AbSent Loader (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.absentloader (Back to overview)
AbSent Loader

There is no description at this point.
References

2020-05-12 ⋅ Twitter (@cocaman) ⋅ Corsin Camichel
Tweet on AbSent Loader
AbSent Loader
2019-05-09 ⋅ Github (Tlgyt) ⋅ Yattaze
Github Repository of AbSent-Loader
AbSent Loader
Yara Rules

[TLP:WHITE] win_absentloader_auto (20230808 | Detects win.absentloader.)
rule win_absentloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.absentloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { fe81b89406fd 89148d909406fd 8d4dfc e8???????? 5e c9 c3 }
            // n = 7, score = 200
            //   fe81b89406fd         | inc                 byte ptr [ecx - 0x2f96b48]
            //   89148d909406fd       | mov                 dword ptr [ecx*4 - 0x2f96b70], edx
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_1 = { eb16 66c704375c6e eb0e 66c704375c74 eb06 66c704375c62 83c602 }
            // n = 7, score = 200
            //   eb16                 | jmp                 0x18
            //   66c704375c6e         | mov                 word ptr [edi + esi], 0x6e5c
            //   eb0e                 | jmp                 0x10
            //   66c704375c74         | mov                 word ptr [edi + esi], 0x745c
            //   eb06                 | jmp                 8
            //   66c704375c62         | mov                 word ptr [edi + esi], 0x625c
            //   83c602               | add                 esi, 2

        $sequence_2 = { e8???????? c645fc12 8bcb 0f2805???????? 0f1145b4 6a7f }
            // n = 6, score = 200
            //   e8????????           |                     
            //   c645fc12             | mov                 byte ptr [ebp - 4], 0x12
            //   8bcb                 | mov                 ecx, ebx
            //   0f2805????????       |                     
            //   0f1145b4             | movups              xmmword ptr [ebp - 0x4c], xmm0
            //   6a7f                 | push                0x7f

        $sequence_3 = { 740f 33c0 80b034a606fd2e 40 83f814 72f3 8b0d???????? }
            // n = 7, score = 200
            //   740f                 | je                  0x11
            //   33c0                 | xor                 eax, eax
            //   80b034a606fd2e       | xor                 byte ptr [eax - 0x2f959cc], 0x2e
            //   40                   | inc                 eax
            //   83f814               | cmp                 eax, 0x14
            //   72f3                 | jb                  0xfffffff5
            //   8b0d????????         |                     

        $sequence_4 = { 8bec 56 ff7508 8bf1 e8???????? c706841e05fd }
            // n = 6, score = 200
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   c706841e05fd         | mov                 dword ptr [esi], 0xfd051e84

        $sequence_5 = { 7408 3a8ac05d05fd 755a 8b06 8a08 40 42 }
            // n = 7, score = 200
            //   7408                 | je                  0xa
            //   3a8ac05d05fd         | cmp                 cl, byte ptr [edx - 0x2faa240]
            //   755a                 | jne                 0x5c
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   42                   | inc                 edx

        $sequence_6 = { 7e37 68f8aa06fd e8???????? 833d????????ff 59 7523 bffcaa06fd }
            // n = 7, score = 200
            //   7e37                 | jle                 0x39
            //   68f8aa06fd           | push                0xfd06aaf8
            //   e8????????           |                     
            //   833d????????ff       |                     
            //   59                   | pop                 ecx
            //   7523                 | jne                 0x25
            //   bffcaa06fd           | mov                 edi, 0xfd06aafc

        $sequence_7 = { 7417 6827130000 6830f405fd 68341606fd e8???????? 83c40c 837f2c00 }
            // n = 7, score = 200
            //   7417                 | je                  0x19
            //   6827130000           | push                0x1327
            //   6830f405fd           | push                0xfd05f430
            //   68341606fd           | push                0xfd061634
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   837f2c00             | cmp                 dword ptr [edi + 0x2c], 0

        $sequence_8 = { c9 c3 6a08 b8a30305fd e8???????? 8bf1 8975ec }
            // n = 7, score = 200
            //   c9                   | leave               
            //   c3                   | ret                 
            //   6a08                 | push                8
            //   b8a30305fd           | mov                 eax, 0xfd0503a3
            //   e8????????           |                     
            //   8bf1                 | mov                 esi, ecx
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi

        $sequence_9 = { 84db 743b 8b4608 8378fc00 7432 83ec10 8d4668 }
            // n = 7, score = 200
            //   84db                 | test                bl, bl
            //   743b                 | je                  0x3d
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8378fc00             | cmp                 dword ptr [eax - 4], 0
            //   7432                 | je                  0x34
            //   83ec10               | sub                 esp, 0x10
            //   8d4668               | lea                 eax, [esi + 0x68]

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules
AbSent Loader Propose Change

References

Yara Rules

AbSent Loader
