SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alureon (Back to overview)

Alureon

aka: Olmarik, Pihar, TDL, TDSS, wowlik
VTCollection     URLhaus    

There is no description at this point.

References
2023-02-24Twitter (@Sebdraven)Sébastien Larinier
Tweet on IOCTL manipulation in TDL4 and HermeticWiper
Alureon HermeticWiper
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2016-01-10Johannes Bader
The DGA in Alureon/DNSChanger
Alureon DNSChanger
2016-01-01Virus BulletinJaromír Hořejší, Peter Kálnai
Notes on click fraud: American story
Alureon ZeroAccess
2014-04-18Trend MicroAlvin John Nieto
TROJ64_WOWLIK.VT
Alureon
2012-02-01Contagio DumpMila Parkour
TDL4 - Purple Haze (Pihar) Variant - sample and analysis
Alureon
2011-07-07Contagio DumpMila Parkour
Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7
Alureon
2010-06-28F-Secure LabsAce Portuguez
The Case of Trojan DownLoader "TDL3"
Alureon
2010-02-08Contagio DumpMila Parkour
List of Aurora / Hydraq / Roarur files
Alureon
Yara Rules
[TLP:WHITE] win_alureon_auto (20230808 | Detects win.alureon.)
rule win_alureon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.alureon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 59 32c0 8d7c2420 f3aa 8b4d14 }
            // n = 5, score = 200
            //   59                   | pop                 ecx
            //   32c0                 | xor                 al, al
            //   8d7c2420             | lea                 edi, [esp + 0x20]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_1 = { 3b442410 75cf 33c0 5f 5e 5b c20800 }
            // n = 7, score = 200
            //   3b442410             | cmp                 eax, dword ptr [esp + 0x10]
            //   75cf                 | jne                 0xffffffd1
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8

        $sequence_2 = { 6800001000 8d45f8 50 c745d818000000 }
            // n = 4, score = 200
            //   6800001000           | push                0x100000
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   c745d818000000       | mov                 dword ptr [ebp - 0x28], 0x18

        $sequence_3 = { 68000010c0 8d45fc 50 c745d818000000 }
            // n = 4, score = 200
            //   68000010c0           | push                0xc0100000
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   c745d818000000       | mov                 dword ptr [ebp - 0x28], 0x18

        $sequence_4 = { 6800000080 6a03 56 6a01 }
            // n = 4, score = 200
            //   6800000080           | push                0x80000000
            //   6a03                 | push                3
            //   56                   | push                esi
            //   6a01                 | push                1

        $sequence_5 = { 41 8bca 49 ffc7 }
            // n = 4, score = 200
            //   41                   | inc                 ecx
            //   8bca                 | mov                 ecx, edx
            //   49                   | dec                 ecx
            //   ffc7                 | inc                 edi

        $sequence_6 = { 2bc8 03cf 8908 eb2f 837dfc05 751c }
            // n = 6, score = 200
            //   2bc8                 | sub                 ecx, eax
            //   03cf                 | add                 ecx, edi
            //   8908                 | mov                 dword ptr [eax], ecx
            //   eb2f                 | jmp                 0x31
            //   837dfc05             | cmp                 dword ptr [ebp - 4], 5
            //   751c                 | jne                 0x1e

        $sequence_7 = { 6800005600 8d45d0 50 53 }
            // n = 4, score = 200
            //   6800005600           | push                0x560000
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_8 = { 53 ff15???????? 8945f8 56 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   56                   | push                esi

        $sequence_9 = { c745f000010000 749d ff75e8 ff15???????? }
            // n = 4, score = 100
            //   c745f000010000       | mov                 dword ptr [ebp - 0x10], 0x100
            //   749d                 | je                  0xffffff9f
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     

        $sequence_10 = { 66a5 8d85a8feffff 50 68???????? a4 }
            // n = 5, score = 100
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   50                   | push                eax
            //   68????????           |                     
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]

        $sequence_11 = { 741c 8d85e4fbffff 50 8d85f8feffff 50 }
            // n = 5, score = 100
            //   741c                 | je                  0x1e
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax

        $sequence_12 = { 837dfc0a 7cc0 eb32 8bc3 }
            // n = 4, score = 100
            //   837dfc0a             | cmp                 dword ptr [ebp - 4], 0xa
            //   7cc0                 | jl                  0xffffffc2
            //   eb32                 | jmp                 0x34
            //   8bc3                 | mov                 eax, ebx

        $sequence_13 = { 50 33f6 46 56 8d8424cc000000 50 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   56                   | push                esi
            //   8d8424cc000000       | lea                 eax, [esp + 0xcc]
            //   50                   | push                eax

        $sequence_14 = { 8d8424ec010000 50 68???????? ff15???????? 85c0 0f84f2020000 }
            // n = 6, score = 100
            //   8d8424ec010000       | lea                 eax, [esp + 0x1ec]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84f2020000         | je                  0x2f8

        $sequence_15 = { ff15???????? 85c0 7409 39b424c8000000 75cf 53 53 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   39b424c8000000       | cmp                 dword ptr [esp + 0xc8], esi
            //   75cf                 | jne                 0xffffffd1
            //   53                   | push                ebx
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 278528
}
Download all Yara Rules