win.agent_btz

Agent.BTZ

aka: ComRAT, Minit, Sun rootkit

Actor(s): Turla Group


There is no description at this point. For the family's history and its relationship to ComRAT, see ESET's white paper "From Agent.BTZ to ComRAT v4: A ten‑year journey" (2020-05-26) in the references below.

References
2020-09-01 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20200901:exhaustivelyanalyzed:0a5410d, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for ComRAT v4}}, date = {2020-09-01}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4}, language = {English}, urldate = {2020-09-01} } An Exhaustively-Analyzed IDB for ComRAT v4
Agent.BTZ
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-05-26 | ESET Research | Matthieu Faou
@techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)
Agent.BTZ
2020-05-26 | ESET Research | Matthieu Faou
@online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } From Agent.BTZ to ComRAT v4: A ten‑year journey
Agent.BTZ
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-03 | CrySyS Lab | Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-09-13 | Intezer | Omri Ben Bassat
@online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
Agent.BTZ
2017-08-07 | Intezer | Omri Ben Bassat
@online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
Agent.BTZ
2016-01-14 | Symantec | Security Response
@techreport{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf}, language = {English}, urldate = {2020-04-21} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot Turla Group
2016-01-14 | Symantec | Security Response
@techreport{response:20160114:waterbug:51a4dbd, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf}, language = {English}, urldate = {2020-01-09} } The Waterbug attack group
Agent.BTZ Wipbot Turla Group
2015-01-15 | G Data | G Data
@online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {German}, urldate = {2020-01-08} } Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT
Agent.BTZ
2014-11-11 | G Data | G Data
@online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } The Uroburos case: new sophisticated RAT identified
Agent.BTZ Uroburos
2014-03-12 | Kaspersky Labs | Alexander Gostev
@online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } Agent.btz: a Source of Inspiration?
Agent.BTZ
2008-11-30 | ThreatExpert | Sergei Shevchenko
@online{shevchenko:20081130:agentbtz:8c68643, author = {Sergei Shevchenko}, title = {{Agent.btz - A Threat That Hit Pentagon}}, date = {2008-11-30}, organization = {ThreatExpert}, url = {http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html}, language = {English}, urldate = {2020-01-08} } Agent.btz - A Threat That Hit Pentagon
Agent.BTZ
Yara Rules
[TLP:WHITE] win_agent_btz_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_agent_btz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-instruction annotations below were realigned to the bytes they
     *   sit next to; in the generated original many of them were shifted and
     *   described a different sequence. The hex patterns themselves are untouched.
     * - "score" is the generator's weight for a sequence; higher scores appear
     *   across more of the family's samples, 100-300 typically means one sample.
     * - Sequences carrying a REX prefix (48/49/45) are x86-64 code (_31, _33,
     *   _36, _37, _38); everything else is 32-bit. The rule therefore covers
     *   both bitnesses of the family.
     * - Sequences _41, _42, _43 and _46 embed absolute addresses (0x420b10,
     *   0x41c010, 0x420f04): they only match one build at its original image
     *   base and are unlikely to survive recompilation or rebasing.
     * - Several low-score sequences look like statically linked MSVC CRT /
     *   compiler boilerplate rather than family logic (see inline notes); they
     *   still count toward the "7 of them" threshold, so treat a hit built
     *   mostly from those as a lead to triage rather than as attribution.
     */

    strings:
        $sequence_0 = { 50 ffd3 85c0 75d8 }
            // n = 4, score = 2500
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   75d8                 | jne                 0xffffffda
            // Loop: call a function held in ebx and retry while it returns non-zero.

        $sequence_1 = { c74608ffffffff f644240801 7409 56 e8???????? 83c404 8bc6 }
            // n = 7, score = 2500
            //   c74608ffffffff       | mov                 dword ptr [esi + 8], 0xffffffff
            //   f644240801           | test                byte ptr [esp + 8], 1
            //   7409                 | je                  0xb
            //   56                   | push                esi
            //   e8????????           | call                rel32 (target masked)
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            // Looks like an MSVC "scalar deleting destructor": field +8 set to -1
            // (INVALID_HANDLE_VALUE-style sentinel), then the flags argument's bit 0
            // decides whether the object is freed; returns `this` in eax. Unverified.

        $sequence_2 = { 51 ffd6 8d54240c 52 ffd7 }
            // n = 5, score = 2500
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   52                   | push                edx
            //   ffd7                 | call                edi
            // Two consecutive calls through register-held function pointers (esi, edi).

        $sequence_3 = { 895e08 895e04 c7461000000000 895e14 }
            // n = 4, score = 2400
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   895e14               | mov                 dword ptr [esi + 0x14], ebx
            // Object/struct field initialisation (ebx presumably holds 0 here - not visible).

        $sequence_4 = { ff15???????? b804000f00 8b4df4 64890d00000000 5f 5e 5b }
            // n = 7, score = 2400
            //   ff15????????         | call                dword ptr [imm32] (target masked)
            //   b804000f00           | mov                 eax, 0xf0004
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            // Function epilogue that restores fs:[0] (the 32-bit SEH chain head),
            // i.e. the teardown of an exception-handling frame; 0xf0004 is the return value.

        $sequence_5 = { c706???????? c7460c00000000 895e08 895e04 }
            // n = 4, score = 2400
            //   c706????????         | mov                 dword ptr [esi], imm32 (masked; presumably a vtable pointer)
            //   c7460c00000000       | mov                 dword ptr [esi + 0xc], 0
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            // Constructor-style initialisation; pairs with $sequence_3.

        $sequence_6 = { 50 ff15???????? 894614 33c0 33db }
            // n = 5, score = 2300
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32] (target masked)
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   33c0                 | xor                 eax, eax
            //   33db                 | xor                 ebx, ebx
            // Stores an imported-API return value into field +0x14, then zeroes eax/ebx.

        $sequence_7 = { 56 6a00 68???????? 8935???????? }
            // n = 4, score = 2300
            //   56                   | push                esi
            //   6a00                 | push                0
            //   68????????           | push                imm32 (masked)
            //   8935????????         | mov                 dword ptr [imm32], esi (address masked)
            // Argument setup for a 3-argument call plus a store of esi to a global.

        $sequence_8 = { 8bf1 8b4608 c706???????? 85c0 7413 83f8ff 740e }
            // n = 7, score = 2200
            //   8bf1                 | mov                 esi, ecx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   c706????????         | mov                 dword ptr [esi], imm32 (masked; presumably a vtable pointer)
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   83f8ff               | cmp                 eax, -1
            //   740e                 | je                  0x10
            // thiscall destructor prologue: skips cleanup when field +8 is 0 or -1,
            // the two "no handle" values (consistent with the -1 sentinel in $sequence_1).

        $sequence_9 = { 740e 50 ff15???????? c74608ffffffff f644240801 7409 }
            // n = 6, score = 2200
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32] (target masked; presumably the handle-closing API)
            //   c74608ffffffff       | mov                 dword ptr [esi + 8], 0xffffffff
            //   f644240801           | test                byte ptr [esp + 8], 1
            //   7409                 | je                  0xb
            // Continuation of $sequence_8 / start of $sequence_1: close the handle,
            // reset it to -1, then check the deleting-destructor flag.

        $sequence_10 = { 51 6a00 6819000200 6a00 68???????? }
            // n = 5, score = 1400
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   68????????           | push                imm32 (masked)
            // 0x20019 is the value of KEY_READ, so this is argument setup for a
            // registry API; the callee is not part of the sequence.

        $sequence_11 = { 50 68???????? 6a01 68???????? e8???????? 83c410 }
            // n = 6, score = 1200
            //   50                   | push                eax
            //   68????????           | push                imm32 (masked)
            //   6a01                 | push                1
            //   68????????           | push                imm32 (masked)
            //   e8????????           | call                rel32 (target masked)
            //   83c410               | add                 esp, 0x10
            // cdecl call with four arguments (caller cleans 16 bytes).

        $sequence_12 = { 6a01 6a04 6a01 68???????? }
            // n = 4, score = 1100
            //   6a01                 | push                1
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   68????????           | push                imm32 (masked)

        $sequence_13 = { 50 e8???????? 83c408 6800010000 e8???????? }
            // n = 5, score = 1000
            //   50                   | push                eax
            //   e8????????           | call                rel32 (target masked)
            //   83c408               | add                 esp, 8
            //   6800010000           | push                0x100
            //   e8????????           | call                rel32 (target masked)
            // 0x100 is a common buffer/allocation size; the callees are masked.

        $sequence_14 = { 51 68???????? 6a01 e8???????? 50 e8???????? 83c410 }
            // n = 7, score = 1000
            //   51                   | push                ecx
            //   68????????           | push                imm32 (masked)
            //   6a01                 | push                1
            //   e8????????           | call                rel32 (target masked)
            //   50                   | push                eax
            //   e8????????           | call                rel32 (target masked)
            //   83c410               | add                 esp, 0x10
            // Result of the first call is passed straight into the second.

        $sequence_15 = { 7511 e8???????? 83c020 50 e8???????? 83c404 }
            // n = 6, score = 1000
            //   7511                 | jne                 0x13
            //   e8????????           | call                rel32 (target masked)
            //   83c020               | add                 eax, 0x20
            //   50                   | push                eax
            //   e8????????           | call                rel32 (target masked)
            //   83c404               | add                 esp, 4
            // eax + 0x20 is passed on: presumably a pointer into a returned structure.

        $sequence_16 = { 6a01 68???????? e8???????? 83c414 5f 5e 5b }
            // n = 7, score = 1000
            //   6a01                 | push                1
            //   68????????           | push                imm32 (masked)
            //   e8????????           | call                rel32 (target masked)
            //   83c414               | add                 esp, 0x14
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            // Final cdecl call of a function (5 arguments cleaned) followed by its epilogue.

        // $sequence_17, _23, _20 and _22 are one stack-string: the bytes stored at
        // [esp + 0x88 .. 0x96] spell "CreateProcessW\0" (0x43 'C', 0x72 'r', 0x65 'e',
        // 0x61 'a', 0x74 't', 0x65 'e', 0x50 'P', 0x72 'r', 0x6f 'o', 0x63 'c',
        // 0x65 'e', 0x73 's', 0x73 's', 0x57 'W', 0x00). $sequence_22, _18 and _19
        // continue at [esp + 0x110 ..] with "GetLastError". Building API names
        // byte-by-byte on the stack is a common way to keep them out of the import
        // table and out of plain-string scanners; the resolution call itself is not
        // in these sequences.
        $sequence_17 = { c684248800000043 c684248900000072 c684248a00000065 c684248b00000061 c684248c00000074 c684248d00000065 c684248e00000050 }
            // n = 7, score = 900
            //   c684248800000043     | mov                 byte ptr [esp + 0x88], 0x43
            //   c684248900000072     | mov                 byte ptr [esp + 0x89], 0x72
            //   c684248a00000065     | mov                 byte ptr [esp + 0x8a], 0x65
            //   c684248b00000061     | mov                 byte ptr [esp + 0x8b], 0x61
            //   c684248c00000074     | mov                 byte ptr [esp + 0x8c], 0x74
            //   c684248d00000065     | mov                 byte ptr [esp + 0x8d], 0x65
            //   c684248e00000050     | mov                 byte ptr [esp + 0x8e], 0x50

        $sequence_18 = { c684241101000065 c684241201000074 c68424130100004c c684241401000061 c684241501000073 }
            // n = 5, score = 900
            //   c684241101000065     | mov                 byte ptr [esp + 0x111], 0x65
            //   c684241201000074     | mov                 byte ptr [esp + 0x112], 0x74
            //   c68424130100004c     | mov                 byte ptr [esp + 0x113], 0x4c
            //   c684241401000061     | mov                 byte ptr [esp + 0x114], 0x61
            //   c684241501000073     | mov                 byte ptr [esp + 0x115], 0x73

        $sequence_19 = { c684241501000073 c684241601000074 c684241701000045 c684241801000072 c684241901000072 c684241a0100006f c684241b01000072 }
            // n = 7, score = 900
            //   c684241501000073     | mov                 byte ptr [esp + 0x115], 0x73
            //   c684241601000074     | mov                 byte ptr [esp + 0x116], 0x74
            //   c684241701000045     | mov                 byte ptr [esp + 0x117], 0x45
            //   c684241801000072     | mov                 byte ptr [esp + 0x118], 0x72
            //   c684241901000072     | mov                 byte ptr [esp + 0x119], 0x72
            //   c684241a0100006f     | mov                 byte ptr [esp + 0x11a], 0x6f
            //   c684241b01000072     | mov                 byte ptr [esp + 0x11b], 0x72

        $sequence_20 = { c68424900000006f c684249100000063 c684249200000065 c684249300000073 c684249400000073 }
            // n = 5, score = 900
            //   c68424900000006f     | mov                 byte ptr [esp + 0x90], 0x6f
            //   c684249100000063     | mov                 byte ptr [esp + 0x91], 0x63
            //   c684249200000065     | mov                 byte ptr [esp + 0x92], 0x65
            //   c684249300000073     | mov                 byte ptr [esp + 0x93], 0x73
            //   c684249400000073     | mov                 byte ptr [esp + 0x94], 0x73

        $sequence_21 = { ebd2 c78424a000000068000000 c78424dc00000001000000 33c0 66898424e0000000 }
            // n = 5, score = 900
            //   ebd2                 | jmp                 0xffffffd4
            //   c78424a000000068000000     | mov    dword ptr [esp + 0xa0], 0x68
            //   c78424dc00000001000000     | mov    dword ptr [esp + 0xdc], 1
            //   33c0                 | xor                 eax, eax
            //   66898424e0000000     | mov                 word ptr [esp + 0xe0], ax
            // Stack-structure initialisation: a dword of 0x68 (104) at +0xa0, 1 at +0xdc,
            // and a zero word at +0xe0. 0x68 is the size of STARTUPINFOW and the layout
            // (dwFlags = 1 = STARTF_USESHOWWINDOW, wShowWindow = 0) is consistent with
            // preparing the "CreateProcessW" built above, but the call is not visible here.

        $sequence_22 = { c684249300000073 c684249400000073 c684249500000057 c684249600000000 c684241001000047 c684241101000065 }
            // n = 6, score = 900
            //   c684249300000073     | mov                 byte ptr [esp + 0x93], 0x73
            //   c684249400000073     | mov                 byte ptr [esp + 0x94], 0x73
            //   c684249500000057     | mov                 byte ptr [esp + 0x95], 0x57
            //   c684249600000000     | mov                 byte ptr [esp + 0x96], 0
            //   c684241001000047     | mov                 byte ptr [esp + 0x110], 0x47
            //   c684241101000065     | mov                 byte ptr [esp + 0x111], 0x65

        $sequence_23 = { c684248d00000065 c684248e00000050 c684248f00000072 c68424900000006f c684249100000063 }
            // n = 5, score = 900
            //   c684248d00000065     | mov                 byte ptr [esp + 0x8d], 0x65
            //   c684248e00000050     | mov                 byte ptr [esp + 0x8e], 0x50
            //   c684248f00000072     | mov                 byte ptr [esp + 0x8f], 0x72
            //   c68424900000006f     | mov                 byte ptr [esp + 0x90], 0x6f
            //   c684249100000063     | mov                 byte ptr [esp + 0x91], 0x63

        $sequence_24 = { 668945f2 58 6a38 668945f4 58 }
            // n = 5, score = 800
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax
            //   58                   | pop                 eax
            //   6a38                 | push                0x38
            //   668945f4             | mov                 word ptr [ebp - 0xc], ax
            //   58                   | pop                 eax
            // "push imm8 / pop eax" is used to load a small constant which is then stored
            // as a 16-bit value: looks like a wide-char (UTF-16) stack string being built
            // one character at a time (0x38 = '8').

        $sequence_25 = { 6a27 6a02 6a00 6a01 }
            // n = 4, score = 800
            //   6a27                 | push                0x27
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_26 = { e8???????? e8???????? 8bc8 e8???????? c745fcffffffff }
            // n = 5, score = 700
            //   e8????????           | call                rel32 (target masked)
            //   e8????????           | call                rel32 (target masked)
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                rel32 (target masked)
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            // Chained calls with the result passed as `this` (ecx); [ebp-4] = -1 matches
            // MSVC's EH state variable reset, so this is compiler-generated C++ glue.

        $sequence_27 = { c645d43a c645d53b c645d63b c645d730 }
            // n = 4, score = 700
            //   c645d43a             | mov                 byte ptr [ebp - 0x2c], 0x3a
            //   c645d53b             | mov                 byte ptr [ebp - 0x2b], 0x3b
            //   c645d63b             | mov                 byte ptr [ebp - 0x2a], 0x3b
            //   c645d730             | mov                 byte ptr [ebp - 0x29], 0x30
            // Byte-wise stack string; the values (':', ';', ';', '0') do not read as plain
            // text, so presumably an encoded string that is decoded later - unverified.

        $sequence_28 = { c645cb30 c645cc27 c645cd3b c645ce30 }
            // n = 4, score = 700
            //   c645cb30             | mov                 byte ptr [ebp - 0x35], 0x30
            //   c645cc27             | mov                 byte ptr [ebp - 0x34], 0x27
            //   c645cd3b             | mov                 byte ptr [ebp - 0x33], 0x3b
            //   c645ce30             | mov                 byte ptr [ebp - 0x32], 0x30
            // Same encoded stack-string idiom as $sequence_27 (values '0', ''', ';', '0').

        $sequence_29 = { 8d8505feffff 50 e8???????? 83c40c }
            // n = 4, score = 700
            //   8d8505feffff         | lea                 eax, [ebp - 0x1fb]
            //   50                   | push                eax
            //   e8????????           | call                rel32 (target masked)
            //   83c40c               | add                 esp, 0xc
            // Passes a pointer to a large local buffer as the last of three cdecl arguments.

        $sequence_30 = { 6a10 68???????? 6a01 6a00 6a00 }
            // n = 5, score = 500
            //   6a10                 | push                0x10
            //   68????????           | push                imm32 (masked)
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_31 = { 488b4608 488b0e 48894628 488b4638 }
            // n = 4, score = 300
            //   488b4608             | mov                 rax, qword ptr [rsi + 8]
            //   488b0e               | mov                 rcx, qword ptr [rsi]
            //   48894628             | mov                 qword ptr [rsi + 0x28], rax
            //   488b4638             | mov                 rax, qword ptr [rsi + 0x38]
            // x86-64 (REX.W prefix 0x48): copying fields within a structure at rsi.

        $sequence_32 = { c68424b000000016 c68424b100000027 c68424b200000030 c68424b300000034 c68424b400000021 }
            // n = 5, score = 300
            //   c68424b000000016     | mov                 byte ptr [esp + 0xb0], 0x16
            //   c68424b100000027     | mov                 byte ptr [esp + 0xb1], 0x27
            //   c68424b200000030     | mov                 byte ptr [esp + 0xb2], 0x30
            //   c68424b300000034     | mov                 byte ptr [esp + 0xb3], 0x34
            //   c68424b400000021     | mov                 byte ptr [esp + 0xb4], 0x21
            // Byte-wise stack string with non-printable values (0x16 ...): presumably
            // encoded, like $sequence_27/_28. No REX prefix, so bitness is not determined
            // by the bytes alone (esp vs rsp).

        $sequence_33 = { 4533c0 ba000000c0 488bcb 896c2428 }
            // n = 4, score = 300
            //   4533c0               | xor                 r8d, r8d
            //   ba000000c0           | mov                 edx, 0xc0000000
            //   488bcb               | mov                 rcx, rbx
            //   896c2428             | mov                 dword ptr [rsp + 0x28], ebp
            // x86-64 fastcall argument setup: rcx = rbx, edx = 0xc0000000
            // (GENERIC_READ | GENERIC_WRITE), r8 = 0, 6th argument = ebp. This matches the
            // shape of a CreateFile* call (name, access, share mode 0, ..., flags); the
            // callee is not in the sequence.

        $sequence_34 = { c68424b600000005 c68424b700000027 c68424b80000003a c68424b900000036 c68424ba00000030 c68424bb00000026 c68424bc00000026 }
            // n = 7, score = 300
            //   c68424b600000005     | mov                 byte ptr [esp + 0xb6], 5
            //   c68424b700000027     | mov                 byte ptr [esp + 0xb7], 0x27
            //   c68424b80000003a     | mov                 byte ptr [esp + 0xb8], 0x3a
            //   c68424b900000036     | mov                 byte ptr [esp + 0xb9], 0x36
            //   c68424ba00000030     | mov                 byte ptr [esp + 0xba], 0x30
            //   c68424bb00000026     | mov                 byte ptr [esp + 0xbb], 0x26
            //   c68424bc00000026     | mov                 byte ptr [esp + 0xbc], 0x26
            // Continuation of the encoded stack string from $sequence_32 (+0xb6 onwards).

        $sequence_35 = { c644244d31 c644244e10 c644244f2d c644245055 }
            // n = 4, score = 300
            //   c644244d31           | mov                 byte ptr [esp + 0x4d], 0x31
            //   c644244e10           | mov                 byte ptr [esp + 0x4e], 0x10
            //   c644244f2d           | mov                 byte ptr [esp + 0x4f], 0x2d
            //   c644245055           | mov                 byte ptr [esp + 0x50], 0x55
            // Another byte-wise stack string ('1', 0x10, '-', 'U'); likely encoded.

        $sequence_36 = { 33ed 488bf9 498bf0 8d4d40 488bda }
            // n = 5, score = 300
            //   33ed                 | xor                 ebp, ebp
            //   488bf9               | mov                 rdi, rcx
            //   498bf0               | mov                 rsi, r8
            //   8d4d40               | lea                 ecx, [rbp + 0x40]
            //   488bda               | mov                 rbx, rdx
            // x86-64 prologue saving the three register arguments; with rbp zeroed just
            // before, "lea ecx, [rbp + 0x40]" is simply ecx = 0x40.

        $sequence_37 = { 33d2 488b4c2460 ff15???????? 8bd8 }
            // n = 4, score = 300
            //   33d2                 | xor                 edx, edx
            //   488b4c2460           | mov                 rcx, qword ptr [rsp + 0x60]
            //   ff15????????         | call                qword ptr [rip + disp32] (target masked)
            //   8bd8                 | mov                 ebx, eax
            // x86-64 call of an imported API with (rcx = local at +0x60, edx = 0).

        $sequence_38 = { e8???????? c74424601c010000 488d4c2460 ff15???????? 837c246406 }
            // n = 5, score = 300
            //   e8????????           | call                rel32 (target masked)
            //   c74424601c010000     | mov                 dword ptr [rsp + 0x60], 0x11c
            //   488d4c2460           | lea                 rcx, [rsp + 0x60]
            //   ff15????????         | call                qword ptr [rip + disp32] (target masked)
            //   837c246406           | cmp                 dword ptr [rsp + 0x64], 6
            // 0x11c (284) is sizeof(OSVERSIONINFOEXW) and the field at +4 is
            // dwMajorVersion, so this is consistent with GetVersionExW(&osvi) followed by a
            // "major version == 6" (Vista/7/8) check. Callee masked - confirm in the sample.

        $sequence_39 = { 8d8594faffff 50 68???????? ff15???????? }
            // n = 4, score = 200
            //   8d8594faffff         | lea                 eax, [ebp - 0x56c]
            //   50                   | push                eax
            //   68????????           | push                imm32 (masked)
            //   ff15????????         | call                dword ptr [imm32] (target masked)
            // Imported API called with (imm32, pointer to a large local buffer).

        $sequence_40 = { 8b07 2bc3 0f84e5000000 48 }
            // n = 4, score = 100
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   2bc3                 | sub                 eax, ebx
            //   0f84e5000000         | je                  0xeb
            //   48                   | dec                 eax

        $sequence_41 = { 8b0485100b4200 83c00c 03c7 50 ff15???????? 33c0 }
            // n = 6, score = 100
            //   8b0485100b4200       | mov                 eax, dword ptr [eax*4 + 0x420b10]
            //   83c00c               | add                 eax, 0xc
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32] (target masked)
            //   33c0                 | xor                 eax, eax
            // Absolute address 0x420b10 (image base 0x400000): build-specific. Together
            // with $sequence_43 this looks like the MSVC CRT's __pioinfo file-handle table
            // (field +0xc would be the per-handle critical section) - CRT code, not
            // family-specific logic.

        $sequence_42 = { e8???????? 59 59 68???????? e8???????? 59 8b0c9d10c04100 }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (target masked)
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   68????????           | push                imm32 (masked)
            //   e8????????           | call                rel32 (target masked)
            //   59                   | pop                 ecx
            //   8b0c9d10c04100       | mov                 ecx, dword ptr [ebx*4 + 0x41c010]
            // "pop ecx" pairs are the compiler's cdecl stack cleanup for 8 / 4 bytes.
            // Absolute address 0x41c010: build-specific.

        $sequence_43 = { 7414 8bc1 83e11f c1f805 c1e106 030c85100b4200 eb02 }
            // n = 7, score = 100
            //   7414                 | je                  0x16
            //   8bc1                 | mov                 eax, ecx
            //   83e11f               | and                 ecx, 0x1f
            //   c1f805               | sar                 eax, 5
            //   c1e106               | shl                 ecx, 6
            //   030c85100b4200       | add                 ecx, dword ptr [eax*4 + 0x420b10]
            //   eb02                 | jmp                 4
            // (fh >> 5) selects a table entry, (fh & 0x1f) << 6 indexes a 0x40-byte record:
            // this is the MSVC CRT _pioinfo(fh) lookup, i.e. statically linked CRT code.
            // Absolute address 0x420b10: build-specific.

        $sequence_44 = { 8b442448 8908 85c9 0f84cd000000 ff7500 8d474c 46 }
            // n = 7, score = 100
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   85c9                 | test                ecx, ecx
            //   0f84cd000000         | je                  0xd3
            //   ff7500               | push                dword ptr [ebp]
            //   8d474c               | lea                 eax, [edi + 0x4c]
            //   46                   | inc                 esi
            // Stores ecx through an out-pointer and bails out when it is zero.

        $sequence_45 = { 8bd8 85db 0f842d020000 33c9 894c2414 394c242c 0f8616020000 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f842d020000         | je                  0x233
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   394c242c             | cmp                 dword ptr [esp + 0x2c], ecx
            //   0f8616020000         | jbe                 0x21c
            // Null-check of a call result, then entry into a counted loop (counter at
            // [esp + 0x14], bound at [esp + 0x2c], unsigned compare).

        $sequence_46 = { 58 6bc000 c780040f420002000000 6a04 58 6bc000 8b0d???????? }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   6bc000               | imul                eax, eax, 0
            //   c780040f420002000000     | mov    dword ptr [eax + 0x420f04], 2
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   6bc000               | imul                eax, eax, 0
            //   8b0d????????         | mov                 ecx, dword ptr [imm32] (address masked)
            // "imul eax, eax, 0" is unoptimised array-index arithmetic (index 0 scaled by
            // element size): compiler output of a non-optimised build. Absolute address
            // 0x420f04: build-specific.

    condition:
        // 7 of 47 sequences plus a size cap of 3522560 bytes (~3.4 MiB). Because the
        // low-score, single-sample sequences (absolute addresses, CRT boilerplate)
        // count toward the 7 just like the high-score ones, a match is a strong lead
        // but should be confirmed against the high-score sequences (or the w0 rule
        // below) before it is used for attribution.
        7 of them and filesize < 3522560
}
[TLP:WHITE] win_agent_btz_w0   (20171113 | No description)
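rule win_agent_btz_w0 {
    meta:
        source = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
        contribution = "pnx - removed FPs"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz"
        malpedia_version = "20171113"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // C6 45 xx yy = mov byte ptr [ebp + disp8], imm8: byte-by-byte stack-string
        // construction. On its own this is ordinary compiler output; only the >200
        // occurrence threshold in the condition gives it meaning.
        $b = {C645????}
        // C6 85 xx FE FF FF yy = mov byte ptr [ebp - 0x1xx], imm8 (disp32 = 0xFFFFFExx):
        // the same stack-string idiom with a larger stack frame.
        $c = {C685??FEFFFF??}
        // FF A0 disp32 = jmp dword ptr [eax + disp32] with disp32 < 0x1000: an indirect
        // jump through a table held at eax. Presumably a dispatch/jump-table idiom -
        // not verifiable from the bytes alone; >40 hits required.
        $d = {FFA0??0?0000}
        // 89 A8 disp32 = mov [eax + disp32], ebp (disp32 < 0x100)
        // 68 imm32     = push imm32 (imm32 < 0x100)
        // 56           = push esi
        // FF D7        = call edi
        // 8B           = start of the following mov r32, r/m32
        // 32-bit call-site idiom: a call through a register-held function pointer.
        $e = {89A8??00000068??00000056FFD78B}
        // 00 00 (tail of the previous instruction's operand)
        // 48 89 modrm disp32 = x86-64 mov qword ptr [reg + disp32], reg64 with disp32 in
        //                      0x300..0x3FF (assuming no SIB byte - the 0x48000003 reading
        //                      with a SIB is implausible)
        // 48 8B              = start of the following mov reg64, ...
        // 64-bit counterpart of $e: a store to a large structure offset.
        $f = {00004889????030000488B}
        // Plain ASCII filename fragment. It is required unconditionally and is what
        // keeps the generic byte patterns above from firing on ordinary compiled code.
        $tmp_fn = "FA.tmp"
    condition:
        // Grouping below spells out how YARA actually parses the original expression
        // "((A) or (B) and (C)) and $tmp_fn": `and` binds tighter than `or`, so it is
        // "(A or (B and C)) and $tmp_fn". Behaviour is unchanged.
        //   A = 32-bit stack-string counts  (#c > 200 and #b > 200)
        //   B = jump-table count            (#d > 40)
        //   C = call-site pattern counts    (#e > 15 or #f > 30)
        // NOTE(review): the original parentheses read as if "(A or B) and C" may have
        // been intended (i.e. the call-site patterns always required). That would be a
        // tighter rule; confirm the intent against the Symantec source before retuning,
        // since changing the grouping changes which samples match.
        (
            (#c > 200 and #b > 200)
            or
            ((#d > 40) and (#e > 15 or #f > 30))
        )
        and $tmp_fn
}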