SYMBOLCOMMON_NAMEaka. SYNONYMS
osx.gmera (Back to overview)

Gmera

aka: StockSteal, Kassi

There is no description at this point.

References
2020-07-16ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20200716:mac:405cc1d, author = {Marc-Etienne M.Léveillé}, title = {{Mac cryptocurrency trading application rebranded, bundled with malware}}, date = {2020-07-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/}, language = {English}, urldate = {2020-07-16} } Mac cryptocurrency trading application rebranded, bundled with malware
Gmera
2020-01-01Objective-SeePatrick Wardle
@online{wardle:20200101:mac:1d3cffc, author = {Patrick Wardle}, title = {{The Mac Malware of 2019}}, date = {2020-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x53.html}, language = {English}, urldate = {2020-07-20} } The Mac Malware of 2019
Gmera Mokes Yort
2019-09-20Trend MicroLuis Magisa
@online{magisa:20190920:mac:c83a228, author = {Luis Magisa}, title = {{Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website}}, date = {2019-09-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/}, language = {English}, urldate = {2020-05-19} } Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website
Gmera
Yara Rules
[TLP:WHITE] osx_gmera_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule osx_gmera_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d6de0 48 89df e8???????? 48 }
            // n = 5, score = 200
            //   8d6de0               | lea                 ebp, [ebp - 0x20]
            //   48                   | dec                 eax
            //   89df                 | mov                 edi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax

        $sequence_1 = { 84c0 7509 48 8d7b08 e8???????? 8a4338 84c0 }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   7509                 | jne                 0xb
            //   48                   | dec                 eax
            //   8d7b08               | lea                 edi, [ebx + 8]
            //   e8????????           |                     
            //   8a4338               | mov                 al, byte ptr [ebx + 0x38]
            //   84c0                 | test                al, al

        $sequence_2 = { 83ec18 48 89fb 48 8b3d???????? 48 01df }
            // n = 7, score = 200
            //   83ec18               | sub                 esp, 0x18
            //   48                   | dec                 eax
            //   89fb                 | mov                 ebx, edi
            //   48                   | dec                 eax
            //   8b3d????????         |                     
            //   48                   | dec                 eax
            //   01df                 | add                 edi, ebx

        $sequence_3 = { 48 83ec10 48 8b3d???????? 4c 01ef 31f6 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   83ec10               | sub                 esp, 0x10
            //   48                   | dec                 eax
            //   8b3d????????         |                     
            //   4c                   | dec                 esp
            //   01ef                 | add                 edi, ebp
            //   31f6                 | xor                 esi, esi

        $sequence_4 = { 49 c744c73000000000 4c 8b75d0 }
            // n = 4, score = 200
            //   49                   | dec                 ecx
            //   c744c73000000000     | mov                 dword ptr [edi + eax*8 + 0x30], 0
            //   4c                   | dec                 esp
            //   8b75d0               | mov                 esi, dword ptr [ebp - 0x30]

        $sequence_5 = { 49 8b3c06 4c 8d6dd0 e8???????? 4c }
            // n = 6, score = 200
            //   49                   | dec                 ecx
            //   8b3c06               | mov                 edi, dword ptr [esi + eax]
            //   4c                   | dec                 esp
            //   8d6dd0               | lea                 ebp, [ebp - 0x30]
            //   e8????????           |                     
            //   4c                   | dec                 esp

        $sequence_6 = { 8b4730 0fb75734 48 83c007 48 bef8ffffff 0100 }
            // n = 7, score = 200
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   0fb75734             | movzx               edx, word ptr [edi + 0x34]
            //   48                   | dec                 eax
            //   83c007               | add                 eax, 7
            //   48                   | dec                 eax
            //   bef8ffffff           | mov                 esi, 0xfffffff8
            //   0100                 | add                 dword ptr [eax], eax

        $sequence_7 = { 0100 0000 48 21c1 48 8d045b }
            // n = 6, score = 200
            //   0100                 | add                 dword ptr [eax], eax
            //   0000                 | add                 byte ptr [eax], al
            //   48                   | dec                 eax
            //   21c1                 | and                 ecx, eax
            //   48                   | dec                 eax
            //   8d045b               | lea                 eax, [ebx + ebx*2]

        $sequence_8 = { 89de 4d 89f5 e8???????? 48 }
            // n = 5, score = 200
            //   89de                 | mov                 esi, ebx
            //   4d                   | dec                 ebp
            //   89f5                 | mov                 ebp, esi
            //   e8????????           |                     
            //   48                   | dec                 eax

        $sequence_9 = { 48 8d7de0 31d2 48 }
            // n = 4, score = 200
            //   48                   | dec                 eax
            //   8d7de0               | lea                 edi, [ebp - 0x20]
            //   31d2                 | xor                 edx, edx
            //   48                   | dec                 eax

    condition:
        7 of them and filesize < 97248
}
Download all Yara Rules