win.agent_btz

Agent.BTZ

aka: ComRAT, Minit, Sun rootkit

Actor(s): Turla Group


There is no description at this point.

References
2021-09-27 | Medium ryancor | Ryan Cornateanu
@online{cornateanu:20210927:deobfuscating:bfa117a, author = {Ryan Cornateanu}, title = {{Deobfuscating PowerShell Malware Droppers}}, date = {2021-09-27}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d}, language = {English}, urldate = {2021-11-25} } Deobfuscating PowerShell Malware Droppers
Agent.BTZ
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-19 | Palo Alto Networks Unit 42 | Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2021-02-16 | US Department of Defense | US Department of Defense
@techreport{defense:20210216:creation:d20a363, author = {US Department of Defense}, title = {{The creation of the 2020 ComRATv4 illustration}}, date = {2021-02-16}, institution = {US Department of Defense}, url = {https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf}, language = {English}, urldate = {2021-03-25} } The creation of the 2020 ComRATv4 illustration
Agent.BTZ
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-29 | US-CERT | US-CERT
@online{uscert:20201029:malware:c4c177c, author = {US-CERT}, title = {{Malware Analysis Report (AR20-303A): PowerShell Script: ComRAT}}, date = {2020-10-29}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a}, language = {English}, urldate = {2020-11-02} } Malware Analysis Report (AR20-303A): PowerShell Script: ComRAT
Agent.BTZ
2020-09-01 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20200901:exhaustivelyanalyzed:0a5410d, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for ComRAT v4}}, date = {2020-09-01}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4}, language = {English}, urldate = {2020-09-01} } An Exhaustively-Analyzed IDB for ComRAT v4
Agent.BTZ
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-05-26 | ESET Research | Matthieu Faou
@techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)
Agent.BTZ
2020-05-26 | ESET Research | Matthieu Faou
@online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } From Agent.BTZ to ComRAT v4: A ten‑year journey
Agent.BTZ
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-03 | CrySyS Lab | Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-09-13 | Intezer | Omri Ben Bassat
@online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
Agent.BTZ
2017-08-07 | Intezer | Omri Ben Bassat
@online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
Agent.BTZ
2016-01-14 | Symantec | Security Response
@techreport{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf}, language = {English}, urldate = {2020-04-21} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot Turla Group
2016-01-14 | Symantec | Security Response
@techreport{response:20160114:waterbug:51a4dbd, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf}, language = {English}, urldate = {2020-01-09} } The Waterbug attack group
Agent.BTZ Wipbot Turla Group
2015-01-15 | G Data | G Data
@online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {English}, urldate = {2020-01-08} } Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT
Agent.BTZ
2014-11-11 | G Data | G Data
@online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } The Uroburos case: new sophisticated RAT identified
Agent.BTZ Uroburos
2014-03-12 | Kaspersky Labs | Alexander Gostev
@online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } Agent.btz: a Source of Inspiration?
Agent.BTZ
2008-11-30 | ThreatExpert | Sergei Shevchenko
@online{shevchenko:20081130:agentbtz:8c68643, author = {Sergei Shevchenko}, title = {{Agent.btz - A Threat That Hit Pentagon}}, date = {2008-11-30}, organization = {ThreatExpert}, url = {http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html}, language = {English}, urldate = {2020-01-08} } Agent.btz - A Threat That Hit Pentagon
Agent.BTZ
Yara Rules
[TLP:WHITE] win_agent_btz_auto (20211008 | Detects win.agent_btz.)
rule win_agent_btz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.agent_btz."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 ffd6 8d54240c 52 ffd7 }
            // n = 5, score = 2500
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8d54240c             | lea                 edx, dword ptr [esp + 0xc]
            //   52                   | push                edx
            //   ffd7                 | call                edi

        $sequence_1 = { c74608ffffffff f644240801 7409 56 e8???????? 83c404 }
            // n = 6, score = 2500
            //   c74608ffffffff       | mov                 dword ptr [esi + 8], 0xffffffff
            //   f644240801           | test                byte ptr [esp + 8], 1
            //   7409                 | je                  0xb
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_2 = { 50 ffd3 85c0 75d8 }
            // n = 4, score = 2500
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   75d8                 | jne                 0xffffffda

        $sequence_3 = { c706???????? c7460c00000000 895e08 895e04 c7461000000000 895e14 }
            // n = 6, score = 2400
            //   c706????????         |                     
            //   c7460c00000000       | mov                 dword ptr [esi + 0xc], 0
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   895e14               | mov                 dword ptr [esi + 0x14], ebx

        $sequence_4 = { ff15???????? b800000f00 8b4df4 64890d00000000 5f 5e }
            // n = 6, score = 2400
            //   ff15????????         |                     
            //   b800000f00           | mov                 eax, 0xf0000
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_5 = { 56 6a00 68???????? 8935???????? e8???????? }
            // n = 5, score = 2300
            //   56                   | push                esi
            //   6a00                 | push                0
            //   68????????           |                     
            //   8935????????         |                     
            //   e8????????           |                     

        $sequence_6 = { 50 ff15???????? 894614 33c0 33db }
            // n = 5, score = 2300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   33c0                 | xor                 eax, eax
            //   33db                 | xor                 ebx, ebx

        $sequence_7 = { 8d542408 52 c744240c30000000 c744241003000000 }
            // n = 4, score = 2200
            //   8d542408             | lea                 ecx, dword ptr [esp + 0xc]
            //   52                   | push                ecx
            //   c744240c30000000     | call                esi
            //   c744241003000000     | lea                 edx, dword ptr [esp + 0xc]

        $sequence_8 = { 50 ff15???????? c74608ffffffff f644240801 }
            // n = 4, score = 2200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   c74608ffffffff       | mov                 dword ptr [esi + 8], 0xffffffff
            //   f644240801           | test                byte ptr [esp + 8], 1

        $sequence_9 = { 56 8bf1 8b4608 c706???????? 85c0 7413 83f8ff }
            // n = 7, score = 2200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   c706????????         |                     
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   83f8ff               | cmp                 eax, -1

        $sequence_10 = { 6801010000 ff15???????? 85c0 7415 }
            // n = 4, score = 1900
            //   6801010000           | push                esi
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esi + 8], 0xffffffff
            //   7415                 | test                byte ptr [esp + 8], 1

        $sequence_11 = { 6a0a 68???????? 6a01 6a00 68???????? }
            // n = 5, score = 1400
            //   6a0a                 | push                0xa
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_12 = { 51 6a00 6819000200 6a00 68???????? }
            // n = 5, score = 1400
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_13 = { 50 68???????? 6a01 68???????? e8???????? 83c410 }
            // n = 6, score = 1200
            //   50                   | push                esi
            //   68????????           |                     
            //   6a01                 | mov                 dword ptr [esi + 8], 0xffffffff
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | test                byte ptr [esp + 8], 1

        $sequence_14 = { 6a01 6a04 6a01 68???????? }
            // n = 4, score = 1100
            //   6a01                 | push                1
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   68????????           |                     

        $sequence_15 = { 6a01 68???????? e8???????? 83c414 5f 5e }
            // n = 6, score = 1000
            //   6a01                 | mov                 ecx, dword ptr [esi]
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | dec                 eax
            //   5f                   | mov                 dword ptr [esi + 0x28], eax
            //   5e                   | dec                 eax

        $sequence_16 = { 6a01 e8???????? 50 e8???????? 83c414 }
            // n = 5, score = 1000
            //   6a01                 | push                1
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_17 = { 89461c 3dea000000 740b 3de5030000 }
            // n = 4, score = 1000
            //   89461c               | cmp                 eax, -1
            //   3dea000000           | je                  0x17
            //   740b                 | mov                 esi, ecx
            //   3de5030000           | mov                 eax, dword ptr [esi + 8]

        $sequence_18 = { 0fb605???????? 66890d???????? 0fb60d???????? 660fafca 6603c8 }
            // n = 5, score = 1000
            //   0fb605????????       |                     
            //   66890d????????       |                     
            //   0fb60d????????       |                     
            //   660fafca             | imul                cx, dx
            //   6603c8               | add                 cx, ax

        $sequence_19 = { 50 e8???????? 83c408 6800010000 e8???????? }
            // n = 5, score = 1000
            //   50                   | test                eax, eax
            //   e8????????           |                     
            //   83c408               | je                  0x1a
            //   6800010000           | cmp                 eax, -1
            //   e8????????           |                     

        $sequence_20 = { 7511 e8???????? 83c020 50 e8???????? }
            // n = 5, score = 1000
            //   7511                 | jne                 0x13
            //   e8????????           |                     
            //   83c020               | add                 eax, 0x20
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_21 = { 5b c9 c3 53 8d8df4feffff 51 }
            // n = 6, score = 900
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8d8df4feffff         | lea                 ecx, dword ptr [ebp - 0x10c]
            //   51                   | push                ecx

        $sequence_22 = { 53 8d8df4feffff 51 8d8df8feffff 51 6805000020 }
            // n = 6, score = 900
            //   53                   | push                ebx
            //   8d8df4feffff         | lea                 ecx, dword ptr [ebp - 0x10c]
            //   51                   | push                ecx
            //   8d8df8feffff         | lea                 ecx, dword ptr [ebp - 0x108]
            //   51                   | push                ecx
            //   6805000020           | push                0x20000005

        $sequence_23 = { 668945fa 8d85d8fdffff 50 66894dee }
            // n = 4, score = 900
            //   668945fa             | mov                 word ptr [ebp - 6], ax
            //   8d85d8fdffff         | lea                 eax, dword ptr [ebp - 0x228]
            //   50                   | push                eax
            //   66894dee             | mov                 word ptr [ebp - 0x12], cx

        $sequence_24 = { 50 8d45a8 50 8d8588feffff }
            // n = 4, score = 900
            //   50                   | push                eax
            //   8d45a8               | lea                 eax, dword ptr [ebp - 0x58]
            //   50                   | push                eax
            //   8d8588feffff         | lea                 eax, dword ptr [ebp - 0x178]

        $sequence_25 = { 51 03c7 6a06 ff75f8 }
            // n = 4, score = 900
            //   51                   | push                ecx
            //   03c7                 | add                 eax, edi
            //   6a06                 | push                6
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_26 = { 51 51 8365fc00 53 56 8bd8 8d4304 }
            // n = 7, score = 900
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bd8                 | mov                 ebx, eax
            //   8d4304               | lea                 eax, dword ptr [ebx + 4]

        $sequence_27 = { 53 53 8d4dd8 51 ff750c }
            // n = 5, score = 900
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8d4dd8               | lea                 ecx, dword ptr [ebp - 0x28]
            //   51                   | push                ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_28 = { 6a00 6a27 6a02 6a00 6a01 }
            // n = 5, score = 800
            //   6a00                 | push                0
            //   6a27                 | push                0x27
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_29 = { 8d8505feffff 50 e8???????? 83c40c }
            // n = 4, score = 700
            //   8d8505feffff         | mov                 ecx, dword ptr [esi]
            //   50                   | dec                 eax
            //   e8????????           |                     
            //   83c40c               | mov                 dword ptr [esi + 0x28], eax

        $sequence_30 = { e8???????? e8???????? 8bc8 e8???????? c745fcffffffff }
            // n = 5, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff

        $sequence_31 = { c645d43a c645d53b c645d63b c645d730 c645d836 }
            // n = 5, score = 700
            //   c645d43a             | mov                 byte ptr [ebp - 0x2c], 0x3a
            //   c645d53b             | mov                 byte ptr [ebp - 0x2b], 0x3b
            //   c645d63b             | mov                 byte ptr [ebp - 0x2a], 0x3b
            //   c645d730             | mov                 byte ptr [ebp - 0x29], 0x30
            //   c645d836             | mov                 byte ptr [ebp - 0x28], 0x36

        $sequence_32 = { 488b4338 33d2 488bce 448d4220 }
            // n = 4, score = 600
            //   488b4338             | dec                 eax
            //   33d2                 | mov                 eax, dword ptr [ebx + 0x38]
            //   488bce               | xor                 edx, edx
            //   448d4220             | dec                 eax

        $sequence_33 = { 488b0f 48894108 488b0f 488b4108 48894128 }
            // n = 5, score = 500
            //   488b0f               | dec                 eax
            //   48894108             | mov                 eax, dword ptr [edi]
            //   488b0f               | mov                 dword ptr [eax + 0x30], ebp
            //   488b4108             | xor                 eax, eax
            //   48894128             | dec                 eax

        $sequence_34 = { 488b5738 488bce 8bd8 ff92e8010000 488b6c2458 }
            // n = 5, score = 500
            //   488b5738             | mov                 eax, dword ptr [esi + 8]
            //   488bce               | test                eax, eax
            //   8bd8                 | je                  0x17
            //   ff92e8010000         | mov                 eax, dword ptr [esi + 8]
            //   488b6c2458           | test                eax, eax

        $sequence_35 = { 4889742420 57 4883ec40 33ed 488bf9 498bf0 }
            // n = 6, score = 500
            //   4889742420           | mov                 dword ptr [eax + 0x30], ebp
            //   57                   | xor                 eax, eax
            //   4883ec40             | dec                 eax
            //   33ed                 | mov                 ebx, dword ptr [esp + 0x58]
            //   488bf9               | dec                 eax
            //   498bf0               | mov                 ecx, dword ptr [edi]

        $sequence_36 = { 488b4608 488b0e 48894628 488b4638 4c8d4c2450 448bc3 }
            // n = 6, score = 500
            //   488b4608             | add                 esp, 4
            //   488b0e               | test                eax, eax
            //   48894628             | je                  0x48
            //   488b4638             | cmp                 eax, -1
            //   4c8d4c2450           | je                  0x48
            //   448bc3               | push                eax

        $sequence_37 = { 488b0f 488901 488b07 488338ff }
            // n = 4, score = 500
            //   488b0f               | xor                 eax, eax
            //   488901               | dec                 eax
            //   488b07               | mov                 dword ptr [esp + 0x20], esi
            //   488338ff             | push                edi

        $sequence_38 = { 4155 4156 4157 4883ec40 488b4138 }
            // n = 5, score = 500
            //   4155                 | mov                 dword ptr [ecx + 0x30], eax
            //   4156                 | jmp                 0xb
            //   4157                 | dec                 eax
            //   4883ec40             | mov                 eax, dword ptr [edi]
            //   488b4138             | mov                 dword ptr [eax + 0x30], ebp

        $sequence_39 = { 488b4108 48894128 488b0f 48396928 }
            // n = 4, score = 500
            //   488b4108             | mov                 ecx, esi
            //   48894128             | inc                 esp
            //   488b0f               | lea                 eax, dword ptr [edx + 0x20]
            //   48396928             | dec                 eax

        $sequence_40 = { e8???????? 488b5638 488bcf 8bd8 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   488b5638             | dec                 eax
            //   488bcf               | mov                 ecx, dword ptr [edi]
            //   8bd8                 | dec                 eax

        $sequence_41 = { 488b4638 ff5060 894630 3de5030000 }
            // n = 4, score = 500
            //   488b4638             | je                  0x17
            //   ff5060               | cmp                 eax, -1
            //   894630               | je                  0x17
            //   3de5030000           | mov                 eax, dword ptr [esi + 8]

        $sequence_42 = { 83c904 c1e803 448bc9 440fafc8 }
            // n = 4, score = 500
            //   83c904               | je                  0xdf
            //   c1e803               | push                eax
            //   448bc9               | mov                 dword ptr [esi + 8], 0xffffffff
            //   440fafc8             | test                byte ptr [esp + 8], 1

        $sequence_43 = { 488bcf c744242088130000 e8???????? 488b5738 }
            // n = 4, score = 500
            //   488bcf               | je                  0xee
            //   c744242088130000     | je                  0x15
            //   e8????????           |                     
            //   488b5738             | cmp                 eax, -1

        $sequence_44 = { 488b4638 488b0e 4c8d442450 4533c9 }
            // n = 4, score = 500
            //   488b4638             | cmp                 eax, -1
            //   488b0e               | je                  0x8b
            //   4c8d442450           | push                eax
            //   4533c9               | mov                 dword ptr [esi + 8], 0xffffffff

        $sequence_45 = { 488bf0 c70005000000 85db 7415 }
            // n = 4, score = 500
            //   488bf0               | je                  0x17
            //   c70005000000         | cmp                 eax, -1
            //   85db                 | mov                 eax, dword ptr [esi + 8]
            //   7415                 | test                eax, eax

        $sequence_46 = { 488b0f 894130 eb06 488b07 896830 33c0 488b5c2458 }
            // n = 7, score = 500
            //   488b0f               | mov                 eax, dword ptr [ecx + 8]
            //   894130               | dec                 eax
            //   eb06                 | mov                 dword ptr [ecx + 0x28], eax
            //   488b07               | dec                 eax
            //   896830               | mov                 ecx, dword ptr [edi]
            //   33c0                 | dec                 eax
            //   488b5c2458           | cmp                 dword ptr [ecx + 0x28], ebp

        $sequence_47 = { 8d8594faffff 50 68???????? ff15???????? }
            // n = 4, score = 200
            //   8d8594faffff         | pop                 esi
            //   50                   | pop                 ebx
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_48 = { 030c85100b4200 eb02 8bcb f6412480 }
            // n = 4, score = 100
            //   030c85100b4200       | test                byte ptr [esp + 8], 1
            //   eb02                 | je                  0x18
            //   8bcb                 | cmp                 eax, -1
            //   f6412480             | je                  0x10

        $sequence_49 = { 013d???????? 8b04b5100b4200 0500080000 3bc8 }
            // n = 4, score = 100
            //   013d????????         |                     
            //   8b04b5100b4200       | pop                 esi
            //   0500080000           | pop                 ebx
            //   3bc8                 | mov                 esp, ebp

        $sequence_50 = { 0304b5100b4200 beffff0000 59 59 }
            // n = 4, score = 100
            //   0304b5100b4200       | cmp                 eax, -1
            //   beffff0000           | je                  0x15
            //   59                   | mov                 eax, dword ptr [esi + 8]
            //   59                   | test                eax, eax

        $sequence_51 = { 0304b5100b4200 59 5e eb05 }
            // n = 4, score = 100
            //   0304b5100b4200       | mov                 eax, 0xf0003
            //   59                   | mov                 ecx, dword ptr [ebp - 0xc]
            //   5e                   | mov                 dword ptr fs:[0], ecx
            //   eb05                 | pop                 edi

        $sequence_52 = { 0304b5100b4200 59 eb02 8bc3 }
            // n = 4, score = 100
            //   0304b5100b4200       | mov                 dword ptr [esi + 0x14], eax
            //   59                   | xor                 eax, eax
            //   eb02                 | xor                 ebx, ebx
            //   8bc3                 | mov                 dword ptr [esi + 0x14], eax

        $sequence_53 = { 0304b5100b4200 59 eb05 b8???????? }
            // n = 4, score = 100
            //   0304b5100b4200       | mov                 eax, dword ptr [esi + 8]
            //   59                   | test                eax, eax
            //   eb05                 | je                  0x17
            //   b8????????           |                     

        $sequence_54 = { 001cbe 40 0023 d18a0688078a 46 }
            // n = 5, score = 100
            //   001cbe               | mov                 eax, 0xf0004
            //   40                   | mov                 ecx, dword ptr [ebp - 0xc]
            //   0023                 | mov                 dword ptr fs:[0], ecx
            //   d18a0688078a         | mov                 eax, 0xf0003
            //   46                   | mov                 ecx, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 5577728
}
[TLP:WHITE] win_agent_btz_w0   (20171113 | No description)
rule win_agent_btz_w0 {
    // Symantec's Agent.BTZ rule (Waterbug report), with false positives trimmed by the
    // Malpedia contributor noted in `contribution`. The logic is count-based: the byte
    // patterns are short and individually generic, so the rule demands that they recur
    // many times in one file, and in every branch it also requires the literal temp-file
    // name string.
    meta:
        author = "Symantec"
        source = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
        contribution = "pnx - removed FPs"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz"
        malpedia_version = "20171113"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // Group 1 (x86): two very short encodings that appear to be `mov byte ptr
        // [ebp+disp], imm8` stack writes; both are far too common alone, hence the
        // >200 occurrence thresholds in the condition.
        $b = {C645????}
        $c = {C685??FEFFFF??}
        // Group 2: an indirect `jmp [eax+disp32]`-style encoding ($d), paired with either a
        // longer x86 push/call sequence ($e) or a REX.W (x64) register-move sequence ($f).
        // Disassembly readings are approximate; the hex is authoritative.
        $d = {FFA0??0?0000}
        $e = {89A8??00000068??00000056FFD78B}
        $f = {00004889????030000488B}
        // Required in every branch. ASCII only -- no `wide` modifier, as in the original.
        $tmp_fn = "FA.tmp"
    condition:
        // Fully parenthesised to make YARA's precedence explicit (`and` binds tighter than
        // `or`): either group 1 with both counts high, or $d frequent together with one of
        // $e / $f -- and, in both cases, the temp-file string. Thresholds are unchanged.
        (
            (#c > 200 and #b > 200)
            or
            (#d > 40 and (#e > 15 or #f > 30))
        )
        and $tmp_fn
}