SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bredolab (Back to overview)

Bredolab


There is no description at this point.

References
2010-12-20Kaspersky LabsAlexei Kadiev
@online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } End of the Line for the Bredolab Botnet?
Bredolab
2010-10-27FireEyeAtif Mushtaq
@online{mushtaq:20101027:bredolab:a2bb79f, author = {Atif Mushtaq}, title = {{Bredolab - It's not the size of the dog in the fight..}}, date = {2010-10-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html}, language = {English}, urldate = {2019-12-20} } Bredolab - It's not the size of the dog in the fight..
Bredolab
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_bredolab_auto (20230125 | Detects win.bredolab.)
rule win_bredolab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bredolab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 89c6 8b7de4 c7042412000000 e8???????? 897c2414 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   89c6                 | mov                 esi, eax
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   c7042412000000       | mov                 dword ptr [esp], 0x12
            //   e8????????           |                     
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi

        $sequence_1 = { 8d4a30 884c1de4 8d7b01 b8cdcccccc f7e6 }
            // n = 5, score = 200
            //   8d4a30               | lea                 ecx, [edx + 0x30]
            //   884c1de4             | mov                 byte ptr [ebp + ebx - 0x1c], cl
            //   8d7b01               | lea                 edi, [ebx + 1]
            //   b8cdcccccc           | mov                 eax, 0xcccccccd
            //   f7e6                 | mul                 esi

        $sequence_2 = { c6850cfeffff00 e9???????? 55 89e5 57 56 53 }
            // n = 7, score = 200
            //   c6850cfeffff00       | mov                 byte ptr [ebp - 0x1f4], 0
            //   e9????????           |                     
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_3 = { 8b85bcebffff e9???????? 895c2404 8d8db4ebffff }
            // n = 4, score = 200
            //   8b85bcebffff         | mov                 eax, dword ptr [ebp - 0x1444]
            //   e9????????           |                     
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   8d8db4ebffff         | lea                 ecx, [ebp - 0x144c]

        $sequence_4 = { d3e8 21c2 2855f3 8b45ec 88d9 }
            // n = 5, score = 200
            //   d3e8                 | shr                 eax, cl
            //   21c2                 | and                 edx, eax
            //   2855f3               | sub                 byte ptr [ebp - 0xd], dl
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   88d9                 | mov                 cl, bl

        $sequence_5 = { 3c5c 743a 3c2f 7436 84c0 74ca }
            // n = 6, score = 200
            //   3c5c                 | cmp                 al, 0x5c
            //   743a                 | je                  0x3c
            //   3c2f                 | cmp                 al, 0x2f
            //   7436                 | je                  0x38
            //   84c0                 | test                al, al
            //   74ca                 | je                  0xffffffcc

        $sequence_6 = { ff15???????? 50 803b00 7413 a1???????? 40 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   50                   | push                eax
            //   803b00               | cmp                 byte ptr [ebx], 0
            //   7413                 | je                  0x15
            //   a1????????           |                     
            //   40                   | inc                 eax

        $sequence_7 = { 42 b801000000 89d3 31d2 f7f3 39c1 75da }
            // n = 7, score = 200
            //   42                   | inc                 edx
            //   b801000000           | mov                 eax, 1
            //   89d3                 | mov                 ebx, edx
            //   31d2                 | xor                 edx, edx
            //   f7f3                 | div                 ebx
            //   39c1                 | cmp                 ecx, eax
            //   75da                 | jne                 0xffffffdc

        $sequence_8 = { c745e400000000 8db560ffffff 89742404 8b4508 }
            // n = 4, score = 200
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   8db560ffffff         | lea                 esi, [ebp - 0xa0]
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_9 = { 8b4dec c744ce1000000000 ff864c090000 83c418 }
            // n = 4, score = 200
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   c744ce1000000000     | mov                 dword ptr [esi + ecx*8 + 0x10], 0
            //   ff864c090000         | inc                 dword ptr [esi + 0x94c]
            //   83c418               | add                 esp, 0x18

    condition:
        7 of them and filesize < 90112
}
Download all Yara Rules