SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alureon (Back to overview)

Alureon

aka: Olmarik, Pihar, TDL, TDSS, wowlik
URLhaus    

There is no description at this point.

References
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2016-01-10Johannes Bader
@online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } The DGA in Alureon/DNSChanger
Alureon DNSChanger
2016-01-01Virus BulletinPeter Kálnai, Jaromír Hořejší
@online{klnai:20160101:notes:100f4d8, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Notes on click fraud: American story}}, date = {2016-01-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/}, language = {English}, urldate = {2020-03-04} } Notes on click fraud: American story
Alureon ZeroAccess
2014-04-18Trend MicroAlvin John Nieto
@online{nieto:20140418:troj64wowlikvt:a785d3a, author = {Alvin John Nieto}, title = {{TROJ64_WOWLIK.VT}}, date = {2014-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt}, language = {English}, urldate = {2020-01-13} } TROJ64_WOWLIK.VT
Alureon
2012-02-01Contagio DumpMila Parkour
@online{parkour:20120201:tdl4:e13618a, author = {Mila Parkour}, title = {{TDL4 - Purple Haze (Pihar) Variant - sample and analysis}}, date = {2012-02-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html}, language = {English}, urldate = {2019-12-20} } TDL4 - Purple Haze (Pihar) Variant - sample and analysis
Alureon
2011-07-07Contagio DumpMila Parkour
@online{parkour:20110707:rootkit:501fe3d, author = {Mila Parkour}, title = {{Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7}}, date = {2011-07-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html}, language = {English}, urldate = {2019-12-18} } Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7
Alureon
2010-06-28F-Secure LabsAce Portuguez
@techreport{portuguez:20100628:case:d50ed65, author = {Ace Portuguez}, title = {{The Case of Trojan DownLoader "TDL3"}}, date = {2010-06-28}, institution = {F-Secure Labs}, url = {https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf}, language = {English}, urldate = {2022-01-25} } The Case of Trojan DownLoader "TDL3"
Alureon
2010-02-08Contagio DumpMila Parkour
@online{parkour:20100208:list:95ec809, author = {Mila Parkour}, title = {{List of Aurora / Hydraq / Roarur files}}, date = {2010-02-08}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html}, language = {English}, urldate = {2019-11-17} } List of Aurora / Hydraq / Roarur files
Alureon
Yara Rules
[TLP:WHITE] win_alureon_auto (20221125 | Detects win.alureon.)
rule win_alureon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.alureon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 884c243c 8b4d1c 8bd1 c1ea18 8854243e 6689442420 }
            // n = 6, score = 200
            //   884c243c             | mov                 byte ptr [esp + 0x3c], cl
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   8bd1                 | mov                 edx, ecx
            //   c1ea18               | shr                 edx, 0x18
            //   8854243e             | mov                 byte ptr [esp + 0x3e], dl
            //   6689442420           | mov                 word ptr [esp + 0x20], ax

        $sequence_1 = { 83c410 8d8598f9ffff 50 8d45f0 50 ffd6 6a20 }
            // n = 7, score = 200
            //   83c410               | add                 esp, 0x10
            //   8d8598f9ffff         | lea                 eax, [ebp - 0x668]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   6a20                 | push                0x20

        $sequence_2 = { 8b5824 56 8b7020 57 8b781c 8b4018 03f2 }
            // n = 7, score = 200
            //   8b5824               | mov                 ebx, dword ptr [eax + 0x24]
            //   56                   | push                esi
            //   8b7020               | mov                 esi, dword ptr [eax + 0x20]
            //   57                   | push                edi
            //   8b781c               | mov                 edi, dword ptr [eax + 0x1c]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   03f2                 | add                 esi, edx

        $sequence_3 = { fe45ff 0fb645ff 8d8405fcfeffff 8a10 }
            // n = 4, score = 200
            //   fe45ff               | inc                 byte ptr [ebp - 1]
            //   0fb645ff             | movzx               eax, byte ptr [ebp - 1]
            //   8d8405fcfeffff       | lea                 eax, [ebp + eax - 0x104]
            //   8a10                 | mov                 dl, byte ptr [eax]

        $sequence_4 = { 48 83e5e0 33c0 4c 8bd1 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   83e5e0               | and                 ebp, 0xffffffe0
            //   33c0                 | xor                 eax, eax
            //   4c                   | dec                 esp
            //   8bd1                 | mov                 edx, ecx

        $sequence_5 = { 6804010000 8d85a0fbffff 50 ff15???????? }
            // n = 4, score = 200
            //   6804010000           | push                0x104
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 33c9 49 03d8 49 8be8 8b7350 44 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   49                   | dec                 ecx
            //   03d8                 | add                 ebx, eax
            //   49                   | dec                 ecx
            //   8be8                 | mov                 ebp, eax
            //   8b7350               | mov                 esi, dword ptr [ebx + 0x50]
            //   44                   | inc                 esp

        $sequence_7 = { 50 ff75f0 e8???????? ff4514 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   ff4514               | inc                 dword ptr [ebp + 0x14]

        $sequence_8 = { 740d e8???????? 3c01 7404 32c0 }
            // n = 5, score = 100
            //   740d                 | je                  0xf
            //   e8????????           |                     
            //   3c01                 | cmp                 al, 1
            //   7404                 | je                  6
            //   32c0                 | xor                 al, al

        $sequence_9 = { 8d85e5fbffff 53 50 889de4fbffff e8???????? 68ff000000 }
            // n = 6, score = 100
            //   8d85e5fbffff         | lea                 eax, [ebp - 0x41b]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   889de4fbffff         | mov                 byte ptr [ebp - 0x41c], bl
            //   e8????????           |                     
            //   68ff000000           | push                0xff

        $sequence_10 = { 6a04 58 8945b0 8945b8 }
            // n = 4, score = 100
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax

        $sequence_11 = { 8a08 40 84c9 75f9 ff75b4 8d4dbc 2bc6 }
            // n = 7, score = 100
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   ff75b4               | push                dword ptr [ebp - 0x4c]
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   2bc6                 | sub                 eax, esi

        $sequence_12 = { 6804010000 8d842404070000 50 6aff 8d842404040000 50 }
            // n = 6, score = 100
            //   6804010000           | push                0x104
            //   8d842404070000       | lea                 eax, [esp + 0x704]
            //   50                   | push                eax
            //   6aff                 | push                -1
            //   8d842404040000       | lea                 eax, [esp + 0x404]
            //   50                   | push                eax

        $sequence_13 = { 50 8d45b0 50 8d45f0 50 8d45c0 50 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   50                   | push                eax

        $sequence_14 = { e8???????? 83c40c 8d45ec 50 8d85e4fbffff 50 8d45e4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_15 = { 8d44243c 6800000001 6a02 898424a0000000 53 }
            // n = 5, score = 100
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   6800000001           | push                0x1000000
            //   6a02                 | push                2
            //   898424a0000000       | mov                 dword ptr [esp + 0xa0], eax
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 278528
}
Download all Yara Rules