SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alreay (Back to overview)

Alreay

Actor(s): Lazarus Group

There is no description at this point.

References
2017-04-03Kaspersky LabsGReAT
@online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } Lazarus under the Hood
Alreay DYEPACK
Yara Rules
[TLP:WHITE] win_alreay_auto (20230125 | Detects win.alreay.)
rule win_alreay_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.alreay."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5c2418 33ed 56 53 89aec8050000 c7460c11000000 e8???????? }
            // n = 7, score = 100
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]
            //   33ed                 | xor                 ebp, ebp
            //   56                   | push                esi
            //   53                   | push                ebx
            //   89aec8050000         | mov                 dword ptr [esi + 0x5c8], ebp
            //   c7460c11000000       | mov                 dword ptr [esi + 0xc], 0x11
            //   e8????????           |                     

        $sequence_1 = { 894b10 e8???????? 8bf0 83c40c 85f6 0f85d8020000 8d431c }
            // n = 7, score = 100
            //   894b10               | mov                 dword ptr [ebx + 0x10], ecx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f85d8020000         | jne                 0x2de
            //   8d431c               | lea                 eax, [ebx + 0x1c]

        $sequence_2 = { e8???????? 8bd0 83c408 3bd3 7517 8b4c2420 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   83c408               | add                 esp, 8
            //   3bd3                 | cmp                 edx, ebx
            //   7517                 | jne                 0x19
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]

        $sequence_3 = { 8bd0 c1ea18 33cb 25ff000000 8b1c95a4954600 8b16 33cb }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   c1ea18               | shr                 edx, 0x18
            //   33cb                 | xor                 ecx, ebx
            //   25ff000000           | and                 eax, 0xff
            //   8b1c95a4954600       | mov                 ebx, dword ptr [edx*4 + 0x4695a4]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   33cb                 | xor                 ecx, ebx

        $sequence_4 = { 8b8658020000 83c404 83f804 89be78870000 751a 8b86f0010000 8b8ef4010000 }
            // n = 7, score = 100
            //   8b8658020000         | mov                 eax, dword ptr [esi + 0x258]
            //   83c404               | add                 esp, 4
            //   83f804               | cmp                 eax, 4
            //   89be78870000         | mov                 dword ptr [esi + 0x8778], edi
            //   751a                 | jne                 0x1c
            //   8b86f0010000         | mov                 eax, dword ptr [esi + 0x1f0]
            //   8b8ef4010000         | mov                 ecx, dword ptr [esi + 0x1f4]

        $sequence_5 = { 8a5703 c1e108 0bca 33d2 8a7704 8bf1 8a5705 }
            // n = 7, score = 100
            //   8a5703               | mov                 dl, byte ptr [edi + 3]
            //   c1e108               | shl                 ecx, 8
            //   0bca                 | or                  ecx, edx
            //   33d2                 | xor                 edx, edx
            //   8a7704               | mov                 dh, byte ptr [edi + 4]
            //   8bf1                 | mov                 esi, ecx
            //   8a5705               | mov                 dl, byte ptr [edi + 5]

        $sequence_6 = { 51 e8???????? 83c40c 3bc5 7523 f7de eb1b }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   3bc5                 | cmp                 eax, ebp
            //   7523                 | jne                 0x25
            //   f7de                 | neg                 esi
            //   eb1b                 | jmp                 0x1d

        $sequence_7 = { 8b74242c 83c007 c1e803 89442424 8b44241c 8b0e 8b5604 }
            // n = 7, score = 100
            //   8b74242c             | mov                 esi, dword ptr [esp + 0x2c]
            //   83c007               | add                 eax, 7
            //   c1e803               | shr                 eax, 3
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b5604               | mov                 edx, dword ptr [esi + 4]

        $sequence_8 = { 8be8 d1eb 81e588000000 0bdd 8be9 d1eb 81e500000008 }
            // n = 7, score = 100
            //   8be8                 | mov                 ebp, eax
            //   d1eb                 | shr                 ebx, 1
            //   81e588000000         | and                 ebp, 0x88
            //   0bdd                 | or                  ebx, ebp
            //   8be9                 | mov                 ebp, ecx
            //   d1eb                 | shr                 ebx, 1
            //   81e500000008         | and                 ebp, 0x8000000

        $sequence_9 = { 8b885c020000 8b9060020000 3bca 7702 8bca 8b10 41 }
            // n = 7, score = 100
            //   8b885c020000         | mov                 ecx, dword ptr [eax + 0x25c]
            //   8b9060020000         | mov                 edx, dword ptr [eax + 0x260]
            //   3bca                 | cmp                 ecx, edx
            //   7702                 | ja                  4
            //   8bca                 | mov                 ecx, edx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   41                   | inc                 ecx

    condition:
        7 of them and filesize < 1867776
}
Download all Yara Rules