Banjori (Malware Family)

Banjori

aka: MultiBanker 2, BankPatch, BackPatcher
VTCollection
There is no description at this point.
References

2016-05-02 ⋅ John Bambenek ⋅ John Bambenek
OSINT Feed
Mirai Banjori
2015-02-10 ⋅ Johannes Bader's Blog ⋅ Johannes Bader
The DGA of Banjori
Banjori
2013-05-21 ⋅ Kleissner & Associates ⋅ Peter Kleissner
News on MultiBanker, features now a jabber p2p functionality
Banjori
2013-03-26 ⋅ Kleissner & Associates ⋅ Peter Kleissner
Behind MultiBanker, what the security industry doesn’t tell you and its money mule network
Banjori
Yara Rules

[TLP:WHITE] win_banjori_auto (20260504 | Detects win.banjori.)
rule win_banjori_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.banjori."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75f4 ff15???????? ff75f8 ff15???????? 8b45fc c9 c3 }
            // n = 7, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_1 = { 03c2 8945e8 03c2 8945d8 03c2 8945fc ff7508 }
            // n = 7, score = 100
            //   03c2                 | add                 eax, edx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   03c2                 | add                 eax, edx
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   03c2                 | add                 eax, edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_2 = { e8???????? 85c0 0f8495020000 8945f8 8bf8 8b07 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8495020000         | je                  0x29b
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8bf8                 | mov                 edi, eax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   85c0                 | test                eax, eax

        $sequence_3 = { c745e008000000 8d45e0 50 8d45d0 50 53 53 }
            // n = 7, score = 100
            //   c745e008000000       | mov                 dword ptr [ebp - 0x20], 8
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_4 = { ff15???????? ff35???????? ff75a8 ff15???????? 68???????? 50 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   ff75a8               | push                dword ptr [ebp - 0x58]
            //   ff15????????         |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 53 53 ffb5b4feffff ff15???????? ffb59cfeffff ff15???????? 8bc8 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ffb5b4feffff         | push                dword ptr [ebp - 0x14c]
            //   ff15????????         |                     
            //   ffb59cfeffff         | push                dword ptr [ebp - 0x164]
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { ff15???????? 83c410 ffb598feffff ffb59cfeffff e8???????? 85c0 0f8588000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   ffb598feffff         | push                dword ptr [ebp - 0x168]
            //   ffb59cfeffff         | push                dword ptr [ebp - 0x164]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8588000000         | jne                 0x8e

        $sequence_7 = { 53 53 6a01 53 68???????? ff75fc ff15???????? }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_8 = { 7512 8d05d4e79500 50 ff35???????? e8???????? 68???????? 57 }
            // n = 7, score = 100
            //   7512                 | jne                 0x14
            //   8d05d4e79500         | lea                 eax, [0x95e7d4]
            //   50                   | push                eax
            //   ff35????????         |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   57                   | push                edi

        $sequence_9 = { 885fff 56 ff75f4 ff15???????? ff75f4 ff15???????? }
            // n = 6, score = 100
            //   885fff               | mov                 byte ptr [edi - 1], bl
            //   56                   | push                esi
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules
Banjori Propose Change

References

Yara Rules

Banjori
