SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bangat (Back to overview)

bangat

Actor(s): Comment Crew

There is no description at this point.

References
2013-02-20FireEyeMandiant
@online{mandiant:20130220:1:7fa9646, author = {Mandiant}, title = {{APT 1 Malware Arsenal Technical Annex}}, date = {2013-02-20}, organization = {FireEye}, url = {https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal}, language = {Mandiant}, urldate = {2020-01-08} } APT 1 Malware Arsenal Technical Annex
bangat
Yara Rules
[TLP:WHITE] win_bangat_auto (20230407 | Detects win.bangat.)
rule win_bangat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.bangat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b6c2454 23cd 33d0 8b44241c 33d9 8b4c2418 03fa }
            // n = 7, score = 100
            //   8b6c2454             | mov                 ebp, dword ptr [esp + 0x54]
            //   23cd                 | and                 ecx, ebp
            //   33d0                 | xor                 edx, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   33d9                 | xor                 ebx, ecx
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   03fa                 | add                 edi, edx

        $sequence_1 = { 8a5e01 8a4e03 83c602 8be9 8bc5 83c602 25ffff0000 }
            // n = 7, score = 100
            //   8a5e01               | mov                 bl, byte ptr [esi + 1]
            //   8a4e03               | mov                 cl, byte ptr [esi + 3]
            //   83c602               | add                 esi, 2
            //   8be9                 | mov                 ebp, ecx
            //   8bc5                 | mov                 eax, ebp
            //   83c602               | add                 esi, 2
            //   25ffff0000           | and                 eax, 0xffff

        $sequence_2 = { 6a08 8b4658 0574010000 50 e8???????? 8b8ed8000000 8b4658 }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   8b4658               | mov                 eax, dword ptr [esi + 0x58]
            //   0574010000           | add                 eax, 0x174
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b8ed8000000         | mov                 ecx, dword ptr [esi + 0xd8]
            //   8b4658               | mov                 eax, dword ptr [esi + 0x58]

        $sequence_3 = { 0be8 8b442440 0bda 8bd0 33f5 33fb f7d2 }
            // n = 7, score = 100
            //   0be8                 | or                  ebp, eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   0bda                 | or                  ebx, edx
            //   8bd0                 | mov                 edx, eax
            //   33f5                 | xor                 esi, ebp
            //   33fb                 | xor                 edi, ebx
            //   f7d2                 | not                 edx

        $sequence_4 = { 8b6818 13f1 8b4c2420 03d1 8b7820 895010 }
            // n = 6, score = 100
            //   8b6818               | mov                 ebp, dword ptr [eax + 0x18]
            //   13f1                 | adc                 esi, ecx
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   03d1                 | add                 edx, ecx
            //   8b7820               | mov                 edi, dword ptr [eax + 0x20]
            //   895010               | mov                 dword ptr [eax + 0x10], edx

        $sequence_5 = { 50 56 57 ffd1 8b542438 83c418 eb05 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   ffd1                 | call                ecx
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   83c418               | add                 esp, 0x18
            //   eb05                 | jmp                 7

        $sequence_6 = { 8b7510 57 8d5e04 53 ff15???????? }
            // n = 5, score = 100
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   57                   | push                edi
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_7 = { 8d0431 f7f3 8bd0 6bd23c 2bca 03ce 51 }
            // n = 7, score = 100
            //   8d0431               | lea                 eax, [ecx + esi]
            //   f7f3                 | div                 ebx
            //   8bd0                 | mov                 edx, eax
            //   6bd23c               | imul                edx, edx, 0x3c
            //   2bca                 | sub                 ecx, edx
            //   03ce                 | add                 ecx, esi
            //   51                   | push                ecx

        $sequence_8 = { 8b8c24a0000000 0bf8 8b84249c000000 0bda 8b54244c 33ef 8b7c2448 }
            // n = 7, score = 100
            //   8b8c24a0000000       | mov                 ecx, dword ptr [esp + 0xa0]
            //   0bf8                 | or                  edi, eax
            //   8b84249c000000       | mov                 eax, dword ptr [esp + 0x9c]
            //   0bda                 | or                  ebx, edx
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]
            //   33ef                 | xor                 ebp, edi
            //   8b7c2448             | mov                 edi, dword ptr [esp + 0x48]

        $sequence_9 = { 33db 85c0 7411 8bc8 51 e8???????? }
            // n = 6, score = 100
            //   33db                 | xor                 ebx, ebx
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   8bc8                 | mov                 ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1228800
}
Download all Yara Rules