SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bredolab (Back to overview)

Bredolab

There is no description at this point.

References
2010-12-20Kaspersky LabsAlexei Kadiev
@online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } End of the Line for the Bredolab Botnet?
Bredolab
2010-10-27FireEyeAtif Mushtaq
@online{mushtaq:20101027:bredolab:a2bb79f, author = {Atif Mushtaq}, title = {{Bredolab - It's not the size of the dog in the fight..}}, date = {2010-10-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html}, language = {English}, urldate = {2019-12-20} } Bredolab - It's not the size of the dog in the fight..
Bredolab
Yara Rules
[TLP:WHITE] win_bredolab_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bredolab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 31db ff15???????? 88d8 8d65f4 }
            // n = 4, score = 200
            //   31db                 | xor                 ebx, ebx
            //   ff15????????         |                     
            //   88d8                 | mov                 al, bl
            //   8d65f4               | lea                 esp, [ebp - 0xc]

        $sequence_1 = { e8???????? 8d45e0 89442420 8d45e4 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_2 = { 741f 3b5510 7310 89d6 8b4510 }
            // n = 5, score = 200
            //   741f                 | je                  0x21
            //   3b5510               | cmp                 edx, dword ptr [ebp + 0x10]
            //   7310                 | jae                 0x12
            //   89d6                 | mov                 esi, edx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_3 = { 8b45c8 89442404 891c24 ff15???????? 83ec28 85c0 }
            // n = 6, score = 200
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   ff15????????         |                     
            //   83ec28               | sub                 esp, 0x28
            //   85c0                 | test                eax, eax

        $sequence_4 = { 890424 ff15???????? 83ec08 43 89d8 83fb50 75dc }
            // n = 7, score = 200
            //   890424               | mov                 dword ptr [esp], eax
            //   ff15????????         |                     
            //   83ec08               | sub                 esp, 8
            //   43                   | inc                 ebx
            //   89d8                 | mov                 eax, ebx
            //   83fb50               | cmp                 ebx, 0x50
            //   75dc                 | jne                 0xffffffde

        $sequence_5 = { 8b35???????? 897c2404 c704241b000000 e8???????? c744241404000000 8b955cfeffff }
            // n = 6, score = 200
            //   8b35????????         |                     
            //   897c2404             | mov                 dword ptr [esp + 4], edi
            //   c704241b000000       | mov                 dword ptr [esp], 0x1b
            //   e8????????           |                     
            //   c744241404000000     | mov                 dword ptr [esp + 0x14], 4
            //   8b955cfeffff         | mov                 edx, dword ptr [ebp - 0x1a4]

        $sequence_6 = { 8b0d???????? 8b8584fdffff d3e0 89442404 893c24 ff15???????? }
            // n = 6, score = 200
            //   8b0d????????         |                     
            //   8b8584fdffff         | mov                 eax, dword ptr [ebp - 0x27c]
            //   d3e0                 | shl                 eax, cl
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   893c24               | mov                 dword ptr [esp], edi
            //   ff15????????         |                     

        $sequence_7 = { 31d2 f7b544ffffff 8d0c08 884de4 8b15???????? 85d2 }
            // n = 6, score = 200
            //   31d2                 | xor                 edx, edx
            //   f7b544ffffff         | div                 dword ptr [ebp - 0xbc]
            //   8d0c08               | lea                 ecx, [eax + ecx]
            //   884de4               | mov                 byte ptr [ebp - 0x1c], cl
            //   8b15????????         |                     
            //   85d2                 | test                edx, edx

        $sequence_8 = { c744240c00000000 c744240801000000 c744240400000040 8b5514 891424 ff15???????? 83ec1c }
            // n = 7, score = 200
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1
            //   c744240400000040     | mov                 dword ptr [esp + 4], 0x40000000
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   891424               | mov                 dword ptr [esp], edx
            //   ff15????????         |                     
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_9 = { 89442414 8b4518 89442410 8d4514 8944240c }
            // n = 5, score = 200
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

    condition:
        7 of them and filesize < 90112
}
Download all Yara Rules