SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bangat (Back to overview)

bangat

Actor(s): Comment Crew


There is no description at this point.

References
2013-02-20FireEyeMandiant
@online{mandiant:20130220:1:7fa9646, author = {Mandiant}, title = {{APT 1 Malware Arsenal Technical Annex}}, date = {2013-02-20}, organization = {FireEye}, url = {https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal}, language = {Mandiant}, urldate = {2020-01-08} } APT 1 Malware Arsenal Technical Annex
bangat
Yara Rules
[TLP:WHITE] win_bangat_auto (20220411 | Detects win.bangat.)
rule win_bangat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.bangat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 39bd34ffffff 7506 898e10020000 399d34ffffff 750a c7861002000003000000 834dfcff }
            // n = 7, score = 100
            //   39bd34ffffff         | cmp                 dword ptr [ebp - 0xcc], edi
            //   7506                 | jne                 8
            //   898e10020000         | mov                 dword ptr [esi + 0x210], ecx
            //   399d34ffffff         | cmp                 dword ptr [ebp - 0xcc], ebx
            //   750a                 | jne                 0xc
            //   c7861002000003000000     | mov    dword ptr [esi + 0x210], 3
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        $sequence_1 = { 51 89442404 ff5208 83c404 85c0 7504 83c408 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   ff5208               | call                dword ptr [edx + 8]
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   83c408               | add                 esp, 8

        $sequence_2 = { 53 50 8d85b0fbffff 6820030000 50 ff75ec ffd6 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d85b0fbffff         | lea                 eax, dword ptr [ebp - 0x450]
            //   6820030000           | push                0x320
            //   50                   | push                eax
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ffd6                 | call                esi

        $sequence_3 = { e9???????? 8b4d3c 3d60100000 8b7104 0f85a4000000 8b4544 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   8b4d3c               | mov                 ecx, dword ptr [ebp + 0x3c]
            //   3d60100000           | cmp                 eax, 0x1060
            //   8b7104               | mov                 esi, dword ptr [ecx + 4]
            //   0f85a4000000         | jne                 0xaa
            //   8b4544               | mov                 eax, dword ptr [ebp + 0x44]

        $sequence_4 = { 8b8290000000 894840 e9???????? a806 0f8586050000 a880 0f845c020000 }
            // n = 7, score = 100
            //   8b8290000000         | mov                 eax, dword ptr [edx + 0x90]
            //   894840               | mov                 dword ptr [eax + 0x40], ecx
            //   e9????????           |                     
            //   a806                 | test                al, 6
            //   0f8586050000         | jne                 0x58c
            //   a880                 | test                al, 0x80
            //   0f845c020000         | je                  0x262

        $sequence_5 = { 57 7525 6875050000 68???????? 68c4000000 68a9000000 6a14 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   7525                 | jne                 0x27
            //   6875050000           | push                0x575
            //   68????????           |                     
            //   68c4000000           | push                0xc4
            //   68a9000000           | push                0xa9
            //   6a14                 | push                0x14

        $sequence_6 = { 56 57 e8???????? be04010000 bf???????? 56 6a00 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   be04010000           | mov                 esi, 0x104
            //   bf????????           |                     
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_7 = { 83c40c 85c0 7e1e 3bc7 7428 f685f800000001 751f }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7e1e                 | jle                 0x20
            //   3bc7                 | cmp                 eax, edi
            //   7428                 | je                  0x2a
            //   f685f800000001       | test                byte ptr [ebp + 0xf8], 1
            //   751f                 | jne                 0x21

        $sequence_8 = { 83c464 c3 8b842488000000 50 e8???????? 83c404 33c0 }
            // n = 7, score = 100
            //   83c464               | add                 esp, 0x64
            //   c3                   | ret                 
            //   8b842488000000       | mov                 eax, dword ptr [esp + 0x88]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 83c410 3bc5 750a c705????????90b74700 68da000000 68???????? }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   3bc5                 | cmp                 eax, ebp
            //   750a                 | jne                 0xc
            //   c705????????90b74700     |     
            //   68da000000           | push                0xda
            //   68????????           |                     

    condition:
        7 of them and filesize < 1228800
}
Download all Yara Rules