win.boatlaunch

BOATLAUNCH

Actor(s): FIN7


FIN7 uses this malware as a helper module during intrusion operations. BOATLAUNCH continuously looks for PowerShell processes on infected systems and patches them to bypass the Windows Antimalware Scan Interface (AMSI), so that PowerShell content executed afterwards in those processes is no longer submitted to AMSI-registered scanners.

References
Yara Rules
[TLP:WHITE] win_boatlaunch_auto (20230808 | Detects win.boatlaunch.)
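rule win_boatlaunch_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.boatlaunch."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) on the disassembly comments below:
     * Each byte sequence is decoded on its own. Sequences carrying REX prefixes
     * (0x41 / 0x44 / 0x48 / 0x4c) are decoded as x86-64; the remaining sequences
     * only decode sensibly as 32-bit x86 (e.g. 0x49 / 0x4b as dec, 0x6a / 0xff 0x75
     * as stack-pushed arguments) and presumably stem from a separate 32-bit build
     * of the same code. '????????' bytes are call / RIP-relative displacements
     * that the generator wildcarded, so the call targets are unknown from here.
     * Jump targets are written relative to the start of the jump instruction.
     * Remarks about Windows constants or API usage are interpretations of the
     * immediate values and should be confirmed against a sample.
     */

    strings:
        $sequence_0 = { 4883611000 4883612800 488d4dd8 48c7c2ffff1f00 4c8d45e0 4c8d4d10 }
            // n = 6, score = 100  (x86-64)
            //   4883611000           | and                 qword ptr [rcx + 0x10], 0
            //   4883612800           | and                 qword ptr [rcx + 0x28], 0
            //   488d4dd8             | lea                 rcx, [rbp - 0x28]
            //   48c7c2ffff1f00       | mov                 rdx, 0x1fffff          ; PROCESS_ALL_ACCESS (Vista+ value) if used as an access mask
            //   4c8d45e0             | lea                 r8, [rbp - 0x20]
            //   4c8d4d10             | lea                 r9, [rbp + 0x10]
            // Four pointer/mask arguments in rcx/rdx/r8/r9 ahead of a call -- shape is
            // consistent with NtOpenProcess(&handle, access, &objattr, &clientid); unconfirmed.

        $sequence_1 = { e8???????? 8945e4 6a00 ff75e0 }
            // n = 4, score = 100  (x86-32)
            //   e8????????           | call                <wildcarded>
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   6a00                 | push                0
            //   ff75e0               | push                dword ptr [ebp - 0x20]

        $sequence_2 = { 2b75ec 0375e4 8b4324 2b45ec 0345e4 }
            // n = 5, score = 100  (x86-32)
            //   2b75ec               | sub                 esi, dword ptr [ebp - 0x14]
            //   0375e4               | add                 esi, dword ptr [ebp - 0x1c]
            //   8b4324               | mov                 eax, dword ptr [ebx + 0x24]
            //   2b45ec               | sub                 eax, dword ptr [ebp - 0x14]
            //   0345e4               | add                 eax, dword ptr [ebp - 0x1c]
            // 32-bit counterpart of the arithmetic in $sequence_4 (same +0x24 field, same
            // "subtract one local, add another" rebasing of two values).

        $sequence_3 = { 488d4df0 e8???????? 48c7c1ffffffff 488d55f0 448bc3 e8???????? 3b8558110000 }
            // n = 7, score = 100  (x86-64)
            //   488d4df0             | lea                 rcx, [rbp - 0x10]
            //   e8????????           | call                <wildcarded>
            //   48c7c1ffffffff       | mov                 rcx, -1                ; -1 is the NtCurrentProcess() pseudo-handle if passed as a process handle
            //   488d55f0             | lea                 rdx, [rbp - 0x10]
            //   448bc3               | mov                 r8d, ebx
            //   e8????????           | call                <wildcarded>
            //   3b8558110000         | cmp                 eax, dword ptr [rbp + 0x1158]

        $sequence_4 = { 480375c8 8b4324 2b45c0 480345c8 488945d0 8b5b18 ad }
            // n = 7, score = 100  (x86-64)
            //   480375c8             | add                 rsi, qword ptr [rbp - 0x38]
            //   8b4324               | mov                 eax, dword ptr [rbx + 0x24]
            //   2b45c0               | sub                 eax, dword ptr [rbp - 0x40]
            //   480345c8             | add                 rax, qword ptr [rbp - 0x38]
            //   488945d0             | mov                 qword ptr [rbp - 0x30], rax
            //   8b5b18               | mov                 ebx, dword ptr [rbx + 0x18]
            //   ad                   | lodsd
            // Offsets +0x18 and +0x24 match IMAGE_EXPORT_DIRECTORY.NumberOfNames and
            // .AddressOfNameOrdinals, and lodsd walks a dword table -- looks like export-table
            // parsing for API resolution; confirm against a sample.

        $sequence_5 = { 85f6 7599 488b0d???????? 33d2 4c8b4500 }
            // n = 5, score = 100  (x86-64)
            //   85f6                 | test                esi, esi
            //   7599                 | jne                 $-0x65                 ; backward jump (loop)
            //   488b0d????????       | mov                 rcx, qword ptr [rip + <wildcarded>]
            //   33d2                 | xor                 edx, edx
            //   4c8b4500             | mov                 r8, qword ptr [rbp]

        $sequence_6 = { 3b8560110000 7526 488b45d0 0fb730 }
            // n = 4, score = 100  (x86-64)
            //   3b8560110000         | cmp                 eax, dword ptr [rbp + 0x1160]
            //   7526                 | jne                 $+0x28
            //   488b45d0             | mov                 rax, qword ptr [rbp - 0x30]
            //   0fb730               | movzx               esi, word ptr [rax]

        $sequence_7 = { 488d4dd0 48c7c200001000 4c8d45e0 4c8d4d10 e8???????? 3d0b0000c0 7427 }
            // n = 7, score = 100  (x86-64)
            //   488d4dd0             | lea                 rcx, [rbp - 0x30]
            //   48c7c200001000       | mov                 rdx, 0x100000          ; SYNCHRONIZE if used as an access mask
            //   4c8d45e0             | lea                 r8, [rbp - 0x20]
            //   4c8d4d10             | lea                 r9, [rbp + 0x10]
            //   e8????????           | call                <wildcarded>
            //   3d0b0000c0           | cmp                 eax, 0xc000000b        ; STATUS_INVALID_CID
            //   7427                 | je                  $+0x29
            // Same argument shape as $sequence_0 followed by a STATUS_INVALID_CID check, i.e. the
            // status NtOpenProcess returns for a non-existent PID -- consistent with the
            // process-probing loop described for this family; confirm against a sample.

        $sequence_8 = { 50 68ff0f1f00 8d45fc 50 }
            // n = 4, score = 100  (x86-32)
            //   50                   | push                eax
            //   68ff0f1f00           | push                0x1f0fff              ; PROCESS_ALL_ACCESS (pre-Vista value) if used as an access mask
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_9 = { 8bfe 49 85c9 75ee }
            // n = 4, score = 100  (x86-32)
            //   8bfe                 | mov                 edi, esi
            //   49                   | dec                 ecx
            //   85c9                 | test                ecx, ecx
            //   75ee                 | jne                 $-0x10                 ; backward jump (loop)

        $sequence_10 = { e8???????? 8bd8 85db 7452 53 }
            // n = 5, score = 100  (x86-32)
            //   e8????????           | call                <wildcarded>
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7452                 | je                  $+0x54
            //   53                   | push                ebx

        $sequence_11 = { eb09 8345e802 4b 85db 75af }
            // n = 5, score = 100  (x86-32)
            //   eb09                 | jmp                 $+0xb
            //   8345e802             | add                 dword ptr [ebp - 0x18], 2
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75af                 | jne                 $-0x4f                 ; backward jump (loop)

        $sequence_12 = { 50 e8???????? 3d0b0000c0 7423 6a00 ff75f8 e8???????? }
            // n = 7, score = 100  (x86-32)
            //   50                   | push                eax
            //   e8????????           | call                <wildcarded>
            //   3d0b0000c0           | cmp                 eax, 0xc000000b        ; STATUS_INVALID_CID
            //   7423                 | je                  $+0x25
            //   6a00                 | push                0
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           | call                <wildcarded>
            // 32-bit counterpart of the status check in $sequence_7.

        $sequence_13 = { 5b 5d c3 48894c2408 89542410 4489442418 }
            // n = 6, score = 100  (x86-64)
            //   5b                   | pop                 rbx
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   48894c2408           | mov                 qword ptr [rsp + 8], rcx
            //   89542410             | mov                 dword ptr [rsp + 0x10], edx
            //   4489442418           | mov                 dword ptr [rsp + 0x18], r8d
            // Function epilogue followed by the next function's prologue, which spills the
            // first three register arguments to their stack home slots (x64 calling convention).

        $sequence_14 = { 488b45d8 488d6528 415b 415a 4159 4158 }
            // n = 6, score = 100  (x86-64)
            //   488b45d8             | mov                 rax, qword ptr [rbp - 0x28]
            //   488d6528             | lea                 rsp, [rbp + 0x28]
            //   415b                 | pop                 r11
            //   415a                 | pop                 r10
            //   4159                 | pop                 r9
            //   4158                 | pop                 r8
            // Epilogue restoring r8-r11 (volatile under the x64 ABI) -- not typical compiler
            // output; presumably a hand-written stub. Unverified.

        $sequence_15 = { 8d5ddc c70318000000 c7430400000000 c7430800000000 c7430c00000000 }
            // n = 5, score = 100  (x86-32)
            //   8d5ddc               | lea                 ebx, [ebp - 0x24]
            //   c70318000000         | mov                 dword ptr [ebx], 0x18
            //   c7430400000000       | mov                 dword ptr [ebx + 4], 0
            //   c7430800000000       | mov                 dword ptr [ebx + 8], 0
            //   c7430c00000000       | mov                 dword ptr [ebx + 0xc], 0
            // 0x18 is sizeof(OBJECT_ATTRIBUTES) on 32-bit Windows and the following fields are
            // zeroed -- looks like InitializeObjectAttributes() on a stack struct; confirm.

    condition:
        // Any 7 of the 16 sequences must match (roughly half, tolerating a different build),
        // with the file-size cap derived from the sample set the rule was generated from.
        7 of them and filesize < 33792
}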