d05297a0000 4c89742430 4889442428 4c8d0d485c0e00 } // n = 7, score = 100 // e8???????? | // 85c0 | dec eax // 7437 | mov ebx, ecx // 488d05297a0000 | inc esp // 4c89742430 | lea eax, [eax + 0x6d] // 4889442428 | dec eax // 4c8d0d485c0e00 | mov ecx, dword ptr [ecx + 0x20] condition: 7 of them and filesize < 6235136 } , rule win_royal_ransom_w0 { meta: author = \ MCRIT YARA Generator\ description = \ Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.\ date = \ 2023-01-31\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom\ malpedia_rule_date = \ 20230131\ malpedia_hash = \ \ malpedia_version = \ 20230131\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: // Rule generation selected 10 picblocks, covering 1/1 input sample(s). 
/* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples. * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520] * 33d2 | xor edx, edx * 498bce | mov rcx, r14 * 41b800080000 | mov r8d, 0x800 * ff1517160100 | call qword ptr [rip + 0x11617] * 488bd8 | mov rbx, rax * 4885c0 | test rax, rax * 754f | jne 0x1401fae20 */ $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? } /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples. * 4c8b05964a0d00 | mov r8, qword ptr [rip + 0xd4a96] * ba40000000 | mov edx, 0x40 * 418bc8 | mov ecx, r8d * 83e13f | and ecx, 0x3f * 2bd1 | sub edx, ecx * 8aca | mov cl, dl * 488bd0 | mov rdx, rax * 48d3ca | ror rdx, cl * 4933d0 | xor rdx, r8 * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx * eb2d | jmp 0x1401faed9 */ $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? } /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples. * 418bc2 | mov eax, r10d * b940000000 | mov ecx, 0x40 * 83e03f | and eax, 0x3f * 2bc8 | sub ecx, eax * 48d3cf | ror rdi, cl * 4933fa | xor rdi, r10 * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi */ $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 } /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples. * 4b8b84e7d02c2d00 | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0] * 4c8b45af | mov r8, qword ptr [rbp - 0x51] * 4c2bc7 | sub r8, rdi * 420fb64cf03e | movzx ecx, byte ptr [rax + r14*8 + 0x3e] * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260] * 41ffc7 | inc r15d * 458bef | mov r13d, r15d * 442bea | sub r13d, edx * 4d63d5 | movsxd r10, r13d * 4d3bd0 | cmp r10, r8 * 0f8f78020000 | jg 0x1401ffdb9 */ $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? 
} /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples. * 0fb607 | movzx eax, byte ptr [rdi] * 498bd5 | mov rdx, r13 * 482bd7 | sub rdx, rdi * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260] * 8d4e01 | lea ecx, [rsi + 1] * 4863c1 | movsxd rax, ecx * 483bc2 | cmp rax, rdx * 0f8fe4010000 | jg 0x1401ffdf3 */ $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? } /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples. * 8a0437 | mov al, byte ptr [rdi + rsi] * ffc2 | inc edx * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0] * 4803ce | add rcx, rsi * 48ffc6 | inc rsi * 428844f13e | mov byte ptr [rcx + r14*8 + 0x3e], al * 4863c2 | movsxd rax, edx * 493bc0 | cmp rax, r8 * 7ce0 | jl 0x1401ffdcb */ $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? } /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples. * 418a0438 | mov al, byte ptr [r8 + rdi] * 41ffc1 | inc r9d * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0] * 4903c8 | add rcx, r8 * 49ffc0 | inc r8 * 428844d93e | mov byte ptr [rcx + r11*8 + 0x3e], al * 4963c1 | movsxd rax, r9d * 483bc2 | cmp rax, rdx * 7cde | jl 0x1401ffe18 */ $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? } /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples. * 8a07 | mov al, byte ptr [rdi] * 4c8d05ab01e0ff | lea r8, [rip - 0x1ffe55] * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0] * ffc3 | inc ebx * 895d9b | mov dword ptr [rbp - 0x65], ebx * 428844f13e | mov byte ptr [rcx + r14*8 + 0x3e], al * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0] * 42804cf03d04 | or byte ptr [rax + r14*8 + 0x3d], 4 * 38558f | cmp byte ptr [rbp - 0x71], dl * ebcc | jmp 0x1401ffe46 */ $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 
4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? } /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples. * 498bc5 | mov rax, r13 * 4c8d0d21f6dfff | lea r9, [rip - 0x2009df] * 83e03f | and eax, 0x3f * 498bd5 | mov rdx, r13 * 48c1fa06 | sar rdx, 6 * 4c8d04c0 | lea r8, [rax + rax*8] * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0] * 42f644c03848 | test byte ptr [rax + r8*8 + 0x38], 0x48 * 7430 | je 0x140200a2d */ $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? } /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples. * 2bc3 | sub eax, ebx * 488d0d2df4dfff | lea rcx, [rip - 0x200bd3] * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0] * 8064f93dfd | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd * f7d8 | neg eax * 1ac0 | sbb al, al * 2402 | and al, 2 * 0844f93d | or byte ptr [rcx + rdi*8 + 0x3d], al * 8d0412 | lea eax, [rdx + rdx] */ $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 } condition: 7 of them and filesize < 5MB } ] }, { Malware : SysJoker , Description : Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software. Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software. 
, YARA : [ rule win_sysjoker_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.sysjoker.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 e8???????? 837de400 7416 } // n = 4, score = 100 // 50 | push eax // e8???????? | // 837de400 | cmp dword ptr [ebp - 0x1c], 0 // 7416 | je 0x18 $sequence_1 = { c746140f000000 c60600 e8???????? c7461060000000 8d4dd4 c746146f000000 0f1005???????? } // n = 7, score = 100 // c746140f000000 | mov dword ptr [esi + 0x14], 0xf // c60600 | mov byte ptr [esi], 0 // e8???????? | // c7461060000000 | mov dword ptr [esi + 0x10], 0x60 // 8d4dd4 | lea ecx, [ebp - 0x2c] // c746146f000000 | mov dword ptr [esi + 0x14], 0x6f // 0f1005???????? | $sequence_2 = { ffd6 e9???????? 8bb5a8efffff 85f6 0f84ce000000 6808020000 8d85e8fdffff } // n = 7, score = 100 // ffd6 | call esi // e9???????? 
| // 8bb5a8efffff | mov esi, dword ptr [ebp - 0x1058] // 85f6 | test esi, esi // 0f84ce000000 | je 0xd4 // 6808020000 | push 0x208 // 8d85e8fdffff | lea eax, [ebp - 0x218] $sequence_3 = { 8d4dac e8???????? 8d4dc8 e8???????? 8d8d74ffffff c645fc1b e8???????? } // n = 7, score = 100 // 8d4dac | lea ecx, [ebp - 0x54] // e8???????? | // 8d4dc8 | lea ecx, [ebp - 0x38] // e8???????? | // 8d8d74ffffff | lea ecx, [ebp - 0x8c] // c645fc1b | mov byte ptr [ebp - 4], 0x1b // e8???????? | $sequence_4 = { 8bc2 b9ffffff7f 83c80f 3dffffff7f 0f47c1 894584 40 } // n = 7, score = 100 // 8bc2 | mov eax, edx // b9ffffff7f | mov ecx, 0x7fffffff // 83c80f | or eax, 0xf // 3dffffff7f | cmp eax, 0x7fffffff // 0f47c1 | cmova eax, ecx // 894584 | mov dword ptr [ebp - 0x7c], eax // 40 | inc eax $sequence_5 = { 7cd5 33db 395d90 7650 0f1f4000 660f1f840000000000 83bd78ffffff10 } // n = 7, score = 100 // 7cd5 | jl 0xffffffd7 // 33db | xor ebx, ebx // 395d90 | cmp dword ptr [ebp - 0x70], ebx // 7650 | jbe 0x52 // 0f1f4000 | nop dword ptr [eax] // 660f1f840000000000 | nop word ptr [eax + eax] // 83bd78ffffff10 | cmp dword ptr [ebp - 0x88], 0x10 $sequence_6 = { 6a02 68???????? e8???????? 8b8534efffff 83c618 8b8d4cefffff 40 } // n = 7, score = 100 // 6a02 | push 2 // 68???????? | // e8???????? | // 8b8534efffff | mov eax, dword ptr [ebp - 0x10cc] // 83c618 | add esi, 0x18 // 8b8d4cefffff | mov ecx, dword ptr [ebp - 0x10b4] // 40 | inc eax $sequence_7 = { e8???????? 83c404 8b8780000000 33f6 89b534efffff } // n = 5, score = 100 // e8???????? | // 83c404 | add esp, 4 // 8b8780000000 | mov eax, dword ptr [edi + 0x80] // 33f6 | xor esi, esi // 89b534efffff | mov dword ptr [ebp - 0x10cc], esi $sequence_8 = { 6a01 8bce e8???????? 84c0 0f84c2feffff e9???????? 8b4778 } // n = 7, score = 100 // 6a01 | push 1 // 8bce | mov ecx, esi // e8???????? | // 84c0 | test al, al // 0f84c2feffff | je 0xfffffec8 // e9???????? | // 8b4778 | mov eax, dword ptr [edi + 0x78] $sequence_9 = { e8???????? 
83c010 8906 51 c645fc25 8bf4 89b508fdffff } // n = 7, score = 100 // e8???????? | // 83c010 | add eax, 0x10 // 8906 | mov dword ptr [esi], eax // 51 | push ecx // c645fc25 | mov byte ptr [ebp - 4], 0x25 // 8bf4 | mov esi, esp // 89b508fdffff | mov dword ptr [ebp - 0x2f8], esi condition: 7 of them and filesize < 832512 } ] }, { Malware : Remcos , Description : Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. 
, YARA : [ rule win_remcos_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.remcos.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7410 6a00 ff35???????? ff15???????? } // n = 4, score = 2000 // 7410 | je 0x12 // 6a00 | push 0 // ff35???????? | // ff15???????? | $sequence_1 = { 50 ff15???????? 8d45f0 33f6 } // n = 4, score = 2000 // 50 | push eax // ff15???????? | // 8d45f0 | lea eax, [ebp - 0x10] // 33f6 | xor esi, esi $sequence_2 = { 6a09 ff35???????? ff15???????? ff35???????? ff15???????? } // n = 5, score = 2000 // 6a09 | push 9 // ff35???????? | // ff15???????? | // ff35???????? | // ff15???????? | $sequence_3 = { 8d45f8 50 ff15???????? ff7508 } // n = 4, score = 2000 // 8d45f8 | lea eax, [ebp - 8] // 50 | push eax // ff15???????? | // ff7508 | push dword ptr [ebp + 8] $sequence_4 = { 7508 ff15???????? 33c0 5f } // n = 4, score = 2000 // 7508 | jne 0xa // ff15???????? 
| // 33c0 | xor eax, eax // 5f | pop edi $sequence_5 = { 6a09 ff35???????? ff15???????? ff35???????? } // n = 4, score = 2000 // 6a09 | push 9 // ff35???????? | // ff15???????? | // ff35???????? | $sequence_6 = { ff15???????? 50 ff15???????? 8d45f0 33f6 } // n = 5, score = 2000 // ff15???????? | // 50 | push eax // ff15???????? | // 8d45f0 | lea eax, [ebp - 0x10] // 33f6 | xor esi, esi $sequence_7 = { 50 6a28 ff15???????? 50 ff15???????? 8d45f0 33f6 } // n = 7, score = 2000 // 50 | push eax // 6a28 | push 0x28 // ff15???????? | // 50 | push eax // ff15???????? | // 8d45f0 | lea eax, [ebp - 0x10] // 33f6 | xor esi, esi $sequence_8 = { 51 51 8d45f8 c745f808000000 50 ff15???????? ff15???????? } // n = 7, score = 2000 // 51 | push ecx // 51 | push ecx // 8d45f8 | lea eax, [ebp - 8] // c745f808000000 | mov dword ptr [ebp - 8], 8 // 50 | push eax // ff15???????? | // ff15???????? | $sequence_9 = { 85c0 7410 6a00 ff35???????? ff15???????? } // n = 5, score = 2000 // 85c0 | test eax, eax // 7410 | je 0x12 // 6a00 | push 0 // ff35???????? | // ff15???????? 
| condition: 7 of them and filesize < 1054720 } , rule win_remcos_w0 { meta: author = \ Matthew @ Embee_Research\ created = \ 2023/08/27\ description = \ Detects strings present in remcos rat Samples.\ sha_256 = \ ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784\ source = \ https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_remcos_rat_unpacked.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\ malpedia_rule_date = \ 20230906\ malpedia_hash = \ \ malpedia_version = \ 20230906\ malpedia_sharing = \ TLP:WHITE\ strings: $r0 = \ ______ \ ascii $r1 = \ (_____ \\ \ ascii $r2 = \ _____) )_____ ____ ____ ___ ___ \ ascii $r3 = \ | __ /| ___ | \\ / ___) _ \\ /___)\ ascii $r4 = \ | | \\ \\| ____| | | ( (__| |_| |___ |\ ascii $r5 = \ |_| |_|_____)_|_|_|\\____)___/(___/ \ ascii $s1 = \ Watchdog module activated\ ascii $s2 = \ Remcos restarted by watchdog!\ ascii $s3 = \ BreakingSecurity.net\ ascii condition: //uint16(0) == 0x5a4d //and ( (all of ($r*)) or (all of ($s*)) ) } ] }, { Malware : csharp-streamer RAT , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : DUCKTAIL , Description : According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature. According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature. 
, YARA : [ rule win_ducktail_w0 { meta: author = \ dr4k0nia\ description = \ Detects binaries signed with compromised certificates used by DuckTail stealer - identified in June 2023\ reference = \ Internal Research\ date = \ 2023-06-16\ hash1 = \ 17c75f2d14af9f00822fc1dba00ccc9ec71fc50962e196d7e6f193f4b2ee0183\ hash2 = \ b3cfdb442772d07a7f037b0bb093ba315dfd1e79b0e292736c52097355495270\ hash3 = \ 9afe013cae0167993a6a7ccd650eb1221a5ec163110565eb3a49a8b57949d4ee\ score = 80 malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail\ malpedia_version = \ 20230626\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:GREEN\ strings: $sx1 = \ AZM MARKETING COMPANY LIMITED\ ascii fullword $sx2 = \ CONG TY TNHH\ ascii $sx3 = {43 C3 94 4E 47 20 54 59 20 54 4E 48 48 20} $sx4 = \ CONG TY TRACH\ ascii $se1 = {65 78 BE 85 2D 48 E3 3D 4E 48 B8 D4 73 F5 B7 60} // AZM MARKETING COMPANY LIMITED $se2 = {1D 53 38 32 74 2B 58 37 87 C0 A2 53 32 F7 FB 06} // AZM MARKETING COMPANY LIMITED $se3 = {00 BD 7B 85 B2 6A 69 C9 7D 6D 68 CC 95 67 34 C0 6B} // CONG TY TNHH PDF SOFTWARE $se4 = {06 5F 5C 57 0B D6 A7 98 92 FB B0 E6 34 61 3A 4D} $se5 = {41 55 3F 07 13 37 11 7A 99 B4 58 57} // CONG TY TNHH CAO SU MINH KHANG $se6 = {1E AA E4 CE E7 EE 89 FB 20 32 59 27 88 13 D8 53} // CONG TY TNHH MTV SAN VUON THAI VUONG $se7 = {56 DC DB 85 D4 89 F9 87 B2 D6 76 72} // CONG TY TNHH THUONG MAI VA XAY DUNG PHUC NGUYEN $se8 = {2D A4 50 57 C2 74 3C 1A 3C A4 93 7A} // CONG TY TNHH DICH VU CAU CHU NHO $se9 = {37 AE 95 F5 4C 8E 9B D0 B6 47 68 6A} // CÔNG TY TNHH THIẾT KẾ VÀ XÂY DỰNG SÂN VƯỜN NON BỘ SƠN HẢI $se10 = {3D C8 F5 3B 62 7A 34 07 AC 7E 01 00 13 87 A3 B3} // CÔNG TY TNHH GIẢ I PHÁ P CÔNG NGHỆ SỐ VIỆT $se11 = {01 C9 87 5A 5F A8 59 68 6D 34 17 C9} // CONG TY TRACH NHIEM HUU HAN THIET BI NOI THAT TAKASY condition: uint16(0) == 0x5a4d and 1 of ($sx*) and 1 of ($se*) } ] }, { Malware : MetaStealer , Description : On March 7, 2022, KELA observed a threat actor named _META_ 
announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements. On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements. , YARA : [ rule win_metastealer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.metastealer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff7710 50 e8???????? 8b4718 8d4b1c 894318 8d471c } // n = 7, score = 200 // ff7710 | push dword ptr [edi + 0x10] // 50 | push eax // e8???????? 
| // 8b4718 | mov eax, dword ptr [edi + 0x18] // 8d4b1c | lea ecx, [ebx + 0x1c] // 894318 | mov dword ptr [ebx + 0x18], eax // 8d471c | lea eax, [edi + 0x1c] $sequence_1 = { 8b4220 894620 8d4228 894224 897a20 c70700000000 8bc6 } // n = 7, score = 200 // 8b4220 | mov eax, dword ptr [edx + 0x20] // 894620 | mov dword ptr [esi + 0x20], eax // 8d4228 | lea eax, [edx + 0x28] // 894224 | mov dword ptr [edx + 0x24], eax // 897a20 | mov dword ptr [edx + 0x20], edi // c70700000000 | mov dword ptr [edi], 0 // 8bc6 | mov eax, esi $sequence_2 = { 8d4dd8 e8???????? c745fc00000000 8d45d8 68a3000000 68???????? 68???????? } // n = 7, score = 200 // 8d4dd8 | lea ecx, [ebp - 0x28] // e8???????? | // c745fc00000000 | mov dword ptr [ebp - 4], 0 // 8d45d8 | lea eax, [ebp - 0x28] // 68a3000000 | push 0xa3 // 68???????? | // 68???????? | $sequence_3 = { 8b4104 894610 8b4104 8b400c 85c0 740c 89460c } // n = 7, score = 200 // 8b4104 | mov eax, dword ptr [ecx + 4] // 894610 | mov dword ptr [esi + 0x10], eax // 8b4104 | mov eax, dword ptr [ecx + 4] // 8b400c | mov eax, dword ptr [eax + 0xc] // 85c0 | test eax, eax // 740c | je 0xe // 89460c | mov dword ptr [esi + 0xc], eax $sequence_4 = { eb0a c70600000000 c6460401 8a45ae 8b7d9c 8845af 660f1f440000 } // n = 7, score = 200 // eb0a | jmp 0xc // c70600000000 | mov dword ptr [esi], 0 // c6460401 | mov byte ptr [esi + 4], 1 // 8a45ae | mov al, byte ptr [ebp - 0x52] // 8b7d9c | mov edi, dword ptr [ebp - 0x64] // 8845af | mov byte ptr [ebp - 0x51], al // 660f1f440000 | nop word ptr [eax + eax] $sequence_5 = { eb0e 0f57c0 660f1345d4 8b7dd8 8b75d4 51 8d4dd4 } // n = 7, score = 200 // eb0e | jmp 0x10 // 0f57c0 | xorps xmm0, xmm0 // 660f1345d4 | movlpd qword ptr [ebp - 0x2c], xmm0 // 8b7dd8 | mov edi, dword ptr [ebp - 0x28] // 8b75d4 | mov esi, dword ptr [ebp - 0x2c] // 51 | push ecx // 8d4dd4 | lea ecx, [ebp - 0x2c] $sequence_6 = { ff7314 68???????? 56 e8???????? 68???????? 56 e8???????? 
} // n = 7, score = 200 // ff7314 | push dword ptr [ebx + 0x14] // 68???????? | // 56 | push esi // e8???????? | // 68???????? | // 56 | push esi // e8???????? | $sequence_7 = { ffd0 83c40c 85c0 7407 be01000000 eb02 33f6 } // n = 7, score = 200 // ffd0 | call eax // 83c40c | add esp, 0xc // 85c0 | test eax, eax // 7407 | je 9 // be01000000 | mov esi, 1 // eb02 | jmp 4 // 33f6 | xor esi, esi $sequence_8 = { d945fc 5e 8be5 5d c3 8d8100000038 0bc6 } // n = 7, score = 200 // d945fc | fld dword ptr [ebp - 4] // 5e | pop esi // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret // 8d8100000038 | lea eax, [ecx + 0x38000000] // 0bc6 | or eax, esi $sequence_9 = { c7411000000000 c7411400000000 837e1408 8975d0 7205 8b16 8955d0 } // n = 7, score = 200 // c7411000000000 | mov dword ptr [ecx + 0x10], 0 // c7411400000000 | mov dword ptr [ecx + 0x14], 0 // 837e1408 | cmp dword ptr [esi + 0x14], 8 // 8975d0 | mov dword ptr [ebp - 0x30], esi // 7205 | jb 7 // 8b16 | mov edx, dword ptr [esi] // 8955d0 | mov dword ptr [ebp - 0x30], edx condition: 7 of them and filesize < 26230784 } , rule win_metastealer_w0 { meta: description = \ MetaStealer Memory\ author = \ Peter Gurney\ date = \ 2022-04-29\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer\ malpedia_rule_date = \ 20230119\ malpedia_hash = \ \ malpedia_version = \ 20230131\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $str_c2_parse = {B8 56 55 55 55 F7 6D C4 8B C2 C1 E8 1F 03 C2 8B 55 C0 8D 04 40 2B 45 C4} $str_filename = \ .xyz -newname hyper-v.exe\ fullword wide $str_stackstring = {FF FF FF C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF} condition: uint16(0) == 0x5a4d and 2 of ($str_*) } ] }, { Malware : Nova Stealer , Description : Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new actor called \ Sordeal\ . 
Its capabilities include password stealing, browser injections, crypto wallet stealing, discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain \ Premium\ features missing. Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new actor called \ Sordeal\ . Its capabilities include password stealing, browser injections, crypto wallet stealing, discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain \ Premium\ features missing. There is no Yara-Signature yet. , YARA : [] }, { Malware : PureLogs Stealer , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : WhiteSnake Stealer , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : AlphaSeed , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Appleseed , Description : There is no description at this point. , YARA : [ rule win_appleseed_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.appleseed.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 448bc6 442bc0 488b442450 488d0d65d30100 488b0cc1 4c8d4c244c 488d9520060000 } // n = 7, score = 100 // 448bc6 | mov edx, dword ptr [eax] // 442bc0 | dec eax // 488b442450 | mov dword ptr [ebp + 0x70], 0xf // 488d0d65d30100 | xor esi, esi // 488b0cc1 | dec eax // 4c8d4c244c | mov dword ptr [ebp + 0x68], esi // 488d9520060000 | dec eax $sequence_1 = { 4c89b590000000 c6858000000000 4883bde000000010 720c 488b8dc8000000 e8???????? 8bc7 } // n = 7, score = 100 // 4c89b590000000 | lea ecx, [ebp - 0x48] // c6858000000000 | je 0x2de5 // 4883bde000000010 | dec eax // 720c | lea edx, [0x21c03] // 488b8dc8000000 | nop // e8???????? | // 8bc7 | dec eax $sequence_2 = { 90 488d4db8 e8???????? 48833d????????00 0f84b10c0000 } // n = 5, score = 100 // 90 | dec eax // 488d4db8 | mov dword ptr [esp + 0x68], esi // e8???????? | // 48833d????????00 | // 0f84b10c0000 | inc eax $sequence_3 = { 488bcb ff15???????? ff15???????? 33ff 8bf0 0f1f8000000000 ff15???????? } // n = 7, score = 100 // 488bcb | dec eax // ff15???????? | // ff15???????? | // 33ff | mov dword ptr [esp + 0x68], 0xf // 8bf0 | dec eax // 0f1f8000000000 | mov dword ptr [esp + 0x60], edi // ff15???????? | $sequence_4 = { 90 488d4db8 e8???????? 48833d????????00 0f84c0040000 488d157e170200 488d4db8 } // n = 7, score = 100 // 90 | lea ecx, [edx + 0x140] // 488d4db8 | dec eax // e8???????? | // 48833d????????00 | // 0f84c0040000 | mov ecx, dword ptr [edx + 0x40] // 488d157e170200 | dec eax // 488d4db8 | mov ecx, dword ptr [edx + 0x40] $sequence_5 = { 488bce ff15???????? 
4885c0 7411 83caff 488bc8 } // n = 6, score = 100 // 488bce | mov eax, dword ptr [esi] // ff15???????? | // 4885c0 | jb 0xef // 7411 | dec eax // 83caff | mov ecx, dword ptr [ebp - 1] // 488bc8 | nop $sequence_6 = { e9???????? 488d8af0000000 e9???????? 488b8a60000000 e9???????? 488d8a10010000 e9???????? } // n = 7, score = 100 // e9???????? | // 488d8af0000000 | mov dword ptr [esp + 0x30], ebp // e9???????? | // 488b8a60000000 | inc ecx // e9???????? | // 488d8a10010000 | mov esi, ebp // e9???????? | $sequence_7 = { 0f8490000000 85db 0f8488000000 41880f 4b8b84e900670300 4183caff 4103da } // n = 7, score = 100 // 0f8490000000 | mov dword ptr [ebp - 0x70], 0xf // 85db | dec eax // 0f8488000000 | mov dword ptr [ebp - 0x78], esi // 41880f | mov byte ptr [esp + 0x78], 0 // 4b8b84e900670300 | dec eax // 4183caff | cmp dword ptr [esp + 0x70], 0x10 // 4103da | dec eax $sequence_8 = { 48ffc7 803c3a00 75f7 488d4c2450 4c8bc7 e8???????? 488d4c2450 } // n = 7, score = 100 // 48ffc7 | dec eax // 803c3a00 | lea ecx, [0xdee3] // 75f7 | mov dword ptr [esp + 0x30], ebx // 488d4c2450 | dec eax // 4c8bc7 | lea edx, [0xdeba] // e8???????? | // 488d4c2450 | test ecx, ecx $sequence_9 = { 48895dc8 c645b800 41b838000000 488d15b81d0200 488d4db8 e8???????? 90 } // n = 7, score = 100 // 48895dc8 | lea ecx, [ebp - 0x49] // c645b800 | nop // 41b838000000 | dec eax // 488d15b81d0200 | cmp dword ptr [ebx + 0x18], 0x10 // 488d4db8 | jb 0x5ce // e8???????? 
| // 90 | dec eax condition: 7 of them and filesize < 497664 } , rule win_appleseed_w0 { meta: author = \ KrCERT/CC Profound Analysis Team\ date = \ 2020-12-4\ info = \ Operation MUZABI\ hash = \ 43cc6d190238e851d33066cbe9be9ac8\ hash = \ fd10bd6013aabadbcb9edb8a23ba7331\ hash = \ 16231e2e8991c60a42f293e0c33ff801\ hash = \ 89fff6645013008cda57f88639b92990\ hash = \ 030e2f992cbc4e61f0d5c994779caf3b\ hash = \ 3620c22671641fbf32cf496b118b85f6\ hash = \ 4876fc88c361743a1220a7b161f8f06f\ hash = \ 94b8a0e4356d0202dc61046e3d8bdfe0\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed\ malpedia_rule_date = \ 20201015\ malpedia_version = \ 20201015\ malpedia_license = \ CC NC-BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00} $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01} $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10} $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98} $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f} $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8} $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4} $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c} $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?} condition: uint16(0) == 0x5a4d and filesize < 400KB and (2 of ($appleseed_str*)) and (1 of ($seed_str*)) and (1 of ($appleseed_key*)) } ] }, { Malware : Konni , Description : Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. Konni is a remote administration tool, observed in the wild since early 2014. 
The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. , YARA : [ rule win_konni_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.konni.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.konni\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7908 4e 81ce00ffffff 46 8a9c35f8feffff 8819 889435f8feffff } // n = 7, score = 800 // 7908 | jns 0xa // 4e | dec esi // 81ce00ffffff | or esi, 0xffffff00 // 46 | inc esi // 8a9c35f8feffff | mov bl, byte ptr [ebp + esi - 0x108] // 8819 | mov byte ptr [ecx], bl // 889435f8feffff | mov byte ptr [ebp + esi - 0x108], dl $sequence_1 = { 8945fc 53 56 57 b910000000 be???????? 
8d7db0 } // n = 7, score = 800 // 8945fc | mov dword ptr [ebp - 4], eax // 53 | push ebx // 56 | push esi // 57 | push edi // b910000000 | mov ecx, 0x10 // be???????? | // 8d7db0 | lea edi, [ebp - 0x50] $sequence_2 = { 7527 0fb655eb 0fb645ea 52 } // n = 4, score = 800 // 7527 | jne 0x29 // 0fb655eb | movzx edx, byte ptr [ebp - 0x15] // 0fb645ea | movzx eax, byte ptr [ebp - 0x16] // 52 | push edx $sequence_3 = { 889435f8feffff 0fb609 0fb6d2 03ca 81e1ff000080 7908 } // n = 6, score = 800 // 889435f8feffff | mov byte ptr [ebp + esi - 0x108], dl // 0fb609 | movzx ecx, byte ptr [ecx] // 0fb6d2 | movzx edx, dl // 03ca | add ecx, edx // 81e1ff000080 | and ecx, 0x800000ff // 7908 | jns 0xa $sequence_4 = { 0fbef1 d0f9 83e601 884c15f4 8970e8 42 } // n = 6, score = 800 // 0fbef1 | movsx esi, cl // d0f9 | sar cl, 1 // 83e601 | and esi, 1 // 884c15f4 | mov byte ptr [ebp + edx - 0xc], cl // 8970e8 | mov dword ptr [eax - 0x18], esi // 42 | inc edx $sequence_5 = { 49 81c900ffffff 41 8a940df8feffff 8d8c0df8feffff 0fb6da 03f3 } // n = 7, score = 800 // 49 | dec ecx // 81c900ffffff | or ecx, 0xffffff00 // 41 | inc ecx // 8a940df8feffff | mov dl, byte ptr [ebp + ecx - 0x108] // 8d8c0df8feffff | lea ecx, [ebp + ecx - 0x108] // 0fb6da | movzx ebx, dl // 03f3 | add esi, ebx $sequence_6 = { 83e601 897004 d0f9 0fbef1 83e601 8930 } // n = 6, score = 800 // 83e601 | and esi, 1 // 897004 | mov dword ptr [eax + 4], esi // d0f9 | sar cl, 1 // 0fbef1 | movsx esi, cl // 83e601 | and esi, 1 // 8930 | mov dword ptr [eax], esi $sequence_7 = { 68b6030000 6a0d 50 ff15???????? } // n = 4, score = 500 // 68b6030000 | push 0x3b6 // 6a0d | push 0xd // 50 | push eax // ff15???????? | $sequence_8 = { 6a01 ff15???????? 50 a3???????? } // n = 4, score = 500 // 6a01 | push 1 // ff15???????? | // 50 | push eax // a3???????? | $sequence_9 = { 33c9 83f802 7508 890d???????? } // n = 4, score = 300 // 33c9 | xor ecx, ecx // 83f802 | cmp eax, 2 // 7508 | jne 0xa // 890d???????? 
| $sequence_10 = { eb1e 83f804 740f c705????????02000000 } // n = 4, score = 300 // eb1e | jmp 0x20 // 83f804 | cmp eax, 4 // 740f | je 0x11 // c705????????02000000 | $sequence_11 = { 740f c705????????02000000 83f801 750a c705????????01000000 890d???????? } // n = 6, score = 300 // 740f | je 0x11 // c705????????02000000 | // 83f801 | cmp eax, 1 // 750a | jne 0xc // c705????????01000000 | // 890d???????? | $sequence_12 = { 7508 890d???????? eb1e 83f804 } // n = 4, score = 300 // 7508 | jne 0xa // 890d???????? | // eb1e | jmp 0x20 // 83f804 | cmp eax, 4 $sequence_13 = { 8916 56 e8???????? 8a8c30dec44600 } // n = 4, score = 200 // 8916 | mov dword ptr [esi], edx // 56 | push esi // e8???????? | // 8a8c30dec44600 | mov cl, byte ptr [eax + esi + 0x46c4de] $sequence_14 = { e8???????? 83c40c 6804010000 8d8df4fdffff 51 ff15???????? } // n = 6, score = 200 // e8???????? | // 83c40c | add esp, 0xc // 6804010000 | push 0x104 // 8d8df4fdffff | lea ecx, [ebp - 0x20c] // 51 | push ecx // ff15???????? | $sequence_15 = { 83e203 83f908 7229 f3a5 ff2495f0444000 8bc7 } // n = 6, score = 200 // 83e203 | and edx, 3 // 83f908 | cmp ecx, 8 // 7229 | jb 0x2b // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // ff2495f0444000 | jmp dword ptr [edx*4 + 0x4044f0] // 8bc7 | mov eax, edi $sequence_16 = { 8d85f8feffff 50 ffd6 68???????? 8d8df0faffff } // n = 5, score = 200 // 8d85f8feffff | lea eax, [ebp - 0x108] // 50 | push eax // ffd6 | call esi // 68???????? | // 8d8df0faffff | lea ecx, [ebp - 0x510] $sequence_17 = { 4c89742420 ff15???????? 488bd8 4885c0 744f } // n = 5, score = 200 // 4c89742420 | dec esp // ff15???????? 
| // 488bd8 | mov dword ptr [esp + 0x20], esi // 4885c0 | dec eax // 744f | mov ebx, eax $sequence_18 = { bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 0f85d7030000 } // n = 6, score = 200 // bbedffffff | mov ebx, 0xffffffed // 03dd | add ebx, ebp // 81eb00200200 | sub ebx, 0x22000 // 83bd9404000000 | cmp dword ptr [ebp + 0x494], 0 // 899d94040000 | mov dword ptr [ebp + 0x494], ebx // 0f85d7030000 | jne 0x3dd $sequence_19 = { e9???????? 8b35???????? 68???????? 8d85f8feffff } // n = 4, score = 200 // e9???????? | // 8b35???????? | // 68???????? | // 8d85f8feffff | lea eax, [ebp - 0x108] $sequence_20 = { ff95b50f0000 898598040000 8bf0 8d7d51 } // n = 4, score = 200 // ff95b50f0000 | call dword ptr [ebp + 0xfb5] // 898598040000 | mov dword ptr [ebp + 0x498], eax // 8bf0 | mov esi, eax // 8d7d51 | lea edi, [ebp + 0x51] $sequence_21 = { 6804010000 8d95f8feffff 52 50 ff15???????? } // n = 5, score = 200 // 6804010000 | push 0x104 // 8d95f8feffff | lea edx, [ebp - 0x108] // 52 | push edx // 50 | push eax // ff15???????? | $sequence_22 = { 50 038594040000 59 0bc9 89851a040000 61 7508 } // n = 7, score = 200 // 50 | push eax // 038594040000 | add eax, dword ptr [ebp + 0x494] // 59 | pop ecx // 0bc9 | or ecx, ecx // 89851a040000 | mov dword ptr [ebp + 0x41a], eax // 61 | popal // 7508 | jne 0xa $sequence_23 = { 8b4e08 33db 56 e8???????? 8a9c30c2c44600 } // n = 5, score = 200 // 8b4e08 | mov ecx, dword ptr [esi + 8] // 33db | xor ebx, ebx // 56 | push esi // e8???????? | // 8a9c30c2c44600 | mov bl, byte ptr [eax + esi + 0x46c4c2] $sequence_24 = { 8bf0 8d7d51 57 56 ff95b10f0000 ab } // n = 6, score = 200 // 8bf0 | mov esi, eax // 8d7d51 | lea edi, [ebp + 0x51] // 57 | push edi // 56 | push esi // ff95b10f0000 | call dword ptr [ebp + 0xfb1] // ab | stosd dword ptr es:[edi], eax $sequence_25 = { 33d2 56 e8???????? 8a9435dec44600 5e 84c0 8bfa } // n = 7, score = 200 // 33d2 | xor edx, edx // 56 | push esi // e8???????? 
| // 8a9435dec44600 | mov dl, byte ptr [ebp + esi + 0x46c4de] // 5e | pop esi // 84c0 | test al, al // 8bfa | mov edi, edx $sequence_26 = { 56 33d2 898ddcfeffff 40 57 } // n = 5, score = 200 // 56 | cmp eax, 2 // 33d2 | jne 0xd // 898ddcfeffff | jmp 0x25 // 40 | push 0x208 // 57 | push 0 $sequence_27 = { 6808020000 6a00 56 c745fc00010000 e8???????? 83c40c 8d45fc } // n = 7, score = 200 // 6808020000 | je 0x14 // 6a00 | cmp eax, 1 // 56 | jne 0x14 // c745fc00010000 | jmp 0x20 // e8???????? | // 83c40c | cmp eax, 4 // 8d45fc | je 0x14 $sequence_28 = { ebab c745e428614000 817de42c614000 7311 8b45e4 } // n = 5, score = 200 // ebab | jmp 0xffffffad // c745e428614000 | mov dword ptr [ebp - 0x1c], 0x406128 // 817de42c614000 | cmp dword ptr [ebp - 0x1c], 0x40612c // 7311 | jae 0x13 // 8b45e4 | mov eax, dword ptr [ebp - 0x1c] $sequence_29 = { 6a00 6a00 8d8df8feffff 51 8d95f0fcffff } // n = 5, score = 200 // 6a00 | push 0 // 6a00 | push 0 // 8d8df8feffff | lea ecx, [ebp - 0x108] // 51 | push ecx // 8d95f0fcffff | lea edx, [ebp - 0x310] $sequence_30 = { 68???????? 8d8df0faffff 51 ffd6 8b35???????? } // n = 5, score = 200 // 68???????? | // 8d8df0faffff | lea ecx, [ebp - 0x510] // 51 | push ecx // ffd6 | call esi // 8b35???????? | $sequence_31 = { 51 6689442414 e8???????? 6808020000 8d942420020000 6a00 } // n = 6, score = 200 // 51 | cmp eax, 1 // 6689442414 | jne 0xa // e8???????? | // 6808020000 | jmp 0x20 // 8d942420020000 | cmp eax, 4 // 6a00 | cmp eax, 2 $sequence_32 = { e8???????? 8a8c30a6c44600 5e 8b442414 03ca 03c1 89442414 } // n = 7, score = 200 // e8???????? | // 8a8c30a6c44600 | mov cl, byte ptr [eax + esi + 0x46c4a6] // 5e | pop esi // 8b442414 | mov eax, dword ptr [esp + 0x14] // 03ca | add ecx, edx // 03c1 | add eax, ecx // 89442414 | mov dword ptr [esp + 0x14], eax $sequence_33 = { 33c0 56 51 668985e8fdffff e8???????? } // n = 5, score = 200 // 33c0 | jne 0xa // 56 | jmp 0x22 // 51 | cmp eax, 4 // 668985e8fdffff | xor ecx, ecx // e8???????? 
| $sequence_34 = { 488bda 488b15???????? 4889442458 89442450 488b05???????? 482bc2 } // n = 6, score = 100 // 488bda | dec eax // 488b15???????? | // 4889442458 | test eax, eax // 89442450 | je 0x51 // 488b05???????? | // 482bc2 | dec eax $sequence_35 = { 48ffc9 48ffc1 7440 488d542448 458d4e2e } // n = 5, score = 100 // 48ffc9 | xor eax, eax // 48ffc1 | dec eax // 7440 | mov ecx, 0x80000002 // 488d542448 | dec eax // 458d4e2e | sub esp, 0x20 $sequence_36 = { 8bd9 e8???????? 4885c0 7509 488d051f390100 } // n = 5, score = 100 // 8bd9 | jmp dword ptr [eax*4 + 0x1000bbd1] // e8???????? | // 4885c0 | push edi // 7509 | mov edi, dword ptr [ebp + 0x10] // 488d051f390100 | mov dword ptr [ebp - 0x10c], eax $sequence_37 = { 4883ec20 488bd9 e8???????? 4c8d1d4b9b0000 } // n = 4, score = 100 // 4883ec20 | je 0xffffff57 // 488bd9 | cmp eax, 7 // e8???????? | // 4c8d1d4b9b0000 | ja 0xa20 $sequence_38 = { 488b01 8b08 ff15???????? 488d15f3170100 488bcb } // n = 5, score = 100 // 488b01 | dec eax // 8b08 | mov ebx, ecx // ff15???????? | // 488d15f3170100 | dec esp // 488bcb | lea ebx, [0x9b4b] $sequence_39 = { e8???????? 59 3bc7 59 a3???????? 7419 68???????? } // n = 7, score = 100 // e8???????? | // 59 | pop ecx // 3bc7 | cmp eax, edi // 59 | pop ecx // a3???????? | // 7419 | je 0x1b // 68???????? 
| $sequence_40 = { 743e 8305????????20 8d0c9de0a30010 8d9080040000 8901 3bc2 } // n = 6, score = 100 // 743e | je 0x40 // 8305????????20 | // 8d0c9de0a30010 | lea ecx, [ebx*4 + 0x1000a3e0] // 8d9080040000 | lea edx, [eax + 0x480] // 8901 | mov dword ptr [ecx], eax // 3bc2 | cmp eax, edx $sequence_41 = { 4885c0 7438 33c0 4883c9ff 4c8d8600010000 488bfb } // n = 6, score = 100 // 4885c0 | mov ebx, edx // 7438 | dec eax // 33c0 | mov dword ptr [esp + 0x58], eax // 4883c9ff | mov dword ptr [esp + 0x50], eax // 4c8d8600010000 | dec eax // 488bfb | sub eax, edx $sequence_42 = { 8d04c0 8b0c8de0a30010 8a448104 83e040 c3 55 8bec } // n = 7, score = 100 // 8d04c0 | lea eax, [eax + eax*8] // 8b0c8de0a30010 | mov ecx, dword ptr [ecx*4 + 0x1000a3e0] // 8a448104 | mov al, byte ptr [ecx + eax*4 + 4] // 83e040 | and eax, 0x40 // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp $sequence_43 = { 83c410 837dfc08 752f 68???????? 53 e8???????? } // n = 6, score = 100 // 83c410 | add esp, 0x10 // 837dfc08 | cmp dword ptr [ebp - 4], 8 // 752f | jne 0x31 // 68???????? | // 53 | push ebx // e8???????? | $sequence_44 = { 448d5bf0 498d4e10 4963d3 4d8bcd 4d8bc4 } // n = 5, score = 100 // 448d5bf0 | dec eax // 498d4e10 | test eax, eax // 4963d3 | je 0x3a // 4d8bcd | xor eax, eax // 4d8bc4 | dec eax $sequence_45 = { 8b8fa8af0100 488b87a0af0100 400fb6d6 f6d2 881401 ff87a8af0100 8b97a8af0100 } // n = 7, score = 100 // 8b8fa8af0100 | xor esi, esi // 488b87a0af0100 | push edi // 400fb6d6 | mov edi, dword ptr [ebp + 0x10] // f6d2 | mov dword ptr [ebp - 0x10c], eax // 881401 | xor esi, esi // ff87a8af0100 | dec esp // 8b97a8af0100 | mov dword ptr [esp + 0x20], esi $sequence_46 = { 59 8a4dff 8d3c85e0a30010 8bc3 80c901 83e01f 884d0b } // n = 7, score = 100 // 59 | pop ecx // 8a4dff | mov cl, byte ptr [ebp - 1] // 8d3c85e0a30010 | lea edi, [eax*4 + 0x1000a3e0] // 8bc3 | mov eax, ebx // 80c901 | or cl, 1 // 83e01f | and eax, 0x1f // 884d0b | mov byte ptr [ebp + 0xb], cl $sequence_47 = { 488905???????? 
8905???????? 488b05???????? 4533c0 48c7c102000080 488905???????? } // n = 6, score = 100 // 488905???????? | // 8905???????? | // 488b05???????? | // 4533c0 | lea eax, [ebp - 4] // 48c7c102000080 | cmp eax, edx // 488905???????? | $sequence_48 = { 8bc3 c1f905 83e01f 8b0c8de0a30010 8d04c0 } // n = 5, score = 100 // 8bc3 | mov eax, ebx // c1f905 | sar ecx, 5 // 83e01f | and eax, 0x1f // 8b0c8de0a30010 | mov ecx, dword ptr [ecx*4 + 0x1000a3e0] // 8d04c0 | lea eax, [eax + eax*8] $sequence_49 = { 8b442448 448b6e4c 448b7e44 c1e808 4c8bf3 8b5e48 } // n = 6, score = 100 // 8b442448 | dec eax // 448b6e4c | mov ebx, eax // 448b7e44 | dec eax // c1e808 | test eax, eax // 4c8bf3 | je 0x5c // 8b5e48 | inc ebp condition: 7 of them and filesize < 330752 } ] }, { Malware : MASEPIE , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Serpent Stealer , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : TriangleDB , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Chameleon , Description : The malware chamaleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen. The malware chamaleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen. There is no Yara-Signature yet. , YARA : [] }, { Malware : FiveHands , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : MimiKatz , Description : Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. 
Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them. Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them. , YARA : [ rule win_mimikatz_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.mimikatz.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f7f1 85d2 7406 2bca } // n = 4, score = 300 // f7f1 | div ecx // 85d2 | test edx, edx // 7406 | je 8 // 2bca | sub ecx, edx $sequence_1 = { 83f8ff 750e ff15???????? c7002a000000 } // n = 4, score = 300 // 83f8ff | cmp eax, -1 // 750e | jne 0x10 // ff15???????? | // c7002a000000 | mov dword ptr [eax], 0x2a $sequence_2 = { c3 81f998000000 7410 81f996000000 7408 } // n = 5, score = 200 // c3 | ret // 81f998000000 | cmp ecx, 0x98 // 7410 | je 0x12 // 81f996000000 | cmp ecx, 0x96 // 7408 | je 0xa $sequence_3 = { e8???????? 894720 85c0 7413 } // n = 4, score = 200 // e8???????? 
| // 894720 | mov dword ptr [edi + 0x20], eax // 85c0 | test eax, eax // 7413 | je 0x15 $sequence_4 = { f30f6f4928 f30f7f8c24a0000000 f30f6f4138 f30f7f8424b8000000 } // n = 4, score = 200 // f30f6f4928 | movdqu xmm1, xmmword ptr [ecx + 0x28] // f30f7f8c24a0000000 | movdqu xmmword ptr [esp + 0xa0], xmm1 // f30f6f4138 | movdqu xmm0, xmmword ptr [ecx + 0x38] // f30f7f8424b8000000 | movdqu xmmword ptr [esp + 0xb8], xmm0 $sequence_5 = { 83f812 72f1 33c0 c3 } // n = 4, score = 200 // 83f812 | cmp eax, 0x12 // 72f1 | jb 0xfffffff3 // 33c0 | xor eax, eax // c3 | ret $sequence_6 = { ff5028 8be8 85c0 787a } // n = 4, score = 200 // ff5028 | call dword ptr [eax + 0x28] // 8be8 | mov ebp, eax // 85c0 | test eax, eax // 787a | js 0x7c $sequence_7 = { 66894108 33c0 39410c 740b } // n = 4, score = 200 // 66894108 | mov word ptr [ecx + 8], ax // 33c0 | xor eax, eax // 39410c | cmp dword ptr [ecx + 0xc], eax // 740b | je 0xd $sequence_8 = { eb0c bfdfff0000 6623fe 6683ef07 8b742474 } // n = 5, score = 200 // eb0c | jmp 0xe // bfdfff0000 | mov edi, 0xffdf // 6623fe | and di, si // 6683ef07 | sub di, 7 // 8b742474 | mov esi, dword ptr [esp + 0x74] $sequence_9 = { 6683f83f 7607 32c0 e9???????? } // n = 4, score = 200 // 6683f83f | cmp ax, 0x3f // 7607 | jbe 9 // 32c0 | xor al, al // e9???????? | $sequence_10 = { 2bc1 85c9 7403 83c008 d1e8 8d441002 } // n = 6, score = 200 // 2bc1 | sub eax, ecx // 85c9 | test ecx, ecx // 7403 | je 5 // 83c008 | add eax, 8 // d1e8 | shr eax, 1 // 8d441002 | lea eax, [eax + edx + 2] $sequence_11 = { ff15???????? b940000000 8bd0 89442430 } // n = 4, score = 200 // ff15???????? | // b940000000 | mov ecx, 0x40 // 8bd0 | mov edx, eax // 89442430 | mov dword ptr [esp + 0x30], eax $sequence_12 = { 3c02 7207 e8???????? eb10 } // n = 4, score = 200 // 3c02 | cmp al, 2 // 7207 | jb 9 // e8???????? | // eb10 | jmp 0x12 $sequence_13 = { ff15???????? b9e9fd0000 8905???????? ff15???????? } // n = 4, score = 200 // ff15???????? 
| // b9e9fd0000 | mov ecx, 0xfde9 // 8905???????? | // ff15???????? | $sequence_14 = { 8d04f530d94600 8938 68a00f0000 ff30 83c718 ff15???????? 85c0 } // n = 7, score = 100 // 8d04f530d94600 | lea eax, [esi*8 + 0x46d930] // 8938 | mov dword ptr [eax], edi // 68a00f0000 | push 0xfa0 // ff30 | push dword ptr [eax] // 83c718 | add edi, 0x18 // ff15???????? | // 85c0 | test eax, eax $sequence_15 = { 837e1800 7402 ffd0 e8???????? 53 } // n = 5, score = 100 // 837e1800 | cmp dword ptr [esi + 0x18], 0 // 7402 | je 4 // ffd0 | call eax // e8???????? | // 53 | push ebx $sequence_16 = { 57 33ff ffb750da4600 ff15???????? 898750da4600 83c704 } // n = 6, score = 100 // 57 | push edi // 33ff | xor edi, edi // ffb750da4600 | push dword ptr [edi + 0x46da50] // ff15???????? | // 898750da4600 | mov dword ptr [edi + 0x46da50], eax // 83c704 | add edi, 4 $sequence_17 = { e8???????? 8d04453cdb4600 8bc8 2bce 6a03 d1f9 68???????? } // n = 7, score = 100 // e8???????? | // 8d04453cdb4600 | lea eax, [eax*2 + 0x46db3c] // 8bc8 | mov ecx, eax // 2bce | sub ecx, esi // 6a03 | push 3 // d1f9 | sar ecx, 1 // 68???????? | $sequence_18 = { a1???????? a3???????? a1???????? c705????????cf2f4000 8935???????? } // n = 5, score = 100 // a1???????? | // a3???????? | // a1???????? | // c705????????cf2f4000 | // 8935???????? | $sequence_19 = { 8888a0d44600 40 ebe6 ff35???????? ff15???????? } // n = 5, score = 100 // 8888a0d44600 | mov byte ptr [eax + 0x46d4a0], cl // 40 | inc eax // ebe6 | jmp 0xffffffe8 // ff35???????? | // ff15???????? 
| $sequence_20 = { 8a80a4d54600 08443b1d 0fb64601 47 3bf8 76ea 8b7d08 } // n = 7, score = 100 // 8a80a4d54600 | mov al, byte ptr [eax + 0x46d5a4] // 08443b1d | or byte ptr [ebx + edi + 0x1d], al // 0fb64601 | movzx eax, byte ptr [esi + 1] // 47 | inc edi // 3bf8 | cmp edi, eax // 76ea | jbe 0xffffffec // 8b7d08 | mov edi, dword ptr [ebp + 8] $sequence_21 = { 43 83c408 83fb04 7cdc 8b5df8 8ad3 } // n = 6, score = 100 // 43 | inc ebx // 83c408 | add esp, 8 // 83fb04 | cmp ebx, 4 // 7cdc | jl 0xffffffde // 8b5df8 | mov ebx, dword ptr [ebp - 8] // 8ad3 | mov dl, bl condition: 7 of them and filesize < 1642496 } , /* Benjamin DELPY `gentilkiwi` http://blog.gentilkiwi.com benjamin@gentilkiwi.com Licence : https://creativecommons.org/licenses/by/4.0/ */ rule win_mimikatz_w0 { meta: description = \ mimikatz\ author = \ Benjamin DELPY (gentilkiwi)\ tool_author = \ Benjamin DELPY (gentilkiwi)\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz\ malpedia_version = \ 20171230\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd } $exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 } $exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74} $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 } $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 } $dll_2 = { c7 0? 10 02 00 00 ?? 89 4? } $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 } $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 } condition: (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*)) } ] }, { Malware : SombRAT , Description : There is no description at this point. 
, YARA : [ rule win_sombrat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.sombrat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 014114 8b7508 837df800 8b5df4 } // n = 4, score = 300 // 014114 | add dword ptr [ecx + 0x14], eax // 8b7508 | mov esi, dword ptr [ebp + 8] // 837df800 | cmp dword ptr [ebp - 8], 0 // 8b5df4 | mov ebx, dword ptr [ebp - 0xc] $sequence_1 = { 01041e 8b4508 42 8d7308 } // n = 4, score = 300 // 01041e | add dword ptr [esi + ebx], eax // 8b4508 | mov eax, dword ptr [ebp + 8] // 42 | inc edx // 8d7308 | lea esi, [ebx + 8] $sequence_2 = { 0144244a 894e0c ffb72c010000 ff15???????? } // n = 4, score = 300 // 0144244a | add dword ptr [esp + 0x4a], eax // 894e0c | mov dword ptr [esi + 0xc], ecx // ffb72c010000 | push dword ptr [edi + 0x12c] // ff15???????? 
| $sequence_3 = { 01420c 8b11 294210 8b09 } // n = 4, score = 300 // 01420c | add dword ptr [edx + 0xc], eax // 8b11 | mov edx, dword ptr [ecx] // 294210 | sub dword ptr [edx + 0x10], eax // 8b09 | mov ecx, dword ptr [ecx] $sequence_4 = { 0145e4 8b55f8 83c40c 294644 } // n = 4, score = 300 // 0145e4 | add dword ptr [ebp - 0x1c], eax // 8b55f8 | mov edx, dword ptr [ebp - 8] // 83c40c | add esp, 0xc // 294644 | sub dword ptr [esi + 0x44], eax $sequence_5 = { 0000 e8???????? c70424???????? 8d5f0c 68???????? } // n = 5, score = 300 // 0000 | add byte ptr [eax], al // e8???????? | // c70424???????? | // 8d5f0c | lea ebx, [edi + 0xc] // 68???????? | $sequence_6 = { 7514 8b4610 8d8de4fffeff 2b4618 03c3 } // n = 5, score = 300 // 7514 | jne 0x16 // 8b4610 | mov eax, dword ptr [esi + 0x10] // 8d8de4fffeff | lea ecx, [ebp - 0x1001c] // 2b4618 | sub eax, dword ptr [esi + 0x18] // 03c3 | add eax, ebx $sequence_7 = { 014114 014620 f6460c04 8945e0 742d } // n = 5, score = 300 // 014114 | add dword ptr [ecx + 0x14], eax // 014620 | add dword ptr [esi + 0x20], eax // f6460c04 | test byte ptr [esi + 0xc], 4 // 8945e0 | mov dword ptr [ebp - 0x20], eax // 742d | je 0x2f $sequence_8 = { 015f08 33c0 488b4c2470 4833cc } // n = 4, score = 200 // 015f08 | mov edx, dword ptr [esi] // 33c0 | add dword ptr [ebp - 0xf], eax // 488b4c2470 | inc ebp // 4833cc | xor ecx, ecx $sequence_9 = { 0145f1 4533c9 4533c0 488b16 } // n = 4, score = 200 // 0145f1 | dec esp // 4533c9 | sub eax, esi // 4533c0 | add dword ptr [esp + ecx*4 + 0x20], eax // 488b16 | dec eax $sequence_10 = { 016b08 488d05dc980500 41b9e7160000 4889442420 } // n = 4, score = 200 // 016b08 | add dword ptr [edi + 8], ebx // 488d05dc980500 | dec eax // 41b9e7160000 | mov ecx, edi // 4889442420 | mov esi, eax $sequence_11 = { 015f08 83bfd800000016 0f856c020000 488b87c8000000 } // n = 4, score = 200 // 015f08 | dec esp // 83bfd800000016 | lea ebx, [esp + 0x80] // 0f856c020000 | dec ecx // 488b87c8000000 | mov ebx, dword ptr [ebx + 0x38] 
$sequence_12 = { 016b08 33c0 e9???????? 33ff } // n = 4, score = 200 // 016b08 | xor eax, eax // 33c0 | dec eax // e9???????? | // 33ff | mov eax, dword ptr [edi + 0x60] $sequence_13 = { 01448c20 48ffc1 493bc9 7cf1 } // n = 4, score = 200 // 01448c20 | add dword ptr [esp + ecx*4 + 0x20], eax // 48ffc1 | dec eax // 493bc9 | inc ecx // 7cf1 | dec ecx $sequence_14 = { 015f08 33c0 e9???????? 488b4760 } // n = 4, score = 200 // 015f08 | add dword ptr [ebp - 0xf], eax // 33c0 | inc ebp // e9???????? | // 488b4760 | xor ecx, ecx $sequence_15 = { 015f08 488bcf e8???????? 8bf0 } // n = 4, score = 200 // 015f08 | dec eax // 488bcf | mov ecx, dword ptr [esp + 0x70] // e8???????? | // 8bf0 | dec eax condition: 7 of them and filesize < 1466368 } ] }, { Malware : Vidar , Description : Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. , YARA : [ rule win_vidar_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.vidar.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 25ff7f0000 c3 e8???????? 8b486c 3b0d???????? 7410 } // n = 6, score = 2600 // 25ff7f0000 | and eax, 0x7fff // c3 | ret // e8???????? | // 8b486c | mov ecx, dword ptr [eax + 0x6c] // 3b0d???????? | // 7410 | je 0x12 $sequence_1 = { 05c39e2600 894114 c1e810 25ff7f0000 c3 e8???????? } // n = 6, score = 2600 // 05c39e2600 | add eax, 0x269ec3 // 894114 | mov dword ptr [ecx + 0x14], eax // c1e810 | shr eax, 0x10 // 25ff7f0000 | and eax, 0x7fff // c3 | ret // e8???????? | $sequence_2 = { 8d8d68fdffff 51 50 ff15???????? } // n = 4, score = 2500 // 8d8d68fdffff | lea ecx, [ebp - 0x298] // 51 | push ecx // 50 | push eax // ff15???????? | $sequence_3 = { 7202 8b00 8d8d68fdffff 51 } // n = 4, score = 2500 // 7202 | jb 4 // 8b00 | mov eax, dword ptr [eax] // 8d8d68fdffff | lea ecx, [ebp - 0x298] // 51 | push ecx $sequence_4 = { 740a b800000500 e9???????? 57 } // n = 4, score = 2400 // 740a | je 0xc // b800000500 | mov eax, 0x50000 // e9???????? 
| // 57 | push edi $sequence_5 = { 56 8b742408 8b865caf0100 57 } // n = 4, score = 2400 // 56 | push esi // 8b742408 | mov esi, dword ptr [esp + 8] // 8b865caf0100 | mov eax, dword ptr [esi + 0x1af5c] // 57 | push edi $sequence_6 = { 895dd0 c746140f000000 895e10 8975cc } // n = 4, score = 2400 // 895dd0 | mov dword ptr [ebp - 0x30], ebx // c746140f000000 | mov dword ptr [esi + 0x14], 0xf // 895e10 | mov dword ptr [esi + 0x10], ebx // 8975cc | mov dword ptr [ebp - 0x34], esi $sequence_7 = { 8b8648af0100 c1e803 038644af0100 5e 5d c3 } // n = 6, score = 2400 // 8b8648af0100 | mov eax, dword ptr [esi + 0x1af48] // c1e803 | shr eax, 3 // 038644af0100 | add eax, dword ptr [esi + 0x1af44] // 5e | pop esi // 5d | pop ebp // c3 | ret $sequence_8 = { 895dfc e8???????? 83781408 c645fc01 } // n = 4, score = 2400 // 895dfc | mov dword ptr [ebp - 4], ebx // e8???????? | // 83781408 | cmp dword ptr [eax + 0x14], 8 // c645fc01 | mov byte ptr [ebp - 4], 1 $sequence_9 = { 8b7508 33ff 89b55cfdffff 89bd60fdffff } // n = 4, score = 2400 // 8b7508 | mov esi, dword ptr [ebp + 8] // 33ff | xor edi, edi // 89b55cfdffff | mov dword ptr [ebp - 0x2a4], esi // 89bd60fdffff | mov dword ptr [ebp - 0x2a0], edi $sequence_10 = { 5f c6043300 8bc6 5e 5b c20400 } // n = 6, score = 2400 // 5f | pop edi // c6043300 | mov byte ptr [ebx + esi], 0 // 8bc6 | mov eax, esi // 5e | pop esi // 5b | pop ebx // c20400 | ret 4 $sequence_11 = { 50 ff15???????? 8b4da0 8901 85c0 } // n = 5, score = 2300 // 50 | push eax // ff15???????? 
| // 8b4da0 | mov ecx, dword ptr [ebp - 0x60] // 8901 | mov dword ptr [ecx], eax // 85c0 | test eax, eax $sequence_12 = { 83781410 7202 8b00 50 8b45a0 } // n = 5, score = 2300 // 83781410 | cmp dword ptr [eax + 0x14], 0x10 // 7202 | jb 4 // 8b00 | mov eax, dword ptr [eax] // 50 | push eax // 8b45a0 | mov eax, dword ptr [ebp - 0x60] $sequence_13 = { eb02 33c0 5f 5e c9 c3 6a04 } // n = 7, score = 2300 // eb02 | jmp 4 // 33c0 | xor eax, eax // 5f | pop edi // 5e | pop esi // c9 | leave // c3 | ret // 6a04 | push 4 $sequence_14 = { 5e c20400 ff742408 e8???????? 59 83f8ff 7503 } // n = 7, score = 2300 // 5e | pop esi // c20400 | ret 4 // ff742408 | push dword ptr [esp + 8] // e8???????? | // 59 | pop ecx // 83f8ff | cmp eax, -1 // 7503 | jne 5 $sequence_15 = { c9 c3 8b542408 85d2 7503 } // n = 5, score = 2300 // c9 | leave // c3 | ret // 8b542408 | mov edx, dword ptr [esp + 8] // 85d2 | test edx, edx // 7503 | jne 5 $sequence_16 = { 0fb605???????? 50 0fb605???????? 50 0fb605???????? 50 6a01 } // n = 7, score = 2200 // 0fb605???????? | // 50 | push eax // 0fb605???????? | // 50 | push eax // 0fb605???????? | // 50 | push eax // 6a01 | push 1 $sequence_17 = { 53 50 899e6caf0600 e8???????? } // n = 4, score = 2100 // 53 | push ebx // 50 | push eax // 899e6caf0600 | mov dword ptr [esi + 0x6af6c], ebx // e8???????? | $sequence_18 = { 53 68???????? 8d8da8000000 e8???????? } // n = 4, score = 2100 // 53 | push ebx // 68???????? | // 8d8da8000000 | lea ecx, [ebp + 0xa8] // e8???????? | $sequence_19 = { c3 55 8bec 83ec0c 8365fc00 8365f400 8365f800 } // n = 7, score = 1900 // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // 83ec0c | sub esp, 0xc // 8365fc00 | and dword ptr [ebp - 4], 0 // 8365f400 | and dword ptr [ebp - 0xc], 0 // 8365f800 | and dword ptr [ebp - 8], 0 $sequence_20 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce } // n = 7, score = 1800 // c20400 | ret 4 // 56 | push esi // 8bf1 | mov esi, ecx // e8???????? 
| // 6a00 | push 0 // ff74240c | push dword ptr [esp + 0xc] // 8bce | mov ecx, esi $sequence_21 = { 0faf450c 50 e8???????? 59 } // n = 4, score = 1800 // 0faf450c | imul eax, dword ptr [ebp + 0xc] // 50 | push eax // e8???????? | // 59 | pop ecx $sequence_22 = { 8b4508 8906 8b450c 894608 } // n = 4, score = 1800 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8906 | mov dword ptr [esi], eax // 8b450c | mov eax, dword ptr [ebp + 0xc] // 894608 | mov dword ptr [esi + 8], eax $sequence_23 = { 8b4120 8910 8b4130 8910 c3 56 } // n = 6, score = 1800 // 8b4120 | mov eax, dword ptr [ecx + 0x20] // 8910 | mov dword ptr [eax], edx // 8b4130 | mov eax, dword ptr [ecx + 0x30] // 8910 | mov dword ptr [eax], edx // c3 | ret // 56 | push esi $sequence_24 = { e8???????? c9 c3 55 8bec 83ec18 8b450c } // n = 7, score = 1800 // e8???????? | // c9 | leave // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // 83ec18 | sub esp, 0x18 // 8b450c | mov eax, dword ptr [ebp + 0xc] $sequence_25 = { 8d852cffffff 50 8d459c 50 } // n = 4, score = 1800 // 8d852cffffff | lea eax, [ebp - 0xd4] // 50 | push eax // 8d459c | lea eax, [ebp - 0x64] // 50 | push eax $sequence_26 = { 6860ea0000 6a00 ff15???????? 50 } // n = 4, score = 800 // 6860ea0000 | push 0xea60 // 6a00 | push 0 // ff15???????? | // 50 | push eax $sequence_27 = { 50 ff15???????? 6a1a e8???????? } // n = 4, score = 800 // 50 | push eax // ff15???????? | // 6a1a | push 0x1a // e8???????? | $sequence_28 = { 5f c21000 8bff 55 8bec 6a0a } // n = 6, score = 700 // 5f | pop edi // c21000 | ret 0x10 // 8bff | mov edi, edi // 55 | push ebp // 8bec | mov ebp, esp // 6a0a | push 0xa $sequence_29 = { e8???????? 83c410 85c0 7404 6a99 ebcc } // n = 6, score = 600 // e8???????? 
| // 83c410 | add esp, 0x10 // 85c0 | test eax, eax // 7404 | je 6 // 6a99 | push -0x67 // ebcc | jmp 0xffffffce $sequence_30 = { 7410 84c0 7406 3ac8 7c14 } // n = 5, score = 500 // 7410 | je 0x12 // 84c0 | test al, al // 7406 | je 8 // 3ac8 | cmp cl, al // 7c14 | jl 0x16 $sequence_31 = { 7408 ff36 e8???????? 59 834e04ff 8b06 } // n = 6, score = 500 // 7408 | je 0xa // ff36 | push dword ptr [esi] // e8???????? | // 59 | pop ecx // 834e04ff | or dword ptr [esi + 4], 0xffffffff // 8b06 | mov eax, dword ptr [esi] $sequence_32 = { e8???????? 83c408 84c0 740e 68???????? } // n = 5, score = 300 // e8???????? | // 83c408 | add esp, 8 // 84c0 | test al, al // 740e | je 0x10 // 68???????? | $sequence_33 = { 6a0b 6a10 e8???????? 83c41c 8be5 } // n = 5, score = 200 // 6a0b | push 0xb // 6a10 | push 0x10 // e8???????? | // 83c41c | add esp, 0x1c // 8be5 | mov esp, ebp $sequence_34 = { eb0b 8b45f4 0500040000 8945f4 } // n = 4, score = 200 // eb0b | jmp 0xd // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // 0500040000 | add eax, 0x400 // 8945f4 | mov dword ptr [ebp - 0xc], eax $sequence_35 = { 83ec08 dd4508 dd1c24 6a0b 6a08 } // n = 5, score = 200 // 83ec08 | sub esp, 8 // dd4508 | fld qword ptr [ebp + 8] // dd1c24 | fstp qword ptr [esp] // 6a0b | push 0xb // 6a08 | push 8 $sequence_36 = { 8bc6 8b35???????? 99 2bc2 } // n = 4, score = 100 // 8bc6 | mov eax, esi // 8b35???????? 
| // 99 | cdq // 2bc2 | sub eax, edx $sequence_37 = { 8bc6 5f 5e 5d 5b 81c460010000 c3 } // n = 7, score = 100 // 8bc6 | mov eax, esi // 5f | pop edi // 5e | pop esi // 5d | pop ebp // 5b | pop ebx // 81c460010000 | add esp, 0x160 // c3 | ret condition: 7 of them and filesize < 2793472 } , rule win_vidar_w0 { meta: description = \ Yara rule for detecting Vidar stealer\ author = \ Fumik0_\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar\ malpedia_version = \ 20190106\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = { 56 69 64 61 72 } $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 } condition: all of them } ] }, { Malware : 8Base , Description : The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader. The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader. 
, YARA : [ rule win_8base_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.8base.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.8base\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 ff15???????? 8d8e04a2feff 81f98c230000 770b } // n = 5, score = 100 // 6a00 | push 0 // ff15???????? | // 8d8e04a2feff | lea ecx, [esi - 0x15dfc] // 81f98c230000 | cmp ecx, 0x238c // 770b | ja 0xd $sequence_1 = { f8 290c67 98 a6 73c2 } // n = 5, score = 100 // f8 | clc // 290c67 | sub dword ptr [edi], ecx // 98 | cwde // a6 | cmpsb byte ptr [esi], byte ptr es:[edi] // 73c2 | jae 0xffffffc4 $sequence_2 = { 8815???????? c605????????6f 880d???????? c605????????65 c605????????63 } // n = 5, score = 100 // 8815???????? | // c605????????6f | // 880d???????? 
| // c605????????65 | // c605????????63 | $sequence_3 = { 8d3485c0289100 8b06 83e71f c1e706 03c7 8a5824 } // n = 6, score = 100 // 8d3485c0289100 | lea esi, [eax*4 + 0x9128c0] // 8b06 | mov eax, dword ptr [esi] // 83e71f | and edi, 0x1f // c1e706 | shl edi, 6 // 03c7 | add eax, edi // 8a5824 | mov bl, byte ptr [eax + 0x24] $sequence_4 = { c684249c00000002 50 c7442410043a4000 e8???????? } // n = 4, score = 100 // c684249c00000002 | mov byte ptr [esp + 0x9c], 2 // 50 | push eax // c7442410043a4000 | mov dword ptr [esp + 0x10], 0x403a04 // e8???????? | $sequence_5 = { d3ea 89542414 8b442434 01442414 8b442424 31442410 } // n = 6, score = 100 // d3ea | shr edx, cl // 89542414 | mov dword ptr [esp + 0x14], edx // 8b442434 | mov eax, dword ptr [esp + 0x34] // 01442414 | add dword ptr [esp + 0x14], eax // 8b442424 | mov eax, dword ptr [esp + 0x24] // 31442410 | xor dword ptr [esp + 0x10], eax $sequence_6 = { ff15???????? 8b442414 40 3d???????? 89442414 0f8c0effffff 8b35???????? } // n = 7, score = 100 // ff15???????? | // 8b442414 | mov eax, dword ptr [esp + 0x14] // 40 | inc eax // 3d???????? | // 89442414 | mov dword ptr [esp + 0x14], eax // 0f8c0effffff | jl 0xffffff14 // 8b35???????? 
| $sequence_7 = { 8bf7 83e61f c1e606 033485c0289100 c745e401000000 } // n = 5, score = 100 // 8bf7 | mov esi, edi // 83e61f | and esi, 0x1f // c1e606 | shl esi, 6 // 033485c0289100 | add esi, dword ptr [eax*4 + 0x9128c0] // c745e401000000 | mov dword ptr [ebp - 0x1c], 1 $sequence_8 = { 6689442416 33c9 668954241a 8d442434 50 66894c241c 8b4c241c } // n = 7, score = 100 // 6689442416 | mov word ptr [esp + 0x16], ax // 33c9 | xor ecx, ecx // 668954241a | mov word ptr [esp + 0x1a], dx // 8d442434 | lea eax, [esp + 0x34] // 50 | push eax // 66894c241c | mov word ptr [esp + 0x1c], cx // 8b4c241c | mov ecx, dword ptr [esp + 0x1c] $sequence_9 = { 899c24ac000000 3bfb 7449 8b8424b8000000 56 8d742418 } // n = 6, score = 100 // 899c24ac000000 | mov dword ptr [esp + 0xac], ebx // 3bfb | cmp edi, ebx // 7449 | je 0x4b // 8b8424b8000000 | mov eax, dword ptr [esp + 0xb8] // 56 | push esi // 8d742418 | lea esi, [esp + 0x18] condition: 7 of them and filesize < 10838016 } ] }, { Malware : Ares , Description : Ares is a Python RAT. Ares is a Python RAT. There is no Yara-Signature yet. , YARA : [] }, { Malware : BATLOADER , Description : According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer Visual Studio) bundled with this malware. We have found those installers on compromised websites. According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer Visual Studio) bundled with this malware. We have found those installers on compromised websites. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : BlackCat , Description : ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network. ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network. 
, YARA : [ rule win_blackcat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.blackcat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c3 894608 c7460400000000 b001 ebe8 89c2 } // n = 6, score = 600 // c3 | ret // 894608 | mov dword ptr [esi + 8], eax // c7460400000000 | mov dword ptr [esi + 4], 0 // b001 | mov al, 1 // ebe8 | jmp 0xffffffea // 89c2 | mov edx, eax $sequence_1 = { 7260 8b06 01d8 51 57 50 89cf } // n = 7, score = 600 // 7260 | jb 0x62 // 8b06 | mov eax, dword ptr [esi] // 01d8 | add eax, ebx // 51 | push ecx // 57 | push edi // 50 | push eax // 89cf | mov edi, ecx $sequence_2 = { 8975dc 8955e0 eb07 31c0 b902000000 } // n = 5, score = 600 // 8975dc | mov dword ptr [ebp - 0x24], esi // 8955e0 | mov dword ptr [ebp - 0x20], edx // eb07 | jmp 9 // 31c0 | xor eax, eax // b902000000 | mov ecx, 2 $sequence_3 = { b104 eb0f e8???????? 
89c2 c1e018 31c9 } // n = 6, score = 600 // b104 | mov cl, 4 // eb0f | jmp 0x11 // e8???????? | // 89c2 | mov edx, eax // c1e018 | shl eax, 0x18 // 31c9 | xor ecx, ecx $sequence_4 = { 7504 3c02 7351 88c4 8975cc } // n = 5, score = 600 // 7504 | jne 6 // 3c02 | cmp al, 2 // 7351 | jae 0x53 // 88c4 | mov ah, al // 8975cc | mov dword ptr [ebp - 0x34], esi $sequence_5 = { 81f9cf040000 0f8fe4000000 81f96b040000 0f84b4010000 81f976040000 } // n = 5, score = 600 // 81f9cf040000 | cmp ecx, 0x4cf // 0f8fe4000000 | jg 0xea // 81f96b040000 | cmp ecx, 0x46b // 0f84b4010000 | je 0x1ba // 81f976040000 | cmp ecx, 0x476 $sequence_6 = { 83ec08 a1???????? c745f800000000 c745fc00000000 85c0 7408 8d4df8 } // n = 7, score = 600 // 83ec08 | sub esp, 8 // a1???????? | // c745f800000000 | mov dword ptr [ebp - 8], 0 // c745fc00000000 | mov dword ptr [ebp - 4], 0 // 85c0 | test eax, eax // 7408 | je 0xa // 8d4df8 | lea ecx, [ebp - 8] $sequence_7 = { 8d45f8 50 e8???????? 8b45f8 8b55fc 83c408 } // n = 6, score = 600 // 8d45f8 | lea eax, [ebp - 8] // 50 | push eax // e8???????? | // 8b45f8 | mov eax, dword ptr [ebp - 8] // 8b55fc | mov edx, dword ptr [ebp - 4] // 83c408 | add esp, 8 $sequence_8 = { 895804 897008 eb0b 8b45e8 894708 } // n = 5, score = 600 // 895804 | mov dword ptr [eax + 4], ebx // 897008 | mov dword ptr [eax + 8], esi // eb0b | jmp 0xd // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 894708 | mov dword ptr [edi + 8], eax $sequence_9 = { ff45e4 8a02 42 8955e8 } // n = 4, score = 600 // ff45e4 | inc dword ptr [ebp - 0x1c] // 8a02 | mov al, byte ptr [edx] // 42 | inc edx // 8955e8 | mov dword ptr [ebp - 0x18], edx condition: 7 of them and filesize < 29981696 } ] }, { Malware : BlackLotus , Description : There is no description at this point. 
, YARA : [ rule win_blacklotus_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.blacklotus.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 443bca 7319 69c03f000100 4883c102 4103c0 41ffc1 440fb701 } // n = 7, score = 100 // 443bca | dec eax // 7319 | mov ebp, dword ptr [esp + 0x38] // 69c03f000100 | dec eax // 4883c102 | mov esi, dword ptr [esp + 0x40] // 4103c0 | dec eax // 41ffc1 | mov edi, dword ptr [esp + 0x48] // 440fb701 | dec ecx $sequence_1 = { c745cfc1afbd03 c745d301138a6b c745d73a911141 c745db4f67dcea c745df97f2cfce } // n = 5, score = 100 // c745cfc1afbd03 | dec eax // c745d301138a6b | add ecx, 2 // c745d73a911141 | inc ecx // c745db4f67dcea | add eax, eax // c745df97f2cfce | inc ecx $sequence_2 = { 448bc6 488d155b1d0000 488bcb e8???????? 488bf0 } // n = 5, score = 100 // 448bc6 | test eax, eax // 488d155b1d0000 | mov cl, 0xe // 488bcb | mov cl, byte ptr [ebx + 2] // e8???????? 
| // 488bf0 | inc eax $sequence_3 = { 770b 418b4908 03ca 413bcb 770e 6641ffc2 4983c128 } // n = 7, score = 100 // 770b | mov ebp, edx // 418b4908 | dec eax // 03ca | mov ebx, dword ptr [edi] // 413bcb | xor esi, esi // 770e | push edi // 6641ffc2 | dec eax // 4983c128 | sub esp, 0x20 $sequence_4 = { 42883c10 4183fb3c 0f8c45ffffff 498d8af0000000 41b810000000 498bd6 } // n = 6, score = 100 // 42883c10 | inc ebp // 4183fb3c | xor ecx, ecx // 0f8c45ffffff | dec eax // 498d8af0000000 | mov dword ptr [esp + 0x28], eax // 41b810000000 | dec esp // 498bd6 | mov eax, ebp $sequence_5 = { 488d1588f7ffff e8???????? 488b05???????? 488bcb ff5020 488b5c2430 488b742438 } // n = 7, score = 100 // 488d1588f7ffff | jb 0x1c60 // e8???????? | // 488b05???????? | // 488bcb | dec eax // ff5020 | lea esi, [0x116b1] // 488b5c2430 | inc ebp // 488b742438 | test eax, eax $sequence_6 = { 4632440c30 eb1b 418af1 83f804 } // n = 4, score = 100 // 4632440c30 | inc esp // eb1b | xor bl, al // 418af1 | inc ecx // 83f804 | mov al, bl $sequence_7 = { 4889442428 4c8bc5 488bd3 48897c2420 } // n = 4, score = 100 // 4889442428 | inc esi // 4c8bc5 | xor al, byte ptr [esp + ecx + 0x30] // 488bd3 | jmp 0xbd // 48897c2420 | inc ecx $sequence_8 = { 740b 4883c602 483bf7 72bd eb0c bb03000000 eb05 } // n = 7, score = 100 // 740b | lea ecx, [esp + 0x40] // 4883c602 | test esi, esi // 483bf7 | je 0x958 // 72bd | dec esi // eb0c | dec esp // bb03000000 | lea eax, [esp + 0x70] // eb05 | dec eax $sequence_9 = { 48897010 48897818 4c897020 55 488d68c8 4881ec30010000 4c8bd1 } // n = 7, score = 100 // 48897010 | dec eax // 48897818 | mov ebx, dword ptr [eax + 0x40] // 4c897020 | mov ecx, 0x1f // 55 | call dword ptr [eax + 0x18] // 488d68c8 | dec esp // 4881ec30010000 | lea eax, [0x1144e] // 4c8bd1 | dec eax condition: 7 of them and filesize < 181248 } ] }, { Malware : Carbanak , Description : MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and to remote control.The attacker 
deploys malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines (ATM) and financial accounts. The following are the malware capabilities: MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and remote control. The attacker deploys malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines (ATM) and financial accounts. The following are the malware capabilities: , YARA : [ rule win_carbanak_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.carbanak.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. 
* This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7f05 83c061 eb03 83c027 } // n = 4, score = 500 // 7f05 | arpl word ptr [ecx + 0x10], cx // 83c061 | push edi // eb03 | dec eax // 83c027 | sub esp, 0x20 $sequence_1 = { 7907 32c0 e9???????? 7507 b001 } // n = 5, score = 500 // 7907 | cmp eax, 0x100 // 32c0 | jne 0xff8 // e9???????? | // 7507 | dec eax // b001 | lea ecx, [esp + 0x20] $sequence_2 = { 32c0 e9???????? 7507 b001 } // n = 4, score = 500 // 32c0 | mov edx, eax // e9???????? | // 7507 | sub eax, dword ptr [ecx + 4] // b001 | cmp eax, dword ptr [ebp + 8] $sequence_3 = { 2bd1 81e921100000 8bc1 c1f80e 0cc0 } // n = 5, score = 500 // 2bd1 | inc ecx // 81e921100000 | mov eax, 0xf01ff // 8bc1 | dec eax // c1f80e | mov edx, esi // 0cc0 | dec eax $sequence_4 = { 8b4608 eb02 8bc3 85c0 } // n = 4, score = 500 // 8b4608 | mov eax, dword ptr [ebp - 4] // eb02 | jge 0x176b // 8bc3 | mov edi, dword ptr [ebp + 0x10] // 85c0 | mov eax, dword ptr [ebp + 0xc] $sequence_5 = { c3 8d4120 3c1f 7705 0fb6c1 } // n = 5, score = 500 // c3 | push ecx // 8d4120 | mov ecx, eax // 3c1f | je 0x124 // 7705 | push 5 // 0fb6c1 | push dword ptr [ebp - 0x114] $sequence_6 = { 7c0d e8???????? 84c0 7504 } // n = 4, score = 500 // 7c0d | push 0x4c // e8???????? | // 84c0 | push 0 // 7504 | push ebp $sequence_7 = { 7c0d e8???????? 84c0 7504 33c0 } // n = 5, score = 500 // 7c0d | dec eax // e8???????? | // 84c0 | lea ecx, [esp + 0x30] // 7504 | inc esp // 33c0 | mov eax, dword ptr [eax + 0x34] $sequence_8 = { e9???????? 3d2c5c0700 750a e8???????? } // n = 4, score = 500 // e9???????? | // 3d2c5c0700 | dec esi // 750a | mov dword ptr [ebp - 8], esi // e8???????? | $sequence_9 = { 3d2c5c0700 750a e8???????? e9???????? 
} // n = 4, score = 500 // 3d2c5c0700 | cmp dword ptr [ebp + 0x67], edi // 750a | jle 0xfd // e8???????? | // e9???????? | condition: 7 of them and filesize < 658432 } ] }, { Malware : CLOUDBURST , Description : CLOUDBURST aka NickelLoader is an HTTP(S) downloader. It recognizes a set of four basic commands, all five letters long, like abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation, or as a shellcode. It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code). The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen). The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022. CLOUDBURST aka NickelLoader is an HTTP(S) downloader. It recognizes a set of four basic commands, all five letters long, like abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation, or as a shellcode. It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. 
Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code). The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen). The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022. , YARA : [ rule win_cloudburst_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.cloudburst.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 4533c2 4133e8 45894424f8 41896c24fc 8bc5 } // n = 5, score = 300 // 4533c2 | lea edi, [0xc24d5] // 4133e8 | dec eax // 45894424f8 | mov esi, ebx // 41896c24fc | dec eax // 8bc5 | lea edi, [0xc22d7] $sequence_1 = { 4883ec08 8b05???????? 41be01000000 4c892c24 85c0 } // n = 5, score = 300 // 4883ec08 | movzx ecx, byte ptr [esi] // 8b05???????? | // 41be01000000 | movzx eax, cl // 4c892c24 | and al, 0xc0 // 85c0 | cmp al, 0x80 $sequence_2 = { 4c892c24 85c0 4c8bd9 4c8bd2 410f44c6 4533ed } // n = 6, score = 300 // 4c892c24 | xor ebx, ebx // 85c0 | nop dword ptr [eax + eax] // 4c8bd9 | dec esp // 4c8bd2 | mov edi, dword ptr [ebp] // 410f44c6 | dec ebp // 4533ed | mov esi, dword ptr [esp] $sequence_3 = { 488b0d???????? 488d542444 4533c9 4533c0 488bf8 418bdd ff15???????? } // n = 7, score = 300 // 488b0d???????? | // 488d542444 | mov dword ptr [esp + 0x50], ebp // 4533c9 | mov byte ptr [esp + 0x40], al // 4533c0 | inc esp // 488bf8 | lea eax, [eax + 7] // 418bdd | dec eax // ff15???????? | $sequence_4 = { 458942f4 458b4c24f8 418bc1 c1e818 } // n = 4, score = 300 // 458942f4 | xor ecx, eax // 458b4c24f8 | inc esp // 418bc1 | xor ecx, ecx // c1e818 | test edx, edx $sequence_5 = { ba00080000 488bcb e8???????? 4c8d442430 } // n = 4, score = 300 // ba00080000 | mov eax, dword ptr [edi + esi*8 + 0x10] // 488bcb | dec esp // e8???????? | // 4c8d442430 | lea esi, [eax + eax*2] $sequence_6 = { 8b05???????? 41be01000000 4c892c24 85c0 4c8bd9 } // n = 5, score = 300 // 8b05???????? 
| // 41be01000000 | arpl word ptr [edi + ebp*8 + 4], cx // 4c892c24 | dec eax // 85c0 | mov dword ptr [ebp - 0x38], esi // 4c8bd9 | dec eax $sequence_7 = { 03c2 8bc8 83e00f 3bc2 7407 } // n = 5, score = 300 // 03c2 | lea ecx, [ebp + 0x80] // 8bc8 | jne 0x13e8 // 83e00f | dec eax // 3bc2 | lea edx, [0xc0c18] // 7407 | dec eax $sequence_8 = { 33d6 41891424 4133d3 33fa 4189542404 33df 41897c2408 } // n = 7, score = 300 // 33d6 | jmp ecx // 41891424 | dec esp // 4133d3 | lea ecx, [0xbed79] // 33fa | dec eax // 4189542404 | lea edx, [0x15e74] // 33df | dec eax // 41897c2408 | mov ecx, esi $sequence_9 = { 41b904000000 4c8d442440 418d5101 ff15???????? 85c0 74b1 } // n = 6, score = 300 // 41b904000000 | dec eax // 4c8d442440 | mov ecx, dword ptr [esp + 0x60] // 418d5101 | inc esp // ff15???????? | // 85c0 | mov eax, edi // 74b1 | dec eax condition: 7 of them and filesize < 2363392 } ] }, { Malware : Conti , Description : Ransomware Ransomware There is no Yara-Signature yet. , YARA : [] }, { Malware : CryptoClippy , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : DoppelDridex , Description : DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure. DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure. 
, YARA : [ rule win_doppeldridex_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.doppeldridex.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 01501c 015020 015024 01500c } // n = 4, score = 1200 // 01501c | add dword ptr [eax + 0x1c], edx // 015020 | add dword ptr [eax + 0x20], edx // 015024 | add dword ptr [eax + 0x24], edx // 01500c | add dword ptr [eax + 0xc], edx $sequence_1 = { 33d2 3b7c2414 0f4cd3 032c24 03ee 2bea 8bc5 } // n = 7, score = 1200 // 33d2 | xor edx, edx // 3b7c2414 | cmp edi, dword ptr [esp + 0x14] // 0f4cd3 | cmovl edx, ebx // 032c24 | add ebp, dword ptr [esp] // 03ee | add ebp, esi // 2bea | sub ebp, edx // 8bc5 | mov eax, ebp $sequence_2 = { 011483 40 3b06 7cf8 } // n = 4, score = 1200 // 011483 | add dword ptr [ebx + eax*4], edx // 40 | inc eax // 3b06 | cmp eax, dword ptr [esi] // 7cf8 | jl 0xfffffffa $sequence_3 = { 010c28 8b4e04 42 8d41f8 d1e8 } // n = 5, score = 1200 // 010c28 | add dword ptr [eax + ebp], ecx // 8b4e04 | mov ecx, dword ptr [esi + 4] // 42 | inc edx // 8d41f8 | lea eax, [ecx - 8] // d1e8 | shr eax, 1 $sequence_4 = { 017c240c 3b5c2408 0f822affffff ff74240c } // n = 4, score = 1200 // 017c240c | add dword ptr [esp + 0xc], edi // 3b5c2408 | cmp ebx, dword ptr [esp + 8] // 0f822affffff | jb 0xffffff30 // ff74240c | push dword ptr [esp + 0xc] $sequence_5 = { 030c24 0fbe01 88442458 85c0 } // n = 4, score = 1200 // 030c24 | add ecx, dword ptr [esp] // 0fbe01 | movsx eax, byte ptr [ecx] // 88442458 | mov byte ptr [esp + 0x58], al // 85c0 | test eax, eax $sequence_6 = { 01500c 833920 751c 8bc1 } // n = 4, score = 1200 // 01500c | add dword ptr [eax + 0xc], edx // 833920 | cmp dword ptr [ecx], 0x20 // 751c | jne 0x1e // 8bc1 | mov eax, ecx $sequence_7 = { 0306 894218 47 3b7c2408 } // n = 4, score = 1200 // 0306 | add eax, dword ptr [esi] // 894218 | mov dword ptr [edx + 0x18], eax // 47 | inc edi // 3b7c2408 | cmp edi, dword ptr [esp + 8] $sequence_8 = { 7508 8b45f8 83c40c 5d c3 } // n = 5, score = 100 // 7508 | jne 0xa // 8b45f8 | mov eax, dword ptr [ebp - 8] // 83c40c | add esp, 0xc // 5d | pop ebp // c3 | ret $sequence_9 = { 8b459c 83c474 5e 
5f 5b } // n = 5, score = 100 // 8b459c | mov eax, dword ptr [ebp - 0x64] // 83c474 | add esp, 0x74 // 5e | pop esi // 5f | pop edi // 5b | pop ebx $sequence_10 = { 5e 5f 5d c3 8b45e4 8b4dec 8a1401 } // n = 7, score = 100 // 5e | pop esi // 5f | pop edi // 5d | pop ebp // c3 | ret // 8b45e4 | mov eax, dword ptr [ebp - 0x1c] // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 8a1401 | mov dl, byte ptr [ecx + eax] $sequence_11 = { 8945e0 74c2 eb9b 8b45f0 353857544f } // n = 5, score = 100 // 8945e0 | mov dword ptr [ebp - 0x20], eax // 74c2 | je 0xffffffc4 // eb9b | jmp 0xffffff9d // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // 353857544f | xor eax, 0x4f545738 $sequence_12 = { 0fb7c7 89442408 894c240c 8b45ac } // n = 4, score = 100 // 0fb7c7 | movzx eax, di // 89442408 | mov dword ptr [esp + 8], eax // 894c240c | mov dword ptr [esp + 0xc], ecx // 8b45ac | mov eax, dword ptr [ebp - 0x54] $sequence_13 = { 8b4da0 83f900 898570ffffff 0f840c010000 e9???????? } // n = 5, score = 100 // 8b4da0 | mov ecx, dword ptr [ebp - 0x60] // 83f900 | cmp ecx, 0 // 898570ffffff | mov dword ptr [ebp - 0x90], eax // 0f840c010000 | je 0x112 // e9???????? | $sequence_14 = { 7452 eb22 668b45c6 66c1e801 0fb7c8 } // n = 5, score = 100 // 7452 | je 0x54 // eb22 | jmp 0x24 // 668b45c6 | mov ax, word ptr [ebp - 0x3a] // 66c1e801 | shr ax, 1 // 0fb7c8 | movzx ecx, ax $sequence_15 = { 8b5dbc 891c24 89442404 0fb7c7 } // n = 4, score = 100 // 8b5dbc | mov ebx, dword ptr [ebp - 0x44] // 891c24 | mov dword ptr [esp], ebx // 89442404 | mov dword ptr [esp + 4], eax // 0fb7c7 | movzx eax, di condition: 7 of them and filesize < 360448 } ] }, { Malware : DoppelPaymer , Description : Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \ .how2decrypt.txt\ . 
Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \ .how2decrypt.txt\ . , YARA : [ rule win_doppelpaymer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.doppelpaymer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 80790600 7523 80790264 751d } // n = 4, score = 700 // 80790600 | cmp byte ptr [ecx + 6], 0 // 7523 | jne 0x25 // 80790264 | cmp byte ptr [ecx + 2], 0x64 // 751d | jne 0x1f $sequence_1 = { 80790561 7517 80790361 7511 80790474 } // n = 5, score = 700 // 80790561 | cmp byte ptr [ecx + 5], 0x61 // 7517 | jne 0x19 // 80790361 | cmp byte ptr [ecx + 3], 0x61 // 7511 | jne 0x13 // 80790474 | cmp byte ptr [ecx + 4], 0x74 $sequence_2 = { e8???????? 8b08 e8???????? 
3db6389096 } // n = 4, score = 700 // e8???????? | // 8b08 | mov ecx, dword ptr [eax] // e8???????? | // 3db6389096 | cmp eax, 0x969038b6 $sequence_3 = { 83ec28 6800002002 6a00 6a01 } // n = 4, score = 700 // 83ec28 | sub esp, 0x28 // 6800002002 | push 0x2200000 // 6a00 | push 0 // 6a01 | push 1 $sequence_4 = { 80790264 751d 80790561 7517 } // n = 4, score = 700 // 80790264 | cmp byte ptr [ecx + 2], 0x64 // 751d | jne 0x1f // 80790561 | cmp byte ptr [ecx + 5], 0x61 // 7517 | jne 0x19 $sequence_5 = { baffffff7f 43 e8???????? 3bd8 } // n = 4, score = 700 // baffffff7f | mov edx, 0x7fffffff // 43 | inc ebx // e8???????? | // 3bd8 | cmp ebx, eax $sequence_6 = { 8d8c2450010000 e8???????? 89bc245c010000 8d442404 } // n = 4, score = 600 // 8d8c2450010000 | lea ecx, [esp + 0x150] // e8???????? | // 89bc245c010000 | mov dword ptr [esp + 0x15c], edi // 8d442404 | lea eax, [esp + 4] $sequence_7 = { e8???????? 8d8c2424030000 e8???????? 6a10 } // n = 4, score = 600 // e8???????? | // 8d8c2424030000 | lea ecx, [esp + 0x324] // e8???????? | // 6a10 | push 0x10 $sequence_8 = { c20400 8b4e44 8b4110 5e } // n = 4, score = 100 // c20400 | ret 4 // 8b4e44 | mov ecx, dword ptr [esi + 0x44] // 8b4110 | mov eax, dword ptr [ecx + 0x10] // 5e | pop esi $sequence_9 = { 8955ec e8???????? 8d0d6f302b00 890424 894c2404 e8???????? 8d0d34302b00 } // n = 7, score = 100 // 8955ec | mov dword ptr [ebp - 0x14], edx // e8???????? | // 8d0d6f302b00 | lea ecx, [0x2b306f] // 890424 | mov dword ptr [esp], eax // 894c2404 | mov dword ptr [esp + 4], ecx // e8???????? | // 8d0d34302b00 | lea ecx, [0x2b3034] $sequence_10 = { 890c24 8945c8 e8???????? 8b4de8 890c24 8945c4 } // n = 6, score = 100 // 890c24 | mov dword ptr [esp], ecx // 8945c8 | mov dword ptr [ebp - 0x38], eax // e8???????? 
| // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 890c24 | mov dword ptr [esp], ecx // 8945c4 | mov dword ptr [ebp - 0x3c], eax $sequence_11 = { c3 8b45e8 b99054c837 8a55f3 80c2c9 2b4df4 } // n = 6, score = 100 // c3 | ret // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // b99054c837 | mov ecx, 0x37c85490 // 8a55f3 | mov dl, byte ptr [ebp - 0xd] // 80c2c9 | add dl, 0xc9 // 2b4df4 | sub ecx, dword ptr [ebp - 0xc] $sequence_12 = { 83ec08 8b4508 8b4054 89e1 894104 } // n = 5, score = 100 // 83ec08 | sub esp, 8 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b4054 | mov eax, dword ptr [eax + 0x54] // 89e1 | mov ecx, esp // 894104 | mov dword ptr [ecx + 4], eax $sequence_13 = { 8945c4 74d0 e9???????? 31c0 8b4db8 83c104 } // n = 6, score = 100 // 8945c4 | mov dword ptr [ebp - 0x3c], eax // 74d0 | je 0xffffffd2 // e9???????? | // 31c0 | xor eax, eax // 8b4db8 | mov ecx, dword ptr [ebp - 0x48] // 83c104 | add ecx, 4 $sequence_14 = { 5b 5d c3 b8e2f49a29 2b45ec 8b4dcc 81c1ffff0000 } // n = 7, score = 100 // 5b | pop ebx // 5d | pop ebp // c3 | ret // b8e2f49a29 | mov eax, 0x299af4e2 // 2b45ec | sub eax, dword ptr [ebp - 0x14] // 8b4dcc | mov ecx, dword ptr [ebp - 0x34] // 81c1ffff0000 | add ecx, 0xffff $sequence_15 = { e8???????? 8b4de8 8b55d8 895128 8b75c4 897114 } // n = 6, score = 100 // e8???????? | // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 8b55d8 | mov edx, dword ptr [ebp - 0x28] // 895128 | mov dword ptr [ecx + 0x28], edx // 8b75c4 | mov esi, dword ptr [ebp - 0x3c] // 897114 | mov dword ptr [ecx + 0x14], esi $sequence_16 = { a1???????? ffd0 8945bc 31c0 8b4de8 83c154 8b55e8 } // n = 7, score = 100 // a1???????? 
| // ffd0 | call eax // 8945bc | mov dword ptr [ebp - 0x44], eax // 31c0 | xor eax, eax // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 83c154 | add ecx, 0x54 // 8b55e8 | mov edx, dword ptr [ebp - 0x18] $sequence_17 = { c20400 8b400c 8b4810 56 8b700c 57 } // n = 6, score = 100 // c20400 | ret 4 // 8b400c | mov eax, dword ptr [eax + 0xc] // 8b4810 | mov ecx, dword ptr [eax + 0x10] // 56 | push esi // 8b700c | mov esi, dword ptr [eax + 0xc] // 57 | push edi condition: 7 of them and filesize < 7266304 } , /* # Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . */ rule win_doppelpaymer_w0 { meta: author = \ kevoreilly\ description = \ DoppelPaymer Payload\ source = \ https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer\ malpedia_version = \ 20200304\ malpedia_sharing = \ TLP:WHITE\ malpedia_license = \ \ strings: $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 
5B 5F C3} $cmd_string = \ Setup run\n\ wide condition: uint16(0) == 0x5A4D and all of them } ] }, { Malware : Dridex , Description : OxCERT blog describes Dridex as \ an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\ According to MalwareBytes, \ Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\ IBM X-Force discovered \ a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\ OxCERT blog describes Dridex as \ an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. 
For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\ According to MalwareBytes, \ Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\ IBM X-Force discovered \ a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\ , YARA : [ rule win_dridex_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.dridex.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. 
* This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffd6 85c0 7512 e8???????? eb03 } // n = 5, score = 4000 // ffd6 | call esi // 85c0 | test eax, eax // 7512 | jne 0x14 // e8???????? | // eb03 | jmp 5 $sequence_1 = { e8???????? b910270000 e8???????? e8???????? } // n = 4, score = 4000 // e8???????? | // b910270000 | mov ecx, 0x18 // e8???????? | // e8???????? | $sequence_2 = { c605????????01 c3 c605????????00 c3 } // n = 4, score = 3900 // c605????????01 | // c3 | add esi, -0x40 // c605????????00 | // c3 | cmp esi, 0xfc0 $sequence_3 = { 83f8ff 7505 e8???????? 3d34270000 } // n = 4, score = 3900 // 83f8ff | mov edx, dword ptr [esp + 0x7c] // 7505 | mov esi, dword ptr [edx + 0x3c] // e8???????? | // 3d34270000 | add edx, esi $sequence_4 = { ffd0 85c0 751f e8???????? } // n = 4, score = 3800 // ffd0 | jmp 9 // 85c0 | mov ecx, 0x2710 // 751f | call esi // e8???????? | $sequence_5 = { ffd0 e8???????? 85c0 74de } // n = 4, score = 3800 // ffd0 | call esi // e8???????? | // 85c0 | test eax, eax // 74de | jne 0x16 $sequence_6 = { 53 53 53 6a01 53 ffd0 } // n = 6, score = 3500 // 53 | push ebx // 53 | push ebx // 53 | push ebx // 6a01 | push 1 // 53 | push ebx // ffd0 | call eax $sequence_7 = { eb0a e8???????? eb03 6a7f 58 } // n = 5, score = 3000 // eb0a | jmp 0xc // e8???????? | // eb03 | jmp 5 // 6a7f | push 0x7f // 58 | pop eax $sequence_8 = { c3 31c0 c3 50 } // n = 4, score = 2500 // c3 | ret // 31c0 | xor eax, eax // c3 | ret // 50 | push eax $sequence_9 = { 7406 42 803a00 75fa } // n = 4, score = 2500 // 7406 | je 8 // 42 | inc edx // 803a00 | cmp byte ptr [edx], 0 // 75fa | jne 0xfffffffc $sequence_10 = { 7403 56 ffd0 33f6 } // n = 4, score = 2400 // 7403 | xor eax, eax // 56 | mov edx, eax // ffd0 | pop edi // 33f6 | pop esi $sequence_11 = { e8???????? 
85c0 7407 56 ffd0 } // n = 5, score = 2400 // e8???????? | // 85c0 | test eax, eax // 7407 | je 9 // 56 | push esi // ffd0 | call eax $sequence_12 = { 807c241400 7409 8d4c2410 e8???????? } // n = 4, score = 2400 // 807c241400 | cmp byte ptr [esp + 0x14], 0 // 7409 | je 0xb // 8d4c2410 | lea ecx, [esp + 0x10] // e8???????? | $sequence_13 = { e8???????? 6880000000 53 53 } // n = 4, score = 2300 // e8???????? | // 6880000000 | push 0x80 // 53 | push ebx // 53 | push ebx $sequence_14 = { e8???????? 85c0 7408 6a00 ffd0 } // n = 5, score = 2300 // e8???????? | // 85c0 | test eax, eax // 7408 | je 0xa // 6a00 | push 0 // ffd0 | call eax $sequence_15 = { e8???????? 6a00 8d4e1c e8???????? } // n = 4, score = 2200 // e8???????? | // 6a00 | test eax, eax // 8d4e1c | jne 0x16 // e8???????? | $sequence_16 = { e8???????? eb0a b9d0070000 e8???????? } // n = 4, score = 2200 // e8???????? | // eb0a | cmp eax, 0x3ef665a6 // b9d0070000 | jne 0x15 // e8???????? | $sequence_17 = { ffd0 5b c3 33c0 } // n = 4, score = 2200 // ffd0 | call eax // 5b | pop ebx // c3 | ret // 33c0 | xor eax, eax $sequence_18 = { c70350000000 eb0d 3da665f63e 7506 } // n = 4, score = 2200 // c70350000000 | mov dword ptr [ebx], 0x50 // eb0d | jmp 0xf // 3da665f63e | cmp eax, 0x3ef665a6 // 7506 | jne 8 $sequence_19 = { e8???????? 85c0 7404 6a7f } // n = 4, score = 2200 // e8???????? | // 85c0 | dec eax // 7404 | mov dword ptr [esp + 0x90], eax // 6a7f | call esi $sequence_20 = { 85c0 7407 685a040000 ffd0 } // n = 4, score = 2200 // 85c0 | je 5 // 7407 | push esi // 685a040000 | call eax // ffd0 | xor esi, esi $sequence_21 = { e8???????? 3db20d7897 7508 c70350000000 } // n = 4, score = 2200 // e8???????? | // 3db20d7897 | cmp eax, 0x97780db2 // 7508 | jne 0xa // c70350000000 | mov dword ptr [ebx], 0x50 $sequence_22 = { 8bc8 e8???????? 6a70 8bc8 e8???????? 6a73 8bc8 } // n = 7, score = 2100 // 8bc8 | push ebx // e8???????? | // 6a70 | je 0x11 // 8bc8 | push ebx // e8???????? 
| // 6a73 | push ebx // 8bc8 | push ebx $sequence_23 = { 50 e8???????? 8938 8b35???????? } // n = 4, score = 2100 // 50 | push eax // e8???????? | // 8938 | mov dword ptr [eax], edi // 8b35???????? | $sequence_24 = { 6a00 6a00 8d4dfc 51 6aff } // n = 5, score = 2100 // 6a00 | test eax, eax // 6a00 | je 0x19 // 8d4dfc | push 1 // 51 | push 0 // 6aff | push 0 $sequence_25 = { e8???????? 6a74 8bc8 e8???????? 6a74 8bc8 } // n = 6, score = 2100 // e8???????? | // 6a74 | push 0x73 // 8bc8 | mov ecx, eax // e8???????? | // 6a74 | test eax, eax // 8bc8 | je 0x17 $sequence_26 = { 6810270000 50 e8???????? 83c410 } // n = 4, score = 2100 // 6810270000 | je 0x17 // 50 | push 1 // e8???????? | // 83c410 | push 0 $sequence_27 = { 7411 c7461003000000 e8???????? 894614 } // n = 4, score = 2100 // 7411 | je 0x13 // c7461003000000 | mov dword ptr [esi + 0x10], 3 // e8???????? | // 894614 | mov dword ptr [esi + 0x14], eax $sequence_28 = { 85c0 7415 6a01 6a00 6a00 } // n = 5, score = 2100 // 85c0 | push 1 // 7415 | test eax, eax // 6a01 | je 9 // 6a00 | push esi // 6a00 | call eax $sequence_29 = { 6a00 8bcf e8???????? 50 ffd6 } // n = 5, score = 2100 // 6a00 | push 1 // 8bcf | push 0 // e8???????? | // 50 | test eax, eax // ffd6 | je 0x17 $sequence_30 = { eb08 83ca20 eb03 83ca10 } // n = 4, score = 2100 // eb08 | je 0x17 // 83ca20 | push 1 // eb03 | push 0 // 83ca10 | mov ecx, eax $sequence_31 = { 46 e8???????? c1e802 3bf0 } // n = 4, score = 2100 // 46 | push 0x74 // e8???????? | // c1e802 | mov ecx, eax // 3bf0 | push 0x74 $sequence_32 = { e8???????? e9???????? 807c245000 740a } // n = 4, score = 2100 // e8???????? | // e9???????? | // 807c245000 | mov dword ptr [ebx], 0x1bb // 740a | jne 0xa $sequence_33 = { e8???????? 8d4dc4 e8???????? 5e } // n = 4, score = 2100 // e8???????? | // 8d4dc4 | push 1 // e8???????? 
| // 5e | push 0 $sequence_34 = { 6802100000 68ffff0000 ff36 ffd0 } // n = 4, score = 2000 // 6802100000 | push 0x1002 // 68ffff0000 | push 0xffff // ff36 | push dword ptr [esi] // ffd0 | call eax $sequence_35 = { ffd0 85c0 7510 e8???????? } // n = 4, score = 2000 // ffd0 | mov dword ptr [ebx], 0x50 // 85c0 | jmp 0x15 // 7510 | cmp eax, 0x3ef665a6 // e8???????? | $sequence_36 = { c20400 55 8bec 83ec34 8365fc00 } // n = 5, score = 2000 // c20400 | ret 4 // 55 | push ebp // 8bec | mov ebp, esp // 83ec34 | sub esp, 0x34 // 8365fc00 | and dword ptr [ebp - 4], 0 $sequence_37 = { 89442404 eb00 8b442404 89c1 89ca } // n = 5, score = 2000 // 89442404 | mov dword ptr [esp + 4], eax // eb00 | jmp 2 // 8b442404 | mov eax, dword ptr [esp + 4] // 89c1 | mov ecx, eax // 89ca | mov edx, ecx $sequence_38 = { 7414 31c0 89c1 8b442424 88c2 8854240f } // n = 6, score = 2000 // 7414 | je 0x16 // 31c0 | xor eax, eax // 89c1 | mov ecx, eax // 8b442424 | mov eax, dword ptr [esp + 0x24] // 88c2 | mov dl, al // 8854240f | mov byte ptr [esp + 0xf], dl $sequence_39 = { 8b442428 6689c1 66894c2458 66894c245a } // n = 4, score = 2000 // 8b442428 | mov eax, dword ptr [esp + 0x28] // 6689c1 | mov cx, ax // 66894c2458 | mov word ptr [esp + 0x58], cx // 66894c245a | mov word ptr [esp + 0x5a], cx $sequence_40 = { 8a442427 a801 7534 eb00 31c0 89c1 } // n = 6, score = 2000 // 8a442427 | mov al, byte ptr [esp + 0x27] // a801 | test al, 1 // 7534 | jne 0x36 // eb00 | jmp 2 // 31c0 | xor eax, eax // 89c1 | mov ecx, eax $sequence_41 = { 6a64 59 e8???????? 33c9 e8???????? } // n = 5, score = 2000 // 6a64 | mov ecx, eax // 59 | push 0x73 // e8???????? | // 33c9 | mov ecx, eax // e8???????? 
| $sequence_42 = { 51 6801100000 68ffff0000 ff36 } // n = 4, score = 2000 // 51 | push ecx // 6801100000 | push 0x1001 // 68ffff0000 | push 0xffff // ff36 | push dword ptr [esi] $sequence_43 = { 7406 6a02 ff36 ffd0 } // n = 4, score = 2000 // 7406 | je 8 // 6a02 | push 2 // ff36 | push dword ptr [esi] // ffd0 | call eax $sequence_44 = { 740d 40 83c104 3d00100000 } // n = 4, score = 2000 // 740d | je 0xf // 40 | inc eax // 83c104 | add ecx, 4 // 3d00100000 | cmp eax, 0x1000 $sequence_45 = { 885c2407 89442408 7598 8a442407 a801 } // n = 5, score = 2000 // 885c2407 | mov byte ptr [esp + 7], bl // 89442408 | mov dword ptr [esp + 8], eax // 7598 | jne 0xffffff9a // 8a442407 | mov al, byte ptr [esp + 7] // a801 | test al, 1 $sequence_46 = { c7461002000000 eb0f c7461003000000 e8???????? } // n = 4, score = 2000 // c7461002000000 | mov dword ptr [esi + 0x10], 2 // eb0f | jmp 0x11 // c7461003000000 | mov dword ptr [esi + 0x10], 3 // e8???????? | $sequence_47 = { 890424 894c2404 75dd 8b0424 } // n = 4, score = 2000 // 890424 | mov dword ptr [esp], eax // 894c2404 | mov dword ptr [esp + 4], ecx // 75dd | jne 0xffffffdf // 8b0424 | mov eax, dword ptr [esp] $sequence_48 = { e8???????? 50 56 8bcb e8???????? 50 e8???????? } // n = 7, score = 2000 // e8???????? | // 50 | push eax // 56 | push esi // 8bcb | mov ecx, ebx // e8???????? | // 50 | push eax // e8???????? | $sequence_49 = { 8954242c 8b44242c 89c1 89ca } // n = 4, score = 2000 // 8954242c | mov dword ptr [esp + 0x2c], edx // 8b44242c | mov eax, dword ptr [esp + 0x2c] // 89c1 | mov ecx, eax // 89ca | mov edx, ecx $sequence_50 = { eb0a b988130000 e8???????? 33d2 } // n = 4, score = 2000 // eb0a | cmp eax, 0x97780db2 // b988130000 | jne 0xf // e8???????? | // 33d2 | mov dword ptr [ebx], 0x50 $sequence_51 = { 740a 488d4c2448 e8???????? 488d4c2430 e8???????? e9???????? } // n = 6, score = 2000 // 740a | inc esi // 488d4c2448 | shr eax, 2 // e8???????? | // 488d4c2430 | cmp esi, eax // e8???????? | // e9???????? 
| $sequence_52 = { e8???????? 84c0 740f 6a05 } // n = 4, score = 1900 // e8???????? | // 84c0 | test al, al // 740f | je 0x11 // 6a05 | push 5 $sequence_53 = { e8???????? 8be8 85ed 7458 } // n = 4, score = 1900 // e8???????? | // 8be8 | mov ebp, eax // 85ed | test ebp, ebp // 7458 | je 0x5a $sequence_54 = { e8???????? 6880000000 55 55 } // n = 4, score = 1800 // e8???????? | // 6880000000 | push 0x80 // 55 | push ebp // 55 | push ebp $sequence_55 = { ff7508 ffd0 33c0 40 5d } // n = 5, score = 1700 // ff7508 | push dword ptr [ebp + 8] // ffd0 | call eax // 33c0 | xor eax, eax // 40 | inc eax // 5d | pop ebp $sequence_56 = { c3 55 8bec 837d0800 7422 } // n = 5, score = 1700 // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // 837d0800 | cmp dword ptr [ebp + 8], 0 // 7422 | je 0x24 $sequence_57 = { 8d4de0 51 68???????? ffd0 } // n = 4, score = 1600 // 8d4de0 | lea ecx, [ebp - 0x20] // 51 | push ecx // 68???????? | // ffd0 | call eax $sequence_58 = { 6a73 e8???????? 833f00 7523 } // n = 4, score = 1500 // 6a73 | push 0x73 // e8???????? | // 833f00 | cmp dword ptr [edi], 0 // 7523 | jne 0x25 $sequence_59 = { 6a00 6a02 ffd0 50 } // n = 4, score = 1500 // 6a00 | push 0 // 6a02 | push 2 // ffd0 | call eax // 50 | push eax $sequence_60 = { e8???????? 8bc8 a1???????? ff30 } // n = 4, score = 1400 // e8???????? | // 8bc8 | mov ecx, eax // a1???????? | // ff30 | push dword ptr [eax] $sequence_61 = { 5e c3 31c0 89c2 } // n = 4, score = 1200 // 5e | jne 0xffffff9a // c3 | mov al, byte ptr [esp + 7] // 31c0 | test al, 1 // 89c2 | je 0x16 $sequence_62 = { e8???????? 50 ffd7 85c0 7512 } // n = 5, score = 900 // e8???????? | // 50 | push eax // ffd7 | call edi // 85c0 | test eax, eax // 7512 | jne 0x14 $sequence_63 = { eb0c e8???????? 8bf0 eb03 6a7f 5e } // n = 6, score = 900 // eb0c | jmp 0xe // e8???????? 
| // 8bf0 | mov esi, eax // eb03 | jmp 5 // 6a7f | push 0x7f // 5e | pop esi $sequence_64 = { 8b45cc 31c9 8b55d0 39c2 } // n = 4, score = 800 // 8b45cc | mov eax, dword ptr [ebp - 0x34] // 31c9 | xor ecx, ecx // 8b55d0 | mov edx, dword ptr [ebp - 0x30] // 39c2 | cmp edx, eax $sequence_65 = { 8038e9 89c1 8945d0 894dcc } // n = 4, score = 800 // 8038e9 | cmp byte ptr [eax], 0xe9 // 89c1 | mov ecx, eax // 8945d0 | mov dword ptr [ebp - 0x30], eax // 894dcc | mov dword ptr [ebp - 0x34], ecx $sequence_66 = { e8???????? 50 53 8d4dd0 e8???????? 50 } // n = 6, score = 700 // e8???????? | // 50 | push eax // 53 | push ebx // 8d4dd0 | lea ecx, [ebp - 0x30] // e8???????? | // 50 | push eax $sequence_67 = { 8b45e8 05ffff0000 25ffff0000 83c001 } // n = 4, score = 700 // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 05ffff0000 | add eax, 0xffff // 25ffff0000 | and eax, 0xffff // 83c001 | add eax, 1 $sequence_68 = { 8b4de8 81c1ffff0000 81e1ffff0000 83c101 } // n = 4, score = 600 // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 81c1ffff0000 | add ecx, 0xffff // 81e1ffff0000 | and ecx, 0xffff // 83c101 | add ecx, 1 $sequence_69 = { 50 8b442408 8038e9 890424 7517 8b0424 8b4801 } // n = 7, score = 600 // 50 | push eax // 8b442408 | ret // 8038e9 | xor eax, eax // 890424 | ret // 7517 | push eax // 8b0424 | push eax // 8b4801 | mov eax, dword ptr [esp + 8] $sequence_70 = { 8b704c 2b7134 891424 89742404 894c2418 e8???????? } // n = 6, score = 600 // 8b704c | cmp byte ptr [eax], 0xe9 // 2b7134 | mov dword ptr [esp], eax // 891424 | jne 0x19 // 89742404 | mov eax, dword ptr [esp] // 894c2418 | mov ecx, dword ptr [eax + 1] // e8???????? 
| $sequence_71 = { 8b55bc 8955c4 776a 31c0 8b4dac 8b510c } // n = 6, score = 600 // 8b55bc | mov dword ptr [esp + 8], eax // 8955c4 | jne 0xffffff9e // 776a | mov al, byte ptr [esp + 7] // 31c0 | dec eax // 8b4dac | add eax, 1 // 8b510c | dec esp $sequence_72 = { 807c0805e9 891424 74e9 8b0424 } // n = 4, score = 600 // 807c0805e9 | push eax // 891424 | mov eax, dword ptr [esp + 8] // 74e9 | cmp byte ptr [eax], 0xe9 // 8b0424 | mov dword ptr [esp], eax $sequence_73 = { 8b450c 8b4d08 8b503c 6689d6 6683fe00 89c7 8945f0 } // n = 7, score = 600 // 8b450c | mov eax, dword ptr [ebp + 0xc] // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 8b503c | mov edx, dword ptr [eax + 0x3c] // 6689d6 | mov si, dx // 6683fe00 | cmp si, 0 // 89c7 | mov edi, eax // 8945f0 | mov dword ptr [ebp - 0x10], eax $sequence_74 = { 83c001 8b4de8 01c1 894de0 } // n = 4, score = 600 // 83c001 | add eax, 1 // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 01c1 | add ecx, eax // 894de0 | mov dword ptr [ebp - 0x20], ecx $sequence_75 = { 7517 8b0424 8b4801 89c2 01ca 83c205 } // n = 6, score = 600 // 7517 | mov esi, dword ptr [eax + 0x4c] // 8b0424 | sub esi, dword ptr [ecx + 0x34] // 8b4801 | mov dword ptr [esp], edx // 89c2 | mov dword ptr [esp + 4], esi // 01ca | mov dword ptr [esp + 0x18], ecx // 83c205 | jne 0x19 $sequence_76 = { 8b513c 6689d6 6683fe00 89cf 8945f0 894dec } // n = 6, score = 600 // 8b513c | mov edx, dword ptr [ecx + 0x3c] // 6689d6 | mov si, dx // 6683fe00 | cmp si, 0 // 89cf | mov edi, ecx // 8945f0 | mov dword ptr [ebp - 0x10], eax // 894dec | mov dword ptr [ebp - 0x14], ecx $sequence_77 = { 01ca 83c205 807c0805e9 891424 } // n = 4, score = 600 // 01ca | mov eax, 1 // 83c205 | ret // 807c0805e9 | xor eax, eax // 891424 | ret $sequence_78 = { 89c7 8945f0 894dec 8955e8 897de4 } // n = 5, score = 600 // 89c7 | mov edi, eax // 8945f0 | mov dword ptr [ebp - 0x10], eax // 894dec | mov dword ptr [ebp - 0x14], ecx // 8955e8 | mov dword ptr [ebp - 0x18], edx // 897de4 | mov dword ptr [ebp - 0x1c], 
edi $sequence_79 = { 5b 5e 5d c3 55 89e5 6a00 } // n = 7, score = 500 // 5b | ret // 5e | cmp eax, -1 // 5d | jne 7 // c3 | cmp eax, 0x2734 // 55 | test al, al // 89e5 | je 0xe // 6a00 | mov ecx, 0x3e8 $sequence_80 = { 83c001 8b4df8 01c1 894df0 8b45f0 } // n = 5, score = 500 // 83c001 | jne 0x16 // 8b4df8 | jmp 9 // 01c1 | mov ecx, 0x2710 // 894df0 | cmp eax, -1 // 8b45f0 | jne 7 $sequence_81 = { 83c454 5b 5e 5f 5d c3 55 } // n = 7, score = 500 // 83c454 | jne 0x38 // 5b | jmp 6 // 5e | xor eax, eax // 5f | mov ecx, eax // 5d | mov dword ptr [esp + 0x2c], edx // c3 | mov eax, dword ptr [esp + 0x2c] // 55 | mov ecx, eax $sequence_82 = { 894df0 8b45f0 83c40c 5e } // n = 4, score = 500 // 894df0 | and eax, 0xffff // 8b45f0 | add eax, 1 // 83c40c | mov ecx, dword ptr [ebp - 0x58] // 5e | add ecx, eax $sequence_83 = { e9???????? 8b45e0 83c438 5f } // n = 4, score = 500 // e9???????? | // 8b45e0 | dec esp // 83c438 | mov eax, dword ptr [esp + 0x18] // 5f | dec esp $sequence_84 = { 8945f8 894df4 8975f0 7418 8b45f4 05ffff0000 } // n = 6, score = 500 // 8945f8 | je 0xb // 894df4 | push 0x45a // 8975f0 | test eax, eax // 7418 | je 0xb // 8b45f4 | push 0x45a // 05ffff0000 | call eax $sequence_85 = { 25ffff0000 83c001 8b4da8 01c1 } // n = 4, score = 500 // 25ffff0000 | mov dword ptr [ebp - 0x10], ecx // 83c001 | mov eax, dword ptr [ebp - 0x10] // 8b4da8 | add esp, 0xc // 01c1 | pop esi $sequence_86 = { 8945c4 894dc0 885dbf 8975b8 } // n = 4, score = 500 // 8945c4 | call eax // 894dc0 | push 0 // 885dbf | lea ecx, [esi + 0x1c] // 8975b8 | test eax, eax $sequence_87 = { c3 55 89e5 57 56 53 83ec54 } // n = 7, score = 500 // c3 | mov edx, ecx // 55 | mov eax, dword ptr [esp + 0x28] // 89e5 | mov cx, ax // 57 | mov word ptr [esp + 0x58], cx // 56 | mov word ptr [esp + 0x5a], cx // 53 | jne 0x36 // 83ec54 | jmp 2 $sequence_88 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 31f6 } // n = 7, score = 400 // 5b | ret // 5d | mov eax, dword ptr [ebp - 0x30] // c3 | mov ecx, dword ptr [ebp - 0x2c] // 
8b45d0 | pop ebx // 8b4dd4 | pop ebp // 668b55d8 | ret // 31f6 | mov eax, dword ptr [ebp - 0x30] $sequence_89 = { 8b45e0 83c45c 5f 5b 5e 5d } // n = 6, score = 400 // 8b45e0 | xor eax, eax // 83c45c | pop ebx // 5f | pop esi // 5b | pop ebp // 5e | ret // 5d | push ebp $sequence_90 = { 53 56 83ec38 8b450c 8b4d08 } // n = 5, score = 300 // 53 | mov dword ptr [ebp - 0x3c], ebx // 56 | mov dword ptr [ebp - 0x1c], eax // 83ec38 | jne 0xfffffee6 // 8b450c | mov eax, dword ptr [ebp - 0x1c] // 8b4d08 | add esp, 0x74 $sequence_91 = { c7424800b00400 8b7c2418 c787cc00000000000000 c787c800000000000000 } // n = 4, score = 300 // c7424800b00400 | mov dword ptr [esp], edx // 8b7c2418 | mov dword ptr [esp + 4], esi // c787cc00000000000000 | mov dword ptr [esp + 0x18], ecx // c787c800000000000000 | xor eax, eax $sequence_92 = { 8955cc 74bc 8b45cc 83c454 5b 5e } // n = 6, score = 300 // 8955cc | push ebp // 74bc | mov ebp, esp // 8b45cc | push edi // 83c454 | push esi // 5b | push ebx // 5e | sub esp, 0x54 $sequence_93 = { 6a00 e8???????? 83c408 c3 6a00 68???????? } // n = 6, score = 300 // 6a00 | mov dword ptr [esp], edx // e8???????? | // 83c408 | mov dword ptr [esp + 4], esi // c3 | mov dword ptr [esp + 0x18], ecx // 6a00 | mov ecx, dword ptr [esp + 0x20] // 68???????? 
| $sequence_94 = { 8d442448 b91c000000 8b542438 891424 89442404 c74424081c000000 894c2434 } // n = 7, score = 300 // 8d442448 | mov dword ptr [edx + 0x48], 0x4b000 // b91c000000 | mov edi, dword ptr [esp + 0x18] // 8b542438 | mov dword ptr [edi + 0xcc], 0 // 891424 | mov dword ptr [edi + 0xc8], 0 // 89442404 | mov dword ptr [edx + 0x48], 0x4b000 // c74424081c000000 | mov edi, dword ptr [esp + 0x18] // 894c2434 | mov dword ptr [edi + 0xcc], 0 $sequence_95 = { 893c24 89442404 c744240804000000 8954240c 89ac248c000000 898c2488000000 } // n = 6, score = 300 // 893c24 | mov eax, dword ptr [esp] // 89442404 | mov ecx, dword ptr [eax + 1] // c744240804000000 | mov eax, dword ptr [esp + 8] // 8954240c | cmp byte ptr [eax], 0xe9 // 89ac248c000000 | mov dword ptr [esp], eax // 898c2488000000 | jne 0x1f $sequence_96 = { 8945c8 75e4 83c448 5e 5f 5b 5d } // n = 7, score = 300 // 8945c8 | mov eax, dword ptr [ebp - 0x34] // 75e4 | add esp, 0x54 // 83c448 | pop edi // 5e | mov dword ptr [ebp - 0x38], eax // 5f | jne 0xffffffe6 // 5b | add esp, 0x48 // 5d | pop esi $sequence_97 = { 53 83ec74 8b450c 8b4d08 31d2 8b713c } // n = 6, score = 300 // 53 | pop edi // 83ec74 | pop ebp // 8b450c | mov eax, dword ptr [ebp - 0x34] // 8b4d08 | add esp, 0x54 // 31d2 | pop ebx // 8b713c | pop esi $sequence_98 = { 0f85dafeffff 8b45e4 83c474 5b } // n = 4, score = 300 // 0f85dafeffff | pop edi // 8b45e4 | pop ebp // 83c474 | ret // 5b | mov dword ptr [ebp - 0x34], edx $sequence_99 = { 55 89e5 56 57 53 83ec70 } // n = 6, score = 300 // 55 | mov eax, dword ptr [ebp - 0x10] // 89e5 | add esp, 0xc // 56 | pop esi // 57 | mov dword ptr [ebp - 0xc], ecx // 53 | mov dword ptr [ebp - 0x10], esi // 83ec70 | je 0x1d $sequence_100 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 } // n = 5, score = 300 // 53 | mov dword ptr [ebp - 0x1c], eax // 81ecb0000000 | jne 0xfffffee3 // 8b4508 | mov eax, dword ptr [ebp - 0x1c] // 8d4dd8 | add esp, 0x74 // c745d800000000 | pop ebx $sequence_101 = { 5b 5d c3 8b45f0 
8b0c8504406e00 8b55f8 39d1 } // n = 7, score = 300 // 5b | mov bl, 1 // 5d | mov dword ptr [edx + 0x48], 0x4b000 // c3 | mov edi, dword ptr [ebp - 0x1c] // 8b45f0 | mov dword ptr [edi + 0xcc], 0 // 8b0c8504406e00 | mov dword ptr [edi + 0xc8], 0 // 8b55f8 | mov dword ptr [ebp - 0x24], eax // 39d1 | mov eax, ecx $sequence_102 = { 8b0c8504406e00 8b55f8 39d1 8945ec 894de8 7212 } // n = 6, score = 300 // 8b0c8504406e00 | mov dword ptr [ebp - 0x24], eax // 8b55f8 | mov dword ptr [edx + 0x48], 0x4b000 // 39d1 | mov edi, dword ptr [ebp - 0x1c] // 8945ec | mov dword ptr [edi + 0xcc], 0 // 894de8 | mov dword ptr [edi + 0xc8], 0 // 7212 | pop ebx $sequence_103 = { 83f900 89442464 0f84f2010000 b801000000 8b4c2468 8b91a4000000 } // n = 6, score = 300 // 83f900 | mov dword ptr [esp], ecx // 89442464 | push 0 // 0f84f2010000 | add esp, 8 // b801000000 | ret // 8b4c2468 | push 0 // 8b91a4000000 | cmp ecx, 0 $sequence_104 = { 83c470 5b 5f 5e 5d c3 } // n = 6, score = 300 // 83c470 | mov dword ptr [ebp - 8], eax // 5b | mov dword ptr [ebp - 0xc], ecx // 5f | mov dword ptr [ebp - 0x10], esi // 5e | je 0x25 // 5d | mov eax, dword ptr [ebp - 0xc] // c3 | add ecx, eax $sequence_105 = { 8b45e0 83c438 5e 5b } // n = 4, score = 300 // 8b45e0 | pop ebx // 83c438 | push ebx // 5e | sub esp, 0xb0 // 5b | mov eax, dword ptr [ebp + 8] $sequence_106 = { 57 83ec20 8b4508 890424 } // n = 4, score = 300 // 57 | pop esi // 83ec20 | je 0xffffffbe // 8b4508 | mov eax, dword ptr [ebp - 0x34] // 890424 | add esp, 0x54 $sequence_107 = { 890424 e8???????? 31c0 83c420 5f } // n = 5, score = 300 // 890424 | pop edi // e8???????? 
| // 31c0 | mov dword ptr [ebp - 0x60], eax // 83c420 | mov dword ptr [ebp - 0x34], edx // 5f | je 0xffffffc1 $sequence_108 = { c7424800c00400 8b7de4 c787cc00000000000000 c787c800000000000000 } // n = 4, score = 200 // c7424800c00400 | mov eax, dword ptr [ebp + 8] // 8b7de4 | mov dword ptr [esp], eax // c787cc00000000000000 | push edi // c787c800000000000000 | sub esp, 0x20 $sequence_109 = { 897dd8 8b45d8 83c444 5b 5e 5f } // n = 6, score = 200 // 897dd8 | mov ecx, dword ptr [ebp + 8] // 8b45d8 | xor edx, edx // 83c444 | mov esi, dword ptr [eax + 0x3c] // 5b | mov dword ptr [ebp - 0x28], edi // 5e | mov eax, dword ptr [ebp - 0x28] // 5f | add esp, 0x44 $sequence_110 = { e8???????? 8d0d44306e00 31d2 8b75f8 89462c } // n = 5, score = 200 // e8???????? | // 8d0d44306e00 | mov dword ptr [ebp - 0x14], eax // 31d2 | mov dword ptr [ebp - 0x18], ecx // 8b75f8 | jb 0x1f // 89462c | mov eax, dword ptr [ebp - 0x14] $sequence_111 = { 894620 890c24 c744240400000000 8955e0 e8???????? 8d0dd8306e00 890424 } // n = 7, score = 200 // 894620 | mov esi, dword ptr [ebp - 8] // 890c24 | mov dword ptr [esi + 0xc], eax // c744240400000000 | mov dword ptr [esp], ecx // 8955e0 | lea edx, [0x6e305e] // e8???????? 
| // 8d0dd8306e00 | sub esp, 4 // 890424 | mov dword ptr [esp], edx $sequence_112 = { 8d155e306e00 83ec04 891424 8945e8 894de4 } // n = 5, score = 200 // 8d155e306e00 | mov dword ptr [esp + 4], ecx // 83ec04 | mov dword ptr [ebp - 8], eax // 891424 | lea ecx, [0x6e3044] // 8945e8 | xor edx, edx // 894de4 | mov dword ptr [esp], ecx $sequence_113 = { 8b55f4 8b75ec 89723c c7424004000000 c742442c0c0200 c7424800b00400 } // n = 6, score = 200 // 8b55f4 | add esp, 0x54 // 8b75ec | pop edi // 89723c | pop ebx // c7424004000000 | mov edx, dword ptr [ebp - 0xc] // c742442c0c0200 | mov esi, dword ptr [ebp - 0x14] // c7424800b00400 | mov dword ptr [edx + 0x3c], esi $sequence_114 = { 55 89e5 53 56 57 83ec38 8b450c } // n = 7, score = 200 // 55 | mov dword ptr [edx + 0x48], 0x4b000 // 89e5 | mov edi, dword ptr [ebp - 0x1c] // 53 | mov dword ptr [edi + 0xcc], 0 // 56 | je 0xffffffbe // 57 | mov eax, dword ptr [ebp - 0x34] // 83ec38 | add esp, 0x54 // 8b450c | pop edi $sequence_115 = { c742442c0c0200 c7424800b00400 8b7de4 c787cc00000000000000 } // n = 4, score = 200 // c742442c0c0200 | mov dword ptr [edx + 0x3c], esi // c7424800b00400 | mov dword ptr [edx + 0x40], 4 // 8b7de4 | mov dword ptr [edx + 0x44], 0x20c2c // c787cc00000000000000 | mov dword ptr [edx + 0x44], 0x20c2c $sequence_116 = { 8d0dbc306e00 890424 894c2404 e8???????? 8d0d44306e00 } // n = 5, score = 200 // 8d0dbc306e00 | ret // 890424 | mov eax, dword ptr [ebp - 0x10] // 894c2404 | mov ecx, dword ptr [eax*4 + 0x6e4004] // e8???????? | // 8d0d44306e00 | mov edx, dword ptr [ebp - 8] $sequence_117 = { 74bc 8b45cc 83c454 5f 5b 5e } // n = 6, score = 200 // 74bc | push ebx // 8b45cc | push edi // 83c454 | sub esp, 0x54 // 5f | je 0xffffffbe // 5b | mov eax, dword ptr [ebp - 0x34] // 5e | add esp, 0x54 $sequence_118 = { 0f84e2feffff e9???????? 8b45e0 83c45c 5e 5f 5b } // n = 7, score = 200 // 0f84e2feffff | mov eax, dword ptr [ebp + 8] // e9???????? 
| // 8b45e0 | lea ecx, [ebp - 0x28] // 83c45c | mov dword ptr [ebp - 0x28], 0 // 5e | je 0xfffffee8 // 5f | mov eax, dword ptr [ebp - 0x20] // 5b | add esp, 0x5c $sequence_119 = { 56 53 57 83ec44 8b4508 } // n = 5, score = 200 // 56 | mov dword ptr [esp], ecx // 53 | mov eax, dword ptr [ebp - 0x28] // 57 | add esp, 0x44 // 83ec44 | pop edi // 8b4508 | pop ebx $sequence_120 = { 8955e0 e8???????? 8d0dd8302700 890424 } // n = 4, score = 100 // 8955e0 | ret // e8???????? | // 8d0dd8302700 | push ebp // 890424 | mov ebp, esp $sequence_121 = { 89462c 890c24 c744240400000000 8955d8 e8???????? 8d0d04318400 } // n = 6, score = 100 // 89462c | mov edi, dword ptr [ebp - 0x1c] // 890c24 | mov dword ptr [edi + 0xcc], 0 // c744240400000000 | mov dword ptr [edi + 0xc8], 0 // 8955d8 | mov dword ptr [ebp - 0x24], eax // e8???????? | // 8d0d04318400 | mov dword ptr [edx + 0x48], 0x4c000 $sequence_122 = { c7424004000000 c7424499040200 c7424800c00400 8b7de4 } // n = 4, score = 100 // c7424004000000 | mov dword ptr [edi + 0xcc], 0 // c7424499040200 | mov dword ptr [edi + 0xc8], 0 // c7424800c00400 | mov dword ptr [ebp - 0x24], eax // 8b7de4 | mov eax, ecx $sequence_123 = { c3 55 89e5 83ec10 8b4508 8d0d44302500 } // n = 6, score = 100 // c3 | push edi // 55 | sub esp, 0x38 // 89e5 | mov eax, dword ptr [ebp - 0x20] // 83ec10 | add esp, 0x38 // 8b4508 | pop edi // 8d0d44302500 | pop esi $sequence_124 = { 56 83ec44 8b4508 8d0d30302500 31d2 890c24 } // n = 6, score = 100 // 56 | mov dword ptr [esp + 4], 0 // 83ec44 | mov dword ptr [ebp - 0x28], edx // 8b4508 | lea ecx, [0x253104] // 8d0d30302500 | ret // 31d2 | push ebp // 890c24 | mov ebp, esp $sequence_125 = { 31c0 8d0d5a232f00 8b55c8 39ca 8945cc 0f84f9000000 } // n = 6, score = 100 // 31c0 | mov dword ptr [esi + 8], eax // 8d0d5a232f00 | mov dword ptr [esp], ecx // 8b55c8 | mov dword ptr [esp + 4], 0 // 39ca | xor eax, eax // 8945cc | lea ecx, [0x2f235a] // 0f84f9000000 | mov edx, dword ptr [ebp - 0x38] $sequence_126 = { 890c24 
c744240400000000 8955e4 e8???????? 8d0dc9302f00 890424 894c2404 } // n = 7, score = 100 // 890c24 | mov edx, dword ptr [ebp - 8] // c744240400000000 | cmp ecx, edx // 8955e4 | mov dword ptr [ebp - 0x14], eax // e8???????? | // 8d0dc9302f00 | mov dword ptr [esp], ecx // 890424 | mov dword ptr [esp + 4], 0 // 894c2404 | mov dword ptr [ebp - 0x1c], edx $sequence_127 = { 8d0d44302f00 31d2 8b75f8 894608 890c24 c744240400000000 } // n = 6, score = 100 // 8d0d44302f00 | mov dword ptr [esp], edx // 31d2 | mov dword ptr [ebp - 0x18], eax // 8b75f8 | mov dword ptr [ebp - 0x1c], ecx // 894608 | lea ecx, [0x2f3044] // 890c24 | xor edx, edx // c744240400000000 | mov esi, dword ptr [ebp - 8] $sequence_128 = { 8d0d30302700 31d2 890c24 c744240400000000 8945f0 8955ec e8???????? } // n = 7, score = 100 // 8d0d30302700 | mov dword ptr [ebp - 0x20], edx // 31d2 | lea ecx, [0x2730d8] // 890c24 | mov dword ptr [esp], eax // c744240400000000 | lea ecx, [0x273030] // 8945f0 | xor edx, edx // 8955ec | mov dword ptr [esp], ecx // e8???????? | condition: 7 of them and filesize < 1040384 } ] }, { Malware : ERMAC , Description : According to Intel471, ERMAC, an Android banking trojan enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials According to Intel471, ERMAC, an Android banking trojan enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials There is no Yara-Signature yet. , YARA : [] }, { Malware : FriedEx , Description : There is no description at this point. 
, YARA : [ rule win_friedex_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.friedex.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 57 8bc8 e8???????? 6a26 } // n = 5, score = 800 // e8???????? | // 57 | push edi // 8bc8 | mov ecx, eax // e8???????? | // 6a26 | push 0x26 $sequence_1 = { c20c00 51 51 53 55 8be9 c744240820090d0a } // n = 7, score = 800 // c20c00 | ret 0xc // 51 | push ecx // 51 | push ecx // 53 | push ebx // 55 | push ebp // 8be9 | mov ebp, ecx // c744240820090d0a | mov dword ptr [esp + 8], 0xa0d0920 $sequence_2 = { 1adb e8???????? 6a20 5f } // n = 4, score = 800 // 1adb | sbb bl, bl // e8???????? 
| // 6a20 | push 0x20 // 5f | pop edi $sequence_3 = { 74f9 33c9 663908 0f94c0 5f 5e 5d } // n = 7, score = 800 // 74f9 | je 0xfffffffb // 33c9 | xor ecx, ecx // 663908 | cmp word ptr [eax], cx // 0f94c0 | sete al // 5f | pop edi // 5e | pop esi // 5d | pop ebp $sequence_4 = { 663910 7431 8bd8 8d7102 eb1d } // n = 5, score = 800 // 663910 | cmp word ptr [eax], dx // 7431 | je 0x33 // 8bd8 | mov ebx, eax // 8d7102 | lea esi, [ecx + 2] // eb1d | jmp 0x1f $sequence_5 = { 5f 5b 5e 5d c20c00 51 } // n = 6, score = 800 // 5f | pop edi // 5b | pop ebx // 5e | pop esi // 5d | pop ebp // c20c00 | ret 0xc // 51 | push ecx $sequence_6 = { 75c1 6a2a 5f eb06 b001 eb0f 03c5 } // n = 7, score = 800 // 75c1 | jne 0xffffffc3 // 6a2a | push 0x2a // 5f | pop edi // eb06 | jmp 8 // b001 | mov al, 1 // eb0f | jmp 0x11 // 03c5 | add eax, ebp $sequence_7 = { 6a00 ff760c ffd0 8b442408 5e } // n = 5, score = 800 // 6a00 | push 0 // ff760c | push dword ptr [esi + 0xc] // ffd0 | call eax // 8b442408 | mov eax, dword ptr [esp + 8] // 5e | pop esi $sequence_8 = { 8955e0 e8???????? 8d0dd830a500 890424 894c2404 e8???????? } // n = 6, score = 100 // 8955e0 | mov dword ptr [ebp - 0x20], edx // e8???????? | // 8d0dd830a500 | lea ecx, [0xa530d8] // 890424 | mov dword ptr [esp], eax // 894c2404 | mov dword ptr [esp + 4], ecx // e8???????? 
| $sequence_9 = { 8d055a23a500 31c9 8d55d8 803d????????e9 8955d4 8945d0 } // n = 6, score = 100 // 8d055a23a500 | lea eax, [0xa5235a] // 31c9 | xor ecx, ecx // 8d55d8 | lea edx, [ebp - 0x28] // 803d????????e9 | // 8955d4 | mov dword ptr [ebp - 0x2c], edx // 8945d0 | mov dword ptr [ebp - 0x30], eax $sequence_10 = { 8a2c057530a500 83c001 38e9 8945a0 8955cc 74bc } // n = 6, score = 100 // 8a2c057530a500 | mov ch, byte ptr [eax + 0xa53075] // 83c001 | add eax, 1 // 38e9 | cmp cl, ch // 8945a0 | mov dword ptr [ebp - 0x60], eax // 8955cc | mov dword ptr [ebp - 0x34], edx // 74bc | je 0xffffffbe $sequence_11 = { 8d055a23a500 5d c3 55 } // n = 4, score = 100 // 8d055a23a500 | lea eax, [0xa5235a] // 5d | pop ebp // c3 | ret // 55 | push ebp $sequence_12 = { c7424458270000 c7424800100100 8b7de4 c787cc00000000000000 c787c800000000000000 } // n = 5, score = 100 // c7424458270000 | mov dword ptr [edx + 0x44], 0x2758 // c7424800100100 | mov dword ptr [edx + 0x48], 0x11000 // 8b7de4 | mov edi, dword ptr [ebp - 0x1c] // c787cc00000000000000 | mov dword ptr [edi + 0xcc], 0 // c787c800000000000000 | mov dword ptr [edi + 0xc8], 0 $sequence_13 = { 8b45a4 8a4daf 31d2 8a2c057530a500 83c001 38e9 } // n = 6, score = 100 // 8b45a4 | mov eax, dword ptr [ebp - 0x5c] // 8a4daf | mov cl, byte ptr [ebp - 0x51] // 31d2 | xor edx, edx // 8a2c057530a500 | mov ch, byte ptr [eax + 0xa53075] // 83c001 | add eax, 1 // 38e9 | cmp cl, ch $sequence_14 = { 8d0dc930a500 890424 894c2404 e8???????? 8d0d4430a500 31d2 8b75f8 } // n = 7, score = 100 // 8d0dc930a500 | lea ecx, [0xa530c9] // 890424 | mov dword ptr [esp], eax // 894c2404 | mov dword ptr [esp + 4], ecx // e8???????? 
| // 8d0d4430a500 | lea ecx, [0xa53044] // 31d2 | xor edx, edx // 8b75f8 | mov esi, dword ptr [ebp - 8] $sequence_15 = { 8d0d4430a500 31d2 890c24 c744240400000000 } // n = 4, score = 100 // 8d0d4430a500 | lea ecx, [0xa53044] // 31d2 | xor edx, edx // 890c24 | mov dword ptr [esp], ecx // c744240400000000 | mov dword ptr [esp + 4], 0 condition: 7 of them and filesize < 204800 } , /* # Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . */ rule win_friedex_w0 { meta: author = \ kevoreilly\ description = \ BitPaymer Payload\ source = \ https://github.com/ctxis/CAPE/blob/a67579f409828928005fc55cfdaae1b5199ea1db/data/yara/CAPE/BitPaymer.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex\ malpedia_version = \ 20200304\ malpedia_sharing = \ TLP:WHITE\ malpedia_license = \ \ strings: $decrypt32 = {6A 40 58 3B C8 0F 4D C1 39 46 04 7D 50 53 57 8B F8 81 E7 3F 00 00 80 79 05 4F 83 CF C0 47 F7 DF 99 1B FF 83 E2 3F 03 C2 F7 DF C1 F8 06 03 F8 C1 E7 06 57} $antidefender = \ TouchMeNot\ wide condition: uint16(0) == 0x5A4D and all of them } ] }, { Malware : Gwisin , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : HelloKitty , Description : Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. 
The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions. Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions. , YARA : [ rule win_hellokitty_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.hellokitty.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. 
* This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8975fc 8d4e08 c706???????? e8???????? 6818010000 8d86d0030000 6a00 } // n = 7, score = 100 // 8975fc | mov dword ptr [ebp - 4], esi // 8d4e08 | lea ecx, [esi + 8] // c706???????? | // e8???????? | // 6818010000 | push 0x118 // 8d86d0030000 | lea eax, [esi + 0x3d0] // 6a00 | push 0 $sequence_1 = { 23df 234df0 8bc7 c1c802 0bd9 33d0 03de } // n = 7, score = 100 // 23df | and ebx, edi // 234df0 | and ecx, dword ptr [ebp - 0x10] // 8bc7 | mov eax, edi // c1c802 | ror eax, 2 // 0bd9 | or ebx, ecx // 33d0 | xor edx, eax // 03de | add ebx, esi $sequence_2 = { 7509 0fb64702 3a4604 7411 83c32c 41 83c72c } // n = 7, score = 100 // 7509 | jne 0xb // 0fb64702 | movzx eax, byte ptr [edi + 2] // 3a4604 | cmp al, byte ptr [esi + 4] // 7411 | je 0x13 // 83c32c | add ebx, 0x2c // 41 | inc ecx // 83c72c | add edi, 0x2c $sequence_3 = { 33d2 8b45ec 8bf1 0fa4c11e c1ee02 0bd1 c1e01e } // n = 7, score = 100 // 33d2 | xor edx, edx // 8b45ec | mov eax, dword ptr [ebp - 0x14] // 8bf1 | mov esi, ecx // 0fa4c11e | shld ecx, eax, 0x1e // c1ee02 | shr esi, 2 // 0bd1 | or edx, ecx // c1e01e | shl eax, 0x1e $sequence_4 = { 8b048520364200 56 8b7508 57 8b4c0818 8b4514 832600 } // n = 7, score = 100 // 8b048520364200 | mov eax, dword ptr [eax*4 + 0x423620] // 56 | push esi // 8b7508 | mov esi, dword ptr [ebp + 8] // 57 | push edi // 8b4c0818 | mov ecx, dword ptr [eax + ecx + 0x18] // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 832600 | and dword ptr [esi], 0 $sequence_5 = { 33ca 8bd1 894dec 8988a8000000 33d3 } // n = 5, score = 100 // 33ca | xor ecx, edx // 8bd1 | mov edx, ecx // 894dec | mov dword ptr [ebp - 0x14], ecx // 8988a8000000 | mov dword ptr [eax + 0xa8], ecx // 33d3 | xor edx, ebx $sequence_6 = { 8b759c 03c2 8bd1 8945f8 8bc1 c1c807 c1c20e } // n = 
7, score = 100 // 8b759c | mov esi, dword ptr [ebp - 0x64] // 03c2 | add eax, edx // 8bd1 | mov edx, ecx // 8945f8 | mov dword ptr [ebp - 8], eax // 8bc1 | mov eax, ecx // c1c807 | ror eax, 7 // c1c20e | rol edx, 0xe $sequence_7 = { 8b45c0 3175c4 8bf0 0facc81c c1e604 0bd0 c1e91c } // n = 7, score = 100 // 8b45c0 | mov eax, dword ptr [ebp - 0x40] // 3175c4 | xor dword ptr [ebp - 0x3c], esi // 8bf0 | mov esi, eax // 0facc81c | shrd eax, ecx, 0x1c // c1e604 | shl esi, 4 // 0bd0 | or edx, eax // c1e91c | shr ecx, 0x1c $sequence_8 = { 8bf8 83c020 59 f3a5 8b7508 83ee20 89450c } // n = 7, score = 100 // 8bf8 | mov edi, eax // 83c020 | add eax, 0x20 // 59 | pop ecx // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 8b7508 | mov esi, dword ptr [ebp + 8] // 83ee20 | sub esi, 0x20 // 89450c | mov dword ptr [ebp + 0xc], eax $sequence_9 = { c1ce02 8b45d0 03cf 3345ec 3345c4 3345f0 8b7df4 } // n = 7, score = 100 // c1ce02 | ror esi, 2 // 8b45d0 | mov eax, dword ptr [ebp - 0x30] // 03cf | add ecx, edi // 3345ec | xor eax, dword ptr [ebp - 0x14] // 3345c4 | xor eax, dword ptr [ebp - 0x3c] // 3345f0 | xor eax, dword ptr [ebp - 0x10] // 8b7df4 | mov edi, dword ptr [ebp - 0xc] condition: 7 of them and filesize < 319488 } ] }, { Malware : Hive , Description : Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.In 2022 there was a switch from GoLang to Rust. Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.In 2022 there was a switch from GoLang to Rust. 
, YARA : [ rule win_hive_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.hive.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.hive\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 31c0 b91d000000 31d2 31db } // n = 4, score = 300 // 31c0 | inc eax // b91d000000 | movzx ecx, bh // 31d2 | add ecx, eax // 31db | shl ecx, 6 $sequence_1 = { b807000000 b9d4000000 31d2 31db } // n = 4, score = 300 // b807000000 | inc eax // b9d4000000 | movzx edx, dh // 31d2 | add eax, ecx // 31db | shl eax, 6 $sequence_2 = { 89c2 e8???????? b801000000 e8???????? } // n = 4, score = 200 // 89c2 | dec ebp // e8???????? | // b801000000 | test edi, edi // e8???????? | $sequence_3 = { 31c9 31d2 bb54000000 31f6 } // n = 4, score = 200 // 31c9 | xor ebx, ebx // 31d2 | xor edi, edi // bb54000000 | jmp 0x37 // 31f6 | xor eax, eax $sequence_4 = { 89d1 e8???????? b802000000 e8???????? } // n = 4, score = 200 // 89d1 | dec ebp // e8???????? 
| // b802000000 | test edi, edi // e8???????? | $sequence_5 = { 31c9 31d2 bb08000000 becb000000 31ff } // n = 5, score = 200 // 31c9 | nop // 31d2 | add esp, 0xb0 // bb08000000 | ret // becb000000 | nop // 31ff | ret $sequence_6 = { 89d0 b90d000000 e8???????? b90d000000 } // n = 4, score = 200 // 89d0 | shl edx, 6 // b90d000000 | movzx eax, bl // e8???????? | // b90d000000 | add eax, edx $sequence_7 = { 31db 31ff eb31 31c0 } // n = 4, score = 200 // 31db | mov ecx, 0xd // 31ff | mov ecx, 0xd // eb31 | mov ecx, edx // 31c0 | mov eax, 2 $sequence_8 = { 31ff e8???????? 833d????????00 7511 } // n = 4, score = 200 // 31ff | mov eax, edx // e8???????? | // 833d????????00 | // 7511 | mov ecx, 0xd $sequence_9 = { 89d1 e8???????? b901000000 e8???????? } // n = 4, score = 200 // 89d1 | add eax, edx // e8???????? | // b901000000 | dec ebp // e8???????? | $sequence_10 = { 81c4b0000000 c3 e8???????? 90 } // n = 4, score = 200 // 81c4b0000000 | movzx eax, bl // c3 | add eax, edx // e8???????? | // 90 | add edx, ecx $sequence_11 = { 31c9 31d2 bb09000000 bee0000000 } // n = 4, score = 200 // 31c9 | xor edx, edx // 31d2 | xor ebx, ebx // bb09000000 | xor eax, eax // bee0000000 | mov ecx, 0xaa $sequence_12 = { 31c0 eb17 0fb6940496000000 0fb674041c 31d6 } // n = 5, score = 200 // 31c0 | xor ebx, edx // eb17 | lea ebx, [eax + ebx] // 0fb6940496000000 | lea ebx, [ebx + 0xe] // 0fb674041c | mov eax, 7 // 31d6 | mov ecx, 0xd4 $sequence_13 = { 01c1 83c101 83f90c 0f820fffffff } // n = 4, score = 100 // 01c1 | je 0x269 // 83c101 | add eax, eax // 83f90c | inc eax // 0f820fffffff | add al, bh $sequence_14 = { 01c1 c1e106 400fb6d6 01ca } // n = 4, score = 100 // 01c1 | add ecx, eax // c1e106 | shl ecx, 6 // 400fb6d6 | movzx eax, dl // 01ca | add eax, ecx $sequence_15 = { 01c8 c1e006 400fb6cf 01c1 } // n = 4, score = 100 // 01c8 | and ecx, eax // c1e006 | inc ecx // 400fb6cf | mov dword ptr [edi + 0x14], ecx // 01c1 | add eax, ecx $sequence_16 = { 01c1 c1e106 0fb6c2 01c8 } // n = 4, score = 
100 // 01c1 | jb 0xfffffe9c // c1e106 | mov edx, 5 // 0fb6c2 | add ecx, eax // 01c8 | add ecx, 1 $sequence_17 = { 01c2 b8ffffff03 21c5 21c3 } // n = 4, score = 100 // 01c2 | inc eax // b8ffffff03 | movzx edx, dh // 21c5 | add edx, ecx // 21c3 | add ecx, eax $sequence_18 = { 01c0 4000f8 0fb6c0 48898424b0000000 } // n = 4, score = 100 // 01c0 | add eax, eax // 4000f8 | inc eax // 0fb6c0 | add al, bh // 48898424b0000000 | movzx eax, al $sequence_19 = { 01ca c1e206 0fb6c3 01d0 } // n = 4, score = 100 // 01ca | mov ecx, eax // c1e206 | shr ecx, 0x1f // 0fb6c3 | dec ecx // 01d0 | inc ecx $sequence_20 = { 01c8 89c1 c1e91f ffc9 } // n = 4, score = 100 // 01c8 | movzx eax, bl // 89c1 | add eax, edx // c1e91f | add edx, eax // ffc9 | mov eax, 0x3ffffff condition: 7 of them and filesize < 7946240 } , rule win_hive_w0 { meta: author = \ rivitna\ family = \ ransomware.hive\ description = \ Hive v3 ransomware Windows/Linux/FreeBSD payload\ source = \ https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar\ severity = 10 score = 100 malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.hive\ malpedia_rule_date = \ 20211222\ malpedia_hash = \ \ malpedia_version = \ 20211222\ malpedia_sharing = \ TLP:WHITE\ strings: $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20] 8D ?? 00 90 01 00 } $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10] 8D ?? 00 0C 00 00 } $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?) 69 ?? 00 90 01 00 } $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6] 89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 } $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12] C6 84 24 ?? 00 00 00 34 } condition: (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or (uint32(0) == 0x464C457F)) and ( (2 of ($h*)) or (1 of ($x*)) ) } ] }, { Malware : Hook , Description : According to ThreatFabric, this is a malware family based on apk.ermac. 
The name Hook is the self-advertised name chosen by its vendor, DukeEugene. It communicates over WebSocket and has RAT (remote access) capabilities. According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the self-advertised name chosen by its vendor, DukeEugene. It communicates over WebSocket and has RAT (remote access) capabilities.
*/ strings: $sequence_0 = { 488bd1 488bc1 48c1f806 4c8d05f4f60000 } // n = 4, score = 200 // 488bd1 | dec eax // 488bc1 | arpl cx, cx // 48c1f806 | dec eax // 4c8d05f4f60000 | lea edx, [0x12cb4] $sequence_1 = { 428a8c3998a50100 482bd0 8b42fc d3e8 443bc8 0f8d09010000 488b4b28 } // n = 7, score = 200 // 428a8c3998a50100 | add esp, 0x20 // 482bd0 | pop edi // 8b42fc | ret // d3e8 | inc eax // 443bc8 | push ebx // 0f8d09010000 | dec eax // 488b4b28 | sub esp, 0x40 $sequence_2 = { 4053 4883ec20 488d05575a0100 488bd9 488901 f6c201 740a } // n = 7, score = 200 // 4053 | lea eax, [0x29b6f] // 4883ec20 | test eax, eax // 488d05575a0100 | jne 0x583 // 488bd9 | dec eax // 488901 | test eax, eax // f6c201 | jne 0x5aa // 740a | dec esp $sequence_3 = { 8905???????? 0f1105???????? 8b15???????? 4533c9 488b0d???????? 4533c0 } // n = 6, score = 200 // 8905???????? | // 0f1105???????? | // 8b15???????? | // 4533c9 | dec esp // 488b0d???????? | // 4533c0 | lea eax, [0xff52] $sequence_4 = { 4d85c0 7410 488d15615b0200 488bc8 } // n = 4, score = 200 // 4d85c0 | dec eax // 7410 | mov dword ptr [esp + 0x40], eax // 488d15615b0200 | dec eax // 488bc8 | test eax, eax $sequence_5 = { 44392d???????? 743d 4533c9 4c896c2430 c744242880000000 } // n = 5, score = 200 // 44392d???????? | // 743d | lea eax, [ecx - 1] // 4533c9 | cmp eax, 0x9fffff // 4c896c2430 | mov edx, dword ptr [eax] // c744242880000000 | dec eax $sequence_6 = { 660f6e5cc610 660f62d8 660f6fc7 660f6cda 660ffec4 660f76de } // n = 6, score = 200 // 660f6e5cc610 | lea ebx, [0x114b3] // 660f62d8 | dec ebp // 660f6fc7 | test ecx, ecx // 660f6cda | dec eax // 660ffec4 | lea edi, [0x446b] // 660f76de | dec eax $sequence_7 = { 33d2 e8???????? 3bc3 7565 03fb 8b1d???????? 3bfb } // n = 7, score = 200 // 33d2 | dec eax // e8???????? | // 3bc3 | cmp ecx, eax // 7565 | je 0x1c2 // 03fb | nop // 8b1d???????? | // 3bfb | jne 0x1d1 $sequence_8 = { ba5a540000 e9???????? 8b05???????? 
85c0 } // n = 4, score = 200 // ba5a540000 | sub eax, eax // e9???????? | // 8b05???????? | // 85c0 | inc ecx $sequence_9 = { 4c8bc1 b84d5a0000 66390525b6ffff 7578 48630d58b6ffff 488d1515b6ffff 4803ca } // n = 7, score = 200 // 4c8bc1 | mov esi, dword ptr [esp + 0x28] // b84d5a0000 | dec eax // 66390525b6ffff | mov ecx, dword ptr [esi] // 7578 | inc esp // 48630d58b6ffff | mov esi, eax // 488d1515b6ffff | dec eax // 4803ca | mov edi, dword ptr [esi + 8] condition: 7 of them and filesize < 405504 } ] }, { Malware : LockBit , Description : There is no description at this point. , YARA : [ rule win_lockbit_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lockbit.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 0f28c8 660f73f904 660fefc8 0f28c1 660f73f804 } // n = 5, score = 300 // 0f28c8 | movaps xmm1, xmm0 // 660f73f904 | pslldq xmm1, 4 // 660fefc8 | pxor xmm1, xmm0 // 0f28c1 | movaps xmm0, xmm1 // 660f73f804 | pslldq xmm0, 4 $sequence_1 = { 50 e8???????? 8d858cfeffff 50 8d45c0 50 8d45a0 } // n = 7, score = 300 // 50 | push eax // e8???????? | // 8d858cfeffff | lea eax, [ebp - 0x174] // 50 | push eax // 8d45c0 | lea eax, [ebp - 0x40] // 50 | push eax // 8d45a0 | lea eax, [ebp - 0x60] $sequence_2 = { fec1 47 4e 85f6 75d2 5d } // n = 6, score = 300 // fec1 | inc cl // 47 | inc edi // 4e | dec esi // 85f6 | test esi, esi // 75d2 | jne 0xffffffd4 // 5d | pop ebp $sequence_3 = { 56 57 8d9d84fcffff b900c2eb0b e2fe e8???????? 53 } // n = 7, score = 300 // 56 | push esi // 57 | push edi // 8d9d84fcffff | lea ebx, [ebp - 0x37c] // b900c2eb0b | mov ecx, 0xbebc200 // e2fe | loop 0 // e8???????? | // 53 | push ebx $sequence_4 = { 6683f866 7706 6683e857 eb17 6683f830 720c 6683f839 } // n = 7, score = 300 // 6683f866 | cmp ax, 0x66 // 7706 | ja 8 // 6683e857 | sub ax, 0x57 // eb17 | jmp 0x19 // 6683f830 | cmp ax, 0x30 // 720c | jb 0xe // 6683f839 | cmp ax, 0x39 $sequence_5 = { 33db 55 8b6d10 8bc1 } // n = 4, score = 300 // 33db | xor ebx, ebx // 55 | push ebp // 8b6d10 | mov ebp, dword ptr [ebp + 0x10] // 8bc1 | mov eax, ecx $sequence_6 = { 8d8550fdffff 50 6a00 ff15???????? } // n = 4, score = 300 // 8d8550fdffff | lea eax, [ebp - 0x2b0] // 50 | push eax // 6a00 | push 0 // ff15???????? 
| $sequence_7 = { 33c0 8d7df0 33c9 53 0fa2 } // n = 5, score = 300 // 33c0 | xor eax, eax // 8d7df0 | lea edi, [ebp - 0x10] // 33c9 | xor ecx, ecx // 53 | push ebx // 0fa2 | cpuid $sequence_8 = { f745f800000002 740c 5f 5e } // n = 4, score = 300 // f745f800000002 | test dword ptr [ebp - 8], 0x2000000 // 740c | je 0xe // 5f | pop edi // 5e | pop esi $sequence_9 = { 02d3 8a5c1500 8a541d00 8a541500 fec2 8a441500 } // n = 6, score = 300 // 02d3 | add dl, bl // 8a5c1500 | mov bl, byte ptr [ebp + edx] // 8a541d00 | mov dl, byte ptr [ebp + ebx] // 8a541500 | mov dl, byte ptr [ebp + edx] // fec2 | inc dl // 8a441500 | mov al, byte ptr [ebp + edx] $sequence_10 = { 33d0 8bc1 c1e810 0fb6c0 c1e208 } // n = 5, score = 300 // 33d0 | xor edx, eax // 8bc1 | mov eax, ecx // c1e810 | shr eax, 0x10 // 0fb6c0 | movzx eax, al // c1e208 | shl edx, 8 $sequence_11 = { 53 56 57 33c0 8b5d14 33c9 33d2 } // n = 7, score = 300 // 53 | push ebx // 56 | push esi // 57 | push edi // 33c0 | xor eax, eax // 8b5d14 | mov ebx, dword ptr [ebp + 0x14] // 33c9 | xor ecx, ecx // 33d2 | xor edx, edx $sequence_12 = { 8d45f8 50 8d45fc 50 ff75fc ff75f4 } // n = 6, score = 300 // 8d45f8 | lea eax, [ebp - 8] // 50 | push eax // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // ff75fc | push dword ptr [ebp - 4] // ff75f4 | push dword ptr [ebp - 0xc] $sequence_13 = { e9???????? 6683f841 720c 6683f846 7706 6683e837 } // n = 6, score = 300 // e9???????? 
| // 6683f841 | cmp ax, 0x41 // 720c | jb 0xe // 6683f846 | cmp ax, 0x46 // 7706 | ja 8 // 6683e837 | sub ax, 0x37 $sequence_14 = { 6a00 6a00 6800000040 ff75d4 } // n = 4, score = 300 // 6a00 | push 0 // 6a00 | push 0 // 6800000040 | push 0x40000000 // ff75d4 | push dword ptr [ebp - 0x2c] $sequence_15 = { 5b 8907 897704 894f08 89570c f745f800000002 740c } // n = 7, score = 300 // 5b | pop ebx // 8907 | mov dword ptr [edi], eax // 897704 | mov dword ptr [edi + 4], esi // 894f08 | mov dword ptr [edi + 8], ecx // 89570c | mov dword ptr [edi + 0xc], edx // f745f800000002 | test dword ptr [ebp - 8], 0x2000000 // 740c | je 0xe $sequence_16 = { 214493fc 8b5df8 8bc3 43 } // n = 4, score = 200 // 214493fc | and dword ptr [ebx + edx*4 - 4], eax // 8b5df8 | mov ebx, dword ptr [ebp - 8] // 8bc3 | mov eax, ebx // 43 | inc ebx $sequence_17 = { 7407 8bce e8???????? 837b0402 } // n = 4, score = 200 // 7407 | je 9 // 8bce | mov ecx, esi // e8???????? | // 837b0402 | cmp dword ptr [ebx + 4], 2 $sequence_18 = { 7414 663901 740f 0f1f440000 } // n = 4, score = 200 // 7414 | je 0x16 // 663901 | cmp word ptr [ecx], ax // 740f | je 0x11 // 0f1f440000 | nop dword ptr [eax + eax] $sequence_19 = { 1bdb 83e30b 83c328 ff7518 8b7d08 8d049500000000 ff7514 } // n = 7, score = 200 // 1bdb | sbb ebx, ebx // 83e30b | and ebx, 0xb // 83c328 | add ebx, 0x28 // ff7518 | push dword ptr [ebp + 0x18] // 8b7d08 | mov edi, dword ptr [ebp + 8] // 8d049500000000 | lea eax, [edx*4] // ff7514 | push dword ptr [ebp + 0x14] condition: 7 of them and filesize < 2049024 } ] }, { Malware : Monti , Description : A ransomware, derived from the leaked Conti source code. A ransomware, derived from the leaked Conti source code. There is no Yara-Signature yet. , YARA : [] }, { Malware : Paradise , Description : Ransomware. Ransomware. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : Phobos , Description : MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups. MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups. , YARA : [ rule win_phobos_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.phobos.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff75fc e8???????? 
59 85c0 0f845c010000 395df8 0f8453010000 } // n = 7, score = 100 // ff75fc | push dword ptr [ebp - 4] // e8???????? | // 59 | pop ecx // 85c0 | test eax, eax // 0f845c010000 | je 0x162 // 395df8 | cmp dword ptr [ebp - 8], ebx // 0f8453010000 | je 0x159 $sequence_1 = { 59 8d4c0002 8bc7 2bc6 03c1 894ddc 897dd0 } // n = 7, score = 100 // 59 | pop ecx // 8d4c0002 | lea ecx, [eax + eax + 2] // 8bc7 | mov eax, edi // 2bc6 | sub eax, esi // 03c1 | add eax, ecx // 894ddc | mov dword ptr [ebp - 0x24], ecx // 897dd0 | mov dword ptr [ebp - 0x30], edi $sequence_2 = { 8d5c3801 e8???????? 59 8945fc 8975e4 ff15???????? 6a40 } // n = 7, score = 100 // 8d5c3801 | lea ebx, [eax + edi + 1] // e8???????? | // 59 | pop ecx // 8945fc | mov dword ptr [ebp - 4], eax // 8975e4 | mov dword ptr [ebp - 0x1c], esi // ff15???????? | // 6a40 | push 0x40 $sequence_3 = { 752e 6683f930 7409 c7450c0a000000 } // n = 4, score = 100 // 752e | jne 0x30 // 6683f930 | cmp cx, 0x30 // 7409 | je 0xb // c7450c0a000000 | mov dword ptr [ebp + 0xc], 0xa $sequence_4 = { 53 56 c745a044000000 ff15???????? 8945fc 3bc6 } // n = 6, score = 100 // 53 | push ebx // 56 | push esi // c745a044000000 | mov dword ptr [ebp - 0x60], 0x44 // ff15???????? | // 8945fc | mov dword ptr [ebp - 4], eax // 3bc6 | cmp eax, esi $sequence_5 = { 8bf8 57 897de0 e8???????? 83c40c 680a020000 8d5c3801 } // n = 7, score = 100 // 8bf8 | mov edi, eax // 57 | push edi // 897de0 | mov dword ptr [ebp - 0x20], edi // e8???????? | // 83c40c | add esp, 0xc // 680a020000 | push 0x20a // 8d5c3801 | lea ebx, [eax + edi + 1] $sequence_6 = { 8d45f4 50 53 ff15???????? 56 8b35???????? ffd6 } // n = 7, score = 100 // 8d45f4 | lea eax, [ebp - 0xc] // 50 | push eax // 53 | push ebx // ff15???????? | // 56 | push esi // 8b35???????? | // ffd6 | call esi $sequence_7 = { 8bf3 2b7010 e8???????? f6472801 8d440006 59 8945fc } // n = 7, score = 100 // 8bf3 | mov esi, ebx // 2b7010 | sub esi, dword ptr [eax + 0x10] // e8???????? 
| // f6472801 | test byte ptr [edi + 0x28], 1 // 8d440006 | lea eax, [eax + eax + 6] // 59 | pop ecx // 8945fc | mov dword ptr [ebp - 4], eax $sequence_8 = { 7423 a900040000 7518 8b06 ff750c 8b00 ff7020 } // n = 7, score = 100 // 7423 | je 0x25 // a900040000 | test eax, 0x400 // 7518 | jne 0x1a // 8b06 | mov eax, dword ptr [esi] // ff750c | push dword ptr [ebp + 0xc] // 8b00 | mov eax, dword ptr [eax] // ff7020 | push dword ptr [eax + 0x20] $sequence_9 = { 83c602 0fb716 83c702 6685d2 75e0 668b06 663b07 } // n = 7, score = 100 // 83c602 | add esi, 2 // 0fb716 | movzx edx, word ptr [esi] // 83c702 | add edi, 2 // 6685d2 | test dx, dx // 75e0 | jne 0xffffffe2 // 668b06 | mov ax, word ptr [esi] // 663b07 | cmp ax, word ptr [edi] condition: 7 of them and filesize < 139264 } ] }, { Malware : RagnarLocker , Description : There is no description at this point. , YARA : [ rule win_ragnarlocker_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.ragnarlocker.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. 
* Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 898df4feffff 894dc0 8b4f14 898decfeffff 894df8 8b4d0c 0fb601 } // n = 7, score = 300 // 898df4feffff | mov dword ptr [ebp - 0x10c], ecx // 894dc0 | mov dword ptr [ebp - 0x40], ecx // 8b4f14 | mov ecx, dword ptr [edi + 0x14] // 898decfeffff | mov dword ptr [ebp - 0x114], ecx // 894df8 | mov dword ptr [ebp - 8], ecx // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 0fb601 | movzx eax, byte ptr [ecx] $sequence_1 = { 33f1 8b4de8 8bd0 2345d4 3355d4 2355c8 33d0 } // n = 7, score = 300 // 33f1 | xor esi, ecx // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 8bd0 | mov edx, eax // 2345d4 | and eax, dword ptr [ebp - 0x2c] // 3355d4 | xor edx, dword ptr [ebp - 0x2c] // 2355c8 | and edx, dword ptr [ebp - 0x38] // 33d0 | xor edx, eax $sequence_2 = { 0fb6c5 6a04 0bd0 0fb6c1 6800300000 c1e208 53 } // n = 7, score = 300 // 0fb6c5 | movzx eax, ch // 6a04 | push 4 // 0bd0 | or edx, eax // 0fb6c1 | movzx eax, cl // 6800300000 | push 0x3000 // c1e208 | shl edx, 8 // 53 | push ebx $sequence_3 = { 039d28ffffff 13bd24ffffff 035d94 137d98 81c338b548f3 81d75bc25639 015df4 } // n = 7, score = 300 // 039d28ffffff | add ebx, dword ptr [ebp - 0xd8] // 13bd24ffffff | adc edi, dword ptr [ebp - 0xdc] // 035d94 | add ebx, dword ptr [ebp - 0x6c] // 137d98 | adc edi, dword ptr [ebp - 0x68] // 81c338b548f3 | add ebx, 0xf348b538 // 81d75bc25639 | adc edi, 0x3956c25b // 015df4 | add dword ptr [ebp - 0xc], ebx $sequence_4 = { 0fa4ca17 c1ee09 c1e117 0bda 8b55dc 0bf1 8b4de0 } // n = 7, score = 300 // 0fa4ca17 | shld edx, ecx, 0x17 // c1ee09 | shr esi, 9 // c1e117 | shl ecx, 0x17 // 0bda | or ebx, edx // 8b55dc | mov edx, dword ptr [ebp - 0x24] // 0bf1 | or esi, ecx // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] $sequence_5 = { 8bfa 8b4dd4 8bf1 337de8 3375f4 237dac 2355e8 } // n = 7, score = 300 // 8bfa | mov edi, edx // 8b4dd4 | mov ecx, dword 
ptr [ebp - 0x2c] // 8bf1 | mov esi, ecx // 337de8 | xor edi, dword ptr [ebp - 0x18] // 3375f4 | xor esi, dword ptr [ebp - 0xc] // 237dac | and edi, dword ptr [ebp - 0x54] // 2355e8 | and edx, dword ptr [ebp - 0x18] $sequence_6 = { 897dfc 8bbd34ffffff 8bf7 8bcf c1e618 0facd108 } // n = 6, score = 300 // 897dfc | mov dword ptr [ebp - 4], edi // 8bbd34ffffff | mov edi, dword ptr [ebp - 0xcc] // 8bf7 | mov esi, edi // 8bcf | mov ecx, edi // c1e618 | shl esi, 0x18 // 0facd108 | shrd ecx, edx, 8 $sequence_7 = { 3375ec 8b55e8 2355c0 2375d4 33fa 8b4df4 234dec } // n = 7, score = 300 // 3375ec | xor esi, dword ptr [ebp - 0x14] // 8b55e8 | mov edx, dword ptr [ebp - 0x18] // 2355c0 | and edx, dword ptr [ebp - 0x40] // 2375d4 | and esi, dword ptr [ebp - 0x2c] // 33fa | xor edi, edx // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 234dec | and ecx, dword ptr [ebp - 0x14] $sequence_8 = { 03c3 8945b8 13cf 33ff 894de0 } // n = 5, score = 300 // 03c3 | add eax, ebx // 8945b8 | mov dword ptr [ebp - 0x48], eax // 13cf | adc ecx, edi // 33ff | xor edi, edi // 894de0 | mov dword ptr [ebp - 0x20], ecx $sequence_9 = { c1e108 0bc8 0fb64604 c1e108 0bc8 894b14 0f114318 } // n = 7, score = 300 // c1e108 | shl ecx, 8 // 0bc8 | or ecx, eax // 0fb64604 | movzx eax, byte ptr [esi + 4] // c1e108 | shl ecx, 8 // 0bc8 | or ecx, eax // 894b14 | mov dword ptr [ebx + 0x14], ecx // 0f114318 | movups xmmword ptr [ebx + 0x18], xmm0 condition: 7 of them and filesize < 147456 } ] }, { Malware : RustBucket , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : SmokeLoader , Description : The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. 
The malware frequently tries to hide its C2 activity by generating decoy requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download from the real C2 returns an HTTP 404 status but still carries data in the response body, so a 404 alone must not be treated as a failed or empty download when inspecting this traffic. The SmokeLoader family is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating decoy requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download from the real C2 returns an HTTP 404 status but still carries data in the response body, so a 404 alone must not be treated as a failed or empty download when inspecting this traffic.
8d45f0 50 8d45e8 50 8d45e0 50 } // n = 7, score = 1300 // ff15???????? | // 8d45f0 | lea eax, [ebp - 0x10] // 50 | push eax // 8d45e8 | lea eax, [ebp - 0x18] // 50 | push eax // 8d45e0 | lea eax, [ebp - 0x20] // 50 | push eax $sequence_1 = { 57 ff15???????? 6a00 6800000002 6a03 6a00 6a03 } // n = 7, score = 1100 // 57 | push edi // ff15???????? | // 6a00 | push 0 // 6800000002 | push 0x2000000 // 6a03 | push 3 // 6a00 | push 0 // 6a03 | push 3 $sequence_2 = { 50 8d45e0 50 56 ff15???????? 56 ff15???????? } // n = 7, score = 1100 // 50 | push eax // 8d45e0 | lea eax, [ebp - 0x20] // 50 | push eax // 56 | push esi // ff15???????? | // 56 | push esi // ff15???????? | $sequence_3 = { 8bf0 8d45dc 50 6a00 53 ff15???????? } // n = 6, score = 1100 // 8bf0 | mov esi, eax // 8d45dc | lea eax, [ebp - 0x24] // 50 | push eax // 6a00 | push 0 // 53 | push ebx // ff15???????? | $sequence_4 = { 740a 83c104 83f920 72f0 } // n = 4, score = 900 // 740a | mov eax, dword ptr [edi] // 83c104 | add eax, ebx // 83f920 | push eax // 72f0 | mov ax, gs $sequence_5 = { e8???????? 8bf0 8d45fc 50 ff75fc 56 6a19 } // n = 7, score = 900 // e8???????? | // 8bf0 | mov esi, eax // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // ff75fc | push dword ptr [ebp - 4] // 56 | push esi // 6a19 | push 0x19 $sequence_6 = { ff15???????? bf90010000 8bcf e8???????? } // n = 4, score = 900 // ff15???????? | // bf90010000 | mov edi, 0x190 // 8bcf | mov ecx, edi // e8???????? | $sequence_7 = { 0fb64405dc 50 8d45ec 50 } // n = 4, score = 900 // 0fb64405dc | lea eax, [ebp - 0x20] // 50 | je 0xc // 8d45ec | add ecx, 4 // 50 | cmp ecx, 0x20 $sequence_8 = { 50 56 681f000f00 57 } // n = 4, score = 900 // 50 | push eax // 56 | push esi // 681f000f00 | push 0xf001f // 57 | push edi $sequence_9 = { 56 8d45fc 50 57 57 6a19 } // n = 6, score = 900 // 56 | push esi // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // 57 | push edi // 57 | push edi // 6a19 | push 0x19 $sequence_10 = { 668ce8 6685c0 7406 fe05???????? 
} // n = 4, score = 900 // 668ce8 | push 0 // 6685c0 | push ebx // 7406 | push eax // fe05???????? | $sequence_11 = { 8b07 03c3 50 ff15???????? } // n = 4, score = 800 // 8b07 | lea eax, [ebp - 0x20] // 03c3 | push eax // 50 | push esi // ff15???????? | $sequence_12 = { 56 ff15???????? 50 56 6a00 ff15???????? } // n = 6, score = 800 // 56 | push eax // ff15???????? | // 50 | push 0 // 56 | push ebx // 6a00 | lea eax, [ebp - 0x10] // ff15???????? | $sequence_13 = { 33c0 e9???????? e8???????? b904010000 } // n = 4, score = 800 // 33c0 | xor eax, eax // e9???????? | // e8???????? | // b904010000 | mov ecx, 0x104 $sequence_14 = { 88443c18 88543418 0fb64c3c18 0fb6c2 03c8 81e1ff000000 } // n = 6, score = 700 // 88443c18 | push edi // 88543418 | push 0x19 // 0fb64c3c18 | movzx eax, byte ptr [ebp + eax - 0x24] // 0fb6c2 | push eax // 03c8 | lea eax, [ebp - 0x14] // 81e1ff000000 | push eax $sequence_15 = { 81e5ff000000 8a442c18 88443c18 47 } // n = 4, score = 700 // 81e5ff000000 | push esi // 8a442c18 | lea eax, [ebp - 4] // 88443c18 | push eax // 47 | push edi $sequence_16 = { e8???????? 8bf8 68???????? ff15???????? } // n = 4, score = 700 // e8???????? | // 8bf8 | push 0 // 68???????? | // ff15???????? | $sequence_17 = { ebf5 55 8bec 83ec24 8d45f4 53 } // n = 6, score = 700 // ebf5 | push 0x19 // 55 | mov esi, eax // 8bec | lea eax, [ebp - 4] // 83ec24 | push eax // 8d45f4 | push dword ptr [ebp - 4] // 53 | push esi $sequence_18 = { 50 57 ff15???????? 43 83fb0f } // n = 5, score = 700 // 50 | push ebx // 57 | lea eax, [ebp - 0x10] // ff15???????? | // 43 | push eax // 83fb0f | push 0 $sequence_19 = { 8b7d10 50 57 56 53 e8???????? } // n = 6, score = 500 // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 50 | push eax // 57 | push edi // 56 | push esi // 53 | push ebx // e8???????? 
| $sequence_20 = { 8d8de8fdffff 50 50 50 } // n = 4, score = 500 // 8d8de8fdffff | lea ecx, [ebp - 0x218] // 50 | push eax // 50 | push eax // 50 | push eax $sequence_21 = { 8d95f0fdffff c70200000000 6800800000 52 51 6aff } // n = 6, score = 500 // 8d95f0fdffff | lea edx, [ebp - 0x210] // c70200000000 | mov dword ptr [edx], 0 // 6800800000 | push 0x8000 // 52 | push edx // 51 | push ecx // 6aff | push -1 $sequence_22 = { 8985ecfdffff ffb5f0fdffff 50 53 e8???????? 8d8decfdffff } // n = 6, score = 500 // 8985ecfdffff | mov dword ptr [ebp - 0x214], eax // ffb5f0fdffff | push dword ptr [ebp - 0x210] // 50 | push eax // 53 | push ebx // e8???????? | // 8d8decfdffff | lea ecx, [ebp - 0x214] $sequence_23 = { e8???????? 2500300038 005800 2500300038 } // n = 4, score = 500 // e8???????? | // 2500300038 | and eax, 0x38003000 // 005800 | add byte ptr [eax], bl // 2500300038 | and eax, 0x38003000 $sequence_24 = { 8db5f8fdffff c60653 56 6a00 6a00 6a00 } // n = 6, score = 500 // 8db5f8fdffff | lea esi, [ebp - 0x208] // c60653 | mov byte ptr [esi], 0x53 // 56 | push esi // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 $sequence_25 = { 8b4514 898608020000 56 6aff } // n = 4, score = 500 // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 898608020000 | mov dword ptr [esi + 0x208], eax // 56 | push esi // 6aff | push -1 $sequence_26 = { 01d4 8d85f0fdffff 8b750c 8b7d10 50 57 } // n = 6, score = 500 // 01d4 | add esp, edx // 8d85f0fdffff | lea eax, [ebp - 0x210] // 8b750c | mov esi, dword ptr [ebp + 0xc] // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 50 | push eax // 57 | push edi $sequence_27 = { fc 5f 5e 5b } // n = 4, score = 400 // fc | push ebx // 5f | push ebx // 5e | lea eax, [ebp - 0x10] // 5b | push eax $sequence_28 = { 89e5 81ec5c060000 53 56 } // n = 4, score = 400 // 89e5 | mov ebp, esp // 81ec5c060000 | sub esp, 0x65c // 53 | push ebx // 56 | push esi $sequence_29 = { 30d0 aa e2f3 7505 } // n = 4, score = 400 // 30d0 | xor al, dl // aa | stosb byte ptr es:[edi], al // e2f3 
| loop 0xfffffff5 // 7505 | jne 7 $sequence_30 = { 89cf fc b280 31db a4 } // n = 5, score = 400 // 89cf | pop ebp // fc | mov dh, 0x58 // b280 | pop ds // 31db | jns 0xffffffbc // a4 | test al, 0x88 $sequence_31 = { 60 89c6 89cf fc } // n = 4, score = 400 // 60 | cdq // 89c6 | into // 89cf | stc // fc | pop ebp $sequence_32 = { ff15???????? 85c0 747c 488b4c2448 4533c9 488d442440 } // n = 6, score = 300 // ff15???????? | // 85c0 | mov dword ptr [esp + 0x20], 0xfa000 // 747c | test eax, eax // 488b4c2448 | je 0x7e // 4533c9 | dec eax // 488d442440 | mov ecx, dword ptr [esp + 0x48] $sequence_33 = { 488b4547 488907 4885c9 740f 8b450f 48894d17 83c802 } // n = 7, score = 300 // 488b4547 | dec eax // 488907 | mov ebx, eax // 4885c9 | inc ebp // 740f | test bh, bh // 8b450f | je 0x13 // 48894d17 | inc ecx // 83c802 | mov cl, 1 $sequence_34 = { 33c9 e8???????? 488bd8 4584ff 7411 41b101 } // n = 6, score = 300 // 33c9 | inc ebp // e8???????? | // 488bd8 | xor ecx, ecx // 4584ff | dec eax // 7411 | lea eax, [esp + 0x40] // 41b101 | xor ecx, ecx $sequence_35 = { 4f 8d1c10 41 8b4b18 45 } // n = 5, score = 300 // 4f | dec edi // 8d1c10 | lea ebx, [eax + edx] // 41 | inc ecx // 8b4b18 | mov ecx, dword ptr [ebx + 0x18] // 45 | inc ebp $sequence_36 = { 01c4 ffc9 49 8d3c8c } // n = 4, score = 300 // 01c4 | add esp, eax // ffc9 | dec ecx // 49 | dec ecx // 8d3c8c | lea edi, [esp + ecx*4] $sequence_37 = { 4c 01c7 8b048f 4c } // n = 4, score = 300 // 4c | dec esp // 01c7 | add edi, eax // 8b048f | mov eax, dword ptr [edi + ecx*4] // 4c | dec esp $sequence_38 = { 49 8d3c8c 8b37 4c 01c6 } // n = 5, score = 300 // 49 | dec ecx // 8d3c8c | lea edi, [esp + ecx*4] // 8b37 | mov esi, dword ptr [edi] // 4c | dec esp // 01c6 | add esi, eax $sequence_39 = { 41b104 448bc7 488bcb e8???????? 488b742440 488bc3 488b5c2430 } // n = 7, score = 300 // 41b104 | dec eax // 448bc7 | mov eax, dword ptr [ebp + 0x47] // 488bcb | dec eax // e8???????? 
| // 488b742440 | mov dword ptr [edi], eax // 488bc3 | dec eax // 488b5c2430 | test ecx, ecx $sequence_40 = { 55 89e5 81ec54040000 53 } // n = 4, score = 300 // 55 | dec esp // 89e5 | arpl word ptr [ebp + 0x7f], ax // 81ec54040000 | dec eax // 53 | mov edx, edi $sequence_41 = { 33c9 4c897c2428 c744242000a00f00 ff15???????? } // n = 4, score = 300 // 33c9 | xor ecx, ecx // 4c897c2428 | dec esp // c744242000a00f00 | mov dword ptr [esp + 0x28], edi // ff15???????? | $sequence_42 = { 8b4b18 45 8b6320 4d } // n = 4, score = 300 // 8b4b18 | mov ecx, dword ptr [ebx + 0x18] // 45 | inc ebp // 8b6320 | mov esp, dword ptr [ebx + 0x20] // 4d | dec ebp $sequence_43 = { 89d0 c1e205 01c2 31c0 ac 01c2 85c0 } // n = 7, score = 300 // 89d0 | mov eax, edx // c1e205 | shl edx, 5 // 01c2 | add edx, eax // 31c0 | xor eax, eax // ac | lodsb al, byte ptr [esi] // 01c2 | add edx, eax // 85c0 | test eax, eax $sequence_44 = { 83c408 85c0 0f84cb000000 8b45f4 2d10bf3400 0fb74dec } // n = 6, score = 200 // 83c408 | mov dword ptr [ebp + 0x17], ecx // 85c0 | or eax, 2 // 0f84cb000000 | inc ecx // 8b45f4 | mov cl, 4 // 2d10bf3400 | inc esp // 0fb74dec | mov eax, edi $sequence_45 = { 8946fc ad 85c0 75f3 c3 56 } // n = 6, score = 200 // 8946fc | mov edi, ecx // ad | cld // 85c0 | mov dl, 0x80 // 75f3 | xor ebx, ebx // c3 | movsb byte ptr es:[edi], byte ptr [esi] // 56 | mov esi, eax $sequence_46 = { 56 ad 01e8 31c9 c1c108 3208 } // n = 6, score = 200 // 56 | mov dl, 0x80 // ad | xor ebx, ebx // 01e8 | movsb byte ptr es:[edi], byte ptr [esi] // 31c9 | mov bl, 2 // c1c108 | pushal // 3208 | mov esi, eax $sequence_47 = { 8b4da0 8b55a4 895148 689d1e6b63 8b45e4 50 } // n = 6, score = 200 // 8b4da0 | mov ebx, dword ptr [esp + 0x30] // 8b55a4 | mov edx, 0x18 // 895148 | test al, al // 689d1e6b63 | cmovne ecx, esi // 8b45e4 | add esp, 8 // 50 | test eax, eax $sequence_48 = { 8b45b4 894220 eb10 8b8d78ffffff 8b11 899578ffffff ebae } // n = 7, score = 200 // 8b45b4 | dec eax // 894220 | mov ecx, ebx // eb10 | 
dec eax // 8b8d78ffffff | mov esi, dword ptr [esp + 0x40] // 8b11 | dec eax // 899578ffffff | mov eax, ebx // ebae | dec eax $sequence_49 = { 03471c 8b0428 01e8 5e c3 } // n = 5, score = 200 // 03471c | mov edi, ecx // 8b0428 | cld // 01e8 | mov dl, 0x80 // 5e | xor ebx, ebx // c3 | movsb byte ptr es:[edi], byte ptr [esi] $sequence_50 = { 5b c9 c20800 55 89e5 83ec04 } // n = 6, score = 200 // 5b | ret 0x10 // c9 | push ebp // c20800 | mov ebp, esp // 55 | sub esp, 0x454 // 89e5 | ret 0x10 // 83ec04 | push ebp $sequence_51 = { e8???????? 8945ac 6a00 6a04 8d45b4 50 } // n = 6, score = 200 // e8???????? | // 8945ac | mov eax, dword ptr [ebp - 0x4c] // 6a00 | mov dword ptr [edx + 0x20], eax // 6a04 | jmp 0x18 // 8d45b4 | mov ecx, dword ptr [ebp - 0x88] // 50 | mov edx, dword ptr [ecx] $sequence_52 = { aa e2f3 7506 7404 } // n = 4, score = 200 // aa | push ebx // e2f3 | ret 0x10 // 7506 | push ebp // 7404 | mov ebp, esp $sequence_53 = { 55 8bec 83c4d0 1e 53 } // n = 5, score = 200 // 55 | mov edi, ecx // 8bec | cld // 83c4d0 | mov dl, 0x80 // 1e | pushal // 53 | mov esi, eax $sequence_54 = { 684a0dce09 8b45e4 50 e8???????? 8945a8 8b4da0 8b55a8 } // n = 7, score = 200 // 684a0dce09 | mov dword ptr [ebp - 0x54], eax // 8b45e4 | push 0 // 50 | push 4 // e8???????? | // 8945a8 | lea eax, [ebp - 0x4c] // 8b4da0 | push eax // 8b55a8 | sub esp, 0xc $sequence_55 = { 83ec0c e8???????? 8945f8 8b45f8 8b4860 894df4 ff7518 } // n = 7, score = 200 // 83ec0c | mov dword ptr [ebp - 0x88], edx // e8???????? 
| // 8945f8 | jmp 0xffffffc6 // 8b45f8 | mov ecx, dword ptr [ebp - 0x60] // 8b4860 | mov edx, dword ptr [ebp - 0x5c] // 894df4 | mov dword ptr [ecx + 0x48], edx // ff7518 | push 0x636b1e9d $sequence_56 = { 803800 75f5 31d1 75ec } // n = 4, score = 200 // 803800 | mov edx, eax // 75f5 | mov ebp, esp // 31d1 | add esp, -0x30 // 75ec | push ds $sequence_57 = { 8b450c 2d10bf3400 8b4d08 c1e103 } // n = 4, score = 200 // 8b450c | je 0xd6 // 2d10bf3400 | mov eax, dword ptr [ebp - 0xc] // 8b4d08 | sub eax, 0x34bf10 // c1e103 | movzx ecx, word ptr [ebp - 0x14] $sequence_58 = { 8b55f8 0fb70a c1e103 33d2 f7f1 8945fc } // n = 6, score = 200 // 8b55f8 | mov eax, dword ptr [ebp - 0x1c] // 0fb70a | push eax // c1e103 | mov eax, dword ptr [ebp + 0xc] // 33d2 | sub eax, 0x34bf10 // f7f1 | mov ecx, dword ptr [ebp + 8] // 8945fc | shl ecx, 3 $sequence_59 = { 5e c3 60 89c6 } // n = 4, score = 200 // 5e | xor ecx, ecx // c3 | add esp, -0x30 // 60 | push ds // 89c6 | push ebx $sequence_60 = { 9a18a15c5d5d5d d6 0055d0 08a50f375d37 } // n = 4, score = 100 // 9a18a15c5d5d5d | stosb byte ptr es:[edi], al // d6 | loop 0xfffffff5 // 0055d0 | jne 0xa // 08a50f375d37 | je 0xa $sequence_61 = { 48 35f94e5d5d d6 59 79de 99 } // n = 6, score = 100 // 48 | ret 8 // 35f94e5d5d | push ebp // d6 | mov ebp, esp // 59 | sub esp, 4 // 79de | add byte ptr [ebp - 0x30], dl // 99 | or byte ptr [ebp + 0x375d370f], ah $sequence_62 = { 5d 5d b658 1f 79b6 a888 } // n = 6, score = 100 // 5d | xor al, dl // 5d | stosb byte ptr es:[edi], al // b658 | loop 0xfffffff6 // 1f | jne 0xb // 79b6 | je 0xb // a888 | xor al, dl $sequence_63 = { 0055d0 08a50f375d37 5d 37 } // n = 4, score = 100 // 0055d0 | mov ebp, esp // 08a50f375d37 | sub esp, 0x454 // 5d | push ebx // 37 | push esi $sequence_64 = { 5d 5d 285829 5e cb } // n = 5, score = 100 // 5d | stosb byte ptr es:[edi], al // 5d | loop 0xfffffff6 // 285829 | jne 0xb // 5e | pop ebx // cb | leave condition: 7 of them and filesize < 245760 } ] }, { Malware : Stealc , 
Description : Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll (because these DLLs are legitimate, their file hashes alone are not a useful indicator of compromise). It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. 
, YARA : [ rule win_stealc_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.stealc.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff15???????? 85c0 7507 c685e0feffff43 } // n = 4, score = 600 // ff15???????? | // 85c0 | test eax, eax // 7507 | jne 9 // c685e0feffff43 | mov byte ptr [ebp - 0x120], 0x43 $sequence_1 = { 68???????? e8???????? e8???????? 83c474 } // n = 4, score = 600 // 68???????? | // e8???????? | // e8???????? | // 83c474 | add esp, 0x74 $sequence_2 = { 50 e8???????? e8???????? 83c474 } // n = 4, score = 600 // 50 | push eax // e8???????? | // e8???????? | // 83c474 | add esp, 0x74 $sequence_3 = { e8???????? e8???????? 81c480000000 e9???????? } // n = 4, score = 600 // e8???????? | // e8???????? | // 81c480000000 | add esp, 0x80 // e9???????? | $sequence_4 = { 50 e8???????? e8???????? 81c484000000 } // n = 4, score = 600 // 50 | push eax // e8???????? | // e8???????? 
| // 81c484000000 | add esp, 0x84 $sequence_5 = { e8???????? 83c460 e8???????? 83c40c } // n = 4, score = 600 // e8???????? | // 83c460 | add esp, 0x60 // e8???????? | // 83c40c | add esp, 0xc $sequence_6 = { e8???????? e8???????? 83c418 6a3c } // n = 4, score = 600 // e8???????? | // e8???????? | // 83c418 | add esp, 0x18 // 6a3c | push 0x3c $sequence_7 = { ff15???????? 50 ff15???????? 8b5508 8902 } // n = 5, score = 600 // ff15???????? | // 50 | push eax // ff15???????? | // 8b5508 | mov edx, dword ptr [ebp + 8] // 8902 | mov dword ptr [edx], eax $sequence_8 = { 50 ff15???????? 8b5508 8902 } // n = 4, score = 600 // 50 | push eax // ff15???????? | // 8b5508 | mov edx, dword ptr [ebp + 8] // 8902 | mov dword ptr [edx], eax $sequence_9 = { 7405 394104 7d07 8b4908 3bca 75f0 8bf9 } // n = 7, score = 400 // 7405 | je 7 // 394104 | cmp dword ptr [ecx + 4], eax // 7d07 | jge 9 // 8b4908 | mov ecx, dword ptr [ecx + 8] // 3bca | cmp ecx, edx // 75f0 | jne 0xfffffff2 // 8bf9 | mov edi, ecx condition: 7 of them and filesize < 4891648 } , rule win_stealc_w0 { meta: malware = \ Stealc\ description = \ Find standalone Stealc sample based on decryption routine or characteristic strings\ source = \ SEKOIA.IO\ reference = \ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\ classification = \ TLP:CLEAR\ hash = \ 77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d\ author = \ crep1x\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc\ malpedia_version = \ 20230221\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ malpedia_rule_date = \ 20230221\ malpedia_hash = \ \ strings: $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 
6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function $str01 = \ ------\ ascii $str02 = \ Network Info:\ ascii $str03 = \ - IP: IP?\ ascii $str04 = \ - Country: ISO?\ ascii $str05 = \ - Display Resolution:\ ascii $str06 = \ User Agents:\ ascii $str07 = \ %s\\%s\\%s\ ascii condition: uint16(0) == 0x5A4D and ($dec or 5 of ($str*)) } ] }, { Malware : SystemBC , Description : SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more prominently since June 2019. The first samples go back to October 2018. SystemBC is a proxy malware leveraging SOCKS5, i.e. it turns the infected host into a SOCKS5 proxy that its operators can route traffic through. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more prominently since June 2019. The first samples go back to October 2018. , YARA : [ rule win_systembc_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.systembc.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. 
* Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b8e88010000 8b968c010000 8bb690010000 8945e4 895df4 } // n = 5, score = 800 // 8b8e88010000 | mov ecx, dword ptr [esi + 0x188] // 8b968c010000 | mov edx, dword ptr [esi + 0x18c] // 8bb690010000 | mov esi, dword ptr [esi + 0x190] // 8945e4 | mov dword ptr [ebp - 0x1c], eax // 895df4 | mov dword ptr [ebp - 0xc], ebx $sequence_1 = { 52 6a00 6a00 6a00 ffb568f9ffff } // n = 5, score = 800 // 52 | push edx // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // ffb568f9ffff | push dword ptr [ebp - 0x698] $sequence_2 = { 668b9554f9ffff 6a00 6a00 6a03 6a00 6a00 } // n = 6, score = 800 // 668b9554f9ffff | mov dx, word ptr [ebp - 0x6ac] // 6a00 | push 0 // 6a00 | push 0 // 6a03 | push 3 // 6a00 | push 0 // 6a00 | push 0 $sequence_3 = { 898568f9ffff c7856cf9ffff00040000 8d853cf9ffff 50 6a00 6a00 } // n = 6, score = 800 // 898568f9ffff | mov dword ptr [ebp - 0x698], eax // c7856cf9ffff00040000 | mov dword ptr [ebp - 0x694], 0x400 // 8d853cf9ffff | lea eax, [ebp - 0x6c4] // 50 | push eax // 6a00 | push 0 // 6a00 | push 0 $sequence_4 = { 81c200008000 81c200100000 81c200200000 6a00 52 } // n = 5, score = 800 // 81c200008000 | add edx, 0x800000 // 81c200100000 | add edx, 0x1000 // 81c200200000 | add edx, 0x2000 // 6a00 | push 0 // 52 | push edx $sequence_5 = { 8d851cf4ffff 50 6800010000 57 ffb530f4ffff } // n = 5, score = 800 // 8d851cf4ffff | lea eax, [ebp - 0xbe4] // 50 | push eax // 6800010000 | push 0x100 // 57 | push edi // ffb530f4ffff | push dword ptr [ebp - 0xbd0] $sequence_6 = { 50 e8???????? ffd0 8b85f4feffff } // n = 4, score = 800 // 50 | push eax // e8???????? 
| // ffd0 | call eax // 8b85f4feffff | mov eax, dword ptr [ebp - 0x10c] $sequence_7 = { 43 3b5dfc 7296 33c0 5e 5f } // n = 6, score = 800 // 43 | inc ebx // 3b5dfc | cmp ebx, dword ptr [ebp - 4] // 7296 | jb 0xffffff98 // 33c0 | xor eax, eax // 5e | pop esi // 5f | pop edi $sequence_8 = { 668b9554f9ffff 6a00 6a00 6a03 6a00 } // n = 5, score = 800 // 668b9554f9ffff | mov dx, word ptr [ebp - 0x6ac] // 6a00 | push 0 // 6a00 | push 0 // 6a03 | push 3 // 6a00 | push 0 $sequence_9 = { 57 56 8b7d10 33c0 } // n = 4, score = 800 // 57 | push edi // 56 | push esi // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 33c0 | xor eax, eax condition: 7 of them and filesize < 57344 } ] }, { Malware : Trigona , Description : According to PCrisk, Trigona is ransomware that encrypts files and appends the \ ._locked\ extension to filenames. Also, it drops the \ how_to_decrypt.hta\ file that opens a ransom note. An example of how Trigona renames files: it renames \ 1.jpg\ to \ 1.jpg._locked\ , \ 2.png\ to \ 2.png._locked\ , and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files. According to PCrisk, Trigona is ransomware that encrypts files and appends the \ ._locked\ extension to filenames. Also, it drops the \ how_to_decrypt.hta\ file that opens a ransom note. An example of how Trigona renames files: it renames \ 1.jpg\ to \ 1.jpg._locked\ , \ 2.png\ to \ 2.png._locked\ , and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files. There is no Yara-Signature yet. , YARA : [] }, { Malware : Unidentified 112 (Rust-based Stealer) , Description : A Rust-based stealer, observed by Seqrite, along with TTPs overlapping with Pakistan-linked APT groups. A Rust-based stealer, observed by Seqrite, along with TTPs overlapping with Pakistan-linked APT groups. There is no Yara-Signature yet. , YARA : [] }, { Malware : wAgentTea , Description : wAgentTea is an HTTP(S) downloader. 
It was deployed mostly against South Korean targets like a pharmaceutical company (Q4 2020) or the semiconductor industry (Q2 2023). In several cases, the initial access was obtained via exploitation of South Korean software like Initech's INISAFE CrossWeb EX or Dream Security’s MagicLine4NX. It uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration. There is a hard-coded list of parameter names used in its HTTP POST request: identy;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;portal. It contains a specific RTTI symbol \ .?AVCHttp_socket@@\ . wAgentTea is an HTTP(S) downloader. It was deployed mostly against South Korean targets like a pharmaceutical company (Q4 2020) or the semiconductor industry (Q2 2023). In several cases, the initial access was obtained via exploitation of South Korean software like Initech's INISAFE CrossWeb EX or Dream Security’s MagicLine4NX. It uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration. There is a hard-coded list of parameter names used in its HTTP POST request: identy;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;portal. It contains a specific RTTI symbol \ .?AVCHttp_socket@@\ . In the absence of a YARA signature, the hard-coded POST parameter names and this RTTI symbol are the hunting artifacts this entry offers. There is no Yara-Signature yet. , YARA : [] }, { Malware : WinDealer , Description : Information stealer used by threat actor LuoYu. Information stealer used by threat actor LuoYu. 
, YARA : [ rule win_windealer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.windealer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 56 e8???????? 83c410 8b4618 } // n = 5, score = 800 // 50 | push eax // 56 | push esi // e8???????? | // 83c410 | add esp, 0x10 // 8b4618 | mov eax, dword ptr [esi + 0x18] $sequence_1 = { 6a00 ff15???????? 85c0 7407 50 ff15???????? 6a01 } // n = 7, score = 800 // 6a00 | push 0 // ff15???????? | // 85c0 | test eax, eax // 7407 | je 9 // 50 | push eax // ff15???????? | // 6a01 | push 1 $sequence_2 = { 6a04 50 6a04 68???????? 68???????? } // n = 5, score = 800 // 6a04 | push 4 // 50 | push eax // 6a04 | push 4 // 68???????? | // 68???????? | $sequence_3 = { 50 56 e8???????? 83c410 8b4610 } // n = 5, score = 800 // 50 | push eax // 56 | push esi // e8???????? 
| // 83c410 | add esp, 0x10 // 8b4610 | mov eax, dword ptr [esi + 0x10] $sequence_4 = { 53 56 57 68da070000 } // n = 4, score = 800 // 53 | push ebx // 56 | push esi // 57 | push edi // 68da070000 | push 0x7da $sequence_5 = { 56 57 68da070000 e8???????? } // n = 4, score = 800 // 56 | push esi // 57 | push edi // 68da070000 | push 0x7da // e8???????? | $sequence_6 = { 56 e8???????? 83c410 8b4610 } // n = 4, score = 800 // 56 | push esi // e8???????? | // 83c410 | add esp, 0x10 // 8b4610 | mov eax, dword ptr [esi + 0x10] $sequence_7 = { 6a01 50 56 e8???????? 83c410 8bc7 } // n = 6, score = 800 // 6a01 | push 1 // 50 | push eax // 56 | push esi // e8???????? | // 83c410 | add esp, 0x10 // 8bc7 | mov eax, edi $sequence_8 = { 668b91d2070000 8a89d0070000 52 51 } // n = 4, score = 800 // 668b91d2070000 | mov dx, word ptr [ecx + 0x7d2] // 8a89d0070000 | mov cl, byte ptr [ecx + 0x7d0] // 52 | push edx // 51 | push ecx $sequence_9 = { 8b4d08 668b91d2070000 8a89d0070000 52 51 } // n = 5, score = 800 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 668b91d2070000 | mov dx, word ptr [ecx + 0x7d2] // 8a89d0070000 | mov cl, byte ptr [ecx + 0x7d0] // 52 | push edx // 51 | push ecx condition: 7 of them and filesize < 770048 } ] }, { Malware : 3CX Backdoor , Description : According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack. According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack. Because the trojanized build carried 3CX's legitimate code signature, a valid signature alone does not distinguish it from a clean release; detection has to rely on the build's contents and timeframe rather than on signature validity. 
, YARA : [ rule win_3cx_backdoor_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.3cx_backdoor.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bc8 c1e907 33c1 81c287d61200 8bc8 c1e116 33c1 } // n = 7, score = 100 // 8bc8 | sub ecx, 1 // c1e907 | dec eax // 33c1 | lea ecx, [ebp - 0x30] // 81c287d61200 | dec eax // 8bc8 | mov eax, esi // c1e116 | dec eax // 33c1 | mov ecx, dword ptr [ebp - 0x10] $sequence_1 = { 84d2 7430 3811 742c e8???????? c70016000000 } // n = 6, score = 100 // 84d2 | dec esp // 7430 | mov edi, dword ptr [esp + 0x20] // 3811 | dec eax // 742c | mov ecx, esi // e8???????? 
| // c70016000000 | dec eax $sequence_2 = { 8bfb 48895c2430 4c89742428 4983e7f0 4d8d243f 498d442410 } // n = 6, score = 100 // 8bfb | mov dword ptr [esp + 0x20], eax // 48895c2430 | inc ecx // 4c89742428 | mov edx, edi // 4983e7f0 | dec eax // 4d8d243f | mov ecx, edi // 498d442410 | dec eax $sequence_3 = { 4a0fbe841940250300 428a8c1950250300 482bd0 8b42fc d3e8 49895108 41894118 } // n = 7, score = 100 // 4a0fbe841940250300 | dec eax // 428a8c1950250300 | arpl word ptr [eax], cx // 482bd0 | dec eax // 8b42fc | mov eax, ecx // d3e8 | dec eax // 49895108 | sar eax, 6 // 41894118 | dec eax $sequence_4 = { 4c8bce 4c8bc5 488bd7 498bcf e8???????? 498bc6 488b5c2460 } // n = 7, score = 100 // 4c8bce | dec eax // 4c8bc5 | lea eax, [0x2de58] // 488bd7 | dec eax // 498bcf | cmp ecx, eax // e8???????? | // 498bc6 | je 0x235 // 488b5c2460 | dec eax $sequence_5 = { 498bd7 4489642448 48897c2440 44894c2438 4c8d4d97 4889442430 4489642428 } // n = 7, score = 100 // 498bd7 | inc ecx // 4489642448 | cmp ebx, eax // 48897c2440 | dec eax // 44894c2438 | imul eax, ebp // 4c8d4d97 | mov edx, ecx // 4889442430 | xor ecx, ecx // 4489642428 | dec eax $sequence_6 = { 7428 85db 7524 488d0d7ef90200 e8???????? 85c0 7510 } // n = 7, score = 100 // 7428 | dec eax // 85db | cmp ebx, edi // 7524 | je 0x592 // 488d0d7ef90200 | dec eax // e8???????? 
| // 85c0 | cmp edx, dword ptr [ebp - 0x10] // 7510 | dec eax $sequence_7 = { 4889742458 488b7108 33d2 488bce 48c1eb05 492bc9 } // n = 6, score = 100 // 4889742458 | lea eax, [eax + ecx*4] // 488b7108 | inc ecx // 33d2 | movzx ecx, cl // 488bce | jmp 0xe1 // 48c1eb05 | dec ebp // 492bc9 | mov esp, edi $sequence_8 = { 4983c708 4533d2 32d2 4c897c2420 80fb30 7512 b201 } // n = 7, score = 100 // 4983c708 | mov eax, ebx // 4533d2 | inc ebp // 32d2 | test edi, edi // 4c897c2420 | je 0x2f9 // 80fb30 | inc ebp // 7512 | xor ebx, ebx // b201 | dec eax $sequence_9 = { 0fb608 880a 488d5210 488b4808 48894af8 448820 } // n = 6, score = 100 // 0fb608 | add edx, eax // 880a | dec ebp // 488d5210 | imul edx, esp // 488b4808 | inc ecx // 48894af8 | lea ecx, [ecx + edx] // 448820 | inc ecx condition: 7 of them and filesize < 585728 } , rule win_3cx_backdoor_w0 { meta: author = \ threatintel@volexity.com\ date = \ 2023-03-30\ description = \ Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.\ hash1 = \ aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868\ reference = \ https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\ memory_suitable = 0 license = \ See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor\ malpedia_version = \ 20230331\ malpedia_rule_date = \ 20230331\ malpedia_hash = \ \ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $cert = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } $app = \ 3CXDesktopApp.exe\ $data = \ 202303\ condition: all of them } , rule win_3cx_backdoor_w1 { meta: author = \ threatintel@volexity.com\ description = \ Detection of malicious ICO files used in 3CX compromise.\ date = \ 2023-03-30\ hash1 = \ a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c\ memory_suitable = 0 license = \ See license at 
https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor\ malpedia_version = \ 20230331\ malpedia_rule_date = \ 20230331\ malpedia_hash = \ \ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$ $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`. condition: uint16be(0) == 0x0000 and filesize < 120KB and ( $IEND_dollar in (filesize-500..filesize) and not $IEND_nodollar in (filesize-20..filesize) and for any k in (1..#IEND_dollar): ( for all i in (1..4): ( // byte value in 0x30..0x7A, i.e. [0-9a-zA-Z] plus the punctuation between those ranges uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47 ) ) ) } ] }, { Malware : BianLian , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : BLINDINGCAN , Description : BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S). It uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. It sends information about the victim's environment, like computer name, IP, Windows product name and processor name. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. 
It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc. It contains specific RTTI symbols like \ .?AVCHTTP_Protocol@@\ , \ .?AVCFileRW@@\ or \ .?AVCSinSocket@@\ . BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022. BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S). It uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. It sends information about the victim's environment, like computer name, IP, Windows product name and processor name. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc. It contains specific RTTI symbols like \ .?AVCHTTP_Protocol@@\ , \ .?AVCFileRW@@\ or \ .?AVCSinSocket@@\ . BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022. 
, YARA : [ rule win_blindingcan_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.blindingcan.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83c40c 68???????? 68???????? ff15???????? 689c040000 85c0 } // n = 6, score = 300 // 83c40c | mov dword ptr [ebp - 0x18], 0x1d9ccd5a // 68???????? | // 68???????? | // ff15???????? 
| // 689c040000 | mov dword ptr [ebp - 0x14], 0x64f9c236 // 85c0 | mov dword ptr [ebp - 0x10], 0xae9f0da7 $sequence_1 = { 750a 8b10 8994bdfcfdffff 47 83c00c 49 } // n = 6, score = 300 // 750a | mov ecx, 0x4b0 // 8b10 | test eax, eax // 8994bdfcfdffff | jne 0x2b // 47 | je 0xe // 83c00c | test al, 0x10 // 49 | je 0xc $sequence_2 = { c785bcfdffff661fcba8 c785c0fdffffc0f0d181 c785c4fdffff1f08c3d4 c785c8fdffff28edbc6a c785ccfdffff12aff210 } // n = 5, score = 300 // c785bcfdffff661fcba8 | jne 0x3a // c785c0fdffffc0f0d181 | dec eax // c785c4fdffff1f08c3d4 | lea edx, [0x1480d] // c785c8fdffff28edbc6a | dec eax // c785ccfdffff12aff210 | lea ecx, [0x1db0a] $sequence_3 = { c745e4ef0dfff5 c745e85acd9c1d c745ec36c2f964 c745f0a70d9fae c745f48f2aedf1 } // n = 5, score = 300 // c745e4ef0dfff5 | dec eax // c745e85acd9c1d | sub esp, 0xd00 // c745ec36c2f964 | dec eax // c745f0a70d9fae | xor eax, esp // c745f48f2aedf1 | dec eax $sequence_4 = { c78594feffff657f9183 c78598feffffa78b5b05 c7859cfeffff87f53e0c c785a0feffff074f9b22 } // n = 4, score = 300 // c78594feffff657f9183 | mov byte ptr [ebp + esi - 0x358], 1 // c78598feffffa78b5b05 | inc esi // c7859cfeffff87f53e0c | cmp esi, 0x1a // c785a0feffff074f9b22 | mov dword ptr [ebp - 0x1c], 0xf5ff0def $sequence_5 = { c745ac84b1df57 c745b0c8cbfee9 c745b4567e337f c745b8e958e686 } // n = 4, score = 300 // c745ac84b1df57 | mov dword ptr [ebp - 0xc], 0xf1ed2a8f // c745b0c8cbfee9 | mov dword ptr [ebp - 0x1b8], 0x2cf6c2df // c745b4567e337f | mov dword ptr [ebp - 0x1b4], 0x33665117 // c745b8e958e686 | mov dword ptr [ebp - 0x1b0], 0x7e7e6cf7 $sequence_6 = { c78548feffffdfc2f62c c7854cfeffff17516633 c78550fefffff76c7e7e c78554feffffa14b0c27 c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 } // n = 7, score = 300 // c78548feffffdfc2f62c | or esi, 0xffffffff // c7854cfeffff17516633 | dec esp // c78550fefffff76c7e7e | mov ebp, eax // c78554feffffa14b0c27 | dec eax // c78558feffff10c0aac6 | mov dword ptr [esp + 0x40], eax // 
c7855cfeffff489a8471 | dec eax // c78560feffff9cab4ad6 | cmp eax, esi $sequence_7 = { 740c a810 7408 c68435a8fcffff01 46 83fe1a } // n = 6, score = 300 // 740c | inc ecx // a810 | push esp // 7408 | inc ecx // c68435a8fcffff01 | push ebp // 46 | dec eax // 83fe1a | lea ebp, [eax - 0xc18] $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 e8???????? } // n = 6, score = 200 // f7fe | idiv esi // 8bca | mov ecx, edx // e8???????? | // 85c0 | test eax, eax // 7409 | je 0xb // e8???????? | $sequence_9 = { 55 4154 4155 488da8e8f3ffff 4881ec000d0000 488b05???????? 4833c4 } // n = 7, score = 100 // 55 | je 0x68 // 4154 | inc esp // 4155 | mov eax, edi // 488da8e8f3ffff | dec eax // 4881ec000d0000 | lea edx, [ebp - 0x40] // 488b05???????? | // 4833c4 | inc ecx $sequence_10 = { 8bd5 664489642422 6689442420 895c2428 e8???????? 8bd3 488bcf } // n = 7, score = 100 // 8bd5 | mov dword ptr [esp + 0x28], eax // 664489642422 | dec eax // 6689442420 | lea eax, [0x1d352] // 895c2428 | dec eax // e8???????? | // 8bd3 | lea edx, [0x13486] // 488bcf | inc ebp $sequence_11 = { 85c0 751b e8???????? 4885c0 7461 448bc7 488d55c0 } // n = 7, score = 100 // 85c0 | dec eax // 751b | mov ecx, edi // e8???????? 
| // 4885c0 | sub ecx, 0x2009 // 7461 | je 0x70 // 448bc7 | sub ecx, 7 // 488d55c0 | je 0x66 $sequence_12 = { 81e909200000 746e 83e907 745f ffc9 744d ffc9 } // n = 7, score = 100 // 81e909200000 | xor eax, eax // 746e | mov edx, ebp // 83e907 | inc sp // 745f | mov dword ptr [esp + 0x22], esp // ffc9 | mov word ptr [esp + 0x20], ax // 744d | mov dword ptr [esp + 0x28], ebx // ffc9 | mov edx, ebx $sequence_13 = { 410fb6c4 0fb68c2810be0100 41335518 400fb6c6 0fb6842810be0100 c1e108 33c8 } // n = 7, score = 100 // 410fb6c4 | dec ecx // 0fb68c2810be0100 | je 0x51 // 41335518 | dec ecx // 400fb6c6 | test eax, eax // 0fb6842810be0100 | jne 0x1d // c1e108 | dec eax // 33c8 | test eax, eax $sequence_14 = { 488b4dc8 488d45c0 4c8d4db0 4889442428 488d0552d30100 488d1586340100 4533c0 } // n = 7, score = 100 // 488b4dc8 | dec eax // 488d45c0 | mov ecx, dword ptr [ebp - 0x38] // 4c8d4db0 | dec eax // 4889442428 | lea eax, [ebp - 0x40] // 488d0552d30100 | dec esp // 488d1586340100 | lea ecx, [ebp - 0x50] // 4533c0 | dec eax $sequence_15 = { ff15???????? 4883ceff 4c8be8 4889442440 483bc6 752d ff15???????? } // n = 7, score = 100 // ff15???????? | // 4883ceff | movzx eax, ah // 4c8be8 | movzx ecx, byte ptr [eax + ebp + 0x1be10] // 4889442440 | inc ecx // 483bc6 | xor edx, dword ptr [ebp + 0x18] // 752d | inc eax // ff15???????? 
| condition: 7 of them and filesize < 363520 } , rule win_blindingcan_w0 { meta: author = \ CISA Code & Media Analysis\ incident = \ 10135536\ date = \ 2018-05-04\ actor = \ Lazarus Group\ actor_type = \ APT\ category = \ malware\ family = \ BLINDINGCAN\ description = \ Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT\ hash = \ 1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954\ hash = \ 7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799\ hash = \ 96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a\ hash = \ f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3\ source = \ https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan\ malpedia_version = \ 20200901\ malpedia_sharing = \ TLP:WHITE\ malpedia_license = \ \ strings: $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 } $s1 = { 50 4D 53 2A 2E 74 6D 70 } $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 } condition: any of them } ] }, { Malware : DRATzarus , Description : There is no description at this point. , YARA : [ rule win_dratzarus_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.dratzarus.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 740a 488b1b 4885db 75c2 eb2f 8b8398010000 } // n = 6, score = 200 // 740a | lea eax, [ebp + 0x220] // 488b1b | movzx esi, word ptr [ebp - 0x5e] // 4885db | inc esp // 75c2 | movzx ecx, word ptr [ebp - 0x60] // eb2f | mov dword ptr [esp + 0x40], edx // 8b8398010000 | mov dword ptr [esp + 0x38], eax $sequence_1 = { f6c201 7403 66ffc3 66ffc0 6683f81a } // n = 5, score = 200 // f6c201 | inc edx // 7403 | movzx eax, word ptr [edx + 0x24d00] // 66ffc3 | dec eax // 66ffc0 | lea ecx, [ebp + 0x300] // 6683f81a | dec eax $sequence_2 = { e8???????? f20f5ef0 f20f1005???????? f20f2cd6 660f6eca 4863c2 488d0c40 } // n = 7, score = 200 // e8???????? | // f20f5ef0 | lea ebx, [0x1f6ff] // f20f1005???????? | // f20f2cd6 | inc ecx // 660f6eca | mov eax, 0x19000 // 4863c2 | dec eax // 488d0c40 | mov ecx, eax $sequence_3 = { ff15???????? 488d4d68 ba13000000 488905???????? e8???????? } // n = 5, score = 200 // ff15???????? | // 488d4d68 | mov edx, 0x80000000 // ba13000000 | mov dword ptr [esp + 0x28], 0x80 // 488905???????? | // e8???????? | $sequence_4 = { 488d8dc8000000 ba1c000000 488905???????? e8???????? 488bcb 488bd0 ff15???????? } // n = 7, score = 200 // 488d8dc8000000 | dec eax // ba1c000000 | add ecx, dword ptr [edi + 8] // 488905???????? | // e8???????? | // 488bcb | dec esp // 488bd0 | arpl ax, ax // ff15???????? 
| $sequence_5 = { 3c41 7c04 3c5a 7e08 3c30 7c19 3c39 } // n = 7, score = 200 // 3c41 | inc esp // 7c04 | lea eax, [eax + 0x41] // 3c5a | dec eax // 7e08 | mov ebx, eax // 3c30 | dec eax // 7c19 | mov dword ptr [esp + 0x38], eax // 3c39 | dec eax $sequence_6 = { 6683f81a 72e3 0fb7c3 4883c420 } // n = 4, score = 200 // 6683f81a | dec esp // 72e3 | lea ecx, [esp + 0x48] // 0fb7c3 | dec esp // 4883c420 | lea eax, [esp + 0x44] $sequence_7 = { c745303ae47159 c7453474b06493 c745380897878b c6453c5b e8???????? 488bc8 } // n = 6, score = 200 // c745303ae47159 | dec eax // c7453474b06493 | add esp, 0x110 // c745380897878b | pop ebp // c6453c5b | ret // e8???????? | // 488bc8 | dec eax $sequence_8 = { c7450f86f5e3e6 c74513a93633c4 c7451793554020 c7451b48549c39 c7451faaa5f9c7 } // n = 5, score = 200 // c7450f86f5e3e6 | lea ecx, [eax + 1] // c74513a93633c4 | mov dword ptr [esp + 0x28], eax // c7451793554020 | dec eax // c7451b48549c39 | mov esi, edx // c7451faaa5f9c7 | repe cmpsb byte ptr [esi], byte ptr es:[edi] $sequence_9 = { 488d4dc8 ba0c000000 488905???????? e8???????? 488bcb 488bd0 ff15???????? } // n = 7, score = 200 // 488d4dc8 | lea eax, [0x56bfb] // ba0c000000 | lea edx, [ebp + 9] // 488905???????? | // e8???????? | // 488bcb | lea ecx, [ebp + 6] // 488bd0 | inc ecx // ff15???????? | condition: 7 of them and filesize < 1606656 } ] }, { Malware : ForestTiger , Description : There is no description at this point. 
, YARA : [ rule win_forest_tiger_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.forest_tiger.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 833f01 0f94c0 84c0 7407 } // n = 4, score = 200 // 833f01 | test eax, eax // 0f94c0 | je 0x3cc // 84c0 | jb 0x2fb // 7407 | cmp dword ptr [esp + 0x2c], 0 $sequence_1 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 } // n = 6, score = 200 // 833f01 | mov eax, 0x16 // 0f94c0 | dec eax // 84c0 | lea ecx, [esp + 0x30] // 7407 | dec eax // e8???????? | // eb05 | mov eax, ebx $sequence_2 = { 833f01 0f94c0 84c0 7407 e8???????? } // n = 5, score = 200 // 833f01 | push edx // 0f94c0 | push edi // 84c0 | lea edx, [esp + 0x678] // 7407 | push edx // e8???????? | $sequence_3 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 e8???????? 
} // n = 7, score = 200 // 833f01 | test eax, eax // 0f94c0 | sete bl // 84c0 | dec eax // 7407 | cmp dword ptr [ebp - 0x58], 8 // e8???????? | // eb05 | jb 0x18a // e8???????? | $sequence_4 = { 6a0c 51 e8???????? 83c410 8b858cf8ffff 3bc3 746e } // n = 7, score = 100 // 6a0c | mov dword ptr [edx + 0x10], eax // 51 | mov word ptr [edx], ax // e8???????? | // 83c410 | dec eax // 8b858cf8ffff | lea edx, [ecx + 0x980] // 3bc3 | dec eax // 746e | sub esp, 0x20 $sequence_5 = { 4885c9 740c e8???????? 4c8935???????? 488d0ddf710200 ff15???????? } // n = 6, score = 100 // 4885c9 | mov eax, dword ptr [ebp - 8] // 740c | mov ecx, dword ptr [ebp - 0x10] // e8???????? | // 4c8935???????? | // 488d0ddf710200 | cmp eax, ecx // ff15???????? | $sequence_6 = { 741b 498d8c243a250000 458ac6 b213 e8???????? f7d8 1bdb } // n = 7, score = 100 // 741b | dec ecx // 498d8c243a250000 | mov edi, dword ptr [ebp + 0x95] // 458ac6 | dec eax // b213 | mov dword ptr [esp + 0x48], esi // e8???????? | // f7d8 | mov ecx, eax // 1bdb | dec eax $sequence_7 = { 51 e8???????? 83c410 81c6a8000000 8bc6 8d5002 668b08 } // n = 7, score = 100 // 51 | cmp ecx, eax // e8???????? | // 83c410 | jl 0x16b7 // 81c6a8000000 | add edi, ebp // 8bc6 | dec eax // 8d5002 | add edx, 4 // 668b08 | cmp edi, 0x1c $sequence_8 = { c20400 8b4508 c7462c00000080 c74644ffffffff 85c0 7403 894644 } // n = 7, score = 100 // c20400 | inc eax // 8b4508 | test ch, 8 // c7462c00000080 | jbe 0x1963 // c74644ffffffff | mov ecx, dword ptr [ebp - 0x1c] // 85c0 | lea edx, [ecx + 1] // 7403 | mov eax, ecx // 894644 | sub eax, edx $sequence_9 = { 7416 4883ffff 7410 8bcd e8???????? 488bcf ffd0 } // n = 7, score = 100 // 7416 | sub esp, 0x60 // 4883ffff | dec eax // 7410 | mov ebx, dword ptr [esp + 0xa0] // 8bcd | and dword ptr [eax - 0x28], 0 // e8???????? 
| // 488bcf | dec eax // ffd0 | mov dword ptr [eax + 0x20], esi condition: 7 of them and filesize < 709632 } ] }, { Malware : ImprudentCook , Description : ImprudentCook is an HTTP(S) downloader.It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021. It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMainIt contains a string, \ 5.40\ or \ 5.60\ , looking like version information. ImprudentCook is an HTTP(S) downloader. It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021. It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication. 
It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data). It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub: 1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo 2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain It contains a string, \ 5.40\ or \ 5.60\ , looking like version information. , YARA : [ rule win_imprudentcook_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.imprudentcook.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 488d3c0b 483bf9 4983d200 4883ee18 4d03da 4d03d9 48ffcd } // n = 7, score = 100 // 488d3c0b | test ebx, ebx // 483bf9 | inc ecx // 4983d200 | setns dh // 4883ee18 | mov eax, 1 // 4d03da | nop word ptr [eax + eax] // 4d03d9 | dec esp // 48ffcd | mov ecx, eax $sequence_1 = { 4983c708 4983c508 48ffc9 75ec 49894500 488b5520 488d4fff } // n = 7, score = 100 // 4983c708 | mov ecx, dword ptr [esi] // 4983c508 | dec ecx // 48ffc9 | lea edx, [esp - 1] // 75ec | dec ecx // 49894500 | lea eax, [esi + 8] // 488b5520 | dec eax // 488d4fff | test edx, edx $sequence_2 = { 4d8bc4 498bd2 eb08 4c89642420 4c8bc7 } // n = 5, score = 100 // 4d8bc4 | dec eax // 498bd2 | shr ebp, 0x20 // eb08 | dec ecx // 4c89642420 | imul ecx, eax // 4c8bc7 | dec eax $sequence_3 = { 488d04ed00000000 4c03f5 4803f5 48ffc3 4c03f8 4c3bf7 7ec8 } // n = 7, score = 100 // 488d04ed00000000 | dec eax // 4c03f5 | mov ecx, esi // 4803f5 | mov eax, dword ptr [esp + 0x80] // 48ffc3 | inc eax // 4c03f8 | inc esp // 4c3bf7 | sub ecx, eax // 7ec8 | mov dword ptr [esp + 0x80], eax $sequence_4 = { 4c8bcf 4d8bc5 498bd4 e8???????? 488b9580000000 41b901000000 4d8bc6 } // n = 7, score = 100 // 4c8bcf | dec ecx // 4d8bc5 | add edx, ecx // 498bd4 | dec ecx // e8???????? | // 488b9580000000 | add edx, edx // 41b901000000 | dec eax // 4d8bc6 | sub edx, ebx $sequence_5 = { 4d3bfe 0f8c45ffffff 4c8bac2488000000 4f8d7c2d00 498bde 4d3bf7 } // n = 6, score = 100 // 4d3bfe | dec eax // 0f8c45ffffff | mov edx, dword ptr [esp + 0x50] // 4c8bac2488000000 | dec eax // 4f8d7c2d00 | mov edx, dword ptr [esp + 0x60] // 498bde | dec esp // 4d3bf7 | mov eax, dword ptr [esp + 0x68] $sequence_6 = { 8807 e9???????? 81fb0b000100 0f8dfb030000 81fb0000007e 0f87f7030000 85db } // n = 7, score = 100 // 8807 | test ecx, ecx // e9???????? 
| // 81fb0b000100 | jg 0x555 // 0f8dfb030000 | inc ebp // 81fb0000007e | test edi, edi // 0f87f7030000 | jle 0x82d // 85db | dec edx $sequence_7 = { 4803c2 48c1f806 488bf8 488bd8 488b8424c0000000 4c8d1cf8 48c1e306 } // n = 7, score = 100 // 4803c2 | dec ebp // 48c1f806 | cmp ecx, eax // 488bf8 | jae 0x1659 // 488bd8 | dec eax // 488b8424c0000000 | mov eax, 0 // 4c8d1cf8 | add dword ptr [eax], eax // 48c1e306 | add byte ptr [eax], al $sequence_8 = { 4833c2 482bc2 488bd3 493bc2 7d1a 4c895c2428 4c89442420 } // n = 7, score = 100 // 4833c2 | nop word ptr [eax + eax] // 482bc2 | dec esp // 488bd3 | mov dword ptr [edi], esp // 493bc2 | dec esp // 7d1a | lea esp, [ebx + 1] // 4c895c2428 | dec ebp // 4c89442420 | mov eax, esp $sequence_9 = { e9???????? 48ffcd b938000000 90 488bc3 48d3e8 84c0 } // n = 7, score = 100 // e9???????? | // 48ffcd | test ecx, ecx // b938000000 | dec eax // 90 | mov ecx, edi // 488bc3 | dec esp // 48d3e8 | lea esp, [0x121dd] // 84c0 | dec esp condition: 7 of them and filesize < 864256 } ] }, { Malware : LambLoad , Description : According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. 
The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. , YARA : [ rule win_lambload_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lambload.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffb5e4f7ffff e8???????? 0fb74624 57 57 6a03 } // n = 6, score = 100 // ffb5e4f7ffff | push dword ptr [ebp - 0x81c] // e8???????? | // 0fb74624 | movzx eax, word ptr [esi + 0x24] // 57 | push edi // 57 | push edi // 6a03 | push 3 $sequence_1 = { ff15???????? 47 83ff02 7caa 83c8ff 5f 5e } // n = 7, score = 100 // ff15???????? | // 47 | inc edi // 83ff02 | cmp edi, 2 // 7caa | jl 0xffffffac // 83c8ff | or eax, 0xffffffff // 5f | pop edi // 5e | pop esi $sequence_2 = { 74c5 57 57 57 ff7608 ff15???????? 
85c0 } // n = 7, score = 100 // 74c5 | je 0xffffffc7 // 57 | push edi // 57 | push edi // 57 | push edi // ff7608 | push dword ptr [esi + 8] // ff15???????? | // 85c0 | test eax, eax $sequence_3 = { 8b6c2424 83c408 3be8 7e02 8be8 } // n = 5, score = 100 // 8b6c2424 | mov ebp, dword ptr [esp + 0x24] // 83c408 | add esp, 8 // 3be8 | cmp ebp, eax // 7e02 | jle 4 // 8be8 | mov ebp, eax $sequence_4 = { 897dfc 897dd8 83ff40 0f8d3b010000 8b34bd00490710 85f6 } // n = 6, score = 100 // 897dfc | mov dword ptr [ebp - 4], edi // 897dd8 | mov dword ptr [ebp - 0x28], edi // 83ff40 | cmp edi, 0x40 // 0f8d3b010000 | jge 0x141 // 8b34bd00490710 | mov esi, dword ptr [edi*4 + 0x10074900] // 85f6 | test esi, esi $sequence_5 = { 83c420 837e1804 750d b800308000 } // n = 4, score = 100 // 83c420 | add esp, 0x20 // 837e1804 | cmp dword ptr [esi + 0x18], 4 // 750d | jne 0xf // b800308000 | mov eax, 0x803000 $sequence_6 = { f7f9 8955fc e8???????? 99 b9ffff0000 f7f9 } // n = 6, score = 100 // f7f9 | idiv ecx // 8955fc | mov dword ptr [ebp - 4], edx // e8???????? | // 99 | cdq // b9ffff0000 | mov ecx, 0xffff // f7f9 | idiv ecx $sequence_7 = { be???????? 50 a5 e8???????? 83c40c } // n = 5, score = 100 // be???????? | // 50 | push eax // a5 | movsd dword ptr es:[edi], dword ptr [esi] // e8???????? 
| // 83c40c | add esp, 0xc $sequence_8 = { 0fb78c05ecfbffff 66898c05f4fdffff 83c002 663bce 75e8 53 8d85ecfbffff } // n = 7, score = 100 // 0fb78c05ecfbffff | movzx ecx, word ptr [ebp + eax - 0x414] // 66898c05f4fdffff | mov word ptr [ebp + eax - 0x20c], cx // 83c002 | add eax, 2 // 663bce | cmp cx, si // 75e8 | jne 0xffffffea // 53 | push ebx // 8d85ecfbffff | lea eax, [ebp - 0x414] $sequence_9 = { 33c0 8a540430 8a8be8330710 32ca 888be8330710 43 3bdd } // n = 7, score = 100 // 33c0 | xor eax, eax // 8a540430 | mov dl, byte ptr [esp + eax + 0x30] // 8a8be8330710 | mov cl, byte ptr [ebx + 0x100733e8] // 32ca | xor cl, dl // 888be8330710 | mov byte ptr [ebx + 0x100733e8], cl // 43 | inc ebx // 3bdd | cmp ebx, ebp condition: 7 of them and filesize < 1039360 } ] }, { Malware : LightlessCan , Description : LightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan. In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.Besides the support for commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands:• ipconfig• net• netsh advfirewall firewall • netstat • reg• sc• ping (for both IPv4 and IPv6 protocols)• wmic process call create • nslookup • schstasks • systeminfo• arpThese native commands are often abused by the attackers after they have gotten a foothold in the target’s system. Lightless is able to execute them discreetly within the RAT itself, rather than being executed visibly in the system console. This provides stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools.LightlessCan use RC6 for decryption of its configuration, and also for encryption and decryption of network traffic. LightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan. 
In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India. Besides the support for commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands:• ipconfig• net• netsh advfirewall firewall • netstat • reg• sc• ping (for both IPv4 and IPv6 protocols)• wmic process call create • nslookup • schstasks • systeminfo• arp These native commands are often abused by the attackers after they have gotten a foothold in the target’s system. Lightless is able to execute them discreetly within the RAT itself, rather than being executed visibly in the system console. This provides stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools. LightlessCan use RC6 for decryption of its configuration, and also for encryption and decryption of network traffic. , YARA : [ rule win_lightlesscan_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lightlesscan.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. 
* This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 33db 48895c2460 488b4d70 4885c9 7405 e8???????? } // n = 7, score = 100 // e8???????? | // 33db | mov dword ptr [esp + 0x60], edi // 48895c2460 | dec eax // 488b4d70 | mov eax, dword ptr [esp + 0x58] // 4885c9 | dec eax // 7405 | lea eax, [esp + 0x78] // e8???????? | $sequence_1 = { b890100000 e8???????? 482be0 48c7442458feffffff 48899c24c8100000 4889b424d0100000 4889bc24d8100000 } // n = 7, score = 100 // b890100000 | dec eax // e8???????? | // 482be0 | lea edx, [0x36eb0] // 48c7442458feffffff | inc ecx // 48899c24c8100000 | add esi, esi // 4889b424d0100000 | inc ecx // 4889bc24d8100000 | mov edx, esp $sequence_2 = { 4863d8 e8???????? 488bd3 b940000000 ffd0 488d0deaa20300 c705????????01000000 } // n = 7, score = 100 // 4863d8 | mov ebp, dword ptr [esp + 0xac0] // e8???????? | // 488bd3 | dec eax // b940000000 | mov ecx, dword ptr [ebp + 0x9b0] // ffd0 | dec eax // 488d0deaa20300 | xor ecx, esp // c705????????01000000 | $sequence_3 = { 488d0d50c00100 e8???????? 4983c8ff ba80000000 488905???????? 488d0da05d0500 4885c0 } // n = 7, score = 100 // 488d0d50c00100 | test esi, esi // e8???????? | // 4983c8ff | je 0x1188 // ba80000000 | dec eax // 488905???????? | // 488d0da05d0500 | dec eax // 4885c0 | jne 0x10e1 $sequence_4 = { 4881c440020000 5b f3c3 8815???????? 0100 a9150100c7 150100d615 } // n = 7, score = 100 // 4881c440020000 | push edi // 5b | dec eax // f3c3 | sub esp, 0x88 // 8815???????? | // 0100 | dec eax // a9150100c7 | mov dword ptr [eax - 0x18], ebx // 150100d615 | dec eax $sequence_5 = { 498bcc e8???????? 488d1564b70500 41b804000000 498bcc e8???????? 488d1567b70500 } // n = 7, score = 100 // 498bcc | dec esp // e8???????? 
| // 488d1564b70500 | lea eax, [ebp - 0x20] // 41b804000000 | mov edx, ebx // 498bcc | dec ecx // e8???????? | // 488d1567b70500 | mov ecx, ebp $sequence_6 = { 4889442420 e8???????? eb0c 4c8d0d68440100 e8???????? 488d0d8cc10100 } // n = 6, score = 100 // 4889442420 | mov dword ptr [esp + 0x20], edi // e8???????? | // eb0c | call edi // 4c8d0d68440100 | test eax, eax // e8???????? | // 488d0d8cc10100 | jne 0x623 $sequence_7 = { 488d0d23b40600 ffd0 48833d????????00 7415 488d0db04a0300 e8???????? 488b0d???????? } // n = 7, score = 100 // 488d0d23b40600 | je 0x4e2 // ffd0 | dec eax // 48833d????????00 | // 7415 | lea ecx, [0x37d39] // 488d0db04a0300 | dec eax // e8???????? | // 488b0d???????? | $sequence_8 = { 7506 ff15???????? 4489bc24f8000000 488b07 418bf7 0fb74814 } // n = 6, score = 100 // 7506 | lea eax, [0x5e6c3] // ff15???????? | // 4489bc24f8000000 | mov edx, 0x80 // 488b07 | jmp 0xc1a // 418bf7 | dec esp // 0fb74814 | lea eax, [0x5c2e7] $sequence_9 = { 488d4d30 33d2 41b801100000 e8???????? 33d2 41b8faff0000 488bce } // n = 7, score = 100 // 488d4d30 | mov dword ptr [ebp - 0x31], esp // 33d2 | dec esp // 41b801100000 | mov dword ptr [ebp - 0x11], esp // e8???????? | // 33d2 | add edi, eax // 41b8faff0000 | inc esp // 488bce | mov dword ptr [ebp - 0x39], esp condition: 7 of them and filesize < 1399808 } ] }, { Malware : miniBlindingCan , Description : miniBlindingCan is an HTTP(S) orchestrator.It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022. miniBlindingCan is an HTTP(S) orchestrator. 
It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C. The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022. , YARA : [ rule win_miniblindingcan_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.miniblindingcan.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 899424b0000000 81faff000000 7c37 b881808080 488bce f7e2 c1ea07 } // n = 7, score = 100 // 899424b0000000 | dec ecx // 81faff000000 | dec edi // 7c37 | movdqa xmmword ptr [esp + 0x240], xmm6 // b881808080 | xor ebx, dword ptr [ebp + eax*4 + 0x21260] // 488bce | inc ecx // f7e2 | mov eax, ecx // c1ea07 | inc ecx $sequence_1 = { 8bc6 45338c8c600a0200 c1e808 c1eb08 41c1ea10 0fb6c8 410fb6c0 } // n = 7, score = 100 // 8bc6 | dec eax // 45338c8c600a0200 | lea ecx, [ebp + 0x54] // c1e808 | xor edx, edx // c1eb08 | inc ecx // 41c1ea10 | mov eax, 0x1f4 // 0fb6c8 | xor edx, edx // 410fb6c0 | inc ecx $sequence_2 = { 48ffc1 49ffc8 75ed 488b542428 4c8d442420 488bce e8???????? } // n = 7, score = 100 // 48ffc1 | inc ecx // 49ffc8 | mov eax, 1 // 75ed | dec eax // 488b542428 | lea ebx, [0xe337] // 4c8d442420 | inc ecx // 488bce | test al, al // e8???????? | $sequence_3 = { 660f6e7310 488d4c2438 f30fe6f6 ff15???????? 488d542430 488d4c2438 ff15???????? } // n = 7, score = 100 // 660f6e7310 | add byte ptr [eax], al // 488d4c2438 | add byte ptr [eax - 0x77], cl // f30fe6f6 | inc ebp // ff15???????? | // 488d542430 | out dx, eax // 488d4c2438 | xor eax, eax // ff15???????? | $sequence_4 = { 483b442420 0f8710040000 4883fd0f 0f82e7030000 488d7df1 c606f0 } // n = 6, score = 100 // 483b442420 | mov ecx, dword ptr [esi + 0x4000] // 0f8710040000 | inc ecx // 4883fd0f | add dword ptr [esi + 0x4018], ebx // 0f82e7030000 | dec ebp // 488d7df1 | mov ebx, eax // c606f0 | test ebx, ebx $sequence_5 = { 488d0579340000 488905???????? e9???????? 81fb39380000 7513 488d0553340000 488905???????? } // n = 7, score = 100 // 488d0579340000 | dec eax // 488905???????? | // e9???????? | // 81fb39380000 | lea eax, [0x412f] // 7513 | cmp esi, 1 // 488d0553340000 | cmp ebx, 0x23f0 // 488905???????? 
| $sequence_6 = { 48ffc6 448bc1 f7e1 c1ea07 4c89442430 8bc2 } // n = 6, score = 100 // 48ffc6 | sub ecx, 5 // 448bc1 | je 0x2f4 // f7e1 | dec eax // c1ea07 | mov ecx, edi // 4c89442430 | mov word ptr [eax], si // 8bc2 | dec eax $sequence_7 = { 488bc8 ff15???????? 488d1528a70000 488bce 488905???????? ff15???????? 488bc8 } // n = 7, score = 100 // 488bc8 | lea eax, [0x21c1] // ff15???????? | // 488d1528a70000 | jne 0x1eb2 // 488bce | inc ecx // 488905???????? | // ff15???????? | // 488bc8 | cmp ebx, esi $sequence_8 = { 488b4590 83a0c8000000fd 83c8ff e9???????? 4183cfff f6431840 4c8d0dc50dffff } // n = 7, score = 100 // 488b4590 | lea eax, [0x5aa6] // 83a0c8000000fd | cmp ebx, 0x3839 // 83c8ff | jne 0x1446 // e9???????? | // 4183cfff | jne 0x1448 // f6431840 | dec eax // 4c8d0dc50dffff | lea eax, [0x2da7] $sequence_9 = { 740a b801000000 e9???????? 4533c9 } // n = 4, score = 100 // 740a | lea edx, [0x26e84] // b801000000 | inc esp // e9???????? | // 4533c9 | mov eax, ebx condition: 7 of them and filesize < 453632 } ] }, { Malware : POOLRAT , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : PostNapTea , Description : PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project.In 2022-2023, it was deployed against targets like a newspaper organization, agriculture-related entity or a software vendor. The initial access was usually achieved by exploiting vulnerabilities in widely-used software in South Korea.It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration. PostNapTea uses AES for encryption and decryption ot network traffic. There is a constant prefix SIGNBT occuring in its HTTP POST requests. 
The prefix is concatenated with 2 characters that identify the communication stage: • LG: logging into the C&C server • KE: acknowledging the successful login to the C&C • FI: sending the status of a failed operation • SR: sending the status of a successful operation • GC: getting the next command. There are five classes that represent command groups: • CCButton: for file manipulation and screen capturing • CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall. • CCComboBox: for file system management • CCList: for process management • CCBrush: for control of the malware itself. It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function. Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name. PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project. In 2022-2023, it was deployed against targets like a newspaper organization, agriculture-related entity or a software vendor. The initial access was usually achieved by exploiting vulnerabilities in widely-used software in South Korea. It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration. PostNapTea uses AES for encryption and decryption of network traffic. There is a constant prefix SIGNBT occurring in its HTTP POST requests. 
The prefix is concatenated with 2 characters that identify the communication stage: • LG: logging into the C&C server • KE: acknowledging the successful login to the C&C • FI: sending the status of a failed operation • SR: sending the status of a successful operation • GC: getting the next command. There are five classes that represent command groups: • CCButton: for file manipulation and screen capturing • CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall. • CCComboBox: for file system management • CCList: for process management • CCBrush: for control of the malware itself. It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function. Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name. , YARA : [ rule win_postnaptea_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.postnaptea.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c744247418f561f5 c744247867f50000 4863c2 488d4c2450 488d0c41 0fb7c2 662bc3 } // n = 7, score = 100 // c744247418f561f5 | dec eax // c744247867f50000 | mov edx, dword ptr [ecx + eax*8] // 4863c2 | dec ecx // 488d4c2450 | mov ecx, esi // 488d0c41 | dec eax // 0fb7c2 | test eax, eax // 662bc3 | jne 0x1440 $sequence_1 = { ffc2 83fa1a 72e3 6644896c2474 488d442440 488bd3 0f1f440000 } // n = 7, score = 100 // ffc2 | dec eax // 83fa1a | mov ecx, esi // 72e3 | nop // 6644896c2474 | dec eax // 488d442440 | lea edx, [ebp + 0xf38] // 488bd3 | dec eax // 0f1f440000 | lea ecx, [ebp + 0xa70] $sequence_2 = { ffd7 85c0 0f842c010000 4c8d052d4b0600 ba04010000 498bce e8???????? } // n = 7, score = 100 // ffd7 | dec eax // 85c0 | inc ebx // 0f842c010000 | cmp word ptr [eax + ebx*2], 0 // 4c8d052d4b0600 | jne 0x27a // ba04010000 | dec eax // 498bce | mov dword ptr [esp + 0x60], 7 // e8???????? | $sequence_3 = { e9???????? 418b8520280000 4d8bce 48634c2440 4c8bc6 2bc1 48034c2460 } // n = 7, score = 100 // e9???????? 
| // 418b8520280000 | dec ecx // 4d8bce | lea ecx, [ebp + 0x2c18] // 48634c2440 | dec eax // 4c8bc6 | lea edx, [esp + 0x40] // 2bc1 | dec eax // 48034c2460 | lea ecx, [esp + 0x78] $sequence_4 = { c745c000f50cf5 c745c407f528f5 c745c80cf508f5 c745cc02f53cf5 c745d006f50bf5 c745d419f50bf5 c745d81bf54ef5 } // n = 7, score = 100 // c745c000f50cf5 | jne 0xd95 // c745c407f528f5 | cmp byte ptr [ebx + 8], 0 // c745c80cf508f5 | dec eax // c745cc02f53cf5 | mov ecx, eax // c745d006f50bf5 | cmp byte ptr [eax + 0x19], 0 // c745d419f50bf5 | je 0xe43 // c745d81bf54ef5 | dec eax $sequence_5 = { ff15???????? 4533e4 4d85f6 0f8418100000 498bce e9???????? 448b85b0000000 } // n = 7, score = 100 // ff15???????? | // 4533e4 | cmp dword ptr [eax], ebp // 4d85f6 | jne 0x1135 // 0f8418100000 | mov dword ptr [ebp + 0x20], 0xf529f50e // 498bce | mov dword ptr [ebp + 0x24], 0xf503f569 // e9???????? | // 448b85b0000000 | dec eax $sequence_6 = { c7851001000031f56df5 c785140100006df54ef5 c7851801000005f50ef5 c7851c0100000ff50000 418bd4 0f1f440000 4863c2 } // n = 7, score = 100 // c7851001000031f56df5 | test eax, eax // c785140100006df54ef5 | jne 0xa35 // c7851801000005f50ef5 | mov dword ptr [ebp + 0x310], 0xf51ef502 // c7851c0100000ff50000 | mov dword ptr [ebp + 0x314], 0xf52cf53e // 418bd4 | dec eax // 0f1f440000 | mov edx, edi // 4863c2 | dec eax $sequence_7 = { c78520020000a081b081 c78524020000a281ba81 c78528020000fa81b181 c7852c020000ba81bb81 33c0 66898530020000 418bd5 } // n = 7, score = 100 // c78520020000a081b081 | mov dword ptr [esp + 0x68], eax // c78524020000a281ba81 | dec eax // c78528020000fa81b181 | mov edx, eax // c7852c020000ba81bb81 | dec eax // 33c0 | lea ecx, [ebp - 0x58] // 66898530020000 | dec eax // 418bd5 | cmp dword ptr [ebp - 0x48], 0 $sequence_8 = { 488b05???????? 4885c0 7515 488d55b0 b9bd59e821 e8???????? 488905???????? } // n = 7, score = 100 // 488b05???????? 
| // 4885c0 | mov word ptr [ebp + 0x18], ax // 7515 | inc ecx // 488d55b0 | mov edx, ebp // b9bd59e821 | nop word ptr [eax + eax] // e8???????? | // 488905???????? | $sequence_9 = { ffd7 c7856007000079f57af5 c785640700007bf515f5 c785680700000df528f5 c7856c0700006bf540f5 c7857007000020f506f5 c7857407000007f516f5 } // n = 7, score = 100 // ffd7 | inc dx // c7856007000079f57af5 | cmp dword ptr [eax + eax*2], 0 // c785640700007bf515f5 | dec eax // c785680700000df528f5 | mov dword ptr [ebp - 0x18], 7 // c7856c0700006bf540f5 | inc sp // c7857007000020f506f5 | mov dword ptr [ebp - 0x30], esi // c7857407000007f516f5 | inc ecx condition: 7 of them and filesize < 2457600 } ] }, { Malware : Rhadamanthys , Description : According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. There is no Yara-Signature yet. , YARA : [] }, { Malware : S.O.V.A. , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : SimpleTea , Description : SimpleTea for Linux is an HTTP(S) RAT. 
It was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time. It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic. It supports basic commands that include operations on the victim’s filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3. SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two. SimpleTea for Linux is an HTTP(S) RAT. It was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time. It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic. It supports basic commands that include operations on the victim’s filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3. 
SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two. There is no Yara-Signature yet. , YARA : [] }, { Malware : SimpleTea , Description : SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea). It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different. SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023. SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea). It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different. SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023. There is no Yara-Signature yet. , YARA : [] }, { Malware : SnatchCrypto , Description : Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence. Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence. 
, YARA : [ rule win_snatchcrypto_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.snatchcrypto.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7528 488bd3 488bcf e8???????? 448b87a8020000 488d15d43f0200 448906 } // n = 7, score = 200 // 7528 | mov dword ptr [eax], 0x16 // 488bd3 | jmp 0x648 // 488bcf | dec esp // e8???????? | // 448b87a8020000 | lea esp, [0x608a1] // 488d15d43f0200 | mov dword ptr [ebx], 0x80 // 448906 | dec esp $sequence_1 = { 4c8d442430 e8???????? 85c0 0f8533010000 8d7058 8d6814 eb36 } // n = 7, score = 200 // 4c8d442430 | test al, al // e8???????? | // 85c0 | jns 0x42f // 0f8533010000 | mov eax, 0xfffffe8b // 8d7058 | ret // 8d6814 | test al, 0x40 // eb36 | jne 0x159 $sequence_2 = { ff15???????? 488bf8 4885c0 750f ff15???????? 488d15f7730200 eb27 } // n = 7, score = 200 // ff15???????? 
| // 488bf8 | xor ecx, ecx // 4885c0 | inc esp // 750f | xor ebx, dword ptr [esi + 4] // ff15???????? | // 488d15f7730200 | movzx ecx, al // eb27 | mov eax, ebp $sequence_3 = { 0fb74348 ff4320 448b4b20 ffc0 488d1586a70200 440fb7c0 e8???????? } // n = 7, score = 200 // 0fb74348 | test ecx, ecx // ff4320 | je 0x1060 // 448b4b20 | dec esp // ffc0 | mov dword ptr [ebx + 0x130], esp // 488d1586a70200 | dec eax // 440fb7c0 | mov ecx, dword ptr [ebx + 0x130] // e8???????? | $sequence_4 = { 48894598 4889442458 4889442460 0fb6474d 41c1e608 440bf0 0fb6474e } // n = 7, score = 200 // 48894598 | inc eax // 4889442458 | dec ecx // 4889442460 | jne 0x69 // 0fb6474d | dec esp // 41c1e608 | lea eax, [0x64ea4] // 440bf0 | dec eax // 0fb6474e | mov ecx, edi $sequence_5 = { 440fb64c3580 4c8d05a73f0100 ba03000000 488bcf e8???????? 48ffc6 4883c702 } // n = 7, score = 200 // 440fb64c3580 | dec eax // 4c8d05a73f0100 | add ecx, 0x528 // ba03000000 | mov esi, eax // 488bcf | test eax, eax // e8???????? | // 48ffc6 | jne 0x1e51 // 4883c702 | dec eax $sequence_6 = { 4883ec38 ffca 744c 81faff1f0000 754b 33c0 4c8905???????? } // n = 7, score = 200 // 4883ec38 | cmp edx, 0x3c // ffca | dec eax // 744c | lea eax, [0x284aa] // 81faff1f0000 | dec esp // 754b | mov dword ptr [esp + 0x50], esi // 33c0 | dec esp // 4c8905???????? | $sequence_7 = { e8???????? 8bf8 85c0 7907 b8c0feffff eb3f 0fb78394030000 } // n = 7, score = 200 // e8???????? | // 8bf8 | inc ecx // 85c0 | mov ecx, esi // 7907 | inc esp // b8c0feffff | add ecx, dword ptr [esp + edi + 0x30] // eb3f | inc ecx // 0fb78394030000 | or ecx, edi $sequence_8 = { 83c702 3ac1 760a b8bafeffff e9???????? 7368 0fb78b94030000 } // n = 7, score = 200 // 83c702 | je 0x10a6 // 3ac1 | test eax, eax // 760a | mov ebx, eax // b8bafeffff | mov edx, ebx // e9???????? | // 7368 | dec eax // 0fb78b94030000 | mov ecx, ebp $sequence_9 = { 488d15e98d0200 498bce 4c8bc0 e8???????? 8d7e3e 448be3 e9???????? 
} // n = 7, score = 200 // 488d15e98d0200 | dec esp // 498bce | lea ecx, [ebp - 0x50] // 4c8bc0 | dec eax // e8???????? | // 8d7e3e | lea ecx, [ebp - 0x50] // 448be3 | jbe 0x1d8 // e9???????? | condition: 7 of them and filesize < 1400832 } ] }, { Malware : WebbyTea , Description : WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption. It sends detailed information about the victim's environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix \ ci\ , a 16-character-long hexadecimal string representing the victim ID and encrypted data about the victim's system. After the payload is acquired from the server and successfully injected in a newly created explorer.exe process, the malware responds back with the same victim ID having the prefix changed to \ cs\ . The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived). The usual payload associated with WebbyTea is SnatchCrypto. WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption. It sends detailed information about the victim's environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix \ ci\ , a 16-character-long hexadecimal string representing the victim ID and encrypted data about the victim's system. After the payload is acquired from the server and successfully injected in a newly created explorer.exe process, the malware responds back with the same victim ID having the prefix changed to \ cs\ . 
The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived). The usual payload associated with WebbyTea is SnatchCrypto. , YARA : [ rule win_webbytea_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.webbytea.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e9???????? c744242000000000 4533c9 4533c0 33d2 33c9 } // n = 6, score = 300 // e9???????? 
| // c744242000000000 | and esi, 0x3f // 4533c9 | dec ebp // 4533c0 | mov ebp, esp // 33d2 | or eax, 0xffffffff // 33c9 | or esi, 0xffffffff $sequence_1 = { c68424f100000072 c68424f200000065 c68424f300000061 c68424f400000074 } // n = 4, score = 300 // c68424f100000072 | mov word ptr [esp + 0x156], ax // c68424f200000065 | mov eax, 0x72 // c68424f300000061 | mov word ptr [esp + 0x158], ax // c68424f400000074 | mov eax, 0x74 $sequence_2 = { 8b00 ffc0 488b8c2488020000 8901 488d542430 488b4c2420 } // n = 6, score = 300 // 8b00 | mov eax, dword ptr [esp + 0x90] // ffc0 | dec eax // 488b8c2488020000 | mov edx, dword ptr [esp + 0x4620] // 8901 | dec eax // 488d542430 | add ecx, dword ptr [edx] // 488b4c2420 | dec eax $sequence_3 = { 488b8c2488020000 8901 488d542430 488b4c2420 ff15???????? 85c0 } // n = 6, score = 300 // 488b8c2488020000 | jge 0x102d // 8901 | dec eax // 488d542430 | arpl word ptr [esp + 0x20], ax // 488b4c2420 | inc eax // ff15???????? | // 85c0 | mov dword ptr [esp + 0x20], eax $sequence_4 = { 488b842488020000 8b00 ffc0 488b8c2488020000 } // n = 4, score = 300 // 488b842488020000 | mov eax, dword ptr [esp + 0x30] // 8b00 | dec eax // ffc0 | mov eax, dword ptr [esp + 0x30] // 488b8c2488020000 | dec eax $sequence_5 = { eb08 8b0424 ffc0 890424 8b442438 390424 } // n = 6, score = 300 // eb08 | sub eax, eax // 8b0424 | inc ecx // ffc0 | mov eax, dword ptr [eax - 4] // 890424 | shr eax, cl // 8b442438 | and ecx, 0xf // 390424 | dec edx $sequence_6 = { 488b842488020000 8b00 ffc0 488b8c2488020000 8901 488d542430 488b4c2420 } // n = 7, score = 300 // 488b842488020000 | dec eax // 8b00 | mov dword ptr [esp + 0x30], eax // ffc0 | dec eax // 488b8c2488020000 | mov ecx, dword ptr [esp + 0x60] // 8901 | jmp 0x4d9 // 488d542430 | dec eax // 488b4c2420 | mov eax, dword ptr [esp + 0x20] $sequence_7 = { c7042400000000 eb08 8b0424 ffc0 890424 8b442438 } // n = 6, score = 300 // c7042400000000 | sar eax, 6 // eb08 | dec eax // 8b0424 | lea edx, [0x16922] // ffc0 | and ecx, 
0x3f // 890424 | je 0x69b // 8b442438 | dec eax $sequence_8 = { 488b8c2488020000 8901 488d542430 488b4c2420 } // n = 4, score = 300 // 488b8c2488020000 | mov ecx, dword ptr [esp + 0x28] // 8901 | mov eax, 1 // 488d542430 | dec eax // 488b4c2420 | mov ecx, dword ptr [esp + 0x28] $sequence_9 = { c68424f100000072 c68424f200000065 c68424f300000061 c68424f400000074 c68424f500000065 } // n = 5, score = 300 // c68424f100000072 | jne 0x5c8 // c68424f200000065 | dec eax // c68424f300000061 | lea eax, [esp + 0x9e0] // c68424f400000074 | cmp eax, 1 // c68424f500000065 | jne 0x644 condition: 7 of them and filesize < 552960 } ] }, { Malware : WinInetLoader , Description : There is no description at this point. , YARA : [ rule win_wininetloader_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.wininetloader.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.wininetloader\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 7510 0fb611 0fb6c2 80fa28 7423 80fa29 741e } // n = 7, score = 100 // 7510 | dec eax // 0fb611 | lea esi, [edx + ecx] // 0fb6c2 | dec eax // 80fa28 | mov dword ptr [ebp + 0x5c0], esi // 7423 | dec eax // 80fa29 | lea edi, [ebp + 0x5b0] // 741e | dec ecx $sequence_1 = { 4c8bac2480000000 90 493bdf 74db 0fb633 498bcd 410fb61424 } // n = 7, score = 100 // 4c8bac2480000000 | nop // 90 | dec eax // 493bdf | mov dword ptr [edx + 0x28], ecx // 74db | dec eax // 0fb633 | mov eax, dword ptr [ebx + 8] // 498bcd | dec eax // 410fb61424 | mov dword ptr [edx + 0x18], eax $sequence_2 = { 48897c2460 4d8bc5 488b542438 488bc8 e8???????? 4b8d042e 4889442458 } // n = 7, score = 100 // 48897c2460 | dec eax // 4d8bc5 | mov dword ptr [ebx], ecx // 488b542438 | dec eax // 488bc8 | lea edx, [ebx + 8] // e8???????? | // 4b8d042e | dec eax // 4889442458 | lea ecx, [eax + 8] $sequence_3 = { 90 488d5508 48837d2008 480f435508 488b4518 4c8d0c42 4c8d4508 } // n = 7, score = 100 // 90 | mov eax, dword ptr [ecx + 0x18] // 488d5508 | and eax, 0xfffffff // 48837d2008 | cmp eax, 3 // 480f435508 | jne 0x526 // 488b4518 | dec eax // 4c8d0c42 | lea eax, [0xf0f97] // 4c8d4508 | dec eax $sequence_4 = { e8???????? 3a03 7516 488bcf e8???????? 4c8b45f8 488b4df0 } // n = 7, score = 100 // e8???????? | // 3a03 | lea ecx, [ebx + 0x10] // 7516 | dec esp // 488bcf | lea eax, [ebp + 0x150] // e8???????? 
| // 4c8b45f8 | dec eax // 488b4df0 | mov eax, 0xffffffff $sequence_5 = { 4c8be0 4889442450 4885db 7427 488b03 488bcb 488b4010 } // n = 7, score = 100 // 4c8be0 | mov dword ptr [eax + 8], ebx // 4889442450 | dec eax // 4885db | mov dword ptr [eax + 0x18], esi // 7427 | dec eax // 488b03 | xor eax, esp // 488bcb | dec eax // 488b4010 | mov dword ptr [ebp + 0x68], eax $sequence_6 = { 4c894d08 33db 448bf3 895c2470 49395910 752b 488d15b6ea1100 } // n = 7, score = 100 // 4c894d08 | dec eax // 33db | lea eax, [0x282f7] // 448bf3 | dec eax // 895c2470 | cmp ebp, eax // 49395910 | jl 0x42 // 752b | test edi, edi // 488d15b6ea1100 | dec eax $sequence_7 = { 3a8c2ab8a80e00 0f8585000000 488b03 48ffc2 8a08 48ffc0 488903 } // n = 7, score = 100 // 3a8c2ab8a80e00 | dec ecx // 0f8585000000 | mov ecx, esp // 488b03 | jbe 0x1e8b // 48ffc2 | mov edx, 0x1e // 8a08 | dec eax // 48ffc0 | mov ecx, edi // 488903 | mov edx, dword ptr [ebx + 0x34] $sequence_8 = { 488d1d48970500 807e5704 7704 488b5e48 48ffc7 803c3b00 75f7 } // n = 7, score = 100 // 488d1d48970500 | dec eax // 807e5704 | test esi, esi // 7704 | inc ebp // 488b5e48 | xor edi, edi // 48ffc7 | inc ebp // 803c3b00 | mov byte ptr [esp], bh // 75f7 | inc ebp $sequence_9 = { eb21 48c74424200f000000 4c8d0d54fd0900 4533c0 418d500f 488d4c2430 e8???????? } // n = 7, score = 100 // eb21 | jae 0x5e8 // 48c74424200f000000 | mov edx, 0x20 // 4c8d0d54fd0900 | dec eax // 4533c0 | sub edx, esi // 418d500f | dec eax // 488d4c2430 | mov dword ptr [edi + 0x18], 0xf // e8???????? | condition: 7 of them and filesize < 2659328 } ] }, { Malware : WyrmSpy , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Amadey , Description : Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. 
Its main functionality is that it can load other payloads (called \ tasks\ ) for all or specifically targeted computers compromised by the malware. Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \ tasks\ ) for all or specifically targeted computers compromised by the malware. , YARA : [ rule win_amadey_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.amadey.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ebb0 b8???????? 83c410 5b } // n = 4, score = 700 // ebb0 | jmp 0xffffffb2 // b8???????? | // 83c410 | add esp, 0x10 // 5b | pop ebx $sequence_1 = { e8???????? 
89c2 8b45f4 89d1 ba00000000 f7f1 } // n = 6, score = 700 // e8???????? | // 89c2 | mov edx, eax // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // 89d1 | mov ecx, edx // ba00000000 | mov edx, 0 // f7f1 | div ecx $sequence_2 = { c744240805000000 c744240402000000 890424 e8???????? } // n = 4, score = 700 // c744240805000000 | mov dword ptr [esp + 8], 5 // c744240402000000 | mov dword ptr [esp + 4], 2 // 890424 | mov dword ptr [esp], eax // e8???????? | $sequence_3 = { c9 c3 55 89e5 81ecc8010000 } // n = 5, score = 700 // c9 | leave // c3 | ret // 55 | push ebp // 89e5 | mov ebp, esp // 81ecc8010000 | sub esp, 0x1c8 $sequence_4 = { c70424???????? e8???????? 8b45fc 89442408 c7442404???????? 8b4508 890424 } // n = 7, score = 700 // c70424???????? | // e8???????? | // 8b45fc | mov eax, dword ptr [ebp - 4] // 89442408 | mov dword ptr [esp + 8], eax // c7442404???????? | // 8b4508 | mov eax, dword ptr [ebp + 8] // 890424 | mov dword ptr [esp], eax $sequence_5 = { c744240800020000 8d85f8fdffff 89442404 891424 e8???????? 83ec20 } // n = 6, score = 700 // c744240800020000 | mov dword ptr [esp + 8], 0x200 // 8d85f8fdffff | lea eax, [ebp - 0x208] // 89442404 | mov dword ptr [esp + 4], eax // 891424 | mov dword ptr [esp], edx // e8???????? | // 83ec20 | sub esp, 0x20 $sequence_6 = { c70424???????? e8???????? 890424 e8???????? 84c0 7407 c745fc05000000 } // n = 7, score = 700 // c70424???????? | // e8???????? | // 890424 | mov dword ptr [esp], eax // e8???????? 
| // 84c0 | test al, al // 7407 | je 9 // c745fc05000000 | mov dword ptr [ebp - 4], 5 $sequence_7 = { 83ec04 8945f4 837df400 7454 8b4508 890424 } // n = 6, score = 700 // 83ec04 | sub esp, 4 // 8945f4 | mov dword ptr [ebp - 0xc], eax // 837df400 | cmp dword ptr [ebp - 0xc], 0 // 7454 | je 0x56 // 8b4508 | mov eax, dword ptr [ebp + 8] // 890424 | mov dword ptr [esp], eax $sequence_8 = { 83fa10 722f 8b8d78feffff 42 } // n = 4, score = 600 // 83fa10 | cmp edx, 0x10 // 722f | jb 0x31 // 8b8d78feffff | mov ecx, dword ptr [ebp - 0x188] // 42 | inc edx $sequence_9 = { 8b8d78feffff 42 8bc1 81fa00100000 7214 8b49fc } // n = 6, score = 600 // 8b8d78feffff | mov ecx, dword ptr [ebp - 0x188] // 42 | inc edx // 8bc1 | mov eax, ecx // 81fa00100000 | cmp edx, 0x1000 // 7214 | jb 0x16 // 8b49fc | mov ecx, dword ptr [ecx - 4] $sequence_10 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 } // n = 5, score = 600 // 68???????? | // e8???????? | // 8d4dcc | lea ecx, [ebp - 0x34] // e8???????? | // 83c418 | add esp, 0x18 $sequence_11 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 } // n = 5, score = 500 // 68???????? | // e8???????? | // 8d4db4 | lea ecx, [ebp - 0x4c] // e8???????? | // 83c418 | add esp, 0x18 $sequence_12 = { 52 6a02 6a00 51 ff75f8 ff15???????? ff75f8 } // n = 7, score = 500 // 52 | push edx // 6a02 | push 2 // 6a00 | push 0 // 51 | push ecx // ff75f8 | push dword ptr [ebp - 8] // ff15???????? | // ff75f8 | push dword ptr [ebp - 8] $sequence_13 = { 8bce e8???????? e8???????? 83c418 e8???????? e9???????? 52 } // n = 7, score = 500 // 8bce | mov ecx, esi // e8???????? | // e8???????? | // 83c418 | add esp, 0x18 // e8???????? | // e9???????? | // 52 | push edx $sequence_14 = { c705????????0c000000 eb31 c705????????0d000000 eb25 83f901 750c } // n = 6, score = 500 // c705????????0c000000 | // eb31 | jmp 0x33 // c705????????0d000000 | // eb25 | jmp 0x27 // 83f901 | cmp ecx, 1 // 750c | jne 0xe $sequence_15 = { 50 68???????? 83ec18 8bcc 68???????? e8???????? 
} // n = 6, score = 500 // 50 | push eax // 68???????? | // 83ec18 | sub esp, 0x18 // 8bcc | mov ecx, esp // 68???????? | // e8???????? | $sequence_16 = { 8bcc 68???????? e8???????? 8d8d78feffff e8???????? 83c418 } // n = 6, score = 500 // 8bcc | mov ecx, esp // 68???????? | // e8???????? | // 8d8d78feffff | lea ecx, [ebp - 0x188] // e8???????? | // 83c418 | add esp, 0x18 $sequence_17 = { c78584fdffff0f000000 c68570fdffff00 83fa10 722f 8b8d58fdffff 42 } // n = 6, score = 400 // c78584fdffff0f000000 | mov dword ptr [ebp - 0x27c], 0xf // c68570fdffff00 | mov byte ptr [ebp - 0x290], 0 // 83fa10 | cmp edx, 0x10 // 722f | jb 0x31 // 8b8d58fdffff | mov ecx, dword ptr [ebp - 0x2a8] // 42 | inc edx $sequence_18 = { c78520fdffff00000000 c78524fdffff0f000000 c68510fdffff00 83fa10 722f } // n = 5, score = 400 // c78520fdffff00000000 | mov dword ptr [ebp - 0x2e0], 0 // c78524fdffff0f000000 | mov dword ptr [ebp - 0x2dc], 0xf // c68510fdffff00 | mov byte ptr [ebp - 0x2f0], 0 // 83fa10 | cmp edx, 0x10 // 722f | jb 0x31 $sequence_19 = { 51 e8???????? 83c408 8b950cfdffff c78520fdffff00000000 c78524fdffff0f000000 } // n = 6, score = 400 // 51 | push ecx // e8???????? | // 83c408 | add esp, 8 // 8b950cfdffff | mov edx, dword ptr [ebp - 0x2f4] // c78520fdffff00000000 | mov dword ptr [ebp - 0x2e0], 0 // c78524fdffff0f000000 | mov dword ptr [ebp - 0x2dc], 0xf condition: 7 of them and filesize < 529408 } ] }, { Malware : Atharvan , Description : There is no description at this point. 
, YARA : [ rule win_atharvan_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.atharvan.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4c8d05ee7a0000 488b9540070000 488bce e8???????? 85c0 750b eb9e } // n = 7, score = 100 // 4c8d05ee7a0000 | dec eax // 488b9540070000 | mov edi, eax // 488bce | movzx ecx, byte ptr [edx + eax*4 + 0x1a992] // e8???????? | // 85c0 | movzx esi, byte ptr [edx + eax*4 + 0x1a993] // 750b | mov ebx, ecx // eb9e | cmova eax, edx $sequence_1 = { 423a9401d4ab0100 7566 488b03 48ffc1 8a10 48ffc0 488903 } // n = 7, score = 100 // 423a9401d4ab0100 | mov eax, eax // 7566 | dec eax // 488b03 | lea ecx, [ebp - 0x60] // 48ffc1 | mov edx, 0x103 // 8a10 | dec eax // 48ffc0 | lea edx, [0x1dd9c] // 488903 | mov byte ptr [esi], 0 $sequence_2 = { 498784f6105c0200 4885c0 7409 488bcb ff15???????? 
4885db } // n = 6, score = 100 // 498784f6105c0200 | dec ecx // 4885c0 | xchg dword ptr [edi + esi*8 + 0x25368], eax // 7409 | xor ebx, ebx // 488bcb | mov edi, eax // ff15???????? | // 4885db | test eax, eax $sequence_3 = { 8d0480 03c0 442be8 0f84cffbffff 418d45ff 8b848228aa0100 } // n = 6, score = 100 // 8d0480 | dec eax // 03c0 | mov eax, ebp // 442be8 | dec eax // 0f84cffbffff | mov ecx, dword ptr [eax] // 418d45ff | dec eax // 8b848228aa0100 | lea eax, [0x133b8] $sequence_4 = { 750d 4c8bc6 e8???????? e9???????? 4c8bce 4c8d05e1dd0100 } // n = 6, score = 100 // 750d | cmp dl, byte ptr [ecx + ebx + 0x1abd8] // 4c8bc6 | je 0x97e // e8???????? | // e9???????? | // 4c8bce | inc edi // 4c8d05e1dd0100 | cmp dl, byte ptr [ecx + ebx + 0x1abe0] $sequence_5 = { 498bcf ff15???????? 498bcf ff15???????? 488b4c2440 4833cc e8???????? } // n = 7, score = 100 // 498bcf | arpl ax, dx // ff15???????? | // 498bcf | jmp 0x14f // ff15???????? | // 488b4c2440 | inc esp // 4833cc | mov esi, dword ptr [ebp + 0x150] // e8???????? | $sequence_6 = { b903000000 4c8d0564a10000 488d1565a10000 e8???????? } // n = 4, score = 100 // b903000000 | sub edx, eax // 4c8d0564a10000 | mov eax, 2 // 488d1565a10000 | sub al, byte ptr [ecx] // e8???????? | $sequence_7 = { 498bcf ff15???????? 488bd8 eb02 33db 4c8d3d028cffff 4885db } // n = 7, score = 100 // 498bcf | jne 0x131 // ff15???????? | // 488bd8 | dec eax // eb02 | lea ecx, [0x10e55] // 33db | dec eax // 4c8d3d028cffff | mov dword ptr [ebx + 0x48], ecx // 4885db | dec ecx $sequence_8 = { 7528 48833d????????00 741e 488d0d943e0100 e8???????? 85c0 } // n = 6, score = 100 // 7528 | dec eax // 48833d????????00 | // 741e | add edx, esi // 488d0d943e0100 | inc ebp // e8???????? | // 85c0 | xor ecx, ecx $sequence_9 = { 83f801 751f 488b0d???????? 488d1d356c0100 483bcb 740c } // n = 6, score = 100 // 83f801 | dec esp // 751f | lea eax, [0xa164] // 488b0d???????? 
| // 488d1d356c0100 | dec eax // 483bcb | lea edx, [0xa165] // 740c | dec eax condition: 7 of them and filesize < 348160 } ] }, { Malware : BottomLoader , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : DLRAT , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : HazyLoad , Description : There is no description at this point. , YARA : [ rule win_hazy_load_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.hazy_load.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { b904000000 4c8d05f5c50000 488d15aeb20000 e8???????? 488bf8 4885c0 740f } // n = 7, score = 100 // b904000000 | mov ebp, esp // 4c8d05f5c50000 | dec eax // 488d15aeb20000 | sub esp, 0x80 // e8???????? | // 488bf8 | dec eax // 4885c0 | xor eax, esp // 740f | dec eax $sequence_1 = { 48897c2408 488b15???????? 
488d3dd16d0100 8bc2 b940000000 83e03f 2bc8 } // n = 7, score = 100 // 48897c2408 | lea eax, [esp + 0x28] // 488b15???????? | // 488d3dd16d0100 | xor eax, eax // 8bc2 | dec eax // b940000000 | mov dword ptr [esp + 0x20], eax // 83e03f | xor ebx, ebx // 2bc8 | nop dword ptr [eax] $sequence_2 = { 488d0db8200100 4183e23f 4903e8 832700 498bf0 } // n = 5, score = 100 // 488d0db8200100 | dec eax // 4183e23f | lea edx, [0xaad8] // 4903e8 | dec esp // 832700 | lea eax, [0xaad5] // 498bf0 | dec eax $sequence_3 = { 488bf1 41bc02000000 4489742420 418bcc 448d4205 ff15???????? } // n = 6, score = 100 // 488bf1 | xor al, al // 41bc02000000 | add edi, eax // 4489742420 | cmp edi, 0x10 // 418bcc | jl 0xffffffee // 448d4205 | cmp edi, 0x10 // ff15???????? | $sequence_4 = { 4b87bcf750140200 33c0 488b5c2450 488b6c2458 488b742460 } // n = 5, score = 100 // 4b87bcf750140200 | dec eax // 33c0 | lea ecx, [0x12ced] // 488b5c2450 | dec eax // 488b6c2458 | add esp, 0x290 // 488b742460 | pop ebp $sequence_5 = { 483b0d???????? 7417 488d0570630100 483bc8 740b 83791000 7505 } // n = 7, score = 100 // 483b0d???????? | // 7417 | dec eax // 488d0570630100 | cwde // 483bc8 | dec eax // 740b | cmp eax, 0xe4 // 83791000 | jae 0x51 // 7505 | dec eax $sequence_6 = { 4883675000 488d05ade0ffff 83675800 488d4f28 } // n = 4, score = 100 // 4883675000 | dec eax // 488d05ade0ffff | arpl bx, ax // 83675800 | dec eax // 488d4f28 | lea edx, [ebp + 4] $sequence_7 = { 488d15a96a0100 83e13f 488bc5 48c1f806 48c1e106 } // n = 5, score = 100 // 488d15a96a0100 | mov ebp, eax // 83e13f | dec esp // 488bc5 | lea ecx, [0xffffca7f] // 48c1f806 | inc esp // 48c1e106 | lea eax, [edx + 5] $sequence_8 = { 442bc3 4803d0 4533c9 488bce ff15???????? 85c0 0f8eacfeffff } // n = 7, score = 100 // 442bc3 | lea ecx, [esp + 0x20] // 4803d0 | xor edx, edx // 4533c9 | dec eax // 488bce | lea ecx, [esp + 0x130] // ff15???????? 
| // 85c0 | inc ecx // 0f8eacfeffff | mov eax, 0x104 $sequence_9 = { 488d0dc0210100 4183e23f 4903e8 832300 } // n = 4, score = 100 // 488d0dc0210100 | mov eax, 5 // 4183e23f | mov dword ptr [ebp + 0x20], eax // 4903e8 | dec eax // 832300 | mov dword ptr [ebp - 1], eax condition: 7 of them and filesize < 315392 } ] }, { Malware : Lilith , Description : There is no description at this point. , YARA : [ rule win_lilith_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lilith.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 ff15???????? 6857040000 898698210000 ff15???????? } // n = 5, score = 200 // 50 | push eax // ff15???????? | // 6857040000 | push 0x457 // 898698210000 | mov dword ptr [esi + 0x2198], eax // ff15???????? | $sequence_1 = { e8???????? 8bce e8???????? 83c418 8bcf e8???????? 8d4dd0 } // n = 7, score = 200 // e8???????? | // 8bce | mov ecx, esi // e8???????? 
| // 83c418 | add esp, 0x18 // 8bcf | mov ecx, edi // e8???????? | // 8d4dd0 | lea ecx, [ebp - 0x30] $sequence_2 = { 8b0c85a84b4300 8b45e8 f644012880 7446 0fbec3 83e800 742e } // n = 7, score = 200 // 8b0c85a84b4300 | mov ecx, dword ptr [eax*4 + 0x434ba8] // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // f644012880 | test byte ptr [ecx + eax + 0x28], 0x80 // 7446 | je 0x48 // 0fbec3 | movsx eax, bl // 83e800 | sub eax, 0 // 742e | je 0x30 $sequence_3 = { 25f0070000 660f28a010e94200 660f28b800e54200 660f54f0 660f5cc6 660f59f4 660f5cf2 } // n = 7, score = 200 // 25f0070000 | and eax, 0x7f0 // 660f28a010e94200 | movapd xmm4, xmmword ptr [eax + 0x42e910] // 660f28b800e54200 | movapd xmm7, xmmword ptr [eax + 0x42e500] // 660f54f0 | andpd xmm6, xmm0 // 660f5cc6 | subpd xmm0, xmm6 // 660f59f4 | mulpd xmm6, xmm4 // 660f5cf2 | subpd xmm6, xmm2 $sequence_4 = { 8b0485a84b4300 80640828fe ff33 e8???????? 59 e9???????? 8b0b } // n = 7, score = 200 // 8b0485a84b4300 | mov eax, dword ptr [eax*4 + 0x434ba8] // 80640828fe | and byte ptr [eax + ecx + 0x28], 0xfe // ff33 | push dword ptr [ebx] // e8???????? | // 59 | pop ecx // e9???????? | // 8b0b | mov ecx, dword ptr [ebx] $sequence_5 = { c60000 833d????????10 b8???????? c745cc01000000 0f4305???????? } // n = 5, score = 200 // c60000 | mov byte ptr [eax], 0 // 833d????????10 | // b8???????? | // c745cc01000000 | mov dword ptr [ebp - 0x34], 1 // 0f4305???????? | $sequence_6 = { e9???????? c745dc03000000 c745e0c8874200 e9???????? } // n = 4, score = 200 // e9???????? | // c745dc03000000 | mov dword ptr [ebp - 0x24], 3 // c745e0c8874200 | mov dword ptr [ebp - 0x20], 0x4287c8 // e9???????? 
| $sequence_7 = { c1fa06 8934b8 8bc7 83e03f 6bc830 8b0495a84b4300 8b440818 } // n = 7, score = 200 // c1fa06 | sar edx, 6 // 8934b8 | mov dword ptr [eax + edi*4], esi // 8bc7 | mov eax, edi // 83e03f | and eax, 0x3f // 6bc830 | imul ecx, eax, 0x30 // 8b0495a84b4300 | mov eax, dword ptr [edx*4 + 0x434ba8] // 8b440818 | mov eax, dword ptr [eax + ecx + 0x18] $sequence_8 = { 8b4d08 898814434300 68???????? e8???????? 8be5 } // n = 5, score = 200 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 898814434300 | mov dword ptr [eax + 0x434314], ecx // 68???????? | // e8???????? | // 8be5 | mov esp, ebp $sequence_9 = { 660f122c8510a74200 03c0 660f28348520ab4200 ba7f3e0400 e9???????? 8bd0 } // n = 6, score = 200 // 660f122c8510a74200 | movlpd xmm5, qword ptr [eax*4 + 0x42a710] // 03c0 | add eax, eax // 660f28348520ab4200 | movapd xmm6, xmmword ptr [eax*4 + 0x42ab20] // ba7f3e0400 | mov edx, 0x43e7f // e9???????? | // 8bd0 | mov edx, eax condition: 7 of them and filesize < 499712 } ] }, { Malware : Meduza Stealer , Description : There is no description at this point. , YARA : [ rule win_meduza_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.meduza.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff75c8 8d55ac c645fc01 8d8d78ffffff e8???????? 83c404 8d4d94 } // n = 7, score = 100 // ff75c8 | push dword ptr [ebp - 0x38] // 8d55ac | lea edx, [ebp - 0x54] // c645fc01 | mov byte ptr [ebp - 4], 1 // 8d8d78ffffff | lea ecx, [ebp - 0x88] // e8???????? | // 83c404 | add esp, 4 // 8d4d94 | lea ecx, [ebp - 0x6c] $sequence_1 = { c645fc23 c785f8eaffff02000000 c78548f8ffff3ebfeb85 c7854cf8ffff59dea06d 8b8548f8ffff 8b8d4cf8ffff 898d04f3ffff } // n = 7, score = 100 // c645fc23 | mov byte ptr [ebp - 4], 0x23 // c785f8eaffff02000000 | mov dword ptr [ebp - 0x1508], 2 // c78548f8ffff3ebfeb85 | mov dword ptr [ebp - 0x7b8], 0x85ebbf3e // c7854cf8ffff59dea06d | mov dword ptr [ebp - 0x7b4], 0x6da0de59 // 8b8548f8ffff | mov eax, dword ptr [ebp - 0x7b8] // 8b8d4cf8ffff | mov ecx, dword ptr [ebp - 0x7b4] // 898d04f3ffff | mov dword ptr [ebp - 0xcfc], ecx $sequence_2 = { 83c408 c645fc15 8b4590 3b4580 0f84e9020000 66660f1f840000000000 8d7020 } // n = 7, score = 100 // 83c408 | add esp, 8 // c645fc15 | mov byte ptr [ebp - 4], 0x15 // 8b4590 | mov eax, dword ptr [ebp - 0x70] // 3b4580 | cmp eax, dword ptr [ebp - 0x80] // 0f84e9020000 | je 0x2ef // 66660f1f840000000000 | nop word ptr [eax + eax] // 8d7020 | lea esi, [eax + 0x20] $sequence_3 = { 8d45e0 c645fc02 50 e8???????? 8b4de4 83c404 8bf8 } // n = 7, score = 100 // 8d45e0 | lea eax, [ebp - 0x20] // c645fc02 | mov byte ptr [ebp - 4], 2 // 50 | push eax // e8???????? 
| // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // 83c404 | add esp, 4 // 8bf8 | mov edi, eax $sequence_4 = { 898538f4ffff 898d3cf4ffff c785d8f6ffffdf03fddd c785dcf6ffffe227d929 8b85d8f6ffff 8b8ddcf6ffff 898540f4ffff } // n = 7, score = 100 // 898538f4ffff | mov dword ptr [ebp - 0xbc8], eax // 898d3cf4ffff | mov dword ptr [ebp - 0xbc4], ecx // c785d8f6ffffdf03fddd | mov dword ptr [ebp - 0x928], 0xddfd03df // c785dcf6ffffe227d929 | mov dword ptr [ebp - 0x924], 0x29d927e2 // 8b85d8f6ffff | mov eax, dword ptr [ebp - 0x928] // 8b8ddcf6ffff | mov ecx, dword ptr [ebp - 0x924] // 898540f4ffff | mov dword ptr [ebp - 0xbc0], eax $sequence_5 = { 898de4feffff 8985e0feffff c78558ffffff0d5f1759 c7855cfffffff2314621 8b8558ffffff 8b8d5cffffff 898decfeffff } // n = 7, score = 100 // 898de4feffff | mov dword ptr [ebp - 0x11c], ecx // 8985e0feffff | mov dword ptr [ebp - 0x120], eax // c78558ffffff0d5f1759 | mov dword ptr [ebp - 0xa8], 0x59175f0d // c7855cfffffff2314621 | mov dword ptr [ebp - 0xa4], 0x214631f2 // 8b8558ffffff | mov eax, dword ptr [ebp - 0xa8] // 8b8d5cffffff | mov ecx, dword ptr [ebp - 0xa4] // 898decfeffff | mov dword ptr [ebp - 0x114], ecx $sequence_6 = { c78548f8ffff68297235 c7854cf8ffff9d412b44 8b8548f8ffff 8b8d4cf8ffff 898dbcf5ffff 8985b8f5ffff c78548f8ffff5fcb84e8 } // n = 7, score = 100 // c78548f8ffff68297235 | mov dword ptr [ebp - 0x7b8], 0x35722968 // c7854cf8ffff9d412b44 | mov dword ptr [ebp - 0x7b4], 0x442b419d // 8b8548f8ffff | mov eax, dword ptr [ebp - 0x7b8] // 8b8d4cf8ffff | mov ecx, dword ptr [ebp - 0x7b4] // 898dbcf5ffff | mov dword ptr [ebp - 0xa44], ecx // 8985b8f5ffff | mov dword ptr [ebp - 0xa48], eax // c78548f8ffff5fcb84e8 | mov dword ptr [ebp - 0x7b8], 0xe884cb5f $sequence_7 = { 898ddce7ffff c785d8e4ffffdf03fddd c785dce4ffffe227d929 8b85d8e4ffff 8b8ddce4ffff 8985e0e7ffff } // n = 6, score = 100 // 898ddce7ffff | mov dword ptr [ebp - 0x1824], ecx // c785d8e4ffffdf03fddd | mov dword ptr [ebp - 0x1b28], 0xddfd03df // c785dce4ffffe227d929 | mov 
dword ptr [ebp - 0x1b24], 0x29d927e2 // 8b85d8e4ffff | mov eax, dword ptr [ebp - 0x1b28] // 8b8ddce4ffff | mov ecx, dword ptr [ebp - 0x1b24] // 8985e0e7ffff | mov dword ptr [ebp - 0x1820], eax $sequence_8 = { e9???????? 807b0c00 0f8485010000 6a02 68???????? ff5004 8b4314 } // n = 7, score = 100 // e9???????? | // 807b0c00 | cmp byte ptr [ebx + 0xc], 0 // 0f8485010000 | je 0x18b // 6a02 | push 2 // 68???????? | // ff5004 | call dword ptr [eax + 4] // 8b4314 | mov eax, dword ptr [ebx + 0x14] $sequence_9 = { c7854cf8ffff9d412b44 8b8548f8ffff 8b8d4cf8ffff 0f288d90f4ffff 898dfcfbffff 8d8d90f4ffff 8985f8fbffff } // n = 7, score = 100 // c7854cf8ffff9d412b44 | mov dword ptr [ebp - 0x7b4], 0x442b419d // 8b8548f8ffff | mov eax, dword ptr [ebp - 0x7b8] // 8b8d4cf8ffff | mov ecx, dword ptr [ebp - 0x7b4] // 0f288d90f4ffff | movaps xmm1, xmmword ptr [ebp - 0xb70] // 898dfcfbffff | mov dword ptr [ebp - 0x404], ecx // 8d8d90f4ffff | lea ecx, [ebp - 0xb70] // 8985f8fbffff | mov dword ptr [ebp - 0x408], eax condition: 7 of them and filesize < 1433600 } ] }, { Malware : NineRAT , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Raccoon , Description : Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data. Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data. 
, YARA : [ rule win_raccoon_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.raccoon.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf0 8975f0 85f6 7422 8d45ec c706???????? } // n = 6, score = 2400 // 8bf0 | mov esi, eax // 8975f0 | mov dword ptr [ebp - 0x10], esi // 85f6 | test esi, esi // 7422 | je 0x24 // 8d45ec | lea eax, [ebp - 0x14] // c706???????? | $sequence_1 = { e8???????? 68???????? eb31 51 } // n = 4, score = 2400 // e8???????? | // 68???????? 
| // eb31 | jmp 0x33 // 51 | push ecx $sequence_2 = { 8b45e8 3bc6 7c31 7f04 3bde 762b } // n = 6, score = 2400 // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 3bc6 | cmp eax, esi // 7c31 | jl 0x33 // 7f04 | jg 6 // 3bde | cmp ebx, esi // 762b | jbe 0x2d $sequence_3 = { 53 50 8d45e0 895dd0 } // n = 4, score = 2400 // 53 | push ebx // 50 | push eax // 8d45e0 | lea eax, [ebp - 0x20] // 895dd0 | mov dword ptr [ebp - 0x30], ebx $sequence_4 = { ff15???????? 8945f4 40 03c7 50 8945f0 } // n = 6, score = 2400 // ff15???????? | // 8945f4 | mov dword ptr [ebp - 0xc], eax // 40 | inc eax // 03c7 | add eax, edi // 50 | push eax // 8945f0 | mov dword ptr [ebp - 0x10], eax $sequence_5 = { ff15???????? 8bf0 83feff 7437 837b1410 7202 8b1b } // n = 7, score = 2400 // ff15???????? | // 8bf0 | mov esi, eax // 83feff | cmp esi, -1 // 7437 | je 0x39 // 837b1410 | cmp dword ptr [ebx + 0x14], 0x10 // 7202 | jb 4 // 8b1b | mov ebx, dword ptr [ebx] $sequence_6 = { 8d45ec c706???????? 50 53 ff75e4 895dec ff15???????? } // n = 7, score = 2400 // 8d45ec | lea eax, [ebp - 0x14] // c706???????? | // 50 | push eax // 53 | push ebx // ff75e4 | push dword ptr [ebp - 0x1c] // 895dec | mov dword ptr [ebp - 0x14], ebx // ff15???????? | $sequence_7 = { 57 33db 8bf9 53 6aff 53 } // n = 6, score = 2400 // 57 | push edi // 33db | xor ebx, ebx // 8bf9 | mov edi, ecx // 53 | push ebx // 6aff | push -1 // 53 | push ebx $sequence_8 = { 6a01 52 52 52 52 } // n = 5, score = 2400 // 6a01 | push 1 // 52 | push edx // 52 | push edx // 52 | push edx // 52 | push edx $sequence_9 = { 0f85dd000000 57 57 57 57 8d45fc } // n = 6, score = 2400 // 0f85dd000000 | jne 0xe3 // 57 | push edi // 57 | push edi // 57 | push edi // 57 | push edi // 8d45fc | lea eax, [ebp - 4] condition: 7 of them and filesize < 1212416 } ] }, { Malware : RecordBreaker , Description : This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++. 
This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++. , YARA : [ rule win_recordbreaker_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.recordbreaker.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 2bf7 8bcf d1fe 56 53 e8???????? } // n = 6, score = 700 // 2bf7 | sub esi, edi // 8bcf | mov ecx, edi // d1fe | sar esi, 1 // 56 | push esi // 53 | push ebx // e8???????? | $sequence_1 = { 42 66890c38 8d0412 0fb70c30 663bcb } // n = 5, score = 700 // 42 | inc edx // 66890c38 | mov word ptr [eax + edi], cx // 8d0412 | lea eax, [edx + edx] // 0fb70c30 | movzx ecx, word ptr [eax + esi] // 663bcb | cmp cx, bx $sequence_2 = { 59 85c0 7408 6afe } // n = 4, score = 700 // 59 | pop ecx // 85c0 | test eax, eax // 7408 | je 0xa // 6afe | push -2 $sequence_3 = { 6a02 ff75fc ff15???????? 6a03 ff75fc ff15???????? 
6a04 } // n = 7, score = 700 // 6a02 | push 2 // ff75fc | push dword ptr [ebp - 4] // ff15???????? | // 6a03 | push 3 // ff75fc | push dword ptr [ebp - 4] // ff15???????? | // 6a04 | push 4 $sequence_4 = { 8bd7 8bc8 e8???????? 8b15???????? 8bc8 e8???????? 8bd3 } // n = 7, score = 700 // 8bd7 | mov edx, edi // 8bc8 | mov ecx, eax // e8???????? | // 8b15???????? | // 8bc8 | mov ecx, eax // e8???????? | // 8bd3 | mov edx, ebx $sequence_5 = { 6a1a 53 6a00 8bf8 } // n = 4, score = 700 // 6a1a | push 0x1a // 53 | push ebx // 6a00 | push 0 // 8bf8 | mov edi, eax $sequence_6 = { 881e 46 49 83ea01 } // n = 4, score = 700 // 881e | mov byte ptr [esi], bl // 46 | inc esi // 49 | dec ecx // 83ea01 | sub edx, 1 $sequence_7 = { 8b15???????? 8bc8 e8???????? 8b55ec } // n = 4, score = 700 // 8b15???????? | // 8bc8 | mov ecx, eax // e8???????? | // 8b55ec | mov edx, dword ptr [ebp - 0x14] $sequence_8 = { 2bc6 d1f8 56 8d3c46 33c0 } // n = 5, score = 700 // 2bc6 | sub eax, esi // d1f8 | sar eax, 1 // 56 | push esi // 8d3c46 | lea edi, [esi + eax*2] // 33c0 | xor eax, eax $sequence_9 = { 8b4d0c 8b07 5f 5e } // n = 4, score = 700 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 8b07 | mov eax, dword ptr [edi] // 5f | pop edi // 5e | pop esi condition: 7 of them and filesize < 232312 } , import \ pe\ rule win_recordbreaker_w0 { meta: description = \ Detect variants of Raccoon Stealer v2\ author = \ Jake Goldi\ date = \ 2022-09-20\ hash1 = \ 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\ version=\ 1.0\ phase = \ experimental\ url = \ https://d01a.github.io/raccoon-stealer/#iocs\ references = \ https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family\ source = \ https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara\ credits = \ @0xd01a\ malware = \ Win32.PWS.Raccoon\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker\ malpedia_rule_date = \ 20220921\ 
malpedia_hash = \ \ malpedia_version = \ 20220921\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = \ ffcookies.txt\ wide ascii nocase $s2 = \ wallet.dat\ wide ascii nocase $s3 = \ ru\ wide ascii nocase $s4 = \ record\ wide ascii nocase /* E8 CC 11 00 00 call mw_rc4_decrypt 6A 55 push 85 ; cchLocaleName 8D 8D 1C FF FF FF lea ecx, [ebp-0E4h] 89 45 D8 mov [ebp-28h], eax A1 50 E0 4F 00 mov eax, GetUserDefaultLocaleName 51 push ecx ; lpLocaleName FF D0 call eax ; GetUserDefaultLocaleName 85 C0 test eax, eax 74 24 jz short loc_4F75B5 BE 00 E0 4F 00 */ $op1 = { e8 cc 11 00 00 6a 55 8d 8d 1c ff ff ff 89 45 d8 a1 50 e0 ?? 00 51 ff d0 85 c0 74 24 be 00 e0 ?? 00 } /* 8B 3D 90 E0 4F 00 mov edi, lstrlenW 8B DA mov ebx, edx 53 push ebx ; lpString 89 4D FC mov [ebp+lpString], ecx FF D7 call edi ; lstrlenW FF 75 FC push [ebp+lpString] ; lpString 8B F0 mov esi, eax FF D7 call edi ; lstrlenW 8B 0D 48 E0 4F 00 mov ecx, LocalAlloc 8D B8 80 00 00 00 lea edi, [eax+80h] 03 FE add edi, esi 8D 04 3F lea eax, [edi+edi] 50 push eax ; uBytes 6A 40 push 64 ; uFlags FF D1 call ecx ; LocalAlloc */ $op2 = { 8b 3d 90 e0 ?? 00 8b da 53 89 4d fc ff d7 ff 75 fc 8b f0 ff d7 8b 0d 48 e0 ?? 
00 8d b8 80 00 00 00 03 fe 8d 04 3f 50 6a 40 ff d1 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($s*)) and (all of ($op*))) } , rule win_recordbreaker_w1 { meta: description = \ detect_Raccoon_Stealer_v2\ author = \ @malgamy12\ date = \ 16/11/2022\ license = \ DRL 1.1\ hash = \ 0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909\ hash = \ 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256\ hash = \ 048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059\ hash = \ 89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc\ hash = \ 516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e\ hash = \ 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256\ hash = \ 3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53\ hash = \ bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e\ hash = \ 960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63\ hash = \ bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker\ malpedia_rule_date = \ 20230118\ malpedia_hash = \ \ malpedia_version = \ 20230118\ malpedia_license = \ DRL 1.1\ malpedia_sharing = \ TLP:WHITE\ strings: $s0 = \ \\ffcookies.txt\ wide $s1 = \ wallet.dat\ wide $s2 = \ Network\\Cookies\ wide $s3 = \ Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm\ ascii $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5} $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40} condition: uint16(0) == 0x5A4D and (all of them) } ] }, { Malware : Rhysida , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Rhysida , Description : There is no description at this point. 
, YARA : [ rule win_rhysida_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.rhysida.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ba28000000 4889c1 e8???????? 8945f8 837df800 7407 b804000000 } // n = 7, score = 300 // ba28000000 | dec ebp // 4889c1 | lea edx, [eax + 0x10] // e8???????? | // 8945f8 | inc ebp // 837df800 | mov ebx, esi // 7407 | inc ecx // b804000000 | sub ebx, edi $sequence_1 = { 4863d0 488b4510 4801d0 0fb600 0fb6c0 8b55f4 c1ea06 } // n = 7, score = 300 // 4863d0 | ucomiss xmm0, xmm1 // 488b4510 | jbe 0xd48 // 4801d0 | dec eax // 0fb600 | mov eax, dword ptr [ebp + 0x28] // 0fb6c0 | movss xmm0, dword ptr [eax + 0x1c] // 8b55f4 | subss xmm0, dword ptr [ebp + 0x30] // c1ea06 | movss xmm0, dword ptr [ebp - 0x34] $sequence_2 = { f6431920 0f84c7feffff 4983c101 e9???????? 
4531c0 4889f2 89e9 } // n = 7, score = 300 // f6431920 | inc ecx // 0f84c7feffff | mov eax, 0x4f3 // 4983c101 | dec eax // e9???????? | // 4531c0 | lea edx, [0x68369] // 4889f2 | dec eax // 89e9 | lea ecx, [0x683b2] $sequence_3 = { 8b45fc 4863c8 4889c8 48c1e002 4801c8 48c1e003 4889c1 } // n = 7, score = 300 // 8b45fc | mov ecx, ecx // 4863c8 | inc ecx // 4889c8 | mov eax, 1 // 48c1e002 | dec eax // 4801c8 | mov ecx, eax // 48c1e003 | mov dword ptr [ebp + 0x10326c], eax // 4889c1 | cmp dword ptr [ebp + 0x10326c], 1 $sequence_4 = { baafa96e5e 89c8 f7ea c1fa0b 89c8 c1f81f 29c2 } // n = 7, score = 300 // baafa96e5e | lea esi, [0x3e089] // 89c8 | dec eax // f7ea | lea ecx, [0x3d482] // c1fa0b | dec esp // 89c8 | lea edx, [0x3dc7b] // c1f81f | dec esp // 29c2 | lea eax, [0x3d874] $sequence_5 = { 8b45f8 4863d0 488b4510 4801d0 0fb600 0fb6d0 8b45f8 } // n = 7, score = 300 // 8b45f8 | mov eax, eax // 4863d0 | dec eax // 488b4510 | shrd eax, edx, 0x3c // 4801d0 | dec ebp // 0fb600 | and eax, edi // 0fb6d0 | dec esp // 8b45f8 | mov dword ptr [ecx], eax $sequence_6 = { e8???????? eb01 90 8b45f0 0faf45b8 89c2 488d45a0 } // n = 7, score = 300 // e8???????? | // eb01 | punpcklwd mm1, mm5 // 90 | inc sp // 8b45f0 | punpcklwd mm7, mm3 // 0faf45b8 | movdqa xmm2, xmm1 // 89c2 | inc bp // 488d45a0 | punpcklwd mm3, mm4 $sequence_7 = { 85c0 74da 85db 4889742428 0f848d010000 8d4bff 488d742460 } // n = 7, score = 300 // 85c0 | mov eax, dword ptr [ebp - 0x10] // 74da | lea ecx, [eax - 1] // 85db | mov eax, dword ptr [ebp - 0xc] // 4889742428 | sub eax, dword ptr [ebp - 8] // 0f848d010000 | dec eax // 8d4bff | lea edx, [eax*4] // 488d742460 | dec eax $sequence_8 = { c1e903 f348ab ff15???????? 83f812 7472 488b8b38020000 e8???????? } // n = 7, score = 300 // c1e903 | mov eax, ebx // f348ab | dec esp // ff15???????? | // 83f812 | lea esp, [esp + 0x40] // 7472 | dec esp // 488b8b38020000 | mov ecx, esp // e8???????? 
| $sequence_9 = { 5f 5d 415c 415d c3 b80d000000 ebd7 } // n = 7, score = 300 // 5f | mov ecx, dword ptr [ebp + 0x28] // 5d | dec eax // 415c | mov ebp, esp // 415d | dec eax // c3 | sub esp, 0x50 // b80d000000 | dec eax // ebd7 | mov dword ptr [ebp + 0x10], ecx condition: 7 of them and filesize < 2369536 } ] }, { Malware : Unidentified 100 (APT-Q-12) , Description : There is no description at this point. , YARA : [ rule win_unidentified_100_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.unidentified_100.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488d9424f0030000 488b4c2448 e8???????? e9???????? 4c8d8c2490070000 4533c0 488d942470130000 } // n = 7, score = 100 // 488d9424f0030000 | lea edx, [0x9759] // 488b4c2448 | dec eax // e8???????? | // e9???????? 
| // 4c8d8c2490070000 | test eax, eax // 4533c0 | je 0x1b6f // 488d942470130000 | mov ecx, 0x22 $sequence_1 = { 4889442420 4c8d8c24e0020000 448b442458 8b54245c 8b4c2454 } // n = 5, score = 100 // 4889442420 | add ecx, ecx // 4c8d8c24e0020000 | dec eax // 448b442458 | arpl cx, cx // 8b54245c | mov byte ptr [esp + ecx + 0x78], al // 8b4c2454 | mov eax, dword ptr [esp + 0x34] $sequence_2 = { 0f8dac000000 c644242000 eb0b 0fb6442420 fec0 88442420 0fb6442420 } // n = 7, score = 100 // 0f8dac000000 | lea ebx, [0x1d5e7] // c644242000 | dec eax // eb0b | lea edi, [0x1d5e0] // 0fb6442420 | jmp 0x1c5a // fec0 | dec eax // 88442420 | mov eax, dword ptr [ebx] // 0fb6442420 | dec eax $sequence_3 = { 448bc3 488d1580860000 e8???????? 85c0 7429 } // n = 5, score = 100 // 448bc3 | dec eax // 488d1580860000 | lea ecx, [0xf1b7] // e8???????? | // 85c0 | dec eax // 7429 | lea ebx, [0x19517] $sequence_4 = { 488bf8 33c0 b9fe010000 f3aa 4c8b8c24b8060000 4c8b8424b0060000 488d156dfd0100 } // n = 7, score = 100 // 488bf8 | dec eax // 33c0 | mov dword ptr [esp + 0x80], edx // b9fe010000 | mov dword ptr [esp + 0x38], eax // f3aa | dec eax // 4c8b8c24b8060000 | mov edi, eax // 4c8b8424b0060000 | movzx ecx, byte ptr [edx + eax*4 + 0x1e522] // 488d156dfd0100 | movzx esi, byte ptr [edx + eax*4 + 0x1e523] $sequence_5 = { eb1d 488d05a7690100 ffcb 488d0c9b 488d0cc8 ff15???????? ff0d???????? } // n = 7, score = 100 // eb1d | lea ecx, [0x1fbdd] // 488d05a7690100 | dec eax // ffcb | xor eax, esp // 488d0c9b | dec eax // 488d0cc8 | mov dword ptr [esp + 0x420], eax // ff15???????? | // ff0d???????? | $sequence_6 = { 488d05a7690100 ffcb 488d0c9b 488d0cc8 ff15???????? } // n = 5, score = 100 // 488d05a7690100 | dec eax // ffcb | arpl word ptr [esp], ax // 488d0c9b | dec eax // 488d0cc8 | mov ecx, dword ptr [esp + 0x30] // ff15???????? 
| $sequence_7 = { ffc0 8944243c 486344243c 483b442458 7320 486344243c } // n = 6, score = 100 // ffc0 | dec eax // 8944243c | mov dword ptr [ebp - 9], ebx // 486344243c | dec esp // 483b442458 | mov esp, ebx // 7320 | dec esp // 486344243c | mov dword ptr [ebp - 0x49], ebp $sequence_8 = { 33c0 b97a010000 f3aa 488d8424b0190000 488d0deee80100 } // n = 5, score = 100 // 33c0 | mov ecx, 0xa6 // b97a010000 | rep stosb byte ptr es:[edi], al // f3aa | dec eax // 488d8424b0190000 | lea eax, [esp + 0x6e0] // 488d0deee80100 | dec eax $sequence_9 = { 488b842490030000 4889842490000000 48c7442458ffffffff 48ff442458 488b842490000000 488b4c2458 66833c4800 } // n = 7, score = 100 // 488b842490030000 | cmp eax, 1 // 4889842490000000 | je 0x1d22 // 48c7442458ffffffff | dec eax // 48ff442458 | lea ecx, [esp + 0x140] // 488b842490000000 | mov dword ptr [esp + 0x50], eax // 488b4c2458 | cmp dword ptr [esp + 0x50], -1 // 66833c4800 | cmp eax, 1 condition: 7 of them and filesize < 372736 } ] }, { Malware : BADCALL , Description : BADCALL is a Trojan malware variant used by the group Lazarus Group. BADCALL is a Trojan malware variant used by the group Lazarus Group. There is no Yara-Signature yet. , YARA : [] }, { Malware : BADCALL , Description : There is no description at this point. 
, YARA : [ rule win_badcall_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.badcall.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 2bc6 3d00400000 7605 b800400000 } // n = 4, score = 400 // 2bc6 | sub eax, esi // 3d00400000 | cmp eax, 0x4000 // 7605 | jbe 7 // b800400000 | mov eax, 0x4000 $sequence_1 = { a3???????? a1???????? 50 c705????????04000000 } // n = 4, score = 400 // a3???????? | // a1???????? | // 50 | push eax // c705????????04000000 | $sequence_2 = { 7605 b800400000 8b4f04 6a00 50 } // n = 5, score = 400 // 7605 | jbe 7 // b800400000 | mov eax, 0x4000 // 8b4f04 | mov ecx, dword ptr [edi + 4] // 6a00 | push 0 // 50 | push eax $sequence_3 = { 7557 33c0 68???????? a3???????? a3???????? a3???????? } // n = 6, score = 400 // 7557 | jne 0x59 // 33c0 | xor eax, eax // 68???????? | // a3???????? | // a3???????? | // a3???????? 
| $sequence_4 = { 48 7455 48 7434 } // n = 4, score = 400 // 48 | dec eax // 7455 | je 0x57 // 48 | dec eax // 7434 | je 0x36 $sequence_5 = { 8b6c2414 682c010000 8bcf e8???????? } // n = 4, score = 400 // 8b6c2414 | mov ebp, dword ptr [esp + 0x14] // 682c010000 | push 0x12c // 8bcf | mov ecx, edi // e8???????? | $sequence_6 = { 50 c705????????04000000 ff15???????? c20400 a1???????? } // n = 5, score = 400 // 50 | push eax // c705????????04000000 | // ff15???????? | // c20400 | ret 4 // a1???????? | $sequence_7 = { ff15???????? c20400 c705????????01000000 a1???????? 68???????? } // n = 5, score = 400 // ff15???????? | // c20400 | ret 4 // c705????????01000000 | // a1???????? | // 68???????? | $sequence_8 = { 7434 83e803 7557 33c0 } // n = 4, score = 400 // 7434 | je 0x36 // 83e803 | sub eax, 3 // 7557 | jne 0x59 // 33c0 | xor eax, eax $sequence_9 = { 8954240a 66c74424080200 8954240e 894c240c 89542412 } // n = 5, score = 300 // 8954240a | mov dword ptr [esp + 0xa], edx // 66c74424080200 | mov word ptr [esp + 8], 2 // 8954240e | mov dword ptr [esp + 0xe], edx // 894c240c | mov dword ptr [esp + 0xc], ecx // 89542412 | mov dword ptr [esp + 0x12], edx $sequence_10 = { 8b6c2414 8bc7 2bc6 3d00400000 } // n = 4, score = 300 // 8b6c2414 | mov ebp, dword ptr [esp + 0x14] // 8bc7 | mov eax, edi // 2bc6 | sub eax, esi // 3d00400000 | cmp eax, 0x4000 $sequence_11 = { 85c0 7e3b 8b4604 8d542418 52 } // n = 5, score = 300 // 85c0 | test eax, eax // 7e3b | jle 0x3d // 8b4604 | mov eax, dword ptr [esi + 4] // 8d542418 | lea edx, [esp + 0x18] // 52 | push edx $sequence_12 = { 85db 8bf9 763f 8b6c2414 682c010000 } // n = 5, score = 300 // 85db | test ebx, ebx // 8bf9 | mov edi, ecx // 763f | jbe 0x41 // 8b6c2414 | mov ebp, dword ptr [esp + 0x14] // 682c010000 | push 0x12c $sequence_13 = { e8???????? 85c0 7534 8bc3 2bc6 3d00400000 } // n = 6, score = 300 // e8???????? 
| // 85c0 | test eax, eax // 7534 | jne 0x36 // 8bc3 | mov eax, ebx // 2bc6 | sub eax, esi // 3d00400000 | cmp eax, 0x4000 $sequence_14 = { 83fe01 7518 53 ff15???????? } // n = 4, score = 200 // 83fe01 | cmp esi, 1 // 7518 | jne 0x1a // 53 | push ebx // ff15???????? | $sequence_15 = { 85c0 740e 8b4c241c 51 6a01 } // n = 5, score = 200 // 85c0 | test eax, eax // 740e | je 0x10 // 8b4c241c | mov ecx, dword ptr [esp + 0x1c] // 51 | push ecx // 6a01 | push 1 condition: 7 of them and filesize < 483328 } ] }, { Malware : GootLoader , Description : According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file. According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file. There is no Yara-Signature yet. , YARA : [] }, { Malware : GraphDrop , Description : PANW Unit 42 describes this malware as capable of up and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channel. PANW Unit 42 describes this malware as capable of up and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channel. 
, YARA : [ rule win_graphdown_w0 { meta: author = \ Insikt Group, Recorded Future\ date = \ 2023-05-11\ description = \ Detects unpacked GraphicalProton samples\ version = \ 1.0\ hash = \ 38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534\ hash = \ 60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdown\ malpedia_rule_date = \ 20230728\ malpedia_hash = \ \ malpedia_version = \ 20230728\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $chaskey = { 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 08 89 08 4? 8b 44 ?4 08 8b 48 04 c1 e9 1b 4? 8b 44 ?4 08 8b 50 04 c1 e2 05 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 0c 4? 8b 44 ?4 08 03 48 08 89 48 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 18 4? 8b 44 ?4 08 8b 50 0c c1 e2 08 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4 08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 48 08 89 48 08 4? 8b 44 ?4 08 8b 08 c1 e9 10 4? 8b 44 ?4 08 8b 10 c1 e2 10 09 d1 4? 8b 44 ?4 08 03 48 0c 4? 8b 44 ?4 08 89 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 13 4? 8b 44 ?4 08 8b 50 0c c1 e2 0d 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 c1 e9 19 4? 8b 44 ?4 08 8b 50 04 c1 e2 07 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 08 c1 e9 10 4? 8b 44 ?4 08 8b 50 08 c1 e2 10 09 d1 4? 8b 44 ?4 08 89 48 08 } $decrypt = { 8b 44 ?? ?? 89 c1 0f b6 44 0c 50 4? 8b 4c ?? ?? 8b 54 ?? ?? 4? 89 d0 4? 0f b6 14 01 31 c2 4? 88 14 01 8b 44 ?? ?? 83 c0 01 89 44 ?? ?? e9 ?? ?? ?? ?? 8b 44 ?? ?? 8b 4c ?? ?? 29 c1 89 4c ?? ?? 8b 44 ?? ?? 4? 8b 54 ?? ?? 89 c0 4? 89 c0 4? 01 c2 4? 89 54 ?? ?? } $bmp_header = { 66 c7 00 42 4d c7 40 02 00 00 00 00 66 c7 40 06 00 00 66 c7 40 08 00 00 c7 40 0a 00 00 00 00 59 c3 } $parse_bmp = { 89 02 4? 8b 4? ?? ba 03 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 04 4? 8b 4? ?? ba 07 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 
89 48 08 4? 8b 4? ?? ba 09 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 0a 4? 8b 4? ?? ba 0b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 0c 4? 8b 4? ?? ba 0f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 10 4? 8b 4? ?? ba 13 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 14 4? 8b 4? ?? ba 17 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 18 4? 8b 4? ?? ba 1b 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 1c 4? 8b 4? ?? ba 1d 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 1e 4? 8b 4? ?? ba 1f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 20 4? 8b 4? ?? ba 23 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 24 4? 8b 4? ?? ba 27 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 28 4? 8b 4? ?? ba 2b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 2c 4? 8b 4? ?? ba 2f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 30 4? 8b 4? ?? ba 33 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 34 4? 8b 40 14 4? 89 4? ?? 4? 8b 40 18 4? 89 4? ?? 4? 8b 4? ?? 4? 0f af 4? ?? 4? 6b c0 03 4? 89 4? ?? 4? 8b 4? ?? 4? c1 e8 03 4? 83 e8 36 4? 89 40 38 } condition: uint16(0) == 0x5a4d and filesize > 1MB and all of them } , rule win_graphdrop_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.graphdrop.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4154 90 415c 90 } // n = 4, score = 300 // 4154 | je 0x1f84 // 90 | mov dword ptr [esp + 0x84], 0xfffffffe // 415c | cmp edx, dword ptr [ecx + 0x12] // 90 | dec eax $sequence_1 = { 4155 49c7c501000000 4150 4152 415a } // n = 5, score = 300 // 4155 | dec eax // 49c7c501000000 | mov eax, dword ptr [ebx + 0x10] // 4150 | jne 0x6f4 // 4152 | dec eax // 415a | and dword ptr [esp + 0x70], 0 $sequence_2 = { 52 0f77 90 5a } // n = 4, score = 300 // 52 | inc ecx // 0f77 | mov ecx, 4 // 90 | inc ecx // 5a | mov eax, 0x3000 $sequence_3 = { 0f77 0f77 5b 0f77 } // n = 4, score = 300 // 0f77 | pslld mm5, 0x50 // 0f77 | inc ecx // 5b | pop ecx // 0f77 | inc ecx $sequence_4 = { 49c7c501000000 4150 4152 415a 4158 } // n = 5, score = 300 // 49c7c501000000 | jmp 0x1106 // 4150 | inc esp // 4152 | mov ah, byte ptr [ebp + 0x50] // 415a | inc esp // 4158 | mov dword ptr [ebp - 0x20], ebx $sequence_5 = { 52 50 58 5a 49ffc9 } // n = 5, score = 300 // 52 | inc esp // 50 | mov dh, byte ptr [esp + 0x30] // 58 | dec esp // 5a | mov ebx, dword ptr [esp + 0x68] // 49ffc9 | je 0x39c $sequence_6 = { 49c7c501000000 4150 4152 415a 4158 49ffcd } // n = 6, score = 300 // 49c7c501000000 | dec eax // 4150 | mov ecx, dword ptr [ebp + 0x188] // 4152 | dec eax // 415a | lea eax, [ebp + 0x128] // 4158 | dec eax // 49ffcd | mov dword ptr [ebp - 0x40], ecx $sequence_7 = { 4150 4152 415a 4158 } // n = 4, score = 300 // 4150 | dec esp // 4152 | mov dword ptr [esp + 0x18], eax // 415a | psadbw mm2, mm4 // 4158 | inc ecx $sequence_8 = { 4155 
49c7c501000000 4150 4152 415a 4158 49ffcd } // n = 7, score = 300 // 4155 | dec eax // 49c7c501000000 | mov eax, dword ptr [ebp - 0x30] // 4150 | dec eax // 4152 | add eax, 0x98 // 415a | dec eax // 4158 | mov dword ptr [esp + 0x10], edx // 49ffcd | push ebp $sequence_9 = { 4152 415a 4158 49ffcd } // n = 4, score = 300 // 4152 | sub byte ptr [edx], dh // 415a | rol byte ptr [ebx + 0x47cb9], 0 // 4158 | add dh, byte ptr [ebp + 0xd] // 49ffcd | xor al, al condition: 7 of them and filesize < 4186112 } ] }, { Malware : IconicStealer , Description : Follow-up payload in 3CX supply chain incident, which according to Volexity is an infostealer collecting information about the system and browser using an embedded copy of the SQLite3 library. Follow-up payload in 3CX supply chain incident, which according to Volexity is an infostealer collecting information about the system and browser using an embedded copy of the SQLite3 library. , YARA : [ rule win_iconic_stealer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.iconic_stealer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. 
* This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e9???????? 4c8b13 4c8d05e6c60300 488bc6 488bce 83e03f 48c1f906 } // n = 7, score = 100 // e9???????? | // 4c8b13 | mov ecx, eax // 4c8d05e6c60300 | inc ecx // 488bc6 | mov eax, eax // 488bce | and eax, 0xff00 // 83e03f | shl ecx, 0x10 // 48c1f906 | inc esp $sequence_1 = { eb29 488d0c76 8d4601 898790000000 488b8788000000 c704c876000000 8954c804 } // n = 7, score = 100 // eb29 | test eax, eax // 488d0c76 | je 0xbdd // 8d4601 | dec esp // 898790000000 | mov eax, eax // 488b8788000000 | inc esp // c704c876000000 | mov dword ptr [eax + ecx*8 + 8], eax // 8954c804 | mov dword ptr [eax + ecx*8 + 0xc], edx $sequence_2 = { 894338 66897318 66894b3e 6644896316 6644894b3c 663bf1 0f85dc000000 } // n = 7, score = 100 // 894338 | mov dword ptr [eax], ecx // 66897318 | inc ebp // 66894b3e | movzx eax, ah // 6644896316 | dec eax // 6644894b3c | mov ecx, dword ptr [ebp - 0x20] // 663bf1 | dec eax // 0f85dc000000 | mov eax, dword ptr [ebp - 0x28] $sequence_3 = { e8???????? 4881c430020000 415f 415d 415c 5f 5e } // n = 7, score = 100 // e8???????? | // 4881c430020000 | inc ecx // 415f | mov ebp, ecx // 415d | jmp 0x438 // 415c | inc esp // 5f | mov dword ptr [ecx], ecx // 5e | dec eax $sequence_4 = { 5f 5e 5d c3 40f6c504 7419 4c8bc7 } // n = 7, score = 100 // 5f | mov eax, edi // 5e | sar eax, 1 // 5d | dec esp // c3 | arpl ax, dx // 40f6c504 | dec ebx // 7419 | lea edx, [edx + edx*2] // 4c8bc7 | dec ebp $sequence_5 = { eb05 b901000000 894f28 4885db 741f 8b4f28 48895f10 } // n = 7, score = 100 // eb05 | cmp byte ptr [ecx + 0x3f], ch // b901000000 | jne 0x6a2 // 894f28 | dec eax // 4885db | mov ecx, dword ptr [eax] // 741f | lea edx, [ebp + 4] // 8b4f28 | dec esp // 48895f10 | mov edi, eax $sequence_6 = { f2490f2ad5 488d4dc7 f20f5e15???????? 
66490f7ed0 e8???????? e9???????? 448b44242c } // n = 7, score = 100 // f2490f2ad5 | mov dword ptr [esp + 0x34], esi // 488d4dc7 | dec eax // f20f5e15???????? | // 66490f7ed0 | mov ecx, dword ptr [ebx + 0x70] // e8???????? | // e9???????? | // 448b44242c | test byte ptr [ecx + 0x34], 4 $sequence_7 = { ffc7 4883c108 3bfa 7cf1 e9???????? 488b4b20 4885c9 } // n = 7, score = 100 // ffc7 | dec eax // 4883c108 | mov ecx, dword ptr [esp + 0xa0] // 3bfa | dec eax // 7cf1 | mov eax, dword ptr [esp + 0xa8] // e9???????? | // 488b4b20 | dec eax // 4885c9 | test eax, eax $sequence_8 = { e9???????? 488b75a8 4c8b442470 8b06 83c003 413b00 7e1f } // n = 7, score = 100 // e9???????? | // 488b75a8 | cmp ecx, eax // 4c8b442470 | jne 0x13cd // 8b06 | test ecx, ecx // 83c003 | jne 0x13e6 // 413b00 | test ebx, ebx // 7e1f | js 0x1421 $sequence_9 = { c7430400000000 41ba1f000000 49bb1142082184104208 418b49f8 85c9 745b 8d4701 } // n = 7, score = 100 // c7430400000000 | inc ecx // 41ba1f000000 | cmp dword ptr [eax], ecx // 49bb1142082184104208 | inc ecx // 418b49f8 | mov eax, dword ptr [edi + 0x7c] // 85c9 | bt eax, edi // 745b | jb 0xd43 // 8d4701 | bts eax, edi condition: 7 of them and filesize < 2401280 } , rule win_iconicstealer_w0 { meta: author = \ threatintel@volexity.com\ date = \ 2023-03-30\ description = \ Detect the ICONICSTEALER malware family.\ hash1 = \ 8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423\ reference = \ https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\ memory_suitable = 1 license = \ See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer\ malpedia_version = \ 20230331\ malpedia_rule_date = \ 20230331\ malpedia_hash = \ \ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $str1 = \ \\3CXDesktopApp\\config.json\ wide $str2 = \ url, title FROM urls\ wide $str3 = \ url, title 
FROM moz_places\ wide condition: all of them } ] }, { Malware : KV , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : FAKEUPDATES , Description : FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT. FAKEUPDATES has been heavily used by UNC1543, a financially motivated group. FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT. FAKEUPDATES has been heavily used by UNC1543, a financially motivated group. There is no Yara-Signature yet. , YARA : [] }, { Malware : DICELOADER , Description : A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash. A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash. 
, YARA : [ rule win_diceloader_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.diceloader.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7419 e8???????? 8bf0 83f8fe 0f840a010000 83f8ff } // n = 6, score = 100 // 7419 | lea edx, [0x117] // e8???????? | // 8bf0 | dec eax // 83f8fe | arpl word ptr [edi + 8], bp // 0f840a010000 | mov edx, 8 // 83f8ff | mov dword ptr [ebp + 0x5f8], ecx $sequence_1 = { 75cf 488325????????00 488d0d3a220000 448905???????? c705????????01000000 ff15???????? 488325????????00 } // n = 7, score = 100 // 75cf | imul eax, ecx, 7 // 488325????????00 | // 488d0d3a220000 | dec eax // 448905???????? | // c705????????01000000 | // ff15???????? | // 488325????????00 | $sequence_2 = { 75e5 448d4301 41b9983a0000 488d1daa2a0000 8bcf 488bd3 ff15???????? 
} // n = 7, score = 100 // 75e5 | inc ebp // 448d4301 | lea ebp, [esi + 4] // 41b9983a0000 | add al, bl // 488d1daa2a0000 | mov byte ptr [ebp + 0x61], al // 8bcf | inc ebp // 488bd3 | xor esp, esp // ff15???????? | $sequence_3 = { 8b0491 4903c5 498907 33c9 eb2a } // n = 5, score = 100 // 8b0491 | inc ebp // 4903c5 | xor eax, eax // 498907 | lea ecx, [edx + 6] // 33c9 | call eax // eb2a | and dword ptr [ebx + 8], 0 $sequence_4 = { 498b7318 498be3 5f c3 4053 4883ec20 33db } // n = 7, score = 100 // 498b7318 | dec esp // 498be3 | mov esp, esi // 5f | inc esp // c3 | lea ecx, [ecx + 0x40] // 4053 | dec ecx // 4883ec20 | cmovne eax, esp // 33db | dec esp $sequence_5 = { 7453 33d2 458d460e 488d4c2420 e8???????? 0fb7ce } // n = 6, score = 100 // 7453 | je 0xc59 // 33d2 | shr eax, 2 // 458d460e | imul eax, eax, 7 // 488d4c2420 | sub ebx, eax // e8???????? | // 0fb7ce | jne 0xc7d $sequence_6 = { 8bf0 83f8fe 0f840a010000 83f8ff 0f8406010000 4533ff 3bf3 } // n = 7, score = 100 // 8bf0 | dec esp // 83f8fe | sub ecx, dword ptr [ebp + 0x30] // 0f840a010000 | test eax, eax // 83f8ff | jne 0x18e1 // 0f8406010000 | dec esp // 4533ff | mov edi, dword ptr [esp + 0x98] // 3bf3 | inc esp $sequence_7 = { 4c8d4820 ba05000000 44894024 448bc1 c740e808000000 8d4afe e8???????? } // n = 7, score = 100 // 4c8d4820 | xor edx, edx // ba05000000 | dec esp // 44894024 | arpl bx, ax // 448bc1 | dec eax // c740e808000000 | lea ecx, [edi + 0x13] // 8d4afe | dec eax // e8???????? | $sequence_8 = { e8???????? 498bd5 488d0dea1f0000 e8???????? } // n = 4, score = 100 // e8???????? | // 498bd5 | mov edi, dword ptr [esp + 0x98] // 488d0dea1f0000 | dec ecx // e8???????? | $sequence_9 = { 8d4860 e8???????? 488bcd 488bf8 895808 } // n = 5, score = 100 // 8d4860 | test eax, eax // e8???????? | // 488bcd | jne 0x22c // 488bf8 | dec esp // 895808 | mov edi, dword ptr [esp + 0x98] condition: 7 of them and filesize < 41984 } ] }, { Malware : Headlace , Description : There is no description at this point. 
There is no Yara-Signature yet. , YARA : [] }, { Malware : KEYPLUG , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Krasue RAT , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : LuaDream , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : P2Pinfect , Description : P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute-forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system. P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute-forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system. 
, YARA : [ rule elf_p2pinfect_w0 { meta: description = \ Detects P2Pinfect worm on Linux\ author = \ nbill@cadosecurity.com\ license = \ Apache License 2.0\ date = \ 2023-07-28\ hash1 = \ 87a3fc1088449dbd3554fe029a1878a525e64ab4ccf71b23edb03619ba94403a\ hash2 = \ ce047893ac5bd2100db3448bd62c324e471ffcddd48433788bfe885e5f071a89\ hash3 = \ b1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect\ malpedia_rule_date = \ 20231213\ malpedia_hash = \ \ malpedia_version = \ 20231213\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $magic = { 7f 45 4c 46 } $a1 = \ p2pinfect\ $a2 = \ p2pmod\ $b1 = { 48 8D 35 C2 13 22 00 6A 19 5A 4C 89 FF E8 A3 EF 17 00 48 8D 35 C9 13 22 00 6A 1E 5A 4C 89 FF E8 91 EF 17 00 48 8D 35 D5 13 22 00 6A 0E 5A 4C 89 FF E8 7F EF 17 00 48 8D 35 D1 13 22 00 6A 0F 5A 4C 89 FF E8 6D EF 17 00 48 8D 35 81 A5 21 00 4C 89 FF 4C 89 F2 E8 5B EF 17 00 } $b2 = { 48 83 E4 80 48 81 EC 80 0F 00 00 48 C7 04 24 00 00 00 00 48 81 EC 00 05 00 00 49 89 D0 49 89 F5 48 89 BC 24 88 00 00 00 0F B6 86 20 08 00 00 48 8D 0D A3 4D 18 00 48 63 04 81 48 01 C8 6A 01 5E 6A 02 41 5F 4C 89 6C 24 48 48 89 94 24 90 00 00 00 FF E0 } $b3 = { 4C 89 F7 49 89 D8 E8 10 BB 00 00 49 83 66 68 00 49 C7 46 70 0A 00 00 00 66 41 C7 46 78 01 00 6A 10 59 48 8D 84 24 50 04 00 00 48 89 C7 4C 89 F6 F3 48 A5 48 89 C7 E8 FA 76 01 00 } $b4 = { 48 8B 3D 0F 3F 06 00 48 8B 35 10 3F 06 00 E8 20 8E 04 00 49 8B 46 10 48 89 05 08 3F 06 00 41 0F 10 06 0F 11 05 ED 3E 06 00 48 8D 35 A4 D0 FF FF 6A 0F 5F FF 15 25 3D 06 00 48 83 F8 FF 75 06 } $b5 = { 49 29 F7 4C 89 F7 4C 89 FA FF 15 DB 92 21 00 48 8B 84 24 40 02 00 00 4C 01 E0 48 8B 8C 24 98 02 00 00 48 89 01 48 8B 84 24 80 00 00 00 48 89 28 48 8B BC 24 68 01 00 00 48 8D 77 10 48 8B 84 24 48 02 00 00 48 F7 D0 48 8B 94 24 50 02 00 00 48 01 C2 48 C1 E2 04 FF 15 FE 92 21 00 4C 8B A4 24 10 01 00 00 49 83 FC 01 4C 8B 3C 24 48 8B B4 24 38 01 00 00 0F 86 
C0 02 00 00 } condition: $magic at 0 and (all of ($a*) or any of ($b*)) } ] }, { Malware : POWERTRASH , Description : This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant's blog article: \ POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\ This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant's blog article: \ POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\ There is no Yara-Signature yet. , YARA : [] }, { Malware : STONEBOAT , Description : According to Mandiant, STONEBOAT is an installer for DICELOADER. It is written in .NET and drops its payload in-memory. According to Mandiant, STONEBOAT is an installer for DICELOADER. It is written in .NET and drops its payload in-memory. There is no Yara-Signature yet. , YARA : [] }, { Malware : Vetta Loader , Description : Vetta Loader is a persistent Loader spreading with infected USB drives. It downloads other components leveraging legit hosting services.https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf Vetta Loader is a persistent Loader spreading with infected USB drives. It downloads other components leveraging legit hosting services.https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf There is no Yara-Signature yet. , YARA : [] }, { Malware : CageyChameleon , Description : CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. 
The collected information is sent back to the C2 server, and the backdoor then continues to issue requests to the C2 to perform subsequent operations. CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. The collected information is sent back to the C2 server, and the backdoor then continues to issue requests to the C2 to perform subsequent operations.
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83c002 668b1c08 668b140e 6639d3 75e4 83e902 83f900 } // n = 7, score = 100 // 83c002 | add eax, 2 // 668b1c08 | mov bx, word ptr [eax + ecx] // 668b140e | mov dx, word ptr [esi + ecx] // 6639d3 | cmp bx, dx // 75e4 | jne 0xffffffe6 // 83e902 | sub ecx, 2 // 83f900 | cmp ecx, 0 $sequence_1 = { 7545 66f7c14179 685595db6d e8???????? } // n = 4, score = 100 // 7545 | jne 0x47 // 66f7c14179 | test cx, 0x7941 // 685595db6d | push 0x6ddb9555 // e8???????? | $sequence_2 = { e8???????? 5f 59 83c628 41 3b8f04080000 75a8 } // n = 7, score = 100 // e8???????? | // 5f | pop edi // 59 | pop ecx // 83c628 | add esi, 0x28 // 41 | inc ecx // 3b8f04080000 | cmp ecx, dword ptr [edi + 0x804] // 75a8 | jne 0xffffffaa $sequence_3 = { 7408 0185f4000000 eba4 85d8 } // n = 4, score = 100 // 7408 | je 0xa // 0185f4000000 | add dword ptr [ebp + 0xf4], eax // eba4 | jmp 0xffffffa6 // 85d8 | test eax, ebx $sequence_4 = { 89f8 0500080000 50 6aff } // n = 4, score = 100 // 89f8 | mov eax, edi // 0500080000 | add eax, 0x800 // 50 | push eax // 6aff | push -1 $sequence_5 = { 6685d2 e8???????? 84ef 80fd37 57 e8???????? 58 } // n = 7, score = 100 // 6685d2 | test dx, dx // e8???????? | // 84ef | test bh, ch // 80fd37 | cmp ch, 0x37 // 57 | push edi // e8???????? 
| // 58 | pop eax $sequence_6 = { c3 38ed 817e24200000e0 7473 } // n = 4, score = 100 // c3 | ret // 38ed | cmp ch, ch // 817e24200000e0 | cmp dword ptr [esi + 0x24], 0xe0000020 // 7473 | je 0x75 $sequence_7 = { 668b00 6631c8 39c8 6631c3 6681fb4d5a 7407 6639c1 } // n = 7, score = 100 // 668b00 | mov ax, word ptr [eax] // 6631c8 | xor ax, cx // 39c8 | cmp eax, ecx // 6631c3 | xor bx, ax // 6681fb4d5a | cmp bx, 0x5a4d // 7407 | je 9 // 6639c1 | cmp cx, ax $sequence_8 = { 0fbae11f 0f82d63c0000 61 0faee8 0f31 0faee8 c1e220 } // n = 7, score = 100 // 0fbae11f | bt ecx, 0x1f // 0f82d63c0000 | jb 0x3cdc // 61 | popal // 0faee8 | lfence // 0f31 | rdtsc // 0faee8 | lfence // c1e220 | shl edx, 0x20 $sequence_9 = { 75e4 83e902 83f900 7deb ff742404 } // n = 5, score = 100 // 75e4 | jne 0xffffffe6 // 83e902 | sub ecx, 2 // 83f900 | cmp ecx, 0 // 7deb | jge 0xffffffed // ff742404 | push dword ptr [esp + 4] condition: 7 of them and filesize < 90112 } , rule win_cloudeye_w0 { meta: author = \ ditekshen\ description = \ Shellcode injector and downloader via RegAsm.exe payload\ source = \ https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar\ malpedia_version = \ 20200204\ malpedia_sharing = \ TLP:WHITE\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\ malpedia_license = \ \ strings: $s1 = \ wininet.dll\ fullword ascii $s2 = \ ShellExecuteW\ fullword ascii $s3 = \ SHCreateDirectoryExW\ fullword ascii $s4 = \ Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\ fullword ascii $s5 = \ Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\ fullword ascii $o1 = \ msvbvm60.dll\ fullword wide $o2 = \ \\syswow64\\\ fullword wide $o3 = \ \\system32\\\ fullword wide $o4 = \ \\Microsoft.NET\\Framework\\\ fullword wide $o5 = \ USERPROFILE=\ wide nocase $o6 = \ windir=\ fullword wide $o7 = \ APPDATA=\ nocase wide $o8 = \ RegAsm.exe\ fullword wide $url1 = \ https://drive.google.com/uc?export=download&id=\ ascii $url2 = 
\ https://onedrive.live.com/download?cid=\ ascii $url3 = \ http://myurl/myfile.bin\ fullword ascii $url4 = \ http\ ascii // fallback condition: all of ($s*) and 2 of ($o*) and 1 of ($url*) } ] }, { Malware : Gameover P2P , Description : Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers. Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers. , YARA : [ rule win_gameover_p2p_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.gameover_p2p.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b01 8975dc 85c0 740f ffb09c010000 8d45d4 50 } // n = 7, score = 100 // 8b01 | mov eax, dword ptr [ecx] // 8975dc | mov dword ptr [ebp - 0x24], esi // 85c0 | test eax, eax // 740f | je 0x11 // ffb09c010000 | push dword ptr [eax + 0x19c] // 8d45d4 | lea eax, [ebp - 0x2c] // 50 | push eax $sequence_1 = { 8d873c010000 50 889f38010000 ffd6 } // n = 4, score = 100 // 8d873c010000 | lea eax, [edi + 0x13c] // 50 | push eax // 889f38010000 | mov byte ptr [edi + 0x138], bl // ffd6 | call esi $sequence_2 = { ba???????? 8d8d70fdffff e8???????? 85c0 0f95c0 84c0 7509 } // n = 7, score = 100 // ba???????? | // 8d8d70fdffff | lea ecx, [ebp - 0x290] // e8???????? | // 85c0 | test eax, eax // 0f95c0 | setne al // 84c0 | test al, al // 7509 | jne 0xb $sequence_3 = { 743f 53 8d442420 50 57 56 ff742428 } // n = 7, score = 100 // 743f | je 0x41 // 53 | push ebx // 8d442420 | lea eax, [esp + 0x20] // 50 | push eax // 57 | push edi // 56 | push esi // ff742428 | push dword ptr [esp + 0x28] $sequence_4 = { 7769 8a442412 0fb6c0 668901 8a442413 0fb6c0 66894102 } // n = 7, score = 100 // 7769 | ja 0x6b // 8a442412 | mov al, byte ptr [esp + 0x12] // 0fb6c0 | movzx eax, al // 668901 | mov word ptr [ecx], ax // 8a442413 | mov al, byte ptr [esp + 0x13] // 0fb6c0 | movzx eax, al // 66894102 | mov word ptr [ecx + 2], ax $sequence_5 = { 7415 ff770c 8d442418 51 } // n = 4, score = 100 // 7415 | je 0x17 // ff770c | push dword ptr [edi + 0xc] // 8d442418 | lea eax, [esp + 0x18] // 51 | push ecx $sequence_6 = { e8???????? 
8bf8 689a000000 8bd3 8bce 897c242c } // n = 6, score = 100 // e8???????? | // 8bf8 | mov edi, eax // 689a000000 | push 0x9a // 8bd3 | mov edx, ebx // 8bce | mov ecx, esi // 897c242c | mov dword ptr [esp + 0x2c], edi $sequence_7 = { b9a6000000 8d5588 e8???????? e8???????? 8bc8 e8???????? 8b750c } // n = 7, score = 100 // b9a6000000 | mov ecx, 0xa6 // 8d5588 | lea edx, [ebp - 0x78] // e8???????? | // e8???????? | // 8bc8 | mov ecx, eax // e8???????? | // 8b750c | mov esi, dword ptr [ebp + 0xc] $sequence_8 = { 85c0 7548 68???????? ff35???????? ffd6 85c0 7537 } // n = 7, score = 100 // 85c0 | test eax, eax // 7548 | jne 0x4a // 68???????? | // ff35???????? | // ffd6 | call esi // 85c0 | test eax, eax // 7537 | jne 0x39 $sequence_9 = { f3ab 33db 6818010000 66ab 8d842410010000 53 50 } // n = 7, score = 100 // f3ab | rep stosd dword ptr es:[edi], eax // 33db | xor ebx, ebx // 6818010000 | push 0x118 // 66ab | stosw word ptr es:[edi], ax // 8d842410010000 | lea eax, [esp + 0x110] // 53 | push ebx // 50 | push eax condition: 7 of them and filesize < 598016 } ] }, { Malware : GoTitan , Description : GoTitan is a DDoS bot under development, which support ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT. GoTitan is a DDoS bot under development, which support ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT. There is no Yara-Signature yet. , YARA : [] }, { Malware : miniTypeFrame , Description : miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows.Its functionality is reduced to serve mostly as a proxy module. Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044. miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows. Its functionality is reduced to serve mostly as a proxy module. 
Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044. There is no Yara-Signature yet. , YARA : [] }, { Malware : Murofet , Description : There is no description at this point. , YARA : [ rule win_murofet_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.murofet.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 3c02 72e5 e8???????? a2???????? 84c0 7510 } // n = 6, score = 300 // 3c02 | cmp al, 2 // 72e5 | jb 0xffffffe7 // e8???????? | // a2???????? | // 84c0 | test al, al // 7510 | jne 0x12 $sequence_1 = { 7504 3c02 72bf b001 } // n = 4, score = 300 // 7504 | jne 6 // 3c02 | cmp al, 2 // 72bf | jb 0xffffffc1 // b001 | mov al, 1 $sequence_2 = { 3c02 72e5 e8???????? a2???????? } // n = 4, score = 300 // 3c02 | cmp al, 2 // 72e5 | jb 0xffffffe7 // e8???????? | // a2???????? | $sequence_3 = { e8???????? e8???????? 3c02 72e5 e8???????? a2???????? 
84c0 } // n = 7, score = 300 // e8???????? | // e8???????? | // 3c02 | cmp al, 2 // 72e5 | jb 0xffffffe7 // e8???????? | // a2???????? | // 84c0 | test al, al $sequence_4 = { 6a10 8d4624 55 50 ff15???????? 83c40c } // n = 6, score = 300 // 6a10 | push 0x10 // 8d4624 | lea eax, [esi + 0x24] // 55 | push ebp // 50 | push eax // ff15???????? | // 83c40c | add esp, 0xc $sequence_5 = { c3 e8???????? 33c0 c20400 55 8bec 83ec68 } // n = 7, score = 300 // c3 | ret // e8???????? | // 33c0 | xor eax, eax // c20400 | ret 4 // 55 | push ebp // 8bec | mov ebp, esp // 83ec68 | sub esp, 0x68 $sequence_6 = { e8???????? 33c0 c20400 55 8bec 83ec68 53 } // n = 7, score = 300 // e8???????? | // 33c0 | xor eax, eax // c20400 | ret 4 // 55 | push ebp // 8bec | mov ebp, esp // 83ec68 | sub esp, 0x68 // 53 | push ebx $sequence_7 = { 6a10 8d4624 55 50 } // n = 4, score = 300 // 6a10 | push 0x10 // 8d4624 | lea eax, [esi + 0x24] // 55 | push ebp // 50 | push eax $sequence_8 = { 72e5 e8???????? a2???????? 84c0 7510 } // n = 5, score = 300 // 72e5 | jb 0xffffffe7 // e8???????? | // a2???????? | // 84c0 | test al, al // 7510 | jne 0x12 $sequence_9 = { ff15???????? c6443eff00 83f8ff 7509 56 } // n = 5, score = 300 // ff15???????? | // c6443eff00 | mov byte ptr [esi + edi - 1], 0 // 83f8ff | cmp eax, -1 // 7509 | jne 0xb // 56 | push esi condition: 7 of them and filesize < 622592 } ] }, { Malware : OriginBot , Description : OriginBot is a modular information stealer which can also download and execute other malicious payloads. OriginBot is a modular information stealer which can also download and execute other malicious payloads. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : PureCrypter , Description : According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format There is no Yara-Signature yet. , YARA : [] }, { Malware : Racket Downloader , Description : Racket Downloader is an HTTP(S) downloader.It uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic. It sends an HTTP POST request containing a particular value that inspired its name, like \ ?product_field=racket\ or \ prd_fld=racket\ .Racket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022. Racket Downloader is an HTTP(S) downloader. It uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic. It sends an HTTP POST request containing a particular value that inspired its name, like \ ?product_field=racket\ or \ prd_fld=racket\ . 
Racket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022. , YARA : [ rule win_racket_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.racket.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.racket\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffd3 8b8eec000000 8bf8 8b1d???????? 8d45ec 57 50 } // n = 7, score = 100 // ffd3 | call ebx // 8b8eec000000 | mov ecx, dword ptr [esi + 0xec] // 8bf8 | mov edi, eax // 8b1d???????? | // 8d45ec | lea eax, [ebp - 0x14] // 57 | push edi // 50 | push eax $sequence_1 = { 807d0800 743b e8???????? 6a00 ff7604 6845090000 ff35???????? } // n = 7, score = 100 // 807d0800 | cmp byte ptr [ebp + 8], 0 // 743b | je 0x3d // e8???????? | // 6a00 | push 0 // ff7604 | push dword ptr [esi + 4] // 6845090000 | push 0x945 // ff35???????? 
| $sequence_2 = { 57 0f1f840000000000 8bc1 c745fc02000000 2bc2 8dbb78fdffff 81c680fdffff } // n = 7, score = 100 // 57 | push edi // 0f1f840000000000 | nop dword ptr [eax + eax] // 8bc1 | mov eax, ecx // c745fc02000000 | mov dword ptr [ebp - 4], 2 // 2bc2 | sub eax, edx // 8dbb78fdffff | lea edi, [ebx - 0x288] // 81c680fdffff | add esi, 0xfffffd80 $sequence_3 = { 0f44c1 50 ff75f4 8b473c 68a2090000 ff34856cb30610 ff15???????? } // n = 7, score = 100 // 0f44c1 | cmove eax, ecx // 50 | push eax // ff75f4 | push dword ptr [ebp - 0xc] // 8b473c | mov eax, dword ptr [edi + 0x3c] // 68a2090000 | push 0x9a2 // ff34856cb30610 | push dword ptr [eax*4 + 0x1006b36c] // ff15???????? | $sequence_4 = { 40 50 68???????? 6aff 8d85fcfdffff 6800010000 50 } // n = 7, score = 100 // 40 | inc eax // 50 | push eax // 68???????? | // 6aff | push -1 // 8d85fcfdffff | lea eax, [ebp - 0x204] // 6800010000 | push 0x100 // 50 | push eax $sequence_5 = { 0f8433020000 833d????????00 0f8426020000 833d????????00 0f8419020000 833d????????00 0f840c020000 } // n = 7, score = 100 // 0f8433020000 | je 0x239 // 833d????????00 | // 0f8426020000 | je 0x22c // 833d????????00 | // 0f8419020000 | je 0x21f // 833d????????00 | // 0f840c020000 | je 0x212 $sequence_6 = { 83c430 3945cc 8b45b8 7501 40 8b4dc0 } // n = 6, score = 100 // 83c430 | add esp, 0x30 // 3945cc | cmp dword ptr [ebp - 0x34], eax // 8b45b8 | mov eax, dword ptr [ebp - 0x48] // 7501 | jne 3 // 40 | inc eax // 8b4dc0 | mov ecx, dword ptr [ebp - 0x40] $sequence_7 = { 8b4e04 85c9 7537 8b4510 8b7838 85ff 7e75 } // n = 7, score = 100 // 8b4e04 | mov ecx, dword ptr [esi + 4] // 85c9 | test ecx, ecx // 7537 | jne 0x39 // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 8b7838 | mov edi, dword ptr [eax + 0x38] // 85ff | test edi, edi // 7e75 | jle 0x77 $sequence_8 = { ff740e08 68ac080000 ff35???????? ff15???????? 83c420 2bd8 7418 } // n = 7, score = 100 // ff740e08 | push dword ptr [esi + ecx + 8] // 68ac080000 | push 0x8ac // ff35???????? | // ff15???????? 
| // 83c420 | add esp, 0x20 // 2bd8 | sub ebx, eax // 7418 | je 0x1a $sequence_9 = { 6a00 68d6070000 897ddc ff34856cb30610 8975d0 ff15???????? 83c410 } // n = 7, score = 100 // 6a00 | push 0 // 68d6070000 | push 0x7d6 // 897ddc | mov dword ptr [ebp - 0x24], edi // ff34856cb30610 | push dword ptr [eax*4 + 0x1006b36c] // 8975d0 | mov dword ptr [ebp - 0x30], esi // ff15???????? | // 83c410 | add esp, 0x10 condition: 7 of them and filesize < 985088 } ] }, { Malware : RustBucket , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : TYPEFRAME , Description : TYPEFRAME is a RAT. It supports ~25 commands that include operations on the victim’s filesystem, manipulation with its configuration, modification of the system's firewall, the download and execution of additional tools from the attacker’s C&C and the uninstall via a self-delete batch. The commands are indexed by 16-bit integers, starting with the value 0x8000.The RAT uses RC4 for decryption of its binary configuration. It has a statically linked OpenSSL 0.9.8k library used for SSL communication. TYPEFRAME is a RAT. It supports ~25 commands that include operations on the victim’s filesystem, manipulation with its configuration, modification of the system's firewall, the download and execution of additional tools from the attacker’s C&C and the uninstall via a self-delete batch. The commands are indexed by 16-bit integers, starting with the value 0x8000. The RAT uses RC4 for decryption of its binary configuration. It has a statically linked OpenSSL 0.9.8k library used for SSL communication. There is no Yara-Signature yet. , YARA : [] }, { Malware : Qilin , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : X-Files Stealer , Description : There is no description at this point. 
, YARA : [ rule win_xfilesstealer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.xfilesstealer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffd3 33c9 85c0 7524 448b4c2450 4c8d05c3f12600 ba00040000 } // n = 7, score = 100 // ffd3 | inc ebp // 33c9 | test esi, esi // 85c0 | jne 0x1838 // 7524 | test cl, cl // 448b4c2450 | jne 0x1838 // 4c8d05c3f12600 | cmp ebx, 0x2c // ba00040000 | cmp ebx, 0x27 $sequence_1 = { e8???????? 8bf8 488d4dc0 e8???????? 85ff 0f88cb000000 488d55c0 } // n = 7, score = 100 // e8???????? | // 8bf8 | inc esp // 488d4dc0 | mov eax, esi // e8???????? 
| // 85ff | inc ecx // 0f88cb000000 | mov edx, esi // 488d55c0 | dec eax $sequence_2 = { ffd3 498b4f58 894114 498b4758 33ff 897818 498b4758 } // n = 7, score = 100 // ffd3 | jne 0x97 // 498b4f58 | dec eax // 894114 | mov edx, edi // 498b4758 | dec eax // 33ff | mov ecx, esi // 897818 | test al, al // 498b4758 | je 0x97 $sequence_3 = { eb00 90 488d4d48 e8???????? 90 837d5800 7411 } // n = 7, score = 100 // eb00 | je 0x1286 // 90 | dec eax // 488d4d48 | lea ecx, [ebp + 0x1f0] // e8???????? | // 90 | jne 0x1195 // 837d5800 | inc ecx // 7411 | mov ecx, dword ptr [eax] $sequence_4 = { e8???????? 4c392b 7439 488b05???????? 488906 488d0d439c8900 48894e08 } // n = 7, score = 100 // e8???????? | // 4c392b | mov ecx, dword ptr [ecx + 0x4b0] // 7439 | inc ecx // 488b05???????? | // 488906 | mov edx, eax // 488d0d439c8900 | dec ecx // 48894e08 | mov ecx, ecx $sequence_5 = { ffd3 4c63c0 48c744243080060000 4c89442428 48c744242020205248 4c8d0dee771b00 ba00400000 } // n = 7, score = 100 // ffd3 | mov eax, dword ptr [esp + 0x30] // 4c63c0 | test al, al // 48c744243080060000 | jne 0x4b // 4c89442428 | dec eax // 48c744242020205248 | lea ecx, [esp + 0x20] // 4c8d0dee771b00 | mov dword ptr [esp + 0x28], 0x3d2 // ba00400000 | mov eax, dword ptr [esp + 0x30] $sequence_6 = { b801000000 e9???????? 85ed 7512 4d8bc6 488bd6 488bcb } // n = 7, score = 100 // b801000000 | mov ebx, eax // e9???????? | // 85ed | mov ecx, ebx // 7512 | dec esp // 4d8bc6 | lea eax, [0x3857e8] // 488bd6 | mov edx, 0x104 // 488bcb | dec eax $sequence_7 = { ff15???????? 8bd8 85c0 7e09 0fb7d8 81cb00000780 488d4db0 } // n = 7, score = 100 // ff15???????? | // 8bd8 | mov ecx, dword ptr [esi] // 85c0 | dec eax // 7e09 | mov eax, dword ptr [esi + 0x108] // 0fb7d8 | sub ecx, 0x10 // 81cb00000780 | dec eax // 488d4db0 | add ecx, ecx $sequence_8 = { 89742428 4489742420 4c8d4df8 4c8d45d8 488b55f0 488d8d30010000 e8???????? 
} // n = 7, score = 100 // 89742428 | mov dword ptr [esi + eax*2], edi // 4489742420 | cmp eax, -1 // 4c8d4df8 | je 0x618 // 4c8d45d8 | dec ecx // 488b55f0 | mov ecx, esi // 488d8d30010000 | dec eax // e8???????? | $sequence_9 = { ff5208 33c0 4883c448 c3 488d4c2420 c744242890010000 e8???????? } // n = 7, score = 100 // ff5208 | mov eax, edi // 33c0 | dec ecx // 4883c448 | mov edx, ebp // c3 | dec ecx // 488d4c2420 | mov ecx, edi // c744242890010000 | cmp eax, 5 // e8???????? | condition: 7 of them and filesize < 20821780 } , rule win_xfilesstealer_w0 { meta: author = \ Johannes Bader @viql\ date = \ 2022-04-15\ version = \ v1.0\ description = \ detects XFiles-Stealer\ hash = \ d06072f959d895f2fc9a57f44bf6357596c5c3410e90dabe06b171161f37d690\ tlp = \ TLP:WHITE\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer\ malpedia_rule_date = \ 20220425\ malpedia_hash = \ \ malpedia_version = \ 20220425\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $ad_1 = \ Telegram bot - @XFILESShop_Bot\ wide $ad_2 = \ Telegram support - @XFILES_Seller\ wide $names_1 = \ XFiles.Models.Yeti\ $names_2 = \ anti_vzlom_popki\ // анти взлом попки $names_3 = \ assType\ $names_4 = \ hackrjaw\ $upload_1 = \ zipx\ wide $upload_2 = \ user_id\ wide $upload_3 = \ passworlds_x\ wide $upload_4 = \ ip_x\ wide $upload_5 = \ cc_x\ wide $upload_6 = \ cookies_x\ wide $upload_7 = \ zip_x\ wide $upload_8 = \ contry_x\ wide $upload_9 = \ tag_x\ wide $upload_10 = \ piece\ wide condition: uint16(0) == 0x5A4D and ( all of ($ad_*) or all of ($names_*) or all of ($upload_*) ) } ] }, { Malware : Ave Maria , Description : Information stealer which uses AutoIT for wrapping. Information stealer which uses AutoIT for wrapping. 
, YARA : [ rule win_ave_maria_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.ave_maria.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8b07 ff740610 8d4614 50 8d45f8 50 } // n = 6, score = 400 // 8b07 | mov eax, dword ptr [edi] // ff740610 | push dword ptr [esi + eax + 0x10] // 8d4614 | lea eax, [esi + 0x14] // 50 | push eax // 8d45f8 | lea eax, [ebp - 8] // 50 | push eax $sequence_1 = { 52 8b08 6a01 50 ff510c 85c0 74c1 } // n = 7, score = 400 // 52 | push edx // 8b08 | mov ecx, dword ptr [eax] // 6a01 | push 1 // 50 | push eax // ff510c | call dword ptr [ecx + 0xc] // 85c0 | test eax, eax // 74c1 | je 0xffffffc3 $sequence_2 = { 6a0a 03c1 59 8bf8 f3a5 8d4d30 } // n = 6, score = 400 // 6a0a | push 0xa // 03c1 | add eax, ecx // 59 | pop ecx // 8bf8 | mov edi, eax // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 8d4d30 | lea ecx, [ebp + 0x30] $sequence_3 = { 0f57c0 c745e015000000 50 8d4de0 0f1145e8 e8???????? 8bc8 } // n = 7, score = 400 // 0f57c0 | xorps xmm0, xmm0 // c745e015000000 | mov dword ptr [ebp - 0x20], 0x15 // 50 | push eax // 8d4de0 | lea ecx, [ebp - 0x20] // 0f1145e8 | movups xmmword ptr [ebp - 0x18], xmm0 // e8???????? | // 8bc8 | mov ecx, eax $sequence_4 = { 803800 7509 33c0 5b c3 33c0 40 } // n = 7, score = 400 // 803800 | cmp byte ptr [eax], 0 // 7509 | jne 0xb // 33c0 | xor eax, eax // 5b | pop ebx // c3 | ret // 33c0 | xor eax, eax // 40 | inc eax $sequence_5 = { 8bc7 99 2bc1 8bcf 1bd6 52 50 } // n = 7, score = 400 // 8bc7 | mov eax, edi // 99 | cdq // 2bc1 | sub eax, ecx // 8bcf | mov ecx, edi // 1bd6 | sbb edx, esi // 52 | push edx // 50 | push eax $sequence_6 = { ff500c 8b06 68???????? ff37 8b08 } // n = 5, score = 400 // ff500c | call dword ptr [eax + 0xc] // 8b06 | mov eax, dword ptr [esi] // 68???????? | // ff37 | push dword ptr [edi] // 8b08 | mov ecx, dword ptr [eax] $sequence_7 = { 51 54 8bce e8???????? 8b4d08 e8???????? 83c410 } // n = 7, score = 400 // 51 | push ecx // 54 | push esp // 8bce | mov ecx, esi // e8???????? | // 8b4d08 | mov ecx, dword ptr [ebp + 8] // e8???????? 
| // 83c410 | add esp, 0x10 $sequence_8 = { 300431 41 3bcf 7ced 5f 8bc6 5e } // n = 7, score = 400 // 300431 | xor byte ptr [ecx + esi], al // 41 | inc ecx // 3bcf | cmp ecx, edi // 7ced | jl 0xffffffef // 5f | pop edi // 8bc6 | mov eax, esi // 5e | pop esi $sequence_9 = { 83ec18 53 8bd9 56 57 895df8 } // n = 6, score = 400 // 83ec18 | sub esp, 0x18 // 53 | push ebx // 8bd9 | mov ebx, ecx // 56 | push esi // 57 | push edi // 895df8 | mov dword ptr [ebp - 8], ebx condition: 7 of them and filesize < 237568 } ] }, { Malware : Bankshot , Description : There is no description at this point. , YARA : [ rule win_bankshot_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.bankshot.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 300 // 8bf8 | dec eax // 8d5101 | lea ecx, [0x961e] // 8a01 | mov ebx, eax // 41 | test ecx, ecx // 84c0 | jne 0x1bb // 75f9 | dec eax // 57 | lea ecx, [esp + 0x350] $sequence_1 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 6, score = 300 // 8bec | dec eax // 81ec48040000 | mov dword ptr [esp + 0x30], 0x80000002 // a1???????? | // 33c5 | dec eax // 8945f8 | lea ecx, [esp + 0x240] // 53 | xor edx, edx $sequence_2 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } // n = 7, score = 200 // e9???????? | // 57 | or byte ptr [esi + edx + 0x19], al // 33ff | mov eax, edi // 8bcf | mov dword ptr [ebp - 0x1c], ecx // 8bc7 | cmp dword ptr [eax + 0x1001e1c0], ebx // 894de4 | je 0xf9 // 3998c0e10110 | test ebx, ebx $sequence_3 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } // n = 7, score = 200 // c74048b8e40110 | jbe 0xfffffff2 // 8b4508 | mov eax, dword ptr [ebp + 8] // 6689486c | mov dword ptr [eax + 0x350], ecx // 8b4508 | mov eax, dword ptr [ebp + 8] // 66898872010000 | pop ecx // 8b4508 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 83a04c03000000 | mov eax, dword ptr [ebp + 8] $sequence_4 = { 33c9 33d2 66898c45f47fffff 8d8df47fffff 8d7102 668b01 83c102 } // n = 7, score = 200 // 33c9 | mov edi, eax // 33d2 | lea edx, [ecx + 1] // 66898c45f47fffff | mov al, byte ptr [ecx] // 8d8df47fffff | inc ecx // 8d7102 | test al, al // 668b01 | jne 5 // 83c102 | push edi $sequence_5 = { 89855c38ffff fec1 888d6438ffff 85fa 0f84a4000000 } // n = 5, score = 200 // 89855c38ffff | xor byte ptr [ebp + ecx - 0xc26c], 0xaa // fec1 | inc ecx // 888d6438ffff | cmp ecx, edx // 85fa | jl 4 // 0f84a4000000 | cmp dword ptr [ebp - 0xc26c], 0x2000 $sequence_6 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? 
} // n = 5, score = 200 // 8b45fc | lea ecx, [ebp - 0x110] // 817848b8e40110 | push ecx // 7409 | lea edx, [ebp - 0x118] // ff7048 | mov ecx, dword ptr [edx*4 + 0x7188c8] // e8???????? | $sequence_7 = { 0f84a6000000 680c400000 8d85e4bfffff 53 50 } // n = 5, score = 200 // 0f84a6000000 | mov ebp, esp // 680c400000 | sub esp, 0x448 // 8d85e4bfffff | xor eax, ebp // 53 | mov dword ptr [ebp - 8], eax // 50 | push ebx $sequence_8 = { 680c000200 e8???????? 8bf8 83c404 85ff 0f8429060000 6915????????04010000 } // n = 7, score = 200 // 680c000200 | mov word ptr [ebp + eax*2 - 0x800c], cx // e8???????? | // 8bf8 | lea ecx, [ebp - 0x800c] // 83c404 | lea esi, [ecx + 2] // 85ff | mov ax, word ptr [ecx] // 0f8429060000 | add ecx, 2 // 6915????????04010000 | $sequence_9 = { 83c40c 8d85bcbaffff 33f6 6828050000 56 50 } // n = 6, score = 200 // 83c40c | jae 0xdf2 // 8d85bcbaffff | lea ecx, [ebp - 0xc260] // 33f6 | lea edx, [ecx + 1] // 6828050000 | mov al, byte ptr [ecx] // 56 | inc ecx // 50 | test al, al $sequence_10 = { e8???????? 83c40c e8???????? 99 b907000000 } // n = 5, score = 200 // e8???????? | // 83c40c | mov eax, dword ptr [ebx*4 + 0x10017fc8] // e8???????? | // 99 | mov dword ptr [ebp - 0x2c], eax // b907000000 | mov dword ptr [ebp - 0x18], edx $sequence_11 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | mov eax, dword ptr [ebp - 4] // 89861c020000 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 8b45e0 | je 0x18 // 8d4e0c | push dword ptr [eax + 0x48] // 6a06 | cmp dword ptr [eax + 0x1001e1c0], ebx // 8d90c4e10110 | je 0xf0 $sequence_12 = { 0f1f4000 80b40d943dffffaa 41 3bca 7cf3 } // n = 5, score = 200 // 0f1f4000 | push ebp // 80b40d943dffffaa | mov ebp, esp // 41 | sub esp, 0x448 // 3bca | xor eax, ebp // 7cf3 | mov dword ptr [ebp - 8], eax $sequence_13 = { c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 6, score = 200 // c700???????? 
| // 8b4508 | lea edx, [eax + 0x1001e1c4] // 898850030000 | mov al, byte ptr [edi + 0x1001e1bc] // 8b4508 | or byte ptr [esi + edx + 0x19], al // 59 | inc edx // c74048b8e40110 | movzx eax, byte ptr [ecx + 1] $sequence_14 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 } // n = 6, score = 200 // 50 | mov eax, dword ptr [ebp + 8] // e8???????? | // 83c40c | pop ecx // 6b45e430 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 8945e0 | mov eax, dword ptr [ebp + 8] // 8d80d0e10110 | mov dword ptr [ebp - 0x20], eax $sequence_15 = { 8b542420 8987d0000000 8b442424 898fd4000000 8917 } // n = 5, score = 100 // 8b542420 | add esp, 4 // 8987d0000000 | jmp 0x3b // 8b442424 | lea edx, [ebx + 0xc] // 898fd4000000 | push 1 // 8917 | lea ecx, [esp + 0x14] $sequence_16 = { e8???????? 488d0de7030000 e8???????? 33c0 4883c420 } // n = 5, score = 100 // e8???????? | // 488d0de7030000 | mov dword ptr [esp + 0x60], ebp // e8???????? | // 33c0 | mov ebx, ebp // 4883c420 | dec eax $sequence_17 = { 488d0d1e960000 c705????????30000000 8bd8 c705????????02000000 48c705????????07000000 48893d???????? } // n = 6, score = 100 // 488d0d1e960000 | lea edx, [0x5358] // c705????????30000000 | // 8bd8 | inc ebp // c705????????02000000 | // 48c705????????07000000 | // 48893d???????? | $sequence_18 = { 8b0c95c8887100 8844192e 8b0495c8887100 804c182d04 ff4604 eb08 } // n = 6, score = 100 // 8b0c95c8887100 | cdq // 8844192e | mov ecx, 7 // 8b0495c8887100 | idiv ecx // 804c182d04 | add esp, 0xc // ff4604 | cdq // eb08 | mov ecx, 7 $sequence_19 = { 51 ff15???????? 8bf0 83feff 89742410 7544 ff15???????? } // n = 7, score = 100 // 51 | push 0 // ff15???????? | // 8bf0 | push 3 // 83feff | lea eax, [esp + 0x4c0] // 89742410 | push 0xc0000000 // 7544 | push eax // ff15???????? | $sequence_20 = { ff15???????? 68???????? 57 8985bcfbffff } // n = 4, score = 100 // ff15???????? | // 68???????? | // 57 | jne 5 // 8985bcfbffff | push edi $sequence_21 = { 48c744243002000080 e8???????? 
488d8c2440020000 33d2 } // n = 4, score = 100 // 48c744243002000080 | inc ecx // e8???????? | // 488d8c2440020000 | mov ecx, 0x58 // 33d2 | dec eax $sequence_22 = { 52 8d85c4fbffff 50 ff15???????? 8d8dd0fdffff } // n = 5, score = 100 // 52 | mov edx, dword ptr [esp + 0x20] // 8d85c4fbffff | mov dword ptr [edi + 0xd0], eax // 50 | mov eax, dword ptr [esp + 0x24] // ff15???????? | // 8d8dd0fdffff | mov dword ptr [edi + 0xd4], ecx $sequence_23 = { 57 83e502 4d ff15???????? 85f6 7407 } // n = 6, score = 100 // 57 | add esp, 0xc // 83e502 | cdq // 4d | mov ecx, 7 // ff15???????? | // 85f6 | idiv ecx // 7407 | add esp, 0xc $sequence_24 = { 8d1c85b4ef0110 33c0 f00fb10b 8b15???????? 83cfff 8bca } // n = 6, score = 100 // 8d1c85b4ef0110 | imul esi, esi, 0x30 // 33c0 | mov ecx, dword ptr [ecx*4 + 0x1001f180] // f00fb10b | and byte ptr [ecx + esi + 0x28], 0xfd // 8b15???????? | // 83cfff | pop edi // 8bca | pop esi $sequence_25 = { 7508 8b36 85f6 75e7 eb3a 81c694010000 } // n = 6, score = 100 // 7508 | ret 4 // 8b36 | mov ecx, dword ptr [esp + 0x3c1c] // 85f6 | or eax, 0xffffffff // 75e7 | jne 0x33 // eb3a | mov dword ptr [edi*4 + 0x10017fc8], eax // 81c694010000 | test eax, eax $sequence_26 = { e9???????? 8d8df0feffff 51 8d95e8feffff } // n = 4, score = 100 // e9???????? | // 8d8df0feffff | cdq // 51 | mov ecx, 7 // 8d95e8feffff | add esp, 0xc $sequence_27 = { ff15???????? 8b8df8f3ffff c7410800000000 8b95f8f3ffff 837a0400 } // n = 5, score = 100 // ff15???????? | // 8b8df8f3ffff | add esp, 0xc // c7410800000000 | cdq // 8b95f8f3ffff | mov ecx, 7 // 837a0400 | add esp, 0xc $sequence_28 = { 8dbc24de040000 668974245c f3ab 66ab } // n = 4, score = 100 // 8dbc24de040000 | cdq // 668974245c | mov ecx, 7 // f3ab | idiv ecx // 66ab | push 3 $sequence_29 = { 85c9 0f85b5010000 488d8c2450030000 e8???????? e9???????? 498d4906 } // n = 6, score = 100 // 85c9 | lea eax, [ecx - 0x2a] // 0f85b5010000 | dec eax // 488d8c2450030000 | lea eax, [esp + 0x38] // e8???????? | // e9???????? 
| // 498d4906 | dec eax $sequence_30 = { ff15???????? 41b958000000 488d1558530000 458d41d6 } // n = 4, score = 100 // ff15???????? | // 41b958000000 | inc ecx // 488d1558530000 | mov eax, 0x4000 // 458d41d6 | dec eax $sequence_31 = { 8895affbffff 8b859cfbffff 8a8daffbffff 8808 8b9588fbffff } // n = 5, score = 100 // 8895affbffff | idiv ecx // 8b859cfbffff | push edx // 8a8daffbffff | lea eax, [ebp - 0x43c] // 8808 | push eax // 8b9588fbffff | lea ecx, [ebp - 0x230] $sequence_32 = { 8b15???????? 6a01 8d4c2414 6a04 51 8944241c } // n = 6, score = 100 // 8b15???????? | // 6a01 | cdq // 8d4c2414 | mov ecx, 7 // 6a04 | add esp, 0xc // 51 | cdq // 8944241c | mov ecx, 7 $sequence_33 = { c1f906 6bc030 03048d80f10110 50 ff15???????? 5d } // n = 6, score = 100 // c1f906 | cmp ecx, dword ptr [eax*8 + 0x10017b20] // 6bc030 | je 0x37 // 03048d80f10110 | inc eax // 50 | mov dword ptr [ebp - 0x20], 0x1001bae0 // ff15???????? | // 5d | jmp 0xffffffbd $sequence_34 = { 33cc e8???????? 8be5 5d c20400 8b8c241c3c0000 83c8ff } // n = 7, score = 100 // 33cc | mov ebp, esp // e8???????? | // 8be5 | sub esp, 0x448 // 5d | xor eax, ebp // c20400 | mov dword ptr [ebp - 8], eax // 8b8c241c3c0000 | push ebx // 83c8ff | mov edi, eax $sequence_35 = { 7531 e8???????? 8904bdc87f0110 85c0 7514 } // n = 5, score = 100 // 7531 | lea edx, [ecx + 1] // e8???????? | // 8904bdc87f0110 | mov al, byte ptr [ecx] // 85c0 | inc ecx // 7514 | test al, al $sequence_36 = { 6a03 6a00 6a03 8d8424c0040000 68000000c0 50 ff15???????? } // n = 7, score = 100 // 6a03 | jne 0xffffffef // 6a00 | jmp 0x44 // 6a03 | add esi, 0x194 // 8d8424c0040000 | jmp 5 // 68000000c0 | push eax // 50 | push -0xa // ff15???????? | $sequence_37 = { 33d2 488bc8 4889742448 ff15???????? 896c2460 8bdd } // n = 6, score = 100 // 33d2 | xor edx, edx // 488bc8 | dec eax // 4889742448 | mov ecx, eax // ff15???????? 
| // 896c2460 | dec eax // 8bdd | mov dword ptr [esp + 0x48], esi $sequence_38 = { 488d9560040000 41b800400000 488bce 89442460 89442468 4889442420 ff15???????? } // n = 7, score = 100 // 488d9560040000 | lea ecx, [0x3e7] // 41b800400000 | xor eax, eax // 488bce | dec eax // 89442460 | add esp, 0x20 // 89442468 | dec eax // 4889442420 | lea edx, [ebp + 0x460] // ff15???????? | $sequence_39 = { e8???????? 83c404 eb36 8d530c } // n = 4, score = 100 // e8???????? | // 83c404 | mov eax, dword ptr [edi*4 + 0x10017fc8] // eb36 | or dword ptr [ebx + eax + 0x18], 0xffffffff // 8d530c | add esp, 0xc $sequence_40 = { 8d7201 8a0a 42 84c9 75f9 6a00 } // n = 6, score = 100 // 8d7201 | xor eax, ebp // 8a0a | mov dword ptr [ebp - 8], eax // 42 | push ebx // 84c9 | xor ecx, esp // 75f9 | mov esp, ebp // 6a00 | pop ebp $sequence_41 = { 8815???????? 488d442438 488d353a490000 41b919000200 4533c0 48c7c102000080 } // n = 6, score = 100 // 8815???????? | // 488d442438 | mov ecx, esi // 488d353a490000 | mov dword ptr [esp + 0x60], eax // 41b919000200 | mov dword ptr [esp + 0x68], eax // 4533c0 | dec eax // 48c7c102000080 | mov dword ptr [esp + 0x20], eax $sequence_42 = { 6bd030 895de4 8b049dc87f0110 8945d4 8955e8 8a5c1029 80fb02 } // n = 7, score = 100 // 6bd030 | sub esp, 0x448 // 895de4 | xor eax, ebp // 8b049dc87f0110 | mov dword ptr [ebp - 8], eax // 8945d4 | push ebx // 8955e8 | push ebp // 8a5c1029 | mov ebp, esp // 80fb02 | sub esp, 0x448 $sequence_43 = { 8b8544d4ffff 83c001 6689856cd4ffff 8a4d1c } // n = 4, score = 100 // 8b8544d4ffff | push ecx // 83c001 | mov ecx, dword ptr [ebp - 4] // 6689856cd4ffff | mov eax, 1 // 8a4d1c | mov esp, ebp $sequence_44 = { 51 68???????? 8b4dfc e8???????? b801000000 8be5 } // n = 6, score = 100 // 51 | mov dword ptr [edi], edx // 68???????? | // 8b4dfc | push 0xa00 // e8???????? 
| // b801000000 | push 0x1990 // 8be5 | push eax condition: 7 of them and filesize < 860160 } ] }, { Malware : Behinder , Description : A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github. A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github. There is no Yara-Signature yet. , YARA : [] }, { Malware : BlackCat , Description : ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network. ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. 
In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network. , YARA : [ rule elf_blackcat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects elf.blackcat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 0f0b 90 90 90 90 53 } // n = 7, score = 200 // e8???????? | // 0f0b | mov eax, ebx // 90 | mov eax, ebx // 90 | jae 0x15e6 // 90 | shr eax, 6 // 90 | mov edx, ebx // 53 | and edx, 0x3f $sequence_1 = { 69c0???????? c1e811 6bf064 29f2 0fb7d2 } // n = 5, score = 200 // 69c0???????? | // c1e811 | mov dword ptr [esp + 0x58], 8 // 6bf064 | dec eax // 29f2 | lea edi, [0x121f94] // 0fb7d2 | dec eax $sequence_2 = { e8???????? 0f0b 90 53 } // n = 4, score = 200 // e8???????? 
| // 0f0b | mov edi, dword ptr [ecx + 0x14] // 90 | mov ebp, dword ptr [ecx + 0x18] // 53 | mov ebx, dword ptr [ecx + 0xc] $sequence_3 = { 89c1 3d???????? 7319 c1e906 } // n = 4, score = 200 // 89c1 | mov ebp, dword ptr [esp + 0x84] // 3d???????? | // 7319 | mov dword ptr [esi + 8], 0xffffffff // c1e906 | cmp dword ptr [esi + 8], 0 $sequence_4 = { 660f7f8424f0010000 660f7f8424e0010000 660f7f8424d0010000 660f7f8424c0010000 660f7f8424b0010000 } // n = 5, score = 200 // 660f7f8424f0010000 | dec eax // 660f7f8424e0010000 | cmp eax, -1 // 660f7f8424d0010000 | jne 0x22c // 660f7f8424c0010000 | dec eax // 660f7f8424b0010000 | lea esi, [esp + 0x20] $sequence_5 = { d1e9 01d1 c1e902 8d14cd00000000 } // n = 4, score = 200 // d1e9 | mov esi, dword ptr [esp + 0x14] // 01d1 | mov eax, edi // c1e902 | lea edi, [ecx + edx] // 8d14cd00000000 | lea esi, [esi - 0x4b514] $sequence_6 = { b801000000 81f9???????? 0f823fffffff b802000000 } // n = 4, score = 200 // b801000000 | mov ecx, dword ptr [esp + 0x10] // 81f9???????? | // 0f823fffffff | movsd qword ptr [eax], xmm0 // b802000000 | mov dword ptr [eax + 8], edi $sequence_7 = { 69c0???????? c1e810 29c2 0fb7d2 d1ea } // n = 5, score = 200 // 69c0???????? | // c1e810 | dec eax // 29c2 | mov esi, dword ptr [esp + 0x20] // 0fb7d2 | dec eax // d1ea | mov dword ptr [esp + 0x58], 3 $sequence_8 = { 762a 0fb6c8 8d1489 8d0cd1 } // n = 4, score = 200 // 762a | mov ebx, dword ptr [esp + 0x138] // 0fb6c8 | dec eax // 8d1489 | mov eax, dword ptr [esp + 0xe0] // 8d0cd1 | mov cl, 1 $sequence_9 = { e8???????? 0f0b e8???????? 0f0b 90 90 90 } // n = 7, score = 200 // e8???????? | // 0f0b | dec ecx // e8???????? | // 0f0b | mov dword ptr [ecx], eax // 90 | dec ecx // 90 | mov dword ptr [ecx + 8], ebx // 90 | dec ecx condition: 7 of them and filesize < 8011776 } ] }, { Malware : BlueSky , Description : Ransomware. Ransomware. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : Chrysaor , Description : , YARA : [] }, { Malware : CommonMagic , Description : There is no description at this point. , YARA : [ rule win_common_magic_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.common_magic.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8d049d78824100 8b30 8945fc 90 } // n = 4, score = 100 // 8d049d78824100 | lea eax, [ebx*4 + 0x418278] // 8b30 | mov esi, dword ptr [eax] // 8945fc | mov dword ptr [ebp - 4], eax // 90 | nop $sequence_1 = { 03c0 eb3c 8bd1 b8feffff7f d1ea 2bc2 } // n = 6, score = 100 // 03c0 | add eax, eax // eb3c | jmp 0x3e // 8bd1 | mov edx, ecx // b8feffff7f | mov eax, 0x7ffffffe // d1ea | shr edx, 1 // 2bc2 | sub eax, edx $sequence_2 = { c78578ffffff00000000 c7857cffffff00000000 8d9574ffffff c645fc09 8d8d84feffff } // n = 5, score = 100 // c78578ffffff00000000 | mov dword ptr [ebp - 0x88], 0 // c7857cffffff00000000 | mov dword ptr [ebp - 0x84], 0 // 8d9574ffffff | lea edx, [ebp - 0x8c] // c645fc09 | mov byte ptr [ebp - 4], 9 // 8d8d84feffff | lea ecx, [ebp - 0x17c] $sequence_3 = { 6689855cffffff b8feffff7f 2bc1 c7856cffffff00000000 c78570ffffff07000000 } // n = 5, score = 100 // 6689855cffffff | mov word ptr [ebp - 0xa4], ax // b8feffff7f | mov eax, 0x7ffffffe // 2bc1 | sub eax, ecx // c7856cffffff00000000 | mov dword ptr [ebp - 0x94], 0 // c78570ffffff07000000 | mov dword ptr [ebp - 0x90], 7 $sequence_4 = { 33c9 8bc1 3914c5e84a4100 7408 } // n = 4, score = 100 // 33c9 | xor ecx, ecx // 8bc1 | mov eax, ecx // 3914c5e84a4100 | cmp dword ptr [eax*8 + 0x414ae8], edx // 7408 | je 0xa $sequence_5 = { c7459c65007800 c745a065000000 83f817 0f82140c0000 83bd58ffffff08 8d8544ffffff } // n = 6, score = 100 // c7459c65007800 | mov dword ptr [ebp - 0x64], 0x780065 // c745a065000000 | mov dword ptr [ebp - 0x60], 0x65 // 83f817 | cmp eax, 0x17 // 0f82140c0000 | jb 0xc1a // 83bd58ffffff08 | cmp dword ptr [ebp - 0xa8], 8 // 8d8544ffffff | lea eax, [ebp - 0xbc] $sequence_6 = { 51 50 51 ffb580feffff 8d8d5cffffff } // n = 5, score = 100 // 51 | push ecx // 50 | push eax // 51 | push ecx // ffb580feffff | push dword ptr [ebp - 0x180] // 8d8d5cffffff | lea ecx, [ebp - 0xa4] $sequence_7 = { 51 ffb580feffff 8d8d5cffffff e8???????? 
838d78feffff06 8d8de4feffff 83bdf8feffff08 } // n = 7, score = 100 // 51 | push ecx // ffb580feffff | push dword ptr [ebp - 0x180] // 8d8d5cffffff | lea ecx, [ebp - 0xa4] // e8???????? | // 838d78feffff06 | or dword ptr [ebp - 0x188], 6 // 8d8de4feffff | lea ecx, [ebp - 0x11c] // 83bdf8feffff08 | cmp dword ptr [ebp - 0x108], 8 $sequence_8 = { 8b0c8570804100 8a043b 03ce 8b75dc 03cb 43 } // n = 6, score = 100 // 8b0c8570804100 | mov ecx, dword ptr [eax*4 + 0x418070] // 8a043b | mov al, byte ptr [ebx + edi] // 03ce | add ecx, esi // 8b75dc | mov esi, dword ptr [ebp - 0x24] // 03cb | add ecx, ebx // 43 | inc ebx $sequence_9 = { 2bc2 3bc8 760e b8ffffff7f befeffff7f 03c0 } // n = 6, score = 100 // 2bc2 | sub eax, edx // 3bc8 | cmp ecx, eax // 760e | jbe 0x10 // b8ffffff7f | mov eax, 0x7fffffff // befeffff7f | mov esi, 0x7ffffffe // 03c0 | add eax, eax condition: 7 of them and filesize < 212992 } ] }, { Malware : DeimosC2 , Description : Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind. Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. 
As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind. , YARA : [ rule win_deimos_c2_w0 { meta: description = \ Detect the beacon used in the DeimosC2 framework (x64 version)\ author = \ Arkbird_SOLG\ reference = \ https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html\ date = \ 2022-11-08\ hash1 = \ 4f069ec1dc6e88a2b4e1c50a8dda6a7935f91424724499b41ff1c3a9f87b143c\ hash2 = \ 21827cb6d8409ddea5097384d86f3004f5ec4ebe387a9340d8f3443598bdd2af\ hash3 = \ dbc5b2946b58deb1c40d787e3c5386b9020086b5d01dbbfbaccc44b322aca68c\ hash4 = \ 6f3394a5980ddbc28c7e889c636cddabd48a710588a5c10427d10a19d07b1c0a\ tlp = \ Clear\ adversary = \ -\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2\ malpedia_rule_date = \ 20230221\ malpedia_hash = \ 2ee0eebba83dce3d019a90519f2f972c0fcf9686\ malpedia_version = \ 20230125\ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = { 48 83 ec 70 48 89 6c 24 68 48 8d 6c 24 68 48 c7 44 24 30 00 00 00 00 48 c7 44 24 28 00 00 00 00 48 8b 05 a7 [2] 00 48 89 04 24 48 c7 44 24 08 ff ff ff ff 48 8d 44 24 30 48 89 44 24 10 48 8d 44 24 28 48 89 44 24 18 e8 59 18 00 00 48 83 7c 24 20 00 74 35 31 c0 31 c9 eb 24 48 89 ca 48 89 c1 bb 01 00 00 00 48 d3 e3 48 23 5c 24 30 48 8d 72 01 48 85 db 48 0f 45 d6 48 ff c0 48 89 d1 48 83 f8 40 7c d6 48 85 c9 75 3e 0f 57 c0 0f 11 44 24 38 0f 11 44 24 48 0f 11 44 24 58 48 8b 05 0b [2] 00 48 89 04 24 48 8d 44 24 38 48 89 44 24 08 e8 30 17 00 00 8b 44 24 58 89 44 24 78 48 8b 6c } $s2 
= { 48 8b 05 a0 [2] 00 48 8d 0d [3] 00 48 89 04 24 48 89 4c 24 08 48 c7 44 24 10 08 02 00 00 e8 12 22 00 00 48 8b 44 24 18 48 85 c0 74 33 48 3d 08 02 00 00 77 2b 48 8d 1d [3] 00 c6 04 03 5c 48 ff c0 48 89 05 [3] 00 e9 d6 fe ff ff 31 c0 e8 9f 2e 03 00 ba 09 02 00 00 e8 c5 2e 03 00 48 8d 05 [3] 00 48 89 04 24 48 c7 44 24 } $s3 = { 48 8b 15 36 [2] 00 48 89 14 24 48 89 4c 24 08 48 89 44 24 10 48 c7 44 24 18 00 10 00 00 48 c7 44 24 20 04 00 00 00 e8 e1 a6 01 00 48 83 7c 24 28 00 40 0f 94 c6 48 8b 44 24 38 48 8b 4c 24 48 48 8b 54 24 68 48 8b 5c 24 40 e9 61 ff ff ff 48 8b 6c 24 50 48 83 c4 58 c3 48 8b 6c 24 50 48 83 } $s4 = { 48 81 ec b0 00 00 00 48 89 ac 24 a8 00 00 00 48 8d ac 24 a8 00 00 00 48 c7 44 24 48 00 00 00 00 48 8b 05 12 [2] 00 48 89 04 24 48 c7 44 24 08 ff ff ff ff 48 c7 44 24 10 fe ff ff ff 48 c7 44 24 18 ff ff ff ff 48 8d 44 24 48 48 89 44 24 20 0f 57 c0 0f 11 44 24 28 48 c7 44 24 38 02 00 00 00 e8 fb 05 00 00 65 48 8b 04 25 28 00 00 00 48 8b 80 00 00 00 00 48 8b 40 30 48 89 84 24 98 00 00 00 84 00 48 8d 88 10 03 00 00 48 89 8c 24 a0 00 00 00 48 89 0c 24 e8 45 81 fd ff 48 8b 44 24 48 48 8b 8c 24 98 00 00 00 48 89 81 18 03 00 00 48 8b 84 24 a0 00 00 00 48 89 04 24 e8 10 83 fd ff 0f 57 c0 0f 11 44 24 68 0f 11 44 24 78 0f 11 84 24 88 00 00 00 48 8b 05 84 [2] 00 48 89 04 24 48 8d 44 24 68 48 89 44 24 08 48 8d 44 24 68 48 89 44 24 10 48 c7 44 24 18 30 00 00 00 e8 de 03 00 00 48 83 7c } condition: uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*) } , rule win_deimos_c2_w1 { meta: description = \ Detect the beacon used in the DeimosC2 framework (x86 version)\ author = \ Arkbird_SOLG\ reference = \ https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html\ date = \ 2022-11-08\ hash1 = \ 29305f74260d56f94a80d514505dbef949b0e6fae7989a9cd84e956ec4f6cffe\ hash2 = \ 980b4076a9571ef2c1ef0328ce63074f22adeb29ef1001f328783ca5783979cc\ hash3 = \ a325c7729d39e5530b2c0804cd28b4dfb1d7560736ae5cbc7631fa5949cf7940\ 
hash4 = \ 8c6ab7a051eedf9f119778bdc71cd96a40f52101657881e84262237083ba4a51\ tlp = \ Clear\ adversary = \ -\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2\ malpedia_rule_date = \ 20230221\ malpedia_hash = \ 2ee0eebba83dce3d019a90519f2f972c0fcf9686\ malpedia_version = \ 20230125\ malpedia_license = \ \ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = { 83 ec 40 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 8b 05 84 [2] 00 89 04 24 c7 44 24 04 ff ff ff ff 8d 44 24 18 89 44 24 08 8d 44 24 14 89 44 24 0c e8 b1 15 00 00 8b 44 24 10 85 c0 74 32 31 c0 31 c9 eb 03 40 89 d1 83 f8 20 7d 20 19 d2 89 cb 89 c1 bd 01 00 00 00 d3 e5 21 d5 23 6c 24 18 85 ed 74 05 8d 53 01 eb dc 89 da eb d8 85 c9 75 2d 8d 7c 24 1c 31 c0 e8 a3 cc 02 00 8b 0d 74 [2] 00 89 0c 24 8d 4c 24 1c 89 4c 24 04 e8 d6 14 00 00 8b 4c 24 30 89 4c 24 44 83 c4 } $s2 = { 8b 05 78 [2] 00 8d 0d [3] 00 89 04 24 89 4c 24 04 c7 44 24 08 08 02 00 00 e8 f0 1d 00 00 8b 44 24 0c 85 c0 74 2e 3d 08 02 00 00 77 27 8d 1d [3] 00 c6 04 03 5c 40 89 05 [3] 00 e9 0b ff ff ff 31 c0 e8 24 d3 02 00 ba 09 02 00 00 e8 4a d3 02 00 8d 05 [2] 77 00 89 04 24 c7 44 24 } $s3 = { 8b 15 38 [2] 00 89 14 24 89 4c 24 04 89 44 24 08 c7 44 24 0c 00 10 00 00 c7 44 24 10 04 00 00 00 e8 32 9c 01 00 8b 44 24 14 85 c0 87 dd 0f 94 c3 87 dd 8b 44 24 18 8b 4c 24 24 8b 54 24 30 8b 5c 24 1c e9 73 ff ff ff 83 c4 28 c3 83 c4 28 c3 e8 d3 dd 01 00 8d 05 [3] 00 89 04 24 c7 44 24 04 19 00 00 00 e8 5d e6 01 00 8b 44 24 18 89 04 24 c7 44 24 04 00 00 00 00 e8 59 e3 01 00 8d 05 [3] 00 89 04 24 c7 44 24 04 19 00 00 00 e8 33 e6 01 00 8b 44 24 20 89 04 24 c7 44 24 04 00 00 00 } $s4 = { 83 ec 58 c7 44 24 24 00 00 00 00 8b 05 9c [2] 00 89 04 24 c7 44 24 04 ff ff ff ff c7 44 24 08 fe ff ff ff c7 44 24 0c ff ff ff ff 8d 44 24 24 89 44 24 10 c7 44 24 14 00 00 00 00 c7 44 24 18 00 00 00 00 c7 44 24 1c 02 00 00 00 e8 89 04 00 00 64 8b 05 14 00 00 00 8b 80 00 00 00 00 8b 40 18 89 44 24 50 84 00 8d 88 b8 01 00 00 89 4c 24 54 89 0c 24 e8 91 ab 
fd ff 8b 44 24 24 8b 4c 24 50 89 81 bc 01 00 00 8b 44 24 54 89 04 24 e8 57 ad fd ff 8d 7c 24 34 31 c0 e8 75 ba 02 00 8b 05 30 [2] 00 89 04 24 8d 44 24 34 89 44 24 04 8d 44 24 34 89 44 24 08 c7 44 24 0c 1c 00 00 00 e8 16 03 00 00 8b 44 } condition: uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*) } ] }, { Malware : Godzilla Webshell , Description : There is no description at this point. , YARA : [ rule jsp_godzilla_webshell_w0 { meta: description = \ Generic JSP webshell which uses reflection to execute user input\ license = \ Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE\ author = \ Arnim Rupp\ date = \ 2021/01/07\ hash = \ 62e6c6065b5ca45819c1fc049518c81d7d165744\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell\ malpedia_rule_date = \ 20230215\ malpedia_version = \ 20230215\ malpedia_sharing = \ TLP:WHITE\ malpedia_hash = \ \ malpedia_license = \ \ strings: $ws_exec = \ invoke\ fullword wide ascii $ws_class = \ Class\ fullword wide ascii $fp = \ SOAPConnection\ //strings from private rule capa_jsp_safe $cjsp_short1 = \ <%\ ascii wide $cjsp_short2 = \ %>\ wide ascii $cjsp_long1 = \ \ date = \ 2015-05-27\ description = \ Identify njRat\ source = \ https://github.com/mattulm/sfiles_yara/blob/master/malware/Njrat.yar\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\ malpedia_version = \ 20170517\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $a1 = \ netsh firewall add allowedprogram \ wide $a2 = \ SEE_MASK_NOZONECHECKS\ wide $b1 = \ [TAP]\ wide $b2 = \ & exit\ wide $c1 = \ md.exe /k ping 0 & del \ wide $c2 = \ cmd.exe /c ping 127.0.0.1 & del\ wide $c3 = \ cmd.exe /c ping\ wide condition: 1 of ($a*) and 1 of ($b*) and 1 of ($c*) } ] }, { Malware : PoshC2 , Description : PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.PoshC2 is 
primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes with PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes with PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. There is no Yara-Signature yet. , YARA : [] }, { Malware : PowerMagic , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : QUIETCANARY , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : SiestaGraph , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : StrifeWater RAT , Description : There is no description at this point. 
, YARA : [ rule win_strifewater_rat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.strifewater_rat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83630800 488d0d10400500 48890b c6434400 448ac6 488bd0 } // n = 6, score = 100 // 83630800 | dec eax // 488d0d10400500 | lea edx, [0x825e1] // 48890b | jmp 0x486 // c6434400 | dec eax // 448ac6 | mov dword ptr [esp + 0xc0], eax // 488bd0 | dec eax $sequence_1 = { 4183c9ff 4d8bc7 66448926 4889742420 8d4a03 ff15???????? f7d8 } // n = 7, score = 100 // 4183c9ff | nop // 4d8bc7 | mov edi, dword ptr [esp + 0x70] // 66448926 | dec eax // 4889742420 | lea edx, [esp + 0x60] // 8d4a03 | dec eax // ff15???????? | // f7d8 | cmp dword ptr [esp + 0x78], 0x10 $sequence_2 = { 663b3d???????? 0f8559010000 663b1d???????? 0f854c010000 66443b35???????? 0f853e010000 } // n = 6, score = 100 // 663b3d???????? 
| // 0f8559010000 | lea edi, [eax + esi] // 663b1d???????? | // 0f854c010000 | dec ebp // 66443b35???????? | // 0f853e010000 | test edi, edi $sequence_3 = { 488d05bb720600 488bf9 488901 8bda 488b4910 e8???????? 488b4f18 } // n = 7, score = 100 // 488d05bb720600 | dec eax // 488bf9 | lea ecx, [esp + 0x20] // 488901 | ret // 8bda | dec eax // 488b4910 | lea edx, [0x4f06b] // e8???????? | // 488b4f18 | dec eax $sequence_4 = { 4803c0 480101 4803db eb22 498b06 498bce } // n = 6, score = 100 // 4803c0 | mov word ptr [ebp + eax + 0x190], cx // 480101 | js 0x975 // 4803db | cmp eax, 0xe4 // eb22 | jae 0x975 // 498b06 | dec eax // 498bce | cwde $sequence_5 = { 488bf8 48898424c0000000 488b4e08 4885c9 7509 488d15fc350900 eb0d } // n = 7, score = 100 // 488bf8 | nop // 48898424c0000000 | dec eax // 488b4e08 | lea edx, [ebp + 0x150] // 4885c9 | dec eax // 7509 | lea ecx, [ebp + 0x190] // 488d15fc350900 | dec eax // eb0d | cmp dword ptr [eax + 0x18], 0x10 $sequence_6 = { 0903 e9???????? 488d05d8940500 0f100f 0f1006 f30f7f4dd0 f30f7f45e0 } // n = 7, score = 100 // 0903 | lea ecx, [0x460f9] // e9???????? | // 488d05d8940500 | dec eax // 0f100f | mov dword ptr [ebx], ecx // 0f1006 | dec eax // f30f7f4dd0 | lea edx, [ebx + 8] // f30f7f45e0 | xor ecx, ecx $sequence_7 = { 418d45ff 410fb68c8332b30800 410fb6b48333b30800 8bd9 } // n = 4, score = 100 // 418d45ff | dec eax // 410fb68c8332b30800 | lea eax, [0x3b0c7] // 410fb6b48333b30800 | dec eax // 8bd9 | mov ebx, ecx $sequence_8 = { 498b4e08 4c8d4508 33d2 ff15???????? 488b7508 4c8d4530 488bce } // n = 7, score = 100 // 498b4e08 | dec eax // 4c8d4508 | test ecx, ecx // 33d2 | je 0x1d4 // ff15???????? 
| // 488b7508 | dec esp // 4c8d4530 | lea eax, [0x41c6f] // 488bce | dec esp $sequence_9 = { 884dd8 488bd3 482bd7 48d1fa 4883fa0f 7426 41b001 } // n = 7, score = 100 // 884dd8 | dec eax // 488bd3 | add ebx, 0xa // 482bd7 | bts dword ptr [edi], 0x12 // 48d1fa | jmp 0x1024 // 4883fa0f | inc ecx // 7426 | mov eax, 8 // 41b001 | dec eax condition: 7 of them and filesize < 1552384 } ] }, { Malware : tomiris , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : TrickBot , Description : A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication. Q4 2016 - Detected in wild; Oct 2016 - 1st Report; 2017 - Trickbot primarily uses Necurs as vehicle for installs; Jan 2018 - Use XMRIG (Monero) miner; Feb 2018 - Bitcoin theft; Mar 2018 - Unfinished ransomware module; Q3/4 2018 - Trickbot starts being spread through Emotet. Infection Vector: 1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot; 2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot; 3. Phish > Attached MS Office > Macro enabled > Trickbot installed A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication. Q4 2016 - Detected in wild; Oct 2016 - 1st Report; 2017 - Trickbot primarily uses Necurs as vehicle for installs; Jan 2018 - Use XMRIG (Monero) miner; Feb 2018 - Bitcoin theft; Mar 2018 - Unfinished ransomware module; Q3/4 2018 - Trickbot starts being spread through Emotet. Infection Vector: 1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot; 2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot; 3. 
Phish > Attached MS Office > Macro enabled > Trickbot installed , YARA : [ rule win_trickbot_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.trickbot.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 83c002 eb0d 2500000080 f7d8 1bc0 83e007 40 } // n = 7, score = 4500 // 83c002 | add eax, 2 // eb0d | jmp 0xf // 2500000080 | and eax, 0x80000000 // f7d8 | neg eax // 1bc0 | sbb eax, eax // 83e007 | and eax, 7 // 40 | inc eax $sequence_1 = { 1bc0 83e020 83c020 eb36 } // n = 4, score = 4500 // 1bc0 | sbb eax, eax // 83e020 | and eax, 0x20 // 83c020 | add eax, 0x20 // eb36 | jmp 0x38 $sequence_2 = { eb36 2500000080 f7d8 1bc0 83e070 83c010 } // n = 6, score = 4500 // eb36 | jmp 0x38 // 2500000080 | and eax, 0x80000000 // f7d8 | neg eax // 1bc0 | sbb eax, eax // 83e070 | and eax, 0x70 // 83c010 | add eax, 0x10 $sequence_3 = { f7d8 1bc0 83e002 83c002 eb0d } // n = 5, score = 4500 // f7d8 | neg eax // 1bc0 | sbb eax, eax // 83e002 | and eax, 2 // 83c002 | add eax, 2 // eb0d | jmp 0xf $sequence_4 = { 83e070 83c010 eb25 a900000040 7411 2500000080 } // n = 6, score = 4500 // 83e070 | and eax, 0x70 // 83c010 | add eax, 0x10 // eb25 | jmp 0x27 // a900000040 | test eax, 0x40000000 // 7411 | je 0x13 // 2500000080 | and eax, 0x80000000 $sequence_5 = { 7429 a900000040 7411 2500000080 f7d8 1bc0 83e020 } // n = 7, score = 4500 // 7429 | je 0x2b // a900000040 | test eax, 0x40000000 // 7411 | je 0x13 // 2500000080 | and eax, 0x80000000 // f7d8 | neg eax // 1bc0 | sbb eax, eax // 83e020 | and eax, 0x20 $sequence_6 = { 8b07 a900000020 7429 a900000040 } // n = 4, score = 4300 // 8b07 | mov eax, dword ptr [edi] // a900000020 | test eax, 0x20000000 // 7429 | je 0x2b // a900000040 | test eax, 0x40000000 $sequence_7 = { c705????????fdffffff c705????????feffffff c705????????ffffffff e8???????? } // n = 4, score = 3700 // c705????????fdffffff | // c705????????feffffff | // c705????????ffffffff | // e8???????? 
| $sequence_8 = { 895df4 895dec 66c745f00005 895dfc } // n = 4, score = 3500 // 895df4 | neg eax // 895dec | je 0x13 // 66c745f00005 | and eax, 0x80000000 // 895dfc | neg eax $sequence_9 = { 33ff 57 6880000000 6a02 57 6a01 68000000c0 } // n = 7, score = 3400 // 33ff | dec eax // 57 | mov dword ptr [esp + 0x40], eax // 6880000000 | dec eax // 6a02 | mov eax, dword ptr [ecx + 0x48] // 57 | dec eax // 6a01 | mov dword ptr [esp + 0x38], eax // 68000000c0 | dec eax $sequence_10 = { 41 83c028 3bce 7ce9 } // n = 4, score = 3000 // 41 | inc ecx // 83c028 | add eax, 0x28 // 3bce | cmp ecx, esi // 7ce9 | jl 0xffffffeb $sequence_11 = { 488b01 4c8b4120 488b5118 488b4910 } // n = 4, score = 2800 // 488b01 | dec eax // 4c8b4120 | mov dword ptr [esp + 0x30], eax // 488b5118 | dec eax // 488b4910 | mov eax, dword ptr [ecx + 0x38] $sequence_12 = { 53 6a03 53 6a01 6800010000 } // n = 5, score = 2800 // 53 | mov eax, dword ptr [ecx + 0x40] // 6a03 | dec eax // 53 | mov dword ptr [esp + 0x30], eax // 6a01 | dec eax // 6800010000 | mov eax, dword ptr [ecx + 0x50] $sequence_13 = { 4889442428 488b4130 488b4910 4889442420 41ffd2 } // n = 5, score = 2800 // 4889442428 | dec eax // 488b4130 | mov dword ptr [esp + 0x30], eax // 488b4910 | dec eax // 4889442420 | mov eax, dword ptr [ecx + 0x38] // 41ffd2 | dec eax $sequence_14 = { 488b01 488b5118 488b4910 ffd0 } // n = 4, score = 2800 // 488b01 | dec eax // 488b5118 | mov eax, dword ptr [ecx + 0x48] // 488b4910 | dec esp // ffd0 | mov edx, dword ptr [ecx] $sequence_15 = { 4c8b4928 4c8b4120 488b5118 4889442438 488b4140 } // n = 5, score = 2800 // 4c8b4928 | mov ecx, dword ptr [ecx + 0x28] // 4c8b4120 | dec esp // 488b5118 | mov eax, dword ptr [ecx + 0x20] // 4889442438 | dec eax // 488b4140 | mov edx, dword ptr [ecx + 0x18] $sequence_16 = { 488b4148 4c8b11 4c8b4928 4c8b4120 } // n = 4, score = 2800 // 488b4148 | mov dword ptr [esp + 0x20], eax // 4c8b11 | inc ecx // 4c8b4928 | call edx // 4c8b4120 | dec eax $sequence_17 = { 4889442430 488b4138 
4889442428 488b4130 } // n = 4, score = 2800 // 4889442430 | dec eax // 488b4138 | mov dword ptr [esp + 0x28], eax // 4889442428 | dec eax // 488b4130 | mov eax, dword ptr [ecx + 0x30] $sequence_18 = { 488b5118 4889442440 488b4148 4889442438 488b4140 } // n = 5, score = 2800 // 488b5118 | mov edx, dword ptr [ecx + 0x18] // 4889442440 | dec eax // 488b4148 | mov dword ptr [esp + 0x40], eax // 4889442438 | dec eax // 488b4140 | mov eax, dword ptr [ecx + 0x48] $sequence_19 = { 4889442438 488b4140 4889442430 488b4138 } // n = 4, score = 2800 // 4889442438 | dec eax // 488b4140 | mov dword ptr [esp + 0x38], eax // 4889442430 | dec eax // 488b4138 | mov eax, dword ptr [ecx + 0x40] $sequence_20 = { 6820bf0200 68905f0100 68905f0100 50 ff15???????? } // n = 5, score = 2000 // 6820bf0200 | dec eax // 68905f0100 | mov dword ptr [esp + 0x38], eax // 68905f0100 | dec eax // 50 | mov eax, dword ptr [ecx + 0x40] // ff15???????? | $sequence_21 = { 2bc2 d1e8 03c2 c1e806 6bc05f } // n = 5, score = 2000 // 2bc2 | mov eax, dword ptr [ecx + 0x50] // d1e8 | dec esp // 03c2 | mov edx, dword ptr [ecx] // c1e806 | dec esp // 6bc05f | mov ecx, dword ptr [ecx + 0x28] $sequence_22 = { 83780400 7404 8b4008 c3 } // n = 4, score = 2000 // 83780400 | mov eax, dword ptr [ecx + 0x30] // 7404 | dec eax // 8b4008 | mov ecx, dword ptr [ecx + 0x10] // c3 | dec eax $sequence_23 = { 51 68e9fd0000 50 e8???????? } // n = 4, score = 1800 // 51 | dec eax // 68e9fd0000 | mov eax, dword ptr [ecx + 0x48] // 50 | dec eax // e8???????? | $sequence_24 = { 6a40 6800300000 6a70 6a00 } // n = 4, score = 1800 // 6a40 | mov eax, dword ptr [ecx + 0x38] // 6800300000 | dec eax // 6a70 | mov dword ptr [esp + 0x28], eax // 6a00 | dec eax $sequence_25 = { 833800 751c 83781000 7516 } // n = 4, score = 1600 // 833800 | mov eax, dword ptr [ecx + 0x50] // 751c | dec esp // 83781000 | mov edx, dword ptr [ecx] // 7516 | dec esp $sequence_26 = { c3 6a01 ff15???????? 
50 } // n = 4, score = 1500 // c3 | ret // 6a01 | push 1 // ff15???????? | // 50 | push eax $sequence_27 = { 8b01 59 03d0 52 } // n = 4, score = 1300 // 8b01 | mov edx, dword ptr [ecx + 0x18] // 59 | dec eax // 03d0 | mov dword ptr [esp + 0x38], eax // 52 | dec eax $sequence_28 = { 85c0 7f0b e8???????? 8b05???????? } // n = 4, score = 1300 // 85c0 | mov dword ptr [esp + 0x20], eax // 7f0b | inc ecx // e8???????? | // 8b05???????? | $sequence_29 = { 03d0 52 ebdc 89450c } // n = 4, score = 1300 // 03d0 | mov eax, dword ptr [ecx + 0x38] // 52 | dec eax // ebdc | mov dword ptr [esp + 0x28], eax // 89450c | dec eax $sequence_30 = { 8bc1 66ad 85c0 741c } // n = 4, score = 1300 // 8bc1 | mov ecx, dword ptr [ecx + 0x28] // 66ad | dec esp // 85c0 | mov eax, dword ptr [ecx + 0x20] // 741c | dec eax $sequence_31 = { e8???????? 83f801 7411 ba0a000000 } // n = 4, score = 1300 // e8???????? | // 83f801 | mov dword ptr [esp + 0x30], eax // 7411 | dec eax // ba0a000000 | mov eax, dword ptr [ecx + 0x38] $sequence_32 = { 85c0 741c 3bc1 7213 } // n = 4, score = 1200 // 85c0 | mov dword ptr [esp + 0x20], eax // 741c | dec eax // 3bc1 | mov eax, dword ptr [ecx + 0x38] // 7213 | dec eax $sequence_33 = { 7405 e8???????? ff15???????? 8bc3 } // n = 4, score = 1200 // 7405 | dec eax // e8???????? | // ff15???????? 
| // 8bc3 | mov dword ptr [esp + 0x28], eax $sequence_34 = { c1e102 2bc1 8b00 894508 } // n = 4, score = 1200 // c1e102 | dec esp // 2bc1 | mov eax, dword ptr [ecx + 0x20] // 8b00 | dec eax // 894508 | mov edx, dword ptr [ecx + 0x18] $sequence_35 = { 50 8b450c ff4d0c ba28000000 } // n = 4, score = 1200 // 50 | mov ecx, dword ptr [ecx + 0x28] // 8b450c | dec esp // ff4d0c | mov eax, dword ptr [ecx + 0x20] // ba28000000 | dec eax $sequence_36 = { 895510 8b4a04 ff5508 8b5510 8b4a0c } // n = 5, score = 1100 // 895510 | neg eax // 8b4a04 | sbb eax, eax // ff5508 | sbb eax, eax // 8b5510 | and eax, 2 // 8b4a0c | add eax, 2 $sequence_37 = { 2bc1 8b00 3bc7 72f2 } // n = 4, score = 1100 // 2bc1 | dec esp // 8b00 | mov eax, dword ptr [ecx + 0x20] // 3bc7 | dec eax // 72f2 | mov edx, dword ptr [ecx + 0x18] $sequence_38 = { 8b4a04 ff5508 50 51 } // n = 4, score = 1100 // 8b4a04 | mov dword ptr [esp + 0x38], eax // ff5508 | dec eax // 50 | mov eax, dword ptr [ecx + 0x40] // 51 | dec eax $sequence_39 = { ff4d0c ba28000000 f7e2 8d9500040000 03d0 895510 } // n = 6, score = 1000 // ff4d0c | dec eax // ba28000000 | mov dword ptr [esp + 0x40], eax // f7e2 | dec eax // 8d9500040000 | mov eax, dword ptr [ecx + 0x48] // 03d0 | dec eax // 895510 | mov dword ptr [esp + 0x38], eax $sequence_40 = { 740f 8bc8 e8???????? 8bc3 } // n = 4, score = 900 // 740f | jmp 0x36 // 8bc8 | test eax, 0x20000000 // e8???????? | // 8bc3 | je 0x2b $sequence_41 = { 58 41 41 41 41 } // n = 5, score = 900 // 58 | dec eax // 41 | mov edx, dword ptr [ecx + 0x18] // 41 | dec eax // 41 | mov dword ptr [esp + 0x40], eax // 41 | dec eax $sequence_42 = { 8bcf e8???????? 8bf0 85ed } // n = 4, score = 900 // 8bcf | mov dword ptr [esp + 0x30], eax // e8???????? | // 8bf0 | dec eax // 85ed | mov eax, dword ptr [ecx + 0x38] $sequence_43 = { 85c0 7911 8bc8 e8???????? bb11000000 } // n = 5, score = 900 // 85c0 | test eax, 0x40000000 // 7911 | je 0x20 // 8bc8 | and eax, 0x80000000 // e8???????? 
| // bb11000000 | neg eax $sequence_44 = { e8???????? 85c0 7507 e8???????? eb5b } // n = 5, score = 900 // e8???????? | // 85c0 | jmp 0x27 // 7507 | test eax, 0x40000000 // e8???????? | // eb5b | je 0x1a $sequence_45 = { 89742428 c744242000001f00 ff15???????? 85c0 7911 } // n = 5, score = 900 // 89742428 | add eax, 0x20 // c744242000001f00 | jmp 0x40 // ff15???????? | // 85c0 | jmp 0x38 // 7911 | and eax, 0x80000000 $sequence_46 = { 7c22 3c39 7f1e 0fbec0 } // n = 4, score = 900 // 7c22 | test eax, 0x40000000 // 3c39 | je 0x1a // 7f1e | and eax, 0x80000000 // 0fbec0 | add eax, 0x10 $sequence_47 = { 3bd1 0f8293000000 038e8c000000 3bd1 0f8385000000 } // n = 5, score = 900 // 3bd1 | add eax, 0x20 // 0f8293000000 | jmp 0x38 // 038e8c000000 | and eax, 0x80000000 // 3bd1 | neg eax // 0f8385000000 | add eax, 0x20 $sequence_48 = { ffc1 663938 75f5 6603c9 } // n = 4, score = 900 // ffc1 | and eax, 2 // 663938 | add eax, 2 // 75f5 | jmp 0x15 // 6603c9 | and eax, 0x80000000 $sequence_49 = { ff15???????? 8bf0 c1ee1f 83f601 } // n = 4, score = 900 // ff15???????? | // 8bf0 | dec eax // c1ee1f | mov eax, dword ptr [ecx + 0x40] // 83f601 | dec eax $sequence_50 = { 85d2 745b 3bd1 0f8293000000 } // n = 4, score = 900 // 85d2 | neg eax // 745b | and eax, 0x70 // 3bd1 | add eax, 0x10 // 0f8293000000 | jmp 0x2d $sequence_51 = { 41 50 2bc1 8b00 } // n = 4, score = 800 // 41 | mov eax, dword ptr [ecx + 0x30] // 50 | dec eax // 2bc1 | mov eax, dword ptr [ecx + 0x50] // 8b00 | dec esp $sequence_52 = { 8bc8 33c0 85c9 0f95c0 eb02 } // n = 5, score = 800 // 8bc8 | dec eax // 33c0 | mov dword ptr [esp + 0x28], eax // 85c9 | dec eax // 0f95c0 | mov eax, dword ptr [ecx + 0x30] // eb02 | dec eax $sequence_53 = { 894504 68f0ff0000 59 8bf7 8bd7 } // n = 5, score = 700 // 894504 | sbb eax, eax // 68f0ff0000 | and eax, 0x20 // 59 | add eax, 2 // 8bf7 | jmp 0xf // 8bd7 | and eax, 0x80000000 $sequence_54 = { 8bc7 e8???????? 
85c0 0f849f000000 } // n = 4, score = 700 // 8bc7 | mov dword ptr [esp + 0x28], eax // e8???????? | // 85c0 | dec eax // 0f849f000000 | mov eax, dword ptr [ecx + 0x30] $sequence_55 = { 8bf7 8bd7 fc 8bc1 } // n = 4, score = 700 // 8bf7 | jmp 0x38 // 8bd7 | and eax, 0x80000000 // fc | neg eax // 8bc1 | sbb eax, eax $sequence_56 = { 59 50 e2fd 8bc7 } // n = 4, score = 700 // 59 | add eax, 0x10 // 50 | and eax, 2 // e2fd | add eax, 2 // 8bc7 | jmp 0x12 $sequence_57 = { 8dbf00500310 8bd6 897d08 3bc8 } // n = 4, score = 200 // 8dbf00500310 | mov dword ptr [esp + 0x28], eax // 8bd6 | dec eax // 897d08 | mov eax, dword ptr [ecx + 0x30] // 3bc8 | dec eax $sequence_58 = { 6a00 ff15???????? 6a00 6a00 6a00 8d45dc } // n = 6, score = 200 // 6a00 | mov dword ptr [esp + 0x38], eax // ff15???????? | // 6a00 | dec eax // 6a00 | mov eax, dword ptr [ecx + 0x40] // 6a00 | dec eax // 8d45dc | mov dword ptr [esp + 0x30], eax $sequence_59 = { 8b7d10 2bf9 53 50 } // n = 4, score = 200 // 8b7d10 | mov ecx, dword ptr [ecx + 0x10] // 2bf9 | dec eax // 53 | mov dword ptr [esp + 0x20], eax // 50 | dec eax $sequence_60 = { 83c001 8945d4 8b4dfc 51 8b55d4 } // n = 5, score = 100 // 83c001 | mov dword ptr [esp + 0x28], eax // 8945d4 | dec eax // 8b4dfc | mov eax, dword ptr [ecx + 0x30] // 51 | dec eax // 8b55d4 | mov ecx, dword ptr [ecx + 0x10] $sequence_61 = { 8b4dd0 894dd8 837dd840 760b 8b55d8 } // n = 5, score = 100 // 8b4dd0 | dec eax // 894dd8 | mov edx, dword ptr [ecx + 0x18] // 837dd840 | dec eax // 760b | mov dword ptr [esp + 0x38], eax // 8b55d8 | dec eax $sequence_62 = { 8d3c0e 2b75f8 33c7 2bd0 ff4dfc 75ba 8b4508 } // n = 7, score = 100 // 8d3c0e | neg eax // 2b75f8 | and eax, 0x20 // 33c7 | add eax, 0x20 // 2bd0 | jmp 0x3b // ff4dfc | and eax, 0x80000000 // 75ba | neg eax // 8b4508 | sbb eax, eax $sequence_63 = { 42 42 3b5508 7202 8bd6 83c104 } // n = 6, score = 100 // 42 | mov edx, dword ptr [ecx + 0x18] // 42 | dec eax // 3b5508 | mov ecx, dword ptr [ecx + 0x10] // 7202 | dec eax // 
8bd6 | mov eax, dword ptr [ecx + 0x50] // 83c104 | dec esp $sequence_64 = { bf31e7bf31 e7bf 31e7 bf31e7bf31 e7bf } // n = 5, score = 100 // bf31e7bf31 | add eax, 2 // e7bf | jmp 0x15 // 31e7 | and eax, 0x80000000 // bf31e7bf31 | neg eax // e7bf | test eax, 0x20000000 $sequence_65 = { 8b01 3302 52 8bd0 51 03cf 51 } // n = 7, score = 100 // 8b01 | mov ecx, dword ptr [ecx + 0x28] // 3302 | dec esp // 52 | mov eax, dword ptr [ecx + 0x20] // 8bd0 | dec eax // 51 | mov edx, dword ptr [ecx + 0x18] // 03cf | dec eax // 51 | mov dword ptr [esp + 0x38], eax $sequence_66 = { 56 57 33f6 bf???????? 833cf594f3000101 } // n = 5, score = 100 // 56 | add eax, 2 // 57 | jmp 0xf // 33f6 | and eax, 0x80000000 // bf???????? | // 833cf594f3000101 | neg eax $sequence_67 = { 8945cc ebee 8b45d8 48 50 8b45cc 40 } // n = 7, score = 100 // 8945cc | dec eax // ebee | mov eax, dword ptr [ecx + 0x38] // 8b45d8 | dec eax // 48 | mov eax, dword ptr [ecx + 0x48] // 50 | dec esp // 8b45cc | mov edx, dword ptr [ecx] // 40 | dec esp $sequence_68 = { ff75f8 ff15???????? 8945fc 837dfc00 750d } // n = 5, score = 100 // ff75f8 | mov edx, dword ptr [ecx] // ff15???????? | // 8945fc | dec esp // 837dfc00 | mov ecx, dword ptr [ecx + 0x28] // 750d | dec esp $sequence_69 = { 6a00 6858020000 ff15???????? 837dfc00 74ce } // n = 5, score = 100 // 6a00 | mov eax, dword ptr [ecx + 0x20] // 6858020000 | dec eax // ff15???????? | // 837dfc00 | mov dword ptr [esp + 0x40], eax // 74ce | dec eax $sequence_70 = { e8???????? 03c6 50 e8???????? 8b7710 83c40c 2bf3 } // n = 7, score = 100 // e8???????? | // 03c6 | neg eax // 50 | sbb eax, eax // e8???????? 
| // 8b7710 | and eax, 0x80000000 // 83c40c | neg eax // 2bf3 | sbb eax, eax $sequence_71 = { 55 8bec 83ec34 c745cc00000000 6a00 685b020000 6a00 } // n = 7, score = 100 // 55 | mov eax, dword ptr [ecx + 0x40] // 8bec | dec eax // 83ec34 | mov dword ptr [esp + 0x30], eax // c745cc00000000 | dec eax // 6a00 | mov eax, dword ptr [ecx] // 685b020000 | dec esp // 6a00 | mov eax, dword ptr [ecx + 0x20] $sequence_72 = { 42 42 8b01 83c202 33c3 890439 } // n = 6, score = 100 // 42 | dec eax // 42 | mov ecx, dword ptr [ecx + 0x10] // 8b01 | dec eax // 83c202 | mov dword ptr [esp + 0x20], eax // 33c3 | inc ecx // 890439 | call edx $sequence_73 = { 8945e4 3bc6 7305 8b750c } // n = 4, score = 100 // 8945e4 | je 0x2b // 3bc6 | test eax, 0x40000000 // 7305 | je 0x1a // 8b750c | and eax, 0x80000000 $sequence_74 = { 9c 000f 9c 000f 9c f7a053f7a053 } // n = 6, score = 100 // 9c | je 0x1a // 000f | sbb eax, eax // 9c | and eax, 2 // 000f | add eax, 2 // 9c | jmp 0x15 // f7a053f7a053 | and eax, 0x80000000 $sequence_75 = { 8bec e8???????? 8b4d08 e8???????? 5d c20400 } // n = 6, score = 100 // 8bec | and eax, 0x70 // e8???????? | // 8b4d08 | add eax, 0x10 // e8???????? | // 5d | jmp 0x27 // c20400 | test eax, 0x40000000 $sequence_76 = { c705????????ad380001 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 } // n = 7, score = 100 // c705????????ad380001 | // 8935???????? | // a3???????? | // ff15???????? | // a3???????? 
| // 83f8ff | and eax, 0x70 // 0f84c1000000 | add eax, 0x10 condition: 7 of them and filesize < 712704 } , rule win_trickbot_w0 { meta: author = \ Marc Salinas @Bondey_m\ description = \ Detects mailsearcher module from Trickbot Trojan\ reference = \ https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot\ malpedia_version = \ 20170613\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $str_mails_01 = \ mailsearcher\ $str_mails_02 = \ handler\ $str_mails_03 = \ conf\ $str_mails_04 = \ ctl\ $str_mails_05 = \ SetConf\ $str_mails_06 = \ file\ $str_mails_07 = \ needinfo\ $str_mails_08 = \ mailconf\ condition: all of ($str_mails_*) } , rule win_trickbot_w1 { meta: description = \ Trickbot Socks5 bckconnect module\ author = \ @VK_Intel\ reference = \ Detects the unpacked Trickbot backconnect in memory\ date = \ 2017-11-19\ hash = \ f2428d5ff8c93500da92f90154eebdf0\ source = \ http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot\ malpedia_version = \ 20171214\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $s0 = \ socks5dll.dll\ fullword ascii $s1 = \ auth_login\ fullword ascii $s2 = \ auth_ip\ fullword ascii $s3 = \ connect\ fullword ascii $s4 = \ auth_ip\ fullword ascii $s5 = \ auth_pass\ fullword ascii $s6 = \ thread.entry_event\ fullword ascii $s7 = \ thread.exit_event\ fullword ascii $s8 = \ \ fullword ascii $s9 = \ \ fullword ascii $s10 = \ yes\ fullword ascii condition: all of them } ] }, { Malware : Tunna , Description : WebShell. WebShell. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : Unidentified JS 006 (Winter Wyvern) , Description : A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests. A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests. There is no Yara-Signature yet. , YARA : [] }, { Malware : VBREVSHELL , Description : According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls. According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls. There is no Yara-Signature yet. , YARA : [] }, { Malware : WellMess , Description : WellMess is a Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \ gost\ . Command and Control traffic is handled via HTTP using the Set-Cookie field and message body. WellMess is a Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \ gost\ . Command and Control traffic is handled via HTTP using the Set-Cookie field and message body. 
, YARA : [ rule win_wellmess_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2020-10-14\ version = \ 1\ description = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.5.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess\ malpedia_rule_date = \ 20201014\ malpedia_hash = \ a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9\ malpedia_version = \ 20201014\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { eba1 48 89f0 48 89ce eb8a 48 } // n = 7, score = 100 // eba1 | jmp 0xffffffa3 // 48 | dec eax // 89f0 | mov eax, esi // 48 | dec eax // 89ce | mov esi, ecx // eb8a | jmp 0xffffff8c // 48 | dec eax $sequence_1 = { c744247806000000 48 8b05???????? 48 89442440 48 8d0dfb481a00 } // n = 7, score = 100 // c744247806000000 | mov dword ptr [esp + 0x78], 6 // 48 | dec eax // 8b05???????? | // 48 | dec eax // 89442440 | mov dword ptr [esp + 0x40], eax // 48 | dec eax // 8d0dfb481a00 | lea ecx, [0x1a48fb] $sequence_2 = { e8???????? 48 8b842490000000 48 8b4c2450 e9???????? 48 } // n = 7, score = 100 // e8???????? | // 48 | dec eax // 8b842490000000 | mov eax, dword ptr [esp + 0x90] // 48 | dec eax // 8b4c2450 | mov ecx, dword ptr [esp + 0x50] // e9???????? 
| // 48 | dec eax $sequence_3 = { c3 48 89842458010000 48 898c2460010000 48 8bac2428010000 } // n = 7, score = 100 // c3 | ret // 48 | dec eax // 89842458010000 | mov dword ptr [esp + 0x158], eax // 48 | dec eax // 898c2460010000 | mov dword ptr [esp + 0x160], ecx // 48 | dec eax // 8bac2428010000 | mov ebp, dword ptr [esp + 0x128] $sequence_4 = { c3 48 8d05ce6e2200 48 890424 48 c744240804000000 } // n = 7, score = 100 // c3 | ret // 48 | dec eax // 8d05ce6e2200 | lea eax, [0x226ece] // 48 | dec eax // 890424 | mov dword ptr [esp], eax // 48 | dec eax // c744240804000000 | mov dword ptr [esp + 8], 4 $sequence_5 = { c744246400000000 48 c744246800000000 48 c744247000000000 48 c7c214000000 } // n = 7, score = 100 // c744246400000000 | mov dword ptr [esp + 0x64], 0 // 48 | dec eax // c744246800000000 | mov dword ptr [esp + 0x68], 0 // 48 | dec eax // c744247000000000 | mov dword ptr [esp + 0x70], 0 // 48 | dec eax // c7c214000000 | mov edx, 0x14 $sequence_6 = { 89ce 7460 81fbe263de7a 750e 48 8d0d8a270a00 48 } // n = 7, score = 100 // 89ce | mov esi, ecx // 7460 | je 0x62 // 81fbe263de7a | cmp ebx, 0x7ade63e2 // 750e | jne 0x10 // 48 | dec eax // 8d0d8a270a00 | lea ecx, [0xa278a] // 48 | dec eax $sequence_7 = { c3 48 891c24 48 89742408 48 8d054d350b00 } // n = 7, score = 100 // c3 | ret // 48 | dec eax // 891c24 | mov dword ptr [esp], ebx // 48 | dec eax // 89742408 | mov dword ptr [esp + 8], esi // 48 | dec eax // 8d054d350b00 | lea eax, [0xb354d] $sequence_8 = { f248 0f2cd1 48 8d5a30 885c0c1c 48 ffc1 } // n = 7, score = 100 // f248 | dec eax // 0f2cd1 | cvttps2pi mm2, xmm1 // 48 | dec eax // 8d5a30 | lea ebx, [edx + 0x30] // 885c0c1c | mov byte ptr [esp + ecx + 0x1c], bl // 48 | dec eax // ffc1 | inc ecx $sequence_9 = { c744245014000000 48 8d0549251e00 48 890424 48 8b4c2438 } // n = 7, score = 100 // c744245014000000 | mov dword ptr [esp + 0x50], 0x14 // 48 | dec eax // 8d0549251e00 | lea eax, [0x1e2549] // 48 | dec eax // 890424 | mov dword ptr [esp], eax // 48 | dec 
eax // 8b4c2438 | mov ecx, dword ptr [esp + 0x38] condition: 7 of them and filesize < 12279808 } ] }, { Malware : AppleJeus , Description : According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro. According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro. , YARA : [ rule osx_applejeus_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2020-10-14\ version = \ 1\ description = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.5.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus\ malpedia_rule_date = \ 20201014\ malpedia_hash = \ a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9\ malpedia_version = \ 20201014\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8d9d90f1ffff 0f294370 0f294360 0f294350 0f294340 } // n = 5, score = 100 // 8d9d90f1ffff | lea ebx, [ebp - 0xe70] // 0f294370 | movaps xmmword ptr [ebx + 0x70], xmm0 // 0f294360 | movaps xmmword ptr [ebx + 0x60], xmm0 // 0f294350 | movaps xmmword ptr [ebx + 0x50], xmm0 // 0f294340 | movaps xmmword ptr [ebx + 0x40], xmm0 $sequence_1 = { e8???????? 49 89c7 bf00000300 e8???????? 49 89c6 } // n = 7, score = 100 // e8???????? | // 49 | dec ecx // 89c7 | mov edi, eax // bf00000300 | mov edi, 0x30000 // e8???????? | // 49 | dec ecx // 89c6 | mov esi, eax $sequence_2 = { 0f294310 0f2903 48 8d3586120000 48 } // n = 5, score = 100 // 0f294310 | movaps xmmword ptr [ebx + 0x10], xmm0 // 0f2903 | movaps xmmword ptr [ebx], xmm0 // 48 | dec eax // 8d3586120000 | lea esi, [0x1286] // 48 | dec eax $sequence_3 = { 0f294730 41 0f294720 41 } // n = 4, score = 100 // 0f294730 | movaps xmmword ptr [edi + 0x30], xmm0 // 41 | inc ecx // 0f294720 | movaps xmmword ptr [edi + 0x20], xmm0 // 41 | inc ecx $sequence_4 = { 89f7 e8???????? 48 8d35cb140000 48 8d9590f3ffff } // n = 6, score = 100 // 89f7 | mov edi, esi // e8???????? | // 48 | dec eax // 8d35cb140000 | lea esi, [0x14cb] // 48 | dec eax // 8d9590f3ffff | lea edx, [ebp - 0xc70] $sequence_5 = { 03bdc0fbfcff 41 81fe00000300 0f8380000000 49 } // n = 5, score = 100 // 03bdc0fbfcff | add edi, dword ptr [ebp - 0x30440] // 41 | inc ecx // 81fe00000300 | cmp esi, 0x30000 // 0f8380000000 | jae 0x86 // 49 | dec ecx $sequence_6 = { 89e7 ff15???????? 48 8bbd48f1ffff 48 } // n = 5, score = 100 // 89e7 | mov edi, esp // ff15???????? | // 48 | dec eax // 8bbd48f1ffff | mov edi, dword ptr [ebp - 0xeb8] // 48 | dec eax $sequence_7 = { 89f7 e8???????? 48 89c6 31c0 } // n = 5, score = 100 // 89f7 | mov edi, esi // e8???????? | // 48 | dec eax // 89c6 | mov esi, eax // 31c0 | xor eax, eax $sequence_8 = { 4c 89e7 48 8d35c6090000 e8???????? 
84c0 } // n = 6, score = 100 // 4c | dec esp // 89e7 | mov edi, esp // 48 | dec eax // 8d35c6090000 | lea esi, [0x9c6] // e8???????? | // 84c0 | test al, al $sequence_9 = { 83c706 e8???????? 89c3 4c 8dbdccfbffff } // n = 5, score = 100 // 83c706 | add edi, 6 // e8???????? | // 89c3 | mov ebx, eax // 4c | dec esp // 8dbdccfbffff | lea edi, [ebp - 0x434] condition: 7 of them and filesize < 78336 } ] }, { Malware : AppleJeus , Description : There is no description at this point. , YARA : [ rule win_applejeus_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.applejeus.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8902 8b4608 8b08 8b4604 810044f3ffff 8100bc0c0000 } // n = 6, score = 100 // 8902 | mov dword ptr [edx], eax // 8b4608 | mov eax, dword ptr [esi + 8] // 8b08 | mov ecx, dword ptr [eax] // 8b4604 | mov eax, dword ptr [esi + 4] // 810044f3ffff | add dword ptr [eax], 0xfffff344 // 8100bc0c0000 | add dword ptr [eax], 0xcbc $sequence_1 = { 8b4604 8b00 33c2 0f8583000000 c745f45b000000 8b45f4 83f032 } // n = 7, score = 100 // 8b4604 | mov eax, dword ptr [esi + 4] // 8b00 | mov eax, dword ptr [eax] // 33c2 | xor eax, edx // 0f8583000000 | jne 0x89 // c745f45b000000 | mov dword ptr [ebp - 0xc], 0x5b // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // 83f032 | xor eax, 0x32 $sequence_2 = { 8945dc 8d45d0 c745d0a08e4200 897dd4 8975d8 0f1145b0 } // n = 6, score = 100 // 8945dc | mov dword ptr [ebp - 0x24], eax // 8d45d0 | lea eax, [ebp - 0x30] // c745d0a08e4200 | mov dword ptr [ebp - 0x30], 0x428ea0 // 897dd4 | mov dword ptr [ebp - 0x2c], edi // 8975d8 | mov dword ptr [ebp - 0x28], esi // 0f1145b0 | movups xmmword ptr [ebp - 0x50], xmm0 $sequence_3 = { 8b4a04 50 0f1145c8 c745a8e0294200 0f1145d8 897dac 8975b0 } // n = 7, score = 100 // 8b4a04 | mov ecx, dword ptr [edx + 4] // 50 | push eax // 0f1145c8 | movups xmmword ptr [ebp - 0x38], xmm0 // c745a8e0294200 | mov dword ptr [ebp - 0x58], 0x4229e0 // 0f1145d8 | movups xmmword ptr [ebp - 0x28], xmm0 // 897dac | mov dword ptr [ebp - 0x54], edi // 8975b0 | mov dword ptr [ebp - 0x50], esi $sequence_4 = { e8???????? 8b4dc8 83c414 8945cc 89851cffffff c700???????? 897004 } // n = 7, score = 100 // e8???????? | // 8b4dc8 | mov ecx, dword ptr [ebp - 0x38] // 83c414 | add esp, 0x14 // 8945cc | mov dword ptr [ebp - 0x34], eax // 89851cffffff | mov dword ptr [ebp - 0xe4], eax // c700???????? 
| // 897004 | mov dword ptr [eax + 4], esi $sequence_5 = { c745e400000000 8b410c 50 6a00 51 8b04851cfb4600 ffd0 } // n = 7, score = 100 // c745e400000000 | mov dword ptr [ebp - 0x1c], 0 // 8b410c | mov eax, dword ptr [ecx + 0xc] // 50 | push eax // 6a00 | push 0 // 51 | push ecx // 8b04851cfb4600 | mov eax, dword ptr [eax*4 + 0x46fb1c] // ffd0 | call eax $sequence_6 = { c68589f5ffff7d c6858af5ffff85 c6858bf5ffff72 c6858cf5ffff83 c6858df5ffff59 c6858ef5ffff3a c6858ff5ffff77 } // n = 7, score = 100 // c68589f5ffff7d | mov byte ptr [ebp - 0xa77], 0x7d // c6858af5ffff85 | mov byte ptr [ebp - 0xa76], 0x85 // c6858bf5ffff72 | mov byte ptr [ebp - 0xa75], 0x72 // c6858cf5ffff83 | mov byte ptr [ebp - 0xa74], 0x83 // c6858df5ffff59 | mov byte ptr [ebp - 0xa73], 0x59 // c6858ef5ffff3a | mov byte ptr [ebp - 0xa72], 0x3a // c6858ff5ffff77 | mov byte ptr [ebp - 0xa71], 0x77 $sequence_7 = { 8d4db0 e9???????? 8d4db4 e9???????? 8d4dac e9???????? 8b542408 } // n = 7, score = 100 // 8d4db0 | lea ecx, [ebp - 0x50] // e9???????? | // 8d4db4 | lea ecx, [ebp - 0x4c] // e9???????? | // 8d4dac | lea ecx, [ebp - 0x54] // e9???????? | // 8b542408 | mov edx, dword ptr [esp + 8] $sequence_8 = { e8???????? 8b7588 8d4d94 83c418 e8???????? c78568ffffffd5030000 8b8568ffffff } // n = 7, score = 100 // e8???????? | // 8b7588 | mov esi, dword ptr [ebp - 0x78] // 8d4d94 | lea ecx, [ebp - 0x6c] // 83c418 | add esp, 0x18 // e8???????? | // c78568ffffffd5030000 | mov dword ptr [ebp - 0x98], 0x3d5 // 8b8568ffffff | mov eax, dword ptr [ebp - 0x98] $sequence_9 = { 8d85d42e0000 50 ff15???????? 57 ff15???????? e9???????? ff15???????? } // n = 7, score = 100 // 8d85d42e0000 | lea eax, [ebp + 0x2ed4] // 50 | push eax // ff15???????? | // 57 | push edi // ff15???????? | // e9???????? | // ff15???????? | condition: 7 of them and filesize < 1245184 } ] }, { Malware : RisePro , Description : RisePro is a stealer that is spread through downloaders like win.privateloader. 
Once executed on a system, the malware can steal credit card information, passwords, and personal data. RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data. , YARA : [ rule win_risepro_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.risepro.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0fb645ff 50 8b4de8 e8???????? 8b4dec 83c901 894dec } // n = 7, score = 100 // 0fb645ff | movzx eax, byte ptr [ebp - 1] // 50 | push eax // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // e8???????? | // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 83c901 | or ecx, 1 // 894dec | mov dword ptr [ebp - 0x14], ecx $sequence_1 = { e8???????? 8945c8 8d4d0c e8???????? 8945cc 8d45d7 50 } // n = 7, score = 100 // e8???????? 
| // 8945c8 | mov dword ptr [ebp - 0x38], eax // 8d4d0c | lea ecx, [ebp + 0xc] // e8???????? | // 8945cc | mov dword ptr [ebp - 0x34], eax // 8d45d7 | lea eax, [ebp - 0x29] // 50 | push eax $sequence_2 = { 8bec 83ec0c 8955f8 894dfc 8b4dfc e8???????? 8bc8 } // n = 7, score = 100 // 8bec | mov ebp, esp // 83ec0c | sub esp, 0xc // 8955f8 | mov dword ptr [ebp - 8], edx // 894dfc | mov dword ptr [ebp - 4], ecx // 8b4dfc | mov ecx, dword ptr [ebp - 4] // e8???????? | // 8bc8 | mov ecx, eax $sequence_3 = { 894214 8b4df8 e8???????? 8945d4 837de010 } // n = 5, score = 100 // 894214 | mov dword ptr [edx + 0x14], eax // 8b4df8 | mov ecx, dword ptr [ebp - 8] // e8???????? | // 8945d4 | mov dword ptr [ebp - 0x2c], eax // 837de010 | cmp dword ptr [ebp - 0x20], 0x10 $sequence_4 = { 8bcc 8965bc 8d552c 52 e8???????? 8945b8 c645fc04 } // n = 7, score = 100 // 8bcc | mov ecx, esp // 8965bc | mov dword ptr [ebp - 0x44], esp // 8d552c | lea edx, [ebp + 0x2c] // 52 | push edx // e8???????? | // 8945b8 | mov dword ptr [ebp - 0x48], eax // c645fc04 | mov byte ptr [ebp - 4], 4 $sequence_5 = { 33c0 8885eafeffff 33c9 888de9feffff } // n = 4, score = 100 // 33c0 | xor eax, eax // 8885eafeffff | mov byte ptr [ebp - 0x116], al // 33c9 | xor ecx, ecx // 888de9feffff | mov byte ptr [ebp - 0x117], cl $sequence_6 = { 6800000080 680000cf00 68???????? 68???????? 6800020000 ff15???????? 89859cfeffff } // n = 7, score = 100 // 6800000080 | push 0x80000000 // 680000cf00 | push 0xcf0000 // 68???????? | // 68???????? | // 6800020000 | push 0x200 // ff15???????? | // 89859cfeffff | mov dword ptr [ebp - 0x164], eax $sequence_7 = { 6886e4fa74 6829895415 e8???????? 8b4dfc 894108 89510c } // n = 6, score = 100 // 6886e4fa74 | push 0x74fae486 // 6829895415 | push 0x15548929 // e8???????? 
| // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 894108 | mov dword ptr [ecx + 8], eax // 89510c | mov dword ptr [ecx + 0xc], edx $sequence_8 = { 33c5 8945ec 56 50 8d45f4 64a300000000 894da8 } // n = 7, score = 100 // 33c5 | xor eax, ebp // 8945ec | mov dword ptr [ebp - 0x14], eax // 56 | push esi // 50 | push eax // 8d45f4 | lea eax, [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // 894da8 | mov dword ptr [ebp - 0x58], ecx $sequence_9 = { 85ff 780f 3b3d???????? 7307 } // n = 4, score = 100 // 85ff | test edi, edi // 780f | js 0x11 // 3b3d???????? | // 7307 | jae 9 condition: 7 of them and filesize < 280576 } ] }, { Malware : Serpent , Description : According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries. According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries. There is no Yara-Signature yet. , YARA : [] }, { Malware : GSpy , Description : A malware family with a DGA. A malware family with a DGA. , YARA : [ rule win_gspy_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.gspy.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. 
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 57 52 c70600000000 ff15???????? 8b4608 8b1d???????? 85c0 } // n = 7, score = 100 // 57 | push edi // 52 | push edx // c70600000000 | mov dword ptr [esi], 0 // ff15???????? | // 8b4608 | mov eax, dword ptr [esi + 8] // 8b1d???????? | // 85c0 | test eax, eax $sequence_1 = { 50 8d4c242c 51 e8???????? c744240812000000 eb2f 6a1c } // n = 7, score = 100 // 50 | push eax // 8d4c242c | lea ecx, [esp + 0x2c] // 51 | push ecx // e8???????? | // c744240812000000 | mov dword ptr [esp + 8], 0x12 // eb2f | jmp 0x31 // 6a1c | push 0x1c $sequence_2 = { 8d4c2404 51 6a00 50 ff15???????? a3???????? 85c0 } // n = 7, score = 100 // 8d4c2404 | lea ecx, [esp + 4] // 51 | push ecx // 6a00 | push 0 // 50 | push eax // ff15???????? | // a3???????? | // 85c0 | test eax, eax $sequence_3 = { 8b542420 51 57 6800000220 52 e8???????? } // n = 6, score = 100 // 8b542420 | mov edx, dword ptr [esp + 0x20] // 51 | push ecx // 57 | push edi // 6800000220 | push 0x20020000 // 52 | push edx // e8???????? | $sequence_4 = { ff15???????? 85c0 0f8408010000 56 57 50 e8???????? } // n = 7, score = 100 // ff15???????? | // 85c0 | test eax, eax // 0f8408010000 | je 0x10e // 56 | push esi // 57 | push edi // 50 | push eax // e8???????? 
| $sequence_5 = { 85f6 0f8434ffffff 83f8ff 750d 33c0 3806 } // n = 6, score = 100 // 85f6 | test esi, esi // 0f8434ffffff | je 0xffffff3a // 83f8ff | cmp eax, -1 // 750d | jne 0xf // 33c0 | xor eax, eax // 3806 | cmp byte ptr [esi], al $sequence_6 = { 0f87b0000000 833e00 89742410 76b3 8b4604 a900000c00 } // n = 6, score = 100 // 0f87b0000000 | ja 0xb6 // 833e00 | cmp dword ptr [esi], 0 // 89742410 | mov dword ptr [esp + 0x10], esi // 76b3 | jbe 0xffffffb5 // 8b4604 | mov eax, dword ptr [esi + 4] // a900000c00 | test eax, 0xc0000 $sequence_7 = { 0f83ed000000 6a10 6a00 8d442440 50 e8???????? c744241468be4200 } // n = 7, score = 100 // 0f83ed000000 | jae 0xf3 // 6a10 | push 0x10 // 6a00 | push 0 // 8d442440 | lea eax, [esp + 0x40] // 50 | push eax // e8???????? | // c744241468be4200 | mov dword ptr [esp + 0x14], 0x42be68 $sequence_8 = { 03cb 51 03d6 52 e8???????? 013e eb08 } // n = 7, score = 100 // 03cb | add ecx, ebx // 51 | push ecx // 03d6 | add edx, esi // 52 | push edx // e8???????? | // 013e | add dword ptr [esi], edi // eb08 | jmp 0xa $sequence_9 = { 6801000080 c744242000000000 c744241c04000000 c744241801000080 83ceff ff15???????? 85c0 } // n = 7, score = 100 // 6801000080 | push 0x80000001 // c744242000000000 | mov dword ptr [esp + 0x20], 0 // c744241c04000000 | mov dword ptr [esp + 0x1c], 4 // c744241801000080 | mov dword ptr [esp + 0x18], 0x80000001 // 83ceff | or esi, 0xffffffff // ff15???????? | // 85c0 | test eax, eax condition: 7 of them and filesize < 421888 } ] }, { Malware : Tiger RAT , Description : This is third stage backdoor mentioned in the Kaspersky blog, \ Andariel evolves to target South Korea with ransomware\ . The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. 
The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before the payload is decrypted with the hardcoded XOR key, the backdoor also checks for a sandbox environment. The backdoor has some code overlap with a known malware family, PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA. This is the third-stage backdoor mentioned in the Kaspersky blog, \ Andariel evolves to target South Korea with ransomware\ . The third-stage payload was created via the second-stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before the payload is decrypted with the hardcoded XOR key, the backdoor also checks for a sandbox environment. The backdoor has some code overlap with a known malware family, PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA. 
, YARA : [ rule win_tiger_rat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.tiger_rat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4883c128 4889742448 48897c2450 ff15???????? } // n = 4, score = 200 // 4883c128 | mov eax, dword ptr [esi + 0x18] // 4889742448 | inc ecx // 48897c2450 | mov ecx, 1 // ff15???????? | $sequence_1 = { 0f11400c 488b4e28 488b5618 488b01 ff5010 } // n = 5, score = 200 // 0f11400c | mov ecx, dword ptr [edi + 0x28] // 488b4e28 | dec eax // 488b5618 | mov edx, dword ptr [edi + 0x18] // 488b01 | dec eax // ff5010 | mov eax, dword ptr [ecx] $sequence_2 = { 4883c108 e8???????? 4d8b4618 41b901000000 } // n = 4, score = 200 // 4883c108 | cmp eax, eax // e8???????? | // 4d8b4618 | jl 0xfffffff4 // 41b901000000 | jmp 0xd $sequence_3 = { 33d2 41b80c000100 488bd8 e8???????? 
4c63442430 488b4f08 } // n = 6, score = 200 // 33d2 | dec ecx // 41b80c000100 | mov dword ptr [ecx + eax*8], edx // 488bd8 | dec eax // e8???????? | // 4c63442430 | add ecx, 8 // 488b4f08 | inc ecx $sequence_4 = { 4883c108 413bc0 7cef eb06 4898 } // n = 5, score = 200 // 4883c108 | cmp eax, 0x1770 // 413bc0 | jl 0xfffffffd // 7cef | dec eax // eb06 | mov ecx, eax // 4898 | mov edx, 0xa $sequence_5 = { 4883c110 e8???????? 896e30 381f } // n = 4, score = 200 // 4883c110 | mov eax, dword ptr [esi + 0x18] // e8???????? | // 896e30 | inc ecx // 381f | mov ecx, 1 $sequence_6 = { 4883c10c e8???????? 488b4f28 488b5718 } // n = 4, score = 200 // 4883c10c | mov dword ptr [ecx + eax*8], edx // e8???????? | // 488b4f28 | mov ecx, 0x50 // 488b5718 | dec eax $sequence_7 = { 4883c110 48c741180f000000 33ed 48896910 408829 48c746500f000000 } // n = 6, score = 200 // 4883c110 | dec esp // 48c741180f000000 | arpl word ptr [esp + 0x30], ax // 33ed | dec eax // 48896910 | mov ecx, dword ptr [edi + 8] // 408829 | dec eax // 48c746500f000000 | add ecx, 8 $sequence_8 = { 7ce0 488bce ff15???????? 8b0d???????? } // n = 4, score = 100 // 7ce0 | mov esi, esp // 488bce | dec esp // ff15???????? | // 8b0d???????? | $sequence_9 = { ff15???????? 488bc8 ff15???????? ba0a000000 } // n = 4, score = 100 // ff15???????? | // 488bc8 | jae 0xd4 // ff15???????? | // ba0a000000 | dec eax $sequence_10 = { 0b05???????? 8905???????? ff15???????? ff15???????? b9e8030000 8bd8 } // n = 6, score = 100 // 0b05???????? | // 8905???????? | // ff15???????? | // ff15???????? | // b9e8030000 | mov dword ptr [esp + 0x78], ebp // 8bd8 | dec esp $sequence_11 = { 4c2bf3 8905???????? 493bf7 0f83c8000000 48896c2478 4c896c2430 41bd00f00000 } // n = 7, score = 100 // 4c2bf3 | add edi, esi // 8905???????? | // 493bf7 | dec esp // 0f83c8000000 | sub esi, ebx // 48896c2478 | jl 0xffffffe2 // 4c896c2430 | dec eax // 41bd00f00000 | mov ecx, esi $sequence_12 = { c705????????02000000 488905???????? 488d0556eb0100 48891d???????? 
488905???????? 33c0 488905???????? } // n = 7, score = 100 // c705????????02000000 | // 488905???????? | // 488d0556eb0100 | mov dword ptr [esp + 0x30], ebp // 48891d???????? | // 488905???????? | // 33c0 | inc ecx // 488905???????? | $sequence_13 = { 8b05???????? 4d8bf4 2305???????? 4c03fe 4c2bf3 8905???????? } // n = 6, score = 100 // 8b05???????? | // 4d8bf4 | mov eax, 1 // 2305???????? | // 4c03fe | jmp 0x60 // 4c2bf3 | dec ebp // 8905???????? | $sequence_14 = { 4c8d35046c0100 49833cde00 7407 b801000000 eb5e } // n = 5, score = 100 // 4c8d35046c0100 | dec esp // 49833cde00 | lea esi, [0x16c04] // 7407 | dec ecx // b801000000 | cmp dword ptr [esi + ebx*8], 0 // eb5e | je 9 $sequence_15 = { 8bd8 e8???????? 2bc3 3d70170000 7cf2 e8???????? } // n = 6, score = 100 // 8bd8 | dec esp // e8???????? | // 2bc3 | sub esi, ebx // 3d70170000 | dec ecx // 7cf2 | cmp esi, edi // e8???????? | condition: 7 of them and filesize < 557056 } ] }, { Malware : 8.t Dropper , Description : 8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798. 8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798. 
, YARA : [ rule win_8t_dropper_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.8t_dropper.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 741b 56 6800700000 6a01 68???????? } // n = 5, score = 200 // 741b | je 0x1d // 56 | push esi // 6800700000 | push 0x7000 // 6a01 | push 1 // 68???????? | $sequence_1 = { ff74240c e8???????? 83c40c c3 8b442408 83f801 } // n = 6, score = 200 // ff74240c | push dword ptr [esp + 0xc] // e8???????? | // 83c40c | add esp, 0xc // c3 | ret // 8b442408 | mov eax, dword ptr [esp + 8] // 83f801 | cmp eax, 1 $sequence_2 = { c6440c0e6e 8d4c2408 51 683f000f00 50 } // n = 5, score = 200 // c6440c0e6e | mov byte ptr [esp + ecx + 0xe], 0x6e // 8d4c2408 | lea ecx, [esp + 8] // 51 | push ecx // 683f000f00 | push 0xf003f // 50 | push eax $sequence_3 = { 68???????? 50 ff15???????? 85c0 7559 8b4c2408 51 } // n = 7, score = 200 // 68???????? 
| // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 7559 | jne 0x5b // 8b4c2408 | mov ecx, dword ptr [esp + 8] // 51 | push ecx $sequence_4 = { 50 ff15???????? 85c0 7559 8b4c2408 } // n = 5, score = 200 // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 7559 | jne 0x5b // 8b4c2408 | mov ecx, dword ptr [esp + 8] $sequence_5 = { 49 c6440c0c52 c6440c0d75 c6440c0e6e } // n = 4, score = 200 // 49 | dec ecx // c6440c0c52 | mov byte ptr [esp + ecx + 0xc], 0x52 // c6440c0d75 | mov byte ptr [esp + ecx + 0xd], 0x75 // c6440c0e6e | mov byte ptr [esp + ecx + 0xe], 0x6e $sequence_6 = { 68???????? 6a02 50 8b442418 } // n = 4, score = 200 // 68???????? | // 6a02 | push 2 // 50 | push eax // 8b442418 | mov eax, dword ptr [esp + 0x18] $sequence_7 = { 7559 8b4c2408 51 ff15???????? } // n = 4, score = 200 // 7559 | jne 0x5b // 8b4c2408 | mov ecx, dword ptr [esp + 8] // 51 | push ecx // ff15???????? | $sequence_8 = { 6800700000 6a01 68???????? e8???????? 56 e8???????? } // n = 6, score = 200 // 6800700000 | push 0x7000 // 6a01 | push 1 // 68???????? | // e8???????? | // 56 | push esi // e8???????? | $sequence_9 = { ff15???????? 8d942410010000 6804010000 52 68???????? } // n = 5, score = 200 // ff15???????? | // 8d942410010000 | lea edx, [esp + 0x110] // 6804010000 | push 0x104 // 52 | push edx // 68???????? | condition: 7 of them and filesize < 147456 } ] }, { Malware : BianLian , Description : BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. 
BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. There is no Yara-Signature yet. , YARA : [] }, { Malware : FudModule , Description : FudModule is a user-mode DLL that gets the ability to read and write arbitrary kernel memory via the BYOVD technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools. FudModule is a user-mode DLL that gets the ability to read and write arbitrary kernel memory via the BYOVD technique. 
Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools. , YARA : [ rule win_fudmodule_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.fudmodule.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0f99c4 660fc8 f6d4 58 e9???????? e9???????? 660fbae405 } // n = 7, score = 100 // 0f99c4 | rcl bx, cl // 660fc8 | neg ebx // f6d4 | not bl // 58 | dec eax // e9???????? | // e9???????? | // 660fbae405 | add esp, 0x20 $sequence_1 = { 66d3d3 f7db f6d3 4883c420 } // n = 4, score = 100 // 66d3d3 | mov ecx, dword ptr [esp + 0x70] // f7db | inc esp // f6d3 | mov eax, dword ptr [esi + 0xcb4] // 4883c420 | dec eax $sequence_2 = { e9???????? 
0fb78120010000 b9b01d0000 663bc1 76e3 b97d4f0000 } // n = 6, score = 100 // e9???????? | // 0fb78120010000 | cmp ebx, esp // b9b01d0000 | dec ecx // 663bc1 | mov ecx, dword ptr [esp + 0x9d8] // 76e3 | dec ecx // b97d4f0000 | mov ecx, dword ptr [esp + 0x9e0] $sequence_3 = { d3d8 31d2 0c5b 89d0 } // n = 4, score = 100 // d3d8 | add ecx, 1 // 31d2 | test al, al // 0c5b | bt ax, 5 // 89d0 | sar bl, cl $sequence_4 = { 498b8c24d8090000 e8???????? 498b8c24e0090000 e8???????? 4983bc24d809000000 488bb42480000000 488b5c2478 } // n = 7, score = 100 // 498b8c24d8090000 | mov ecx, eax // e8???????? | // 498b8c24e0090000 | dec eax // e8???????? | // 4983bc24d809000000 | lea eax, [ebp - 0x49] // 488bb42480000000 | inc ecx // 488b5c2478 | mov ecx, 8 $sequence_5 = { 488d45af 41b908000000 4d8bc5 4889442420 ff96d00d0000 } // n = 5, score = 100 // 488d45af | dec eax // 41b908000000 | mov ebx, dword ptr [esp + 0x78] // 4d8bc5 | dec eax // 4889442420 | mov dword ptr [esp + 0x10], esi // ff96d00d0000 | push ebp $sequence_6 = { 0f855b73ffff 66d3fe 80fbfc 09e6 89f9 6681c69719 } // n = 6, score = 100 // 0f855b73ffff | mov eax, ebp // 66d3fe | dec eax // 80fbfc | mov dword ptr [esp + 0x20], eax // 09e6 | call dword ptr [esi + 0xdd0] // 89f9 | inc ecx // 6681c69719 | inc ecx $sequence_7 = { 41ffc1 453bc8 7e27 b818000000 8bc8 } // n = 5, score = 100 // 41ffc1 | push edi // 453bc8 | inc ecx // 7e27 | push esp // b818000000 | dec eax // 8bc8 | mov ebp, esp $sequence_8 = { 55 57 4154 488dac2400feffff 4881ec00030000 488b05???????? 4833c4 } // n = 7, score = 100 // 55 | push ebp // 57 | push edi // 4154 | inc ecx // 488dac2400feffff | push esp // 4881ec00030000 | dec eax // 488b05???????? | // 4833c4 | lea ebp, [esp - 0x200] $sequence_9 = { 210a dd63c2 58 5f } // n = 4, score = 100 // 210a | lea eax, [ebp - 0x51] // dd63c2 | inc ecx // 58 | mov ecx, 8 // 5f | dec ebp $sequence_10 = { 85c0 755f 488b4c2470 e8???????? 
448b86b40c0000 } // n = 5, score = 100 // 85c0 | dec ecx // 755f | cmp dword ptr [esp + 0x9d8], 0 // 488b4c2470 | dec eax // e8???????? | // 448b86b40c0000 | mov esi, dword ptr [esp + 0x80] $sequence_11 = { 0facea1a 56 660fbdf4 0fc1ca 488b5510 d2e5 } // n = 6, score = 100 // 0facea1a | dec eax // 56 | add ebx, 8 // 660fbdf4 | cmp edi, 3 // 0fc1ca | jl 0xffffffe5 // 488b5510 | stc // d2e5 | cmp ebp, 0x61298b65 $sequence_12 = { f9 81fd658b2961 83c101 84c0 660fbae005 d2fb } // n = 6, score = 100 // f9 | cmp ax, cx // 81fd658b2961 | jbe 0xfffffff4 // 83c101 | mov ecx, 0x4f7d // 84c0 | test eax, eax // 660fbae005 | jne 0x63 // d2fb | dec eax $sequence_13 = { 66d3f3 0fcf 8b3e 6681feaa7e 00ef 18cb } // n = 6, score = 100 // 66d3f3 | inc ebp // 0fcf | cmp ecx, eax // 8b3e | jle 0x2c // 6681feaa7e | mov eax, 0x18 // 00ef | mov ecx, eax // 18cb | inc edi $sequence_14 = { 48ff25???????? 4889742410 55 57 4154 488bec 4883ec60 } // n = 7, score = 100 // 48ff25???????? | // 4889742410 | dec eax // 55 | mov dword ptr [esp + 0x20], eax // 57 | call dword ptr [esi + 0xdd0] // 4154 | dec esp // 488bec | mov ebx, dword ptr [ebp - 0x69] // 4883ec60 | dec ebp $sequence_15 = { ff96d00d0000 4c8b5d97 4d3bdc 75c8 } // n = 4, score = 100 // ff96d00d0000 | dec eax // 4c8b5d97 | sub esp, 0x300 // 4d3bdc | dec eax // 75c8 | xor eax, esp condition: 7 of them and filesize < 795648 } ] }, { Malware : Gozi , Description : 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. 
Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. Timeline: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*); -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service.
* The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b4dfc f3a4 b0e9 aa } // n = 4, score = 100 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // b0e9 | mov al, 0xe9 // aa | stosb byte ptr es:[edi], al $sequence_1 = { ee 7f7b 36110b 33745571 de7e75 cd18 4a } // n = 7, score = 100 // ee | out dx, al // 7f7b | jg 0x7d // 36110b | adc dword ptr ss:[ebx], ecx // 33745571 | xor esi, dword ptr [ebp + edx*2 + 0x71] // de7e75 | fidivr word ptr [esi + 0x75] // cd18 | int 0x18 // 4a | dec edx $sequence_2 = { 3327 72e7 3ebb4a68d947 d93e 257296bc4a 1b6b61 9f } // n = 7, score = 100 // 3327 | xor esp, dword ptr [edi] // 72e7 | jb 0xffffffe9 // 3ebb4a68d947 | mov ebx, 0x47d9684a // d93e | fnstcw word ptr [esi] // 257296bc4a | and eax, 0x4abc9672 // 1b6b61 | sbb ebp, dword ptr [ebx + 0x61] // 9f | lahf $sequence_3 = { e8???????? 0bc0 7522 6a01 6a00 } // n = 5, score = 100 // e8???????? 
| // 0bc0 | or eax, eax // 7522 | jne 0x24 // 6a01 | push 1 // 6a00 | push 0 $sequence_4 = { 2bfb 8b5518 8b12 6a00 } // n = 4, score = 100 // 2bfb | sub edi, ebx // 8b5518 | mov edx, dword ptr [ebp + 0x18] // 8b12 | mov edx, dword ptr [edx] // 6a00 | push 0 $sequence_5 = { 4e b64e 0fc0d6 69d5920d9cef } // n = 4, score = 100 // 4e | dec esi // b64e | mov dh, 0x4e // 0fc0d6 | xadd dh, dl // 69d5920d9cef | imul edx, ebp, 0xef9c0d92 $sequence_6 = { 0fadce 80eede c0ca12 2af4 8af4 } // n = 5, score = 100 // 0fadce | shrd esi, ecx, cl // 80eede | sub dh, 0xde // c0ca12 | ror dl, 0x12 // 2af4 | sub dh, ah // 8af4 | mov dh, ah $sequence_7 = { 894598 50 e8???????? 8b4650 8b7c0704 } // n = 5, score = 100 // 894598 | mov dword ptr [ebp - 0x68], eax // 50 | push eax // e8???????? | // 8b4650 | mov eax, dword ptr [esi + 0x50] // 8b7c0704 | mov edi, dword ptr [edi + eax + 4] $sequence_8 = { 83c101 894df4 8b55ec 83ea02 3955f4 0f8d45040000 } // n = 6, score = 100 // 83c101 | add ecx, 1 // 894df4 | mov dword ptr [ebp - 0xc], ecx // 8b55ec | mov edx, dword ptr [ebp - 0x14] // 83ea02 | sub edx, 2 // 3955f4 | cmp dword ptr [ebp - 0xc], edx // 0f8d45040000 | jge 0x44b $sequence_9 = { 94 6e 8ee1 54 } // n = 4, score = 100 // 94 | xchg eax, esp // 6e | outsb dx, byte ptr [esi] // 8ee1 | mov fs, ecx // 54 | push esp $sequence_10 = { 7516 c78554ffffff06000000 c78558ffffff00000000 eb14 } // n = 4, score = 100 // 7516 | jne 0x18 // c78554ffffff06000000 | mov dword ptr [ebp - 0xac], 6 // c78558ffffff00000000 | mov dword ptr [ebp - 0xa8], 0 // eb14 | jmp 0x16 $sequence_11 = { bf???????? 8bdf c70747494638 66c747043761 83c706 8b450c } // n = 6, score = 100 // bf???????? 
| // 8bdf | mov ebx, edi // c70747494638 | mov dword ptr [edi], 0x38464947 // 66c747043761 | mov word ptr [edi + 4], 0x6137 // 83c706 | add edi, 6 // 8b450c | mov eax, dword ptr [ebp + 0xc] $sequence_12 = { c9 50 0c73 0e 96 3b5375 } // n = 6, score = 100 // c9 | leave // 50 | push eax // 0c73 | or al, 0x73 // 0e | push cs // 96 | xchg eax, esi // 3b5375 | cmp edx, dword ptr [ebx + 0x75] $sequence_13 = { ffd7 03f0 56 53 33f6 56 } // n = 6, score = 100 // ffd7 | call edi // 03f0 | add esi, eax // 56 | push esi // 53 | push ebx // 33f6 | xor esi, esi // 56 | push esi $sequence_14 = { ad b710 2dc7ce5bbb d6 b6c6 } // n = 5, score = 100 // ad | lodsd eax, dword ptr [esi] // b710 | mov bh, 0x10 // 2dc7ce5bbb | sub eax, 0xbb5bcec7 // d6 | salc // b6c6 | mov dh, 0xc6 $sequence_15 = { ff75e4 ffd0 c3 6a68 68???????? e8???????? } // n = 6, score = 100 // ff75e4 | push dword ptr [ebp - 0x1c] // ffd0 | call eax // c3 | ret // 6a68 | push 0x68 // 68???????? | // e8???????? | $sequence_16 = { 0f8229feffff 5f 5e 5b c9 c21000 } // n = 6, score = 100 // 0f8229feffff | jb 0xfffffe2f // 5f | pop edi // 5e | pop esi // 5b | pop ebx // c9 | leave // c21000 | ret 0x10 $sequence_17 = { c9 c20800 6a00 8d87950c0000 } // n = 4, score = 100 // c9 | leave // c20800 | ret 8 // 6a00 | push 0 // 8d87950c0000 | lea eax, [edi + 0xc95] $sequence_18 = { 84c1 0fb3ea f6c1ba 0fce } // n = 4, score = 100 // 84c1 | test cl, al // 0fb3ea | btr edx, ebp // f6c1ba | test cl, 0xba // 0fce | bswap esi $sequence_19 = { 96 3b5375 60 d3e0 90 48 } // n = 6, score = 100 // 96 | xchg eax, esi // 3b5375 | cmp edx, dword ptr [ebx + 0x75] // 60 | pushal // d3e0 | shl eax, cl // 90 | nop // 48 | dec eax $sequence_20 = { 69d5ca659407 f6de c645ff61 a1???????? 8b0d???????? 6a00 } // n = 6, score = 100 // 69d5ca659407 | imul edx, ebp, 0x79465ca // f6de | neg dh // c645ff61 | mov byte ptr [ebp - 1], 0x61 // a1???????? | // 8b0d???????? 
| // 6a00 | push 0 $sequence_21 = { 83c101 894d90 0fb755e4 52 8b4590 } // n = 5, score = 100 // 83c101 | add ecx, 1 // 894d90 | mov dword ptr [ebp - 0x70], ecx // 0fb755e4 | movzx edx, word ptr [ebp - 0x1c] // 52 | push edx // 8b4590 | mov eax, dword ptr [ebp - 0x70] $sequence_22 = { b87e8da638 e022 3a56b9 036890 2b02 9a102a6715fb53 } // n = 6, score = 100 // b87e8da638 | mov eax, 0x38a68d7e // e022 | loopne 0x24 // 3a56b9 | cmp dl, byte ptr [esi - 0x47] // 036890 | add ebp, dword ptr [eax - 0x70] // 2b02 | sub eax, dword ptr [edx] // 9a102a6715fb53 | lcall 0x53fb:0x15672a10 $sequence_23 = { dc6f1b 95 bf633629a8 02738f } // n = 4, score = 100 // dc6f1b | fsubr qword ptr [edi + 0x1b] // 95 | xchg eax, ebp // bf633629a8 | mov edi, 0xa8293663 // 02738f | add dh, byte ptr [ebx - 0x71] $sequence_24 = { 83bd54ffffff03 7c0a c78554ffffff00000000 eb95 33c0 8b55f4 } // n = 6, score = 100 // 83bd54ffffff03 | cmp dword ptr [ebp - 0xac], 3 // 7c0a | jl 0xc // c78554ffffff00000000 | mov dword ptr [ebp - 0xac], 0 // eb95 | jmp 0xffffff97 // 33c0 | xor eax, eax // 8b55f4 | mov edx, dword ptr [ebp - 0xc] $sequence_25 = { 0fbe4415ec 8b8d4cffffff 038d58ffffff 0fbe11 33d0 8b854cffffff } // n = 6, score = 100 // 0fbe4415ec | movsx eax, byte ptr [ebp + edx - 0x14] // 8b8d4cffffff | mov ecx, dword ptr [ebp - 0xb4] // 038d58ffffff | add ecx, dword ptr [ebp - 0xa8] // 0fbe11 | movsx edx, byte ptr [ecx] // 33d0 | xor edx, eax // 8b854cffffff | mov eax, dword ptr [ebp - 0xb4] $sequence_26 = { 41 4e 75ea 5e } // n = 4, score = 100 // 41 | inc ecx // 4e | dec esi // 75ea | jne 0xffffffec // 5e | pop esi $sequence_27 = { 0f8447010000 83f8ff 0f843e010000 682000cc00 56 } // n = 5, score = 100 // 0f8447010000 | je 0x14d // 83f8ff | cmp eax, -1 // 0f843e010000 | je 0x144 // 682000cc00 | push 0xcc0020 // 56 | push esi $sequence_28 = { 837df800 75c7 ff75fc e8???????? 
c9 } // n = 5, score = 100 // 837df800 | cmp dword ptr [ebp - 8], 0 // 75c7 | jne 0xffffffc9 // ff75fc | push dword ptr [ebp - 4] // e8???????? | // c9 | leave $sequence_29 = { 0fb3ce 86d6 2af4 b252 b0ca c745fc00000000 } // n = 6, score = 100 // 0fb3ce | btr esi, ecx // 86d6 | xchg dh, dl // 2af4 | sub dh, ah // b252 | mov dl, 0x52 // b0ca | mov al, 0xca // c745fc00000000 | mov dword ptr [ebp - 4], 0 $sequence_30 = { e8???????? 59 8bf0 89b5e0f2ffff } // n = 4, score = 100 // e8???????? | // 59 | pop ecx // 8bf0 | mov esi, eax // 89b5e0f2ffff | mov dword ptr [ebp - 0xd20], esi $sequence_31 = { 85c0 7404 8365f800 85f6 7407 8b06 } // n = 6, score = 100 // 85c0 | test eax, eax // 7404 | je 6 // 8365f800 | and dword ptr [ebp - 8], 0 // 85f6 | test esi, esi // 7407 | je 9 // 8b06 | mov eax, dword ptr [esi] condition: 7 of them and filesize < 568320 } ] }, { Malware : HTTP(S) uploader , Description : The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols. 
It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port , YARA : [ rule win_httpsuploader_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.httpsuploader.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 33ff 33d2 41b806020000 6689bc2470020000 e8???????? 488d4c2451 33d2 } // n = 7, score = 100 // 33ff | test eax, eax // 33d2 | jne 0xa95 // 41b806020000 | dec eax // 6689bc2470020000 | lea eax, [0xb51f] // e8???????? | // 488d4c2451 | dec eax // 33d2 | sub esp, 0x20 $sequence_1 = { 33d2 33c9 897c2428 48895c2420 ff15???????? 
eb3b 488d0dc3bd0000 } // n = 7, score = 100 // 33d2 | je 0x96a // 33c9 | dec eax // 897c2428 | add esp, 0x40 // 48895c2420 | inc ecx // ff15???????? | // eb3b | pop esp // 488d0dc3bd0000 | ret $sequence_2 = { 4883ec20 488bfa 488bd9 488d0501700000 488981a0000000 83611000 } // n = 6, score = 100 // 4883ec20 | mov ecx, 0x40 // 488bfa | dec esp // 488bd9 | mov dword ptr [esp + 0x498], ebp // 488d0501700000 | mov dword ptr [esp + 0x20], 3 // 488981a0000000 | dec esp // 83611000 | mov ebp, eax $sequence_3 = { 4c8bc0 418bd4 e8???????? 488d8dd0000000 ff15???????? } // n = 5, score = 100 // 4c8bc0 | dec eax // 418bd4 | mov ecx, dword ptr [ebp + 0x2e0] // e8???????? | // 488d8dd0000000 | dec eax // ff15???????? | $sequence_4 = { 488d0d6c280000 4533c9 ba00000040 4489442420 ff15???????? } // n = 5, score = 100 // 488d0d6c280000 | movzx eax, byte ptr [eax + ebp] // 4533c9 | inc ecx // ba00000040 | mov byte ptr [edx], al // 4489442420 | mov eax, ecx // ff15???????? | $sequence_5 = { 4c8d25cf7d0000 f0ff09 7511 488b8eb8000000 493bcc } // n = 5, score = 100 // 4c8d25cf7d0000 | mov eax, 0x3fe // f0ff09 | mov word ptr [ebp + 0x4f0], di // 7511 | dec eax // 488b8eb8000000 | lea ecx, [ebp + 0x8f2] // 493bcc | xor edx, edx $sequence_6 = { 488d0543b50000 eb04 4883c014 4883c428 c3 4053 } // n = 6, score = 100 // 488d0543b50000 | lea ebx, [0x8db3] // eb04 | dec eax // 4883c014 | lea edi, [0x8db4] // 4883c428 | jne 0x10e // c3 | dec eax // 4053 | lea ecx, [esp + 0x270] $sequence_7 = { 488d158e380000 488bc8 ff15???????? 4885c0 0f847a010000 } // n = 5, score = 100 // 488d158e380000 | lea eax, [0xde96] // 488bc8 | xor eax, eax // ff15???????? | // 4885c0 | mov ebp, eax // 0f847a010000 | inc ebp $sequence_8 = { 81fa01010000 7d13 4863ca 8a44191c 4288840170fa0000 } // n = 5, score = 100 // 81fa01010000 | dec eax // 7d13 | arpl si, cx // 4863ca | dec eax // 8a44191c | lea edx, [ebp + ecx + 0x620] // 4288840170fa0000 | inc ebp $sequence_9 = { 745e 6666660f1f840000000000 488b0d???????? 
488d542440 4533c9 4533c0 ff15???????? } // n = 7, score = 100 // 745e | mov word ptr [ebp + 0x8f0], di // 6666660f1f840000000000 | mov dword ptr [esp + 0x44], edi // 488b0d???????? | // 488d542440 | mov dword ptr [esp + 0x40], edi // 4533c9 | xor edx, edx // 4533c0 | inc ecx // ff15???????? | condition: 7 of them and filesize < 190464 } ] }, { Malware : LPEClient , Description : LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload. It sends detailed information about the victim's environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource.LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the the DLL execution). As the final step, malware looks for the export CloseEnv and executes it. LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload. It sends detailed information about the victim's environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource. 
LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the the DLL execution). As the final step, malware looks for the export CloseEnv and executes it. , YARA : [ rule win_lpeclient_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.lpeclient.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f0ff03 8bce e8???????? eb2b 83f8ff 7526 4c8d2567f60000 } // n = 7, score = 100 // f0ff03 | dec eax // 8bce | inc edx // e8???????? 
| // eb2b | movzx eax, byte ptr [edx] // 83f8ff | dec eax // 7526 | inc edx // 4c8d2567f60000 | mov byte ptr [ecx + edx - 1], al $sequence_1 = { 33c0 80f90a 0f94c0 8944244c 488d054a1b0100 } // n = 5, score = 100 // 33c0 | dec eax // 80f90a | sub esp, 0x50 // 0f94c0 | cmp dword ptr [ecx + 0x1c], 0 // 8944244c | dec eax // 488d054a1b0100 | mov ebx, ecx $sequence_2 = { 33c0 488bfe 66f2af 48f7d1 48ffc9 0f8456010000 } // n = 6, score = 100 // 33c0 | mov dword ptr [ecx], eax // 488bfe | dec eax // 66f2af | lea eax, [0x11bab] // 48f7d1 | cmp dword ptr [ecx + 0x14], ebx // 48ffc9 | dec edx // 0f8456010000 | mov ecx, dword ptr [eax] $sequence_3 = { e8???????? c1eb03 85db 0f8e52130000 8b4c2450 8b542450 4c8d5e02 } // n = 7, score = 100 // e8???????? | // c1eb03 | lea ecx, [ebp - 0x80] // 85db | inc esp // 0f8e52130000 | mov eax, eax // 8b4c2450 | je 0x561 // 8b542450 | dec esp // 4c8d5e02 | lea ecx, [esp + 0x48] $sequence_4 = { 498be3 5f c3 48895c2410 4889742418 57 4881ec30020000 } // n = 7, score = 100 // 498be3 | jmp 0x2a // 5f | jne 0x3b // c3 | mov ecx, dword ptr [ebx + 0x10] // 48895c2410 | inc ecx // 4889742418 | movzx eax, bp // 57 | cmp eax, ecx // 4881ec30020000 | jb 0x72 $sequence_5 = { 7406 81f1783bf682 48ffc7 48ffca 75e6 443bc1 410f94c5 } // n = 7, score = 100 // 7406 | mov dword ptr [esp + 0x40], edi // 81f1783bf682 | mov word ptr [ebp - 0x26], ax // 48ffc7 | mov eax, 0x53 // 48ffca | mov dword ptr [ebp - 0x22], 0x54 // 75e6 | mov word ptr [ebp - 0x24], ax // 443bc1 | mov eax, 0x4b // 410f94c5 | mov dword ptr [esp + 0x40], edi $sequence_6 = { 0fb64c38ff 4132c8 880a 4183c10b 41ffc2 } // n = 5, score = 100 // 0fb64c38ff | dec eax // 4132c8 | lea edx, [esp + 0xe0] // 880a | dec eax // 4183c10b | lea ecx, [esp + 0x50] // 41ffc2 | dec esp $sequence_7 = { 0bd8 418b0424 8d0c03 8bfb 448bc1 48c1e918 83e10f } // n = 7, score = 100 // 0bd8 | inc esp // 418b0424 | movzx eax, word ptr [ebp - 0x4c] // 8d0c03 | dec eax // 8bfb | mov edx, dword ptr [ebp - 0x58] // 448bc1 | dec 
eax // 48c1e918 | mov dword ptr [esp + 0x38], esi // 83e10f | mov dword ptr [esp + 0x30], esi $sequence_8 = { 488d0d0f570100 ff15???????? 4c8b4308 488d1546e90000 488d0df74e0100 ff15???????? 488d0d9a480100 } // n = 7, score = 100 // 488d0d0f570100 | dec esp // ff15???????? | // 4c8b4308 | arpl bx, bx // 488d1546e90000 | xor eax, eax // 488d0df74e0100 | dec esp // ff15???????? | // 488d0d9a480100 | arpl bx, bx $sequence_9 = { 33db c74424646b000000 ff15???????? 448d4b01 448d4307 488d95a00b0000 } // n = 6, score = 100 // 33db | je 0x1f5f // c74424646b000000 | mov edx, 1 // ff15???????? | // 448d4b01 | dec eax // 448d4307 | lea ecx, [0xffffcddf] // 488d95a00b0000 | and eax, 0xf condition: 7 of them and filesize < 289792 } ] }, { Malware : MACAMAX , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : MysterySnail , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : NedDnLoader , Description : NedDnLoader is an HTTP(S) downloader that uses AES for C&C trafic encryption.It sends detailed information about the victim's environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like \ .?AVCWininet_Protocol@@\ or \ .?AVCMFC_DLLApp@@\ . NedDnLoader is an HTTP(S) downloader that uses AES for C&C trafic encryption. It sends detailed information about the victim's environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. 
The usual payload downloaded with NedDnLoader is Torisma. The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like \ .?AVCWininet_Protocol@@\ or \ .?AVCMFC_DLLApp@@\ . , YARA : [ rule win_neddnloader_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.neddnloader.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 83c204 3bcf 72f0 8d43ff } // n = 4, score = 400 // 83c204 | add edx, 4 // 3bcf | cmp ecx, edi // 72f0 | jb 0xfffffff2 // 8d43ff | lea eax, [ebx - 1] $sequence_1 = { 69c0b179379e c1e813 03c9 0fb73411 } // n = 4, score = 400 // 69c0b179379e | imul eax, eax, 0x9e3779b1 // c1e813 | shr eax, 0x13 // 03c9 | add ecx, ecx // 0fb73411 | movzx esi, word ptr [ecx + edx] $sequence_2 = { 8b5508 69c0b179379e c1e813 33c9 66890c42 } // n = 5, score = 400 // 8b5508 | mov edx, dword ptr [ebp + 8] // 69c0b179379e | imul eax, eax, 0x9e3779b1 // c1e813 | shr eax, 0x13 // 33c9 | xor ecx, ecx // 66890c42 | mov word ptr [edx + eax*2], cx $sequence_3 = { 8d43ff 3bc8 7311 0fb702 } // n = 4, score = 400 // 8d43ff | lea eax, [ebx - 1] // 3bc8 | cmp ecx, eax // 7311 | jae 0x13 // 0fb702 | movzx eax, word ptr [edx] $sequence_4 = { 8bc1 2b45fc 5f 5e } // n = 4, score = 400 // 8bc1 | mov eax, ecx // 2b45fc | sub eax, dword ptr [ebp - 4] // 5f | pop edi // 5e | pop esi $sequence_5 = { eb02 0008 8b45f8 83c0f4 897dfc } // n = 5, score = 400 // eb02 | jmp 4 // 0008 | add byte ptr [eax], cl // 8b45f8 | mov eax, dword ptr [ebp - 8] // 83c0f4 | add eax, -0xc // 897dfc | mov dword ptr [ebp - 4], edi $sequence_6 = { 663bc6 7506 83c102 83c202 3bcb 7307 } // n = 6, score = 400 // 663bc6 | cmp ax, si // 7506 | jne 8 // 83c102 | add ecx, 2 // 83c202 | add edx, 2 // 3bcb | cmp ecx, ebx // 7307 | jae 9 $sequence_7 = { 7311 0fb702 0fb731 663bc6 7506 83c102 } // n = 6, score = 400 // 7311 | jae 0x13 // 0fb702 | movzx eax, word ptr [edx] // 0fb731 | movzx esi, word ptr [ecx] // 663bc6 | cmp ax, si // 7506 | jne 8 // 83c102 | add ecx, 2 $sequence_8 = { 488bf2 41c1ed04 492bf0 41ffc5 488bd3 488bcf } // n = 6, score = 100 // 488bf2 | movzx edx, al // 41c1ed04 | dec eax // 492bf0 | lea ecx, [0x11014] // 41ffc5 | mov edx, 0xfa0 // 488bd3 | dec eax // 488bcf | mov eax, ebp $sequence_9 = { 410fb6c0 4133b48e803c0100 4133b48680480100 418bc0 41337530 c1e808 0fb6d0 } // n = 7, score = 100 // 
410fb6c0 | inc ecx // 4133b48e803c0100 | mov eax, esi // 4133b48680480100 | inc ebp // 418bc0 | mov edx, dword ptr [esp + edx*4 + 0x14480] // 41337530 | shr eax, 0x10 // c1e808 | movzx ecx, al // 0fb6d0 | mov eax, ebp $sequence_10 = { 0fb6c8 410fb6c0 4133bc8e803c0100 4133bc8680480100 41337d60 418bc0 } // n = 6, score = 100 // 0fb6c8 | and ebp, 0x1f // 410fb6c0 | dec eax // 4133bc8e803c0100 | sar eax, 5 // 4133bc8680480100 | dec eax // 41337d60 | imul ebp, ebp, 0x58 // 418bc0 | dec eax $sequence_11 = { 448bce 448bc7 488bd0 498bce e8???????? 448bf0 } // n = 6, score = 100 // 448bce | inc esp // 448bc7 | mov ecx, esi // 488bd0 | inc esp // 498bce | mov eax, edi // e8???????? | // 448bf0 | dec eax $sequence_12 = { 488d3d24570000 eb0e 488b03 4885c0 7402 } // n = 5, score = 100 // 488d3d24570000 | inc ecx // eb0e | mov eax, eax // 488b03 | inc ecx // 4885c0 | xor esi, dword ptr [ebp + 0x30] // 7402 | shr eax, 8 $sequence_13 = { 0fb6d0 418bc6 458b949480440100 c1e810 0fb6c8 8bc5 } // n = 6, score = 100 // 0fb6d0 | mov edx, eax // 418bc6 | dec ecx // 458b949480440100 | mov ecx, esi // c1e810 | inc esp // 0fb6c8 | mov esi, eax // 8bc5 | movzx edx, al $sequence_14 = { 488d0d14100100 baa00f0000 488bc5 83e51f 48c1f805 486bed58 } // n = 6, score = 100 // 488d0d14100100 | inc ecx // baa00f0000 | movzx eax, al // 488bc5 | inc ecx // 83e51f | xor esi, dword ptr [esi + ecx*4 + 0x13c80] // 48c1f805 | inc ecx // 486bed58 | xor esi, dword ptr [esi + eax*4 + 0x14880] $sequence_15 = { ff5348 b97f000000 ff15???????? eb1e 488b5350 498bcd ff5348 } // n = 7, score = 100 // ff5348 | lea edi, [0x5724] // b97f000000 | jmp 0x17 // ff15???????? | // eb1e | dec eax // 488b5350 | mov eax, dword ptr [ebx] // 498bcd | dec eax // ff5348 | test eax, eax condition: 7 of them and filesize < 3438592 } ] }, { Malware : ParaSiteSnatcher , Description : There is no description at this point. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : PrivateLoader , Description : According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. , YARA : [ rule win_privateloader_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.privateloader.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. 
*/ strings: $sequence_0 = { 8965ec 8b55ec 8955e8 8d45f8 } // n = 4, score = 600 // 8965ec | mov dword ptr [ebp - 0x14], esp // 8b55ec | mov edx, dword ptr [ebp - 0x14] // 8955e8 | mov dword ptr [ebp - 0x18], edx // 8d45f8 | lea eax, [ebp - 8] $sequence_1 = { 894df4 8b55fc 837a1410 7209 } // n = 4, score = 600 // 894df4 | mov dword ptr [ebp - 0xc], ecx // 8b55fc | mov edx, dword ptr [ebp - 4] // 837a1410 | cmp dword ptr [edx + 0x14], 0x10 // 7209 | jb 0xb $sequence_2 = { 0fb64dec 85c9 7408 8b55fc 8b02 8945e8 } // n = 6, score = 600 // 0fb64dec | movzx ecx, byte ptr [ebp - 0x14] // 85c9 | test ecx, ecx // 7408 | je 0xa // 8b55fc | mov edx, dword ptr [ebp - 4] // 8b02 | mov eax, dword ptr [edx] // 8945e8 | mov dword ptr [ebp - 0x18], eax $sequence_3 = { 8b4dec 8b5508 895110 8b4508 8945e4 8b4de8 034de4 } // n = 7, score = 600 // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 8b5508 | mov edx, dword ptr [ebp + 8] // 895110 | mov dword ptr [ecx + 0x10], edx // 8b4508 | mov eax, dword ptr [ebp + 8] // 8945e4 | mov dword ptr [ebp - 0x1c], eax // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 034de4 | add ecx, dword ptr [ebp - 0x1c] $sequence_4 = { 8b45d8 8b4ddc 8b55d0 8b75d4 } // n = 4, score = 600 // 8b45d8 | mov eax, dword ptr [ebp - 0x28] // 8b4ddc | mov ecx, dword ptr [ebp - 0x24] // 8b55d0 | mov edx, dword ptr [ebp - 0x30] // 8b75d4 | mov esi, dword ptr [ebp - 0x2c] $sequence_5 = { 8b4dec e8???????? 8b4df0 e8???????? 8845fc } // n = 5, score = 600 // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // e8???????? | // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // e8???????? | // 8845fc | mov byte ptr [ebp - 4], al $sequence_6 = { 8975d4 8b45d0 8b55d4 5e } // n = 4, score = 600 // 8975d4 | mov dword ptr [ebp - 0x2c], esi // 8b45d0 | mov eax, dword ptr [ebp - 0x30] // 8b55d4 | mov edx, dword ptr [ebp - 0x2c] // 5e | pop esi $sequence_7 = { 8b4de8 8b75ec 2bc8 1bf2 894de0 8975e4 a1???????? 
} // n = 7, score = 600 // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 8b75ec | mov esi, dword ptr [ebp - 0x14] // 2bc8 | sub ecx, eax // 1bf2 | sbb esi, edx // 894de0 | mov dword ptr [ebp - 0x20], ecx // 8975e4 | mov dword ptr [ebp - 0x1c], esi // a1???????? | $sequence_8 = { e8???????? 33d2 b93f000000 f7f1 } // n = 4, score = 500 // e8???????? | // 33d2 | xor edx, edx // b93f000000 | mov ecx, 0x3f // f7f1 | div ecx $sequence_9 = { 8b4590 8b4d94 8b5588 8b758c } // n = 4, score = 400 // 8b4590 | mov eax, dword ptr [ebp - 0x70] // 8b4d94 | mov ecx, dword ptr [ebp - 0x6c] // 8b5588 | mov edx, dword ptr [ebp - 0x78] // 8b758c | mov esi, dword ptr [ebp - 0x74] $sequence_10 = { a3???????? 33c0 5e c3 3b0d???????? } // n = 5, score = 400 // a3???????? | // 33c0 | xor eax, eax // 5e | pop esi // c3 | ret // 3b0d???????? | $sequence_11 = { 896c2404 8bec 81ec68010000 a1???????? 33c5 8945fc 56 } // n = 7, score = 400 // 896c2404 | mov dword ptr [esp + 4], ebp // 8bec | mov ebp, esp // 81ec68010000 | sub esp, 0x168 // a1???????? | // 33c5 | xor eax, ebp // 8945fc | mov dword ptr [ebp - 4], eax // 56 | push esi $sequence_12 = { d81d???????? c9 b8ffffffff 99 c3 56 8b35???????? } // n = 7, score = 400 // d81d???????? | // c9 | leave // b8ffffffff | mov eax, 0xffffffff // 99 | cdq // c3 | ret // 56 | push esi // 8b35???????? 
| $sequence_13 = { 13f1 83c201 8955e0 83d600 } // n = 4, score = 300 // 13f1 | adc esi, ecx // 83c201 | add edx, 1 // 8955e0 | mov dword ptr [ebp - 0x20], edx // 83d600 | adc esi, 0 $sequence_14 = { 6a04 8d4310 50 6a06 } // n = 4, score = 300 // 6a04 | push 4 // 8d4310 | lea eax, [ebx + 0x10] // 50 | push eax // 6a06 | push 6 $sequence_15 = { 7507 6800008000 eb02 6a00 } // n = 4, score = 300 // 7507 | jne 9 // 6800008000 | push 0x800000 // eb02 | jmp 4 // 6a00 | push 0 $sequence_16 = { 8b45e4 50 51 52 } // n = 4, score = 300 // 8b45e4 | mov eax, dword ptr [ebp - 0x1c] // 50 | push eax // 51 | push ecx // 52 | push edx $sequence_17 = { 0bc8 56 57 7529 } // n = 4, score = 300 // 0bc8 | or ecx, eax // 56 | push esi // 57 | push edi // 7529 | jne 0x2b $sequence_18 = { 03d0 8b4d9c 13f1 83c201 } // n = 4, score = 300 // 03d0 | add edx, eax // 8b4d9c | mov ecx, dword ptr [ebp - 0x64] // 13f1 | adc esi, ecx // 83c201 | add edx, 1 condition: 7 of them and filesize < 3670016 } , rule win_privateloader_w0 { meta: author = \ andretavare5\ org = \ BitSight\ date = \ 2022-06-06\ md5 = \ 8f70a0f45532261cb4df2800b141551d\ reference = \ https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service\ license = \ CC BY-NC-SA 4.0\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader\ malpedia_version = \ 20220824\ malpedia_license = \ CC BY-NC-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $code = { 66 0F EF (4?|8?) 
} // pxor xmm(1/0) - str chunk decryption $str = \ Content-Type: application/x-www-form-urlencoded\ wide ascii $ua1 = \ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\ wide ascii $ua2 = \ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\ wide ascii condition: uint16(0) == 0x5A4D and // MZ $str and any of ($ua*) and #code > 100 } ] }, { Malware : TOUCHMOVE , Description : There is no description at this point. , YARA : [ rule win_touchmove_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.touchmove.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 41b800040000 488d8c2452010000 e8???????? 4c8d442448 488d152df90000 } // n = 5, score = 100 // 41b800040000 | movdqa xmmword ptr [ebp + 0x2220], xmm5 // 488d8c2452010000 | mov byte ptr [ebp + 0x2232], 0 // e8???????? 
| // 4c8d442448 | dec eax // 488d152df90000 | lea ecx, [ebp + 0xa20] $sequence_1 = { 488d157af70000 488d8d90000000 e8???????? 4c8d8590000000 33d2 33c9 } // n = 6, score = 100 // 488d157af70000 | lea ecx, [esp + 0x152] // 488d8d90000000 | mov word ptr [ebp + 0x4d90], si // e8???????? | // 4c8d8590000000 | xor edx, edx // 33d2 | inc ecx // 33c9 | mov eax, 0x400 $sequence_2 = { 7528 48833d????????00 741e 488d0d499f0000 e8???????? 85c0 } // n = 6, score = 100 // 7528 | mov eax, 0xe7 // 48833d????????00 | // 741e | mov dword ptr [ebp + 0x1730], 0x70616e53 // 488d0d499f0000 | mov dword ptr [ebp + 0x1734], 0x746f6873 // e8???????? | // 85c0 | xor edx, edx $sequence_3 = { 41b8ee000000 488d8d92430000 e8???????? c6858044000000 33d2 41b8ff000000 488d8d81440000 } // n = 7, score = 100 // 41b8ee000000 | lea edx, [0xe497] // 488d8d92430000 | dec eax // e8???????? | // c6858044000000 | sar eax, 5 // 33d2 | and ecx, 0x1f // 41b8ff000000 | dec eax // 488d8d81440000 | mov eax, dword ptr [edx + eax*8] $sequence_4 = { ff15???????? 488d442450 4889442420 458bce 4533c0 488d9580410000 48c7c102000080 } // n = 7, score = 100 // ff15???????? | // 488d442450 | xor edx, edx // 4889442420 | movdqa xmmword ptr [ebp + 0x1520], xmm5 // 458bce | inc ecx // 4533c0 | mov eax, 0xe6 // 488d9580410000 | mov dword ptr [ebp + 0x1530], 0x72747441 // 48c7c102000080 | mov dword ptr [ebp + 0x1534], 0x74756269 $sequence_5 = { 0f8514010000 4c8d2d36cd0000 41b804010000 668935???????? 498bd5 ff15???????? 418d7c24e7 } // n = 7, score = 100 // 0f8514010000 | lea ecx, [ebp + 0x4680] // 4c8d2d36cd0000 | dec esp // 41b804010000 | lea eax, [ebp + 0x4880] // 668935???????? | // 498bd5 | dec eax // ff15???????? | // 418d7c24e7 | lea edx, [0xe178] $sequence_6 = { 48833d????????00 0f844d040000 48833d????????00 0f843f040000 } // n = 4, score = 100 // 48833d????????00 | // 0f844d040000 | inc ecx // 48833d????????00 | // 0f843f040000 | mov ecx, 4 $sequence_7 = { 833d????????00 7505 e8???????? 
488d3d40e00000 41b804010000 } // n = 5, score = 100 // 833d????????00 | // 7505 | dec eax // e8???????? | // 488d3d40e00000 | and dword ptr [esp + 0x30], 0 // 41b804010000 | and dword ptr [esp + 0x28], 0 $sequence_8 = { 488bfb 488bf3 48c1fe05 4c8d25bebd0000 83e71f 486bff58 } // n = 6, score = 100 // 488bfb | inc ecx // 488bf3 | mov eax, 0x98 // 48c1fe05 | dec ecx // 4c8d25bebd0000 | mov esi, ecx // 83e71f | dec ebp // 486bff58 | mov ebp, esi $sequence_9 = { 8bc8 e8???????? ebc9 488bcb 488bc3 488d1597e40000 48c1f805 } // n = 7, score = 100 // 8bc8 | cmp dword ptr [edx], 0 // e8???????? | // ebc9 | jne 0x2c8 // 488bcb | dec eax // 488bc3 | lea eax, [0x100f4] // 488d1597e40000 | dec esp // 48c1f805 | cmp edx, eax condition: 7 of them and filesize < 224256 } , rule win_touchmove_w0 { meta: author = \ \ date = \ 2023-07-03\ version = \ 1\ description = \ Detects win.touchmove. Based on the yara-signator's win_touchmove_auto, manually adjusted.\ hash = \ 3D988AA9D79EF06BCEE5E4A4FED4EFDC1047A3456969E7DCE3C5B27631D651B9\ //SHA-1: 7F4371D557CD4EAB657EF8B62A1E21DB997AA594 hash = \ D21C5AD2A254EB6C7B0C656A317997D1C7FA7448927347ACB4687B69E70B8B5A\ //SHA-1: 83CF7D8EF1A241001C599B9BCC8940E089B613FB malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove\ malpedia_rule_date = \ 20230705\ malpedia_hash = \ \ malpedia_version = \ 20230705\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ strings: $sequence_1 = { 48 89 05 ?? ?? ?? ?? 0f 84 84 00 00 00 48 83 3d ?? ?? ?? ?? 00 74 7a 48 83 3d ?? ?? ?? ?? 00 74 70 } // n = 6, score = 100 // 488905???????? 
| // 0f8484000000 | dec eax // 48833d????????00 | // 747a | test eax, eax // 48833d????????00 | // 7470 | je 0xa44 $sequence_2 = { 72 a6 42 81 3c 21 50 45 00 00 48 89 74 24 78 4a 8d 34 21 75 12 b8 64 86 00 00 66 39 46 04 } // n = 7, score = 100 // 72a6 | mov word ptr [ebp + 0x4090], 0x7265 // 42813c2150450000 | mov byte ptr [ebp + 0x4092], 0 // 4889742478 | xor edx, edx // 4a8d3421 | movdqa xmmword ptr [ebp + 0x4280], xmm5 // 7512 | mov word ptr [ebp + 0x4290], 0x6e // b864860000 | xor edx, edx // 66394604 | inc ecx /* 0x1800024bd C78570020000DA48A314 mov dword ptr [rbp + 0x270], 0x14a348da 0x1800024c7 C785740200008DBFE2D2 mov dword ptr [rbp + 0x274], 0xd2e2bf8d 0x1800024d1 C78578020000EF911211 mov dword ptr [rbp + 0x278], 0x111291ef 0x1800024db C7857C020000FF7559A3 mov dword ptr [rbp + 0x27c], 0xa35975ff 0x1800024e5 C78580020000E16EA064 mov dword ptr [rbp + 0x280], 0x64a06ee1 0x1800024ef C78584020000B8788977 mov dword ptr [rbp + 0x284], 0x778978b8 0x1800024f9 C78588020000A0379158 mov dword ptr [rbp + 0x288], 0x589137a0 0x180002503 C7858C0200005AFFFF07 mov dword ptr [rbp + 0x28c], 0x7ffff5a */ $sequence_A = { C7 85 ?? ?? ?? ?? DA 48 A3 14 C7 85 ?? ?? ?? ?? 8D BF E2 D2 C7 85 ?? ?? ?? ?? EF 91 12 11 C7 85 ?? ?? ?? ?? FF 75 59 A3 C7 85 ?? ?? ?? ?? E1 6E A0 64 C7 85 ?? ?? ?? ?? B8 78 89 77 C7 85 ?? ?? ?? ?? A0 37 91 58 C7 85 ?? ?? ?? ?? 
5A FF FF 07 } //256-bit key /* 0x180001070 8B41FC mov eax, dword ptr [rcx - 4] 0x180001073 4883C104 add rcx, 4 0x180001077 2D4786C861 sub eax, 0x61c88647 0x18000107c 8941FC mov dword ptr [rcx - 4], eax */ $sequence_B = { 8B 41 FC 48 83 C1 04 2D 47 86 C8 61 89 41 FC } //RC6 key schedule /* 0x18000225d 2BC8 sub ecx, eax 0x18000225f B8398EE338 mov eax, 0x38e38e39 0x180002264 83C148 add ecx, 0x48 0x180002267 F7E1 mul ecx 0x180002269 C1EA04 shr edx, 4 */ $sequence_C = { 2B C8 B8 39 8E E3 38 83 C1 48 F7 E1 C1 EA 04 } //CRC-32 $sequence_D = \ LLTMapperApi.dll\ wide fullword //version info condition: 5 of them and filesize < 224256 } ] }, { Malware : Volgmer , Description : There is no description at this point. , YARA : [ rule win_volgmer_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.volgmer.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488b4d40 4833cc e8???????? 
4c8d9c2450010000 498b5b18 498b7b20 498be3 } // n = 7, score = 300 // 488b4d40 | pop edi // 4833cc | je 0x16 // e8???????? | // 4c8d9c2450010000 | sub edx, ecx // 498b5b18 | mov cx, word ptr [edx + eax] // 498b7b20 | test cx, cx // 498be3 | mov cl, byte ptr [esp + 0x28] $sequence_1 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 48894540 } // n = 7, score = 300 // 48897c2418 | jne 0x11 // 55 | cmp dword ptr [esp + 0x30], ebp // 488d6c24b0 | jne 0x11 // 4881ec50010000 | lea eax, [esp + 8] // 488b05???????? | // 4833c4 | push eax // 48894540 | test eax, eax $sequence_2 = { e8???????? 488b4dc3 41890424 e8???????? } // n = 4, score = 200 // e8???????? | // 488b4dc3 | inc ecx // 41890424 | mov eax, 0x206 // e8???????? | $sequence_3 = { d1c6 c1c105 03c6 89742404 03c3 } // n = 5, score = 200 // d1c6 | mov ecx, dword ptr [ebp - 0x3d] // c1c105 | inc ecx // 03c6 | mov dword ptr [esp], eax // 89742404 | dec eax // 03c3 | mov ecx, dword ptr [ebp - 0x4d] $sequence_4 = { ff15???????? 4885c0 740f 488b4018 488b08 8b01 8905???????? } // n = 7, score = 200 // ff15???????? | // 4885c0 | inc ecx // 740f | mov dword ptr [esp + 4], eax // 488b4018 | dec eax // 488b08 | mov ecx, dword ptr [ebp - 0x3d] // 8b01 | inc ecx // 8905???????? | $sequence_5 = { 8b45b0 488d8dc00f0000 4533c9 4889742430 89442428 ba00000080 c744242003000000 } // n = 7, score = 200 // 8b45b0 | test al, al // 488d8dc00f0000 | jne 0 // 4533c9 | push 0 // 4889742430 | sub ecx, edx // 89442428 | lea eax, [ebp - 0xa30] // ba00000080 | push eax // c744242003000000 | push dword ptr [edi + 8] $sequence_6 = { e8???????? 488bd8 eb03 488bdf 488d056efeffff } // n = 5, score = 200 // e8???????? 
| // 488bd8 | mov word ptr [ebp + 0x5d0], di // eb03 | dec eax // 488bdf | lea ecx, [ebp + 0x1b0] // 488d056efeffff | dec eax $sequence_7 = { 75e9 488d8d90140000 48ffc9 40387101 488d4901 75f6 4c8b45a0 } // n = 7, score = 200 // 75e9 | mov dword ptr [esi + 0x38], eax // 488d8d90140000 | jmp 0x13 // 48ffc9 | mov dword ptr [esi + 0x34], 0x737b04 // 40387101 | mov dword ptr [esi + 0x38], 6 // 488d4901 | mov al, byte ptr [edi + 0x73e1bc] // 75f6 | or byte ptr [esi + edx + 0x19], al // 4c8b45a0 | inc edx $sequence_8 = { c6843de011000000 488d8de0110000 e8???????? 488b4c2440 488d95e0110000 ff15???????? 0fb63d???????? } // n = 7, score = 200 // c6843de011000000 | movzx eax, byte ptr [ecx + 1] // 488d8de0110000 | cmp edx, eax // e8???????? | // 488b4c2440 | dec eax // 488d95e0110000 | mov dword ptr [esp + 0x18], edi // ff15???????? | // 0fb63d???????? | $sequence_9 = { 488d4d60 41b808040000 8bf8 e8???????? ba32d00200 b940000000 ff55e0 } // n = 7, score = 200 // 488d4d60 | dec eax // 41b808040000 | mov dword ptr [esp + 0x18], edi // 8bf8 | push ebp // e8???????? | // ba32d00200 | dec eax // b940000000 | lea ebp, [esp - 0x50] // ff55e0 | dec eax $sequence_10 = { e8???????? 488d8dd2050000 33d2 41b806020000 6689bdd0050000 e8???????? } // n = 6, score = 200 // e8???????? | // 488d8dd2050000 | dec eax // 33d2 | lea ecx, [ebp + 0x5d2] // 41b806020000 | xor edx, edx // 6689bdd0050000 | inc ecx // e8???????? | $sequence_11 = { ff15???????? 85c0 7507 b800000100 eb26 } // n = 5, score = 200 // ff15???????? | // 85c0 | mov ecx, dword ptr [ebp - 0x3d] // 7507 | inc ecx // b800000100 | mov dword ptr [esp], eax // eb26 | dec eax $sequence_12 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 } // n = 5, score = 200 // e8???????? | // e8???????? | // e8???????? | // e8???????? | // c705????????04000000 | $sequence_13 = { e8???????? 85c0 7466 33d2 488d8c24e4000000 41b804040000 e8???????? } // n = 7, score = 200 // e8???????? 
| // 85c0 | push ebp // 7466 | dec eax // 33d2 | lea ebp, [esp - 0x50] // 488d8c24e4000000 | dec eax // 41b804040000 | sub esp, 0x150 // e8???????? | $sequence_14 = { 8bd6 c68435000a000000 488d8d000a0000 e8???????? 488d95000a0000 498bce ff15???????? } // n = 7, score = 200 // 8bd6 | call dword ptr [ebp - 0xc1c] // c68435000a000000 | cmp dword ptr [edi + 0x14], 0x800000 // 488d8d000a0000 | mov dword ptr [edi + 0xc], eax // e8???????? | // 488d95000a0000 | jne 0x31 // 498bce | jmp 0x19 // ff15???????? | $sequence_15 = { eb17 894638 eb0e c74634047b7300 c7463806000000 } // n = 5, score = 100 // eb17 | mov dword ptr [esp + 0x18], edi // 894638 | push ebp // eb0e | dec eax // c74634047b7300 | lea ebp, [esp - 0x50] // c7463806000000 | dec eax $sequence_16 = { 8a07 8b0c9580f16e00 8844192e 8b049580f16e00 804c182d04 } // n = 5, score = 100 // 8a07 | dec eax // 8b0c9580f16e00 | mov dword ptr [esp + 0x18], edi // 8844192e | push ebp // 8b049580f16e00 | dec eax // 804c182d04 | lea ebp, [esp - 0x50] $sequence_17 = { 8b4504 8b4d0c 6a00 52 } // n = 4, score = 100 // 8b4504 | test eax, eax // 8b4d0c | jne 0x45 // 6a00 | dec eax // 52 | mov edi, dword ptr [esp + 0x40] $sequence_18 = { 8b048dd4926d00 ffe0 f7c703000000 7413 8a06 8807 } // n = 6, score = 100 // 8b048dd4926d00 | dec ecx // ffe0 | mov ebx, dword ptr [ebx + 0x18] // f7c703000000 | dec ecx // 7413 | mov edi, dword ptr [ebx + 0x20] // 8a06 | dec ecx // 8807 | mov esp, ebx $sequence_19 = { e9???????? c745dc02000000 c745e0e4ba7300 8b4508 8bcf } // n = 5, score = 100 // e9???????? | // c745dc02000000 | sub esp, 0x150 // c745e0e4ba7300 | dec eax // 8b4508 | mov dword ptr [esp + 0x18], edi // 8bcf | push ebp $sequence_20 = { 83c408 85f6 0f84b7010000 8bce 8d85d0fdffff } // n = 5, score = 100 // 83c408 | dec eax // 85f6 | lea ebp, [esp - 0x50] // 0f84b7010000 | dec eax // 8bce | sub esp, 0x150 // 8d85d0fdffff | dec eax $sequence_21 = { 03048d80f16e00 50 ff15???????? 
5d c3 8bff } // n = 6, score = 100 // 03048d80f16e00 | dec eax // 50 | sub esp, 0x150 // ff15???????? | // 5d | dec eax // c3 | mov dword ptr [esp + 0x10], ebx // 8bff | dec eax $sequence_22 = { 50 68???????? ff7708 ff95e4f3ffff 817f1400008000 89470c 751c } // n = 7, score = 100 // 50 | lea ebp, [esp - 0x50] // 68???????? | // ff7708 | dec eax // ff95e4f3ffff | sub esp, 0x150 // 817f1400008000 | dec eax // 89470c | mov dword ptr [esp + 0x10], ebx // 751c | dec eax $sequence_23 = { 5f 5e c684101803000000 5b } // n = 4, score = 100 // 5f | dec eax // 5e | lea ebp, [esp - 0x50] // c684101803000000 | dec eax // 5b | sub esp, 0x150 $sequence_24 = { 8a4c2428 8d442428 3acb 741a } // n = 4, score = 100 // 8a4c2428 | mov eax, dword ptr [eax + 0x18] // 8d442428 | dec eax // 3acb | mov ecx, dword ptr [eax] // 741a | mov eax, dword ptr [ecx] $sequence_25 = { 40 c745ecb8996d00 894df8 8945fc 64a100000000 8945e8 8d45e8 } // n = 7, score = 100 // 40 | lea ebp, [esp - 0x50] // c745ecb8996d00 | dec eax // 894df8 | sub esp, 0x150 // 8945fc | dec eax // 64a100000000 | xor eax, esp // 8945e8 | dec eax // 8d45e8 | mov dword ptr [esp + 0x10], ebx $sequence_26 = { 50 52 56 6a00 68e9fd0000 ff95e8f3ffff ff7714 } // n = 7, score = 100 // 50 | dec ecx // 52 | mov edi, dword ptr [ebx + 0x20] // 56 | dec ecx // 6a00 | mov esp, ebx // 68e9fd0000 | dec eax // ff95e8f3ffff | mov dword ptr [esp + 0x18], edi // ff7714 | push ebp $sequence_27 = { 50 51 53 53 6800000008 } // n = 5, score = 100 // 50 | inc ecx // 51 | mov dword ptr [esp + 4], eax // 53 | rol esi, 1 // 53 | rol ecx, 5 // 6800000008 | add eax, esi $sequence_28 = { ff15???????? 8d442408 50 ff15???????? 85c0 5f 740c } // n = 7, score = 100 // ff15???????? | // 8d442408 | add eax, esi // 50 | mov dword ptr [esp + 4], esi // ff15???????? | // 85c0 | add eax, ebx // 5f | mov ebx, dword ptr [esp + 0xa8] // 740c | dec eax $sequence_29 = { ba???????? 2bd1 668b0c02 6685c9 } // n = 4, score = 100 // ba???????? 
| // 2bd1 | test eax, eax // 668b0c02 | je 0x11 // 6685c9 | dec eax $sequence_30 = { c745dc03000000 c745e0e0ba6e00 e9???????? 83e80f 7451 } // n = 5, score = 100 // c745dc03000000 | dec eax // c745e0e0ba6e00 | mov dword ptr [esp + 0x18], edi // e9???????? | // 83e80f | push ebp // 7451 | dec eax $sequence_31 = { 33d2 05d9e7ffff 56 83f815 0f8711010000 ff2485786b6d00 51 } // n = 7, score = 100 // 33d2 | dec eax // 05d9e7ffff | sub esp, 0x150 // 56 | dec eax // 83f815 | mov dword ptr [esp + 0x18], edi // 0f8711010000 | push ebp // ff2485786b6d00 | dec eax // 51 | lea ebp, [esp - 0x50] $sequence_32 = { 8a01 41 84c0 75f9 6a00 2bca 8d85d0f5ffff } // n = 7, score = 100 // 8a01 | xor eax, esp // 41 | dec eax // 84c0 | mov dword ptr [esp + 0x10], ebx // 75f9 | dec eax // 6a00 | mov dword ptr [esp + 0x18], edi // 2bca | push ebp // 8d85d0f5ffff | dec eax $sequence_33 = { 8d0d90b87300 ba1b000000 e9???????? a900000080 7517 ebd4 a9ffff0f00 } // n = 7, score = 100 // 8d0d90b87300 | dec eax // ba1b000000 | mov dword ptr [esp + 0x18], edi // e9???????? | // a900000080 | push ebp // 7517 | dec eax // ebd4 | lea ebp, [esp - 0x50] // a9ffff0f00 | dec eax $sequence_34 = { e9???????? 894ddc c745e0d8ba6e00 e9???????? c745e0d4ba6e00 eba2 894ddc } // n = 7, score = 100 // e9???????? | // 894ddc | mov dword ptr [esp + 0x18], edi // c745e0d8ba6e00 | push ebp // e9???????? | // c745e0d4ba6e00 | dec eax // eba2 | lea ebp, [esp - 0x50] // 894ddc | dec eax $sequence_35 = { 8b4de8 8b048580f16e00 f644082840 7409 } // n = 4, score = 100 // 8b4de8 | dec eax // 8b048580f16e00 | xor ecx, esp // f644082840 | dec esp // 7409 | lea ebx, [esp + 0x150] $sequence_36 = { 396c2434 750b 396c2430 7505 } // n = 4, score = 100 // 396c2434 | mov dword ptr [esp + 4], esi // 750b | add eax, ebx // 396c2430 | rol esi, 1 // 7505 | rol ecx, 5 condition: 7 of them and filesize < 393216 } ] }, { Malware : WikiLoader , Description : There is no description at this point. There is no Yara-Signature yet. 
, YARA : [] }, { Malware : BeaverTail , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Choziosi , Description : A loader delivering malicious Chrome and Safari extensions. A loader delivering malicious Chrome and Safari extensions. There is no Yara-Signature yet. , YARA : [] }, { Malware : Choziosi , Description : Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. The initial infectors are available for several platforms such as Mac and Windows. Its main component is the Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing. Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. The initial infectors are available for several platforms such as Mac and Windows. Its main component is the Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing. There is no Yara-Signature yet. , YARA : [] }, { Malware : InvisibleFerret , Description : There is no description at this point. There is no Yara-Signature yet. , YARA : [] }, { Malware : Action RAT , Description : There is no description at this point. 
, YARA : [ rule win_action_rat_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.action_rat.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d4d0c e8???????? 8b4508 8b4df4 64890d00000000 59 5b } // n = 7, score = 100 // 8d4d0c | lea ecx, [ebp + 0xc] // e8???????? | // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 64890d00000000 | mov dword ptr fs:[0], ecx // 59 | pop ecx // 5b | pop ebx $sequence_1 = { 8b55f8 52 8b4dfc 83c134 e8???????? 8b00 50 } // n = 7, score = 100 // 8b55f8 | mov edx, dword ptr [ebp - 8] // 52 | push edx // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 83c134 | add ecx, 0x34 // e8???????? 
| // 8b00 | mov eax, dword ptr [eax] // 50 | push eax $sequence_2 = { 83c270 52 8b4dfc 83c170 } // n = 4, score = 100 // 83c270 | add edx, 0x70 // 52 | push edx // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 83c170 | add ecx, 0x70 $sequence_3 = { e8???????? c745d400000000 eb09 8b4dd4 83c101 894dd4 8d4d0c } // n = 7, score = 100 // e8???????? | // c745d400000000 | mov dword ptr [ebp - 0x2c], 0 // eb09 | jmp 0xb // 8b4dd4 | mov ecx, dword ptr [ebp - 0x2c] // 83c101 | add ecx, 1 // 894dd4 | mov dword ptr [ebp - 0x2c], ecx // 8d4d0c | lea ecx, [ebp + 0xc] $sequence_4 = { 7420 0fb645fb 50 8b4df4 8b4918 e8???????? 0fb6d0 } // n = 7, score = 100 // 7420 | je 0x22 // 0fb645fb | movzx eax, byte ptr [ebp - 5] // 50 | push eax // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 8b4918 | mov ecx, dword ptr [ecx + 0x18] // e8???????? | // 0fb6d0 | movzx edx, al $sequence_5 = { 0fb74202 50 ff15???????? 0fb7c8 8b5514 890a } // n = 6, score = 100 // 0fb74202 | movzx eax, word ptr [edx + 2] // 50 | push eax // ff15???????? | // 0fb7c8 | movzx ecx, ax // 8b5514 | mov edx, dword ptr [ebp + 0x14] // 890a | mov dword ptr [edx], ecx $sequence_6 = { 6a00 8b45fc 50 8b4d08 51 e8???????? 83c418 } // n = 7, score = 100 // 6a00 | push 0 // 8b45fc | mov eax, dword ptr [ebp - 4] // 50 | push eax // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 51 | push ecx // e8???????? | // 83c418 | add esp, 0x18 $sequence_7 = { e8???????? 8d8ddcfbffff e8???????? c645fc0e 6a00 68e0930400 6a00 } // n = 7, score = 100 // e8???????? | // 8d8ddcfbffff | lea ecx, [ebp - 0x424] // e8???????? 
| // c645fc0e | mov byte ptr [ebp - 4], 0xe // 6a00 | push 0 // 68e0930400 | push 0x493e0 // 6a00 | push 0 $sequence_8 = { 0de0000000 b901000000 6bd100 8b4d0c 880411 8b5508 c1fa06 } // n = 7, score = 100 // 0de0000000 | or eax, 0xe0 // b901000000 | mov ecx, 1 // 6bd100 | imul edx, ecx, 0 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 880411 | mov byte ptr [ecx + edx], al // 8b5508 | mov edx, dword ptr [ebp + 8] // c1fa06 | sar edx, 6 $sequence_9 = { 8b4df4 3b4df8 750b 68???????? ff15???????? 8b55ec 833a22 } // n = 7, score = 100 // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 3b4df8 | cmp ecx, dword ptr [ebp - 8] // 750b | jne 0xd // 68???????? | // ff15???????? | // 8b55ec | mov edx, dword ptr [ebp - 0x14] // 833a22 | cmp dword ptr [edx], 0x22 condition: 7 of them and filesize < 480256 } ] }, { Malware : AllaKore , Description : AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control. AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control. There is no Yara-Signature yet. , YARA : [] }, { Malware : Chaos , Description : In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a \ Ryuk .Net Ransomware Builder\ even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration. 
In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a \ Ryuk .Net Ransomware Builder\ even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration. , YARA : [ import \ pe\ rule win_chaos_w0 { meta: description = \ Detects Ransomware Built by Chaos Ransomware Builder\ author = \ BlackBerry Threat Research\ date = \ 2022-05-10\ source = \ https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree\ license = \ This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos\ malpedia_rule_date = \ 20221007\ malpedia_hash = \ \ malpedia_version = \ 20221007\ malpedia_sharing = \ TLP:WHITE\ strings: //Ransom References $x1 = \ Encrypt\ ascii wide $x2 = \ (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})\ ascii wide $x3 = \ read\ ascii wide //Ransom Hex $r1 = { 20 76 69 72 75 73 } $r2 = { 72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65 } //Shadow Copy Delete $z0 = \ deleteShadowCopies\ ascii wide $z1 = \ shadowcopy\ ascii wide condition: //PE File uint16(0) == 0x5a4d and // Must be less than filesize < 35KB and // Must have exact import hash pe.imphash() == \ f34d5f2d4577ed6d9ceec516c1f5a744\ and //Number of sections pe.number_of_sections == 3 and //These Strings ((all of ($x*)) and (1 of ($r*)) and (1 of ($z*))) } , import \ pe\ rule win_chaos_w1 { meta: description = \ Detects Onyx Ransomware build off of Chaos Builder v4\ author = \ BlackBerry Threat Research\ date = \ 2022-05-10\ source = \ 
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree\ license = \ This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos\ malpedia_rule_date = \ 20221007\ malpedia_hash = \ \ malpedia_version = \ 20221007\ malpedia_sharing = \ TLP:WHITE\ strings: $s1 = \ (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})\ wide $s2 = \ All of your files are currently encrypted by ONYX strain.\ wide $s3 = \ Inform your supervisors and stay calm!\ wide condition: //PE File uint16(0) == 0x5a4d and //Directories pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and //All strings all of ($s*) } , import \ pe\ rule win_chaos_w2 { meta: description = \ Detects Chaos Ransomware Builder\ author = \ BlackBerry Threat Research\ date = \ 2022-05-10\ source = \ https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree\ license = \ This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos\ malpedia_rule_date = \ 20221007\ malpedia_hash = \ \ malpedia_version = \ 20221007\ malpedia_sharing = \ TLP:WHITE\ strings: $s0 = \ 1qw0ll8p9m8uezhqhyd\ ascii wide $s1 = \ Chaos Ransomware Builder\ ascii wide $s2 = \ payloadFutureName\ ascii wide $s3 = \ read_it.txt\ ascii wide $s4 = \ encryptedFileExtension\ ascii wide $x0 = \ 1098576\ ascii wide $x1 = \ 2197152\ ascii wide condition: //PE File uint16(0) == 0x5a4d and //All 
strings ((all of ($s*)) and (1 of ($x*))) } ] }, { Malware : Chinotto , Description : There is no description at this point. , YARA : [ rule win_chinotto_auto { meta: author = \ Felix Bilstein - yara-signator at cocacoding dot com\ date = \ 2023-12-06\ version = \ 1\ description = \ Detects win.chinotto.\ info = \ autogenerated rule brought to you by yara-signator\ tool = \ yara-signator v0.6.0\ signator_config = \ callsandjumps;datarefs;binvalue\ malpedia_reference = \ https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto\ malpedia_rule_date = \ 20231130\ malpedia_hash = \ fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351\ malpedia_version = \ 20230808\ malpedia_license = \ CC BY-SA 4.0\ malpedia_sharing = \ TLP:WHITE\ /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 034d0c 53 56 57 8b7848 8b774c } // n = 6, score = 100 // 034d0c | add ecx, dword ptr [ebp + 0xc] // 53 | push ebx // 56 | push esi // 57 | push edi // 8b7848 | mov edi, dword ptr [eax + 0x48] // 8b774c | mov esi, dword ptr [edi + 0x4c] $sequence_1 = { 6a1a e8???????? 8bd8 b906000000 be???????? 8bfb f3a5 } // n = 7, score = 100 // 6a1a | push 0x1a // e8???????? | // 8bd8 | mov ebx, eax // b906000000 | mov ecx, 6 // be???????? 
| // 8bfb | mov edi, ebx // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] $sequence_2 = { c745f800000000 8955c8 85d2 7505 ba02000000 8b461c 8bf8 } // n = 7, score = 100 // c745f800000000 | mov dword ptr [ebp - 8], 0 // 8955c8 | mov dword ptr [ebp - 0x38], edx // 85d2 | test edx, edx // 7505 | jne 7 // ba02000000 | mov edx, 2 // 8b461c | mov eax, dword ptr [esi + 0x1c] // 8bf8 | mov edi, eax $sequence_3 = { 57 8945f0 8d5801 740e 8b4e1c 2b4e40 } // n = 6, score = 100 // 57 | push edi // 8945f0 | mov dword ptr [ebp - 0x10], eax // 8d5801 | lea ebx, [eax + 1] // 740e | je 0x10 // 8b4e1c | mov ecx, dword ptr [esi + 0x1c] // 2b4e40 | sub ecx, dword ptr [esi + 0x40] $sequence_4 = { 837dfc00 7514 837dd000 0f8421080000 837e2000 0f8417080000 } // n = 6, score = 100 // 837dfc00 | cmp dword ptr [ebp - 4], 0 // 7514 | jne 0x16 // 837dd000 | cmp dword ptr [ebp - 0x30], 0 // 0f8421080000 | je 0x827 // 837e2000 | cmp dword ptr [esi + 0x20], 0 // 0f8417080000 | je 0x81d $sequence_5 = { 8d8dd0fbffff 68???????? 51 ffd6 83c418 8d95a4f1ffff 52 } // n = 7, score = 100 // 8d8dd0fbffff | lea ecx, [ebp - 0x430] // 68???????? 
| // 51 | push ecx // ffd6 | call esi // 83c418 | add esp, 0x18 // 8d95a4f1ffff | lea edx, [ebp - 0xe5c] // 52 | push edx $sequence_6 = { 8b5620 57 8b7e24 8bc2 0bc7 7412 8bc2 } // n = 7, score = 100 // 8b5620 | mov edx, dword ptr [esi + 0x20] // 57 | push edi // 8b7e24 | mov edi, dword ptr [esi + 0x24] // 8bc2 | mov eax, edx // 0bc7 | or eax, edi // 7412 | je 0x14 // 8bc2 | mov eax, edx $sequence_7 = { 8a08 40 84c9 75f9 2bc7 8b7d18 } // n = 6, score = 100 // 8a08 | mov cl, byte ptr [eax] // 40 | inc eax // 84c9 | test cl, cl // 75f9 | jne 0xfffffffb // 2bc7 | sub eax, edi // 8b7d18 | mov edi, dword ptr [ebp + 0x18] $sequence_8 = { 83c434 5f 5e 33cd 8d85e0fdfcff 5b } // n = 6, score = 100 // 83c434 | add esp, 0x34 // 5f | pop edi // 5e | pop esi // 33cd | xor ecx, ebp // 8d85e0fdfcff | lea eax, [ebp - 0x30220] // 5b | pop ebx $sequence_9 = { 8b471c 50 0fafc1 034710 8d55f8 } // n = 5, score = 100 // 8b471c | mov eax, dword ptr [edi + 0x1c] // 50 | push eax // 0fafc1 | imul eax, ecx // 034710 | add eax, dword ptr [edi + 0x10] // 8d55f8 | lea edx, [ebp - 8] condition: 7 of them and filesize < 300032 } ] } ]