win.bredolab

Bredolab


There is no description at this point.

References
2010-12-20 | Kaspersky Labs | Alexei Kadiev
@online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } End of the Line for the Bredolab Botnet?
Bredolab
2010-10-27 | FireEye | Atif Mushtaq
@online{mushtaq:20101027:bredolab:a2bb79f, author = {Atif Mushtaq}, title = {{Bredolab - It's not the size of the dog in the fight..}}, date = {2010-10-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html}, language = {English}, urldate = {2019-12-20} } Bredolab - It's not the size of the dog in the fight..
Bredolab
2010 | Mandiant | Ero Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_bredolab_auto (20230407 | Detects win.bredolab.)
rule win_bredolab_auto {
    // Auto-generated opcode-pattern rule for the Bredolab family (Malpedia id
    // win.bredolab). Each $sequence_N below is a short run of x86 instruction
    // bytes taken from the disassembly of memory dumps / unpacked files (see the
    // DISCLAIMER); the annotation under each string gives one instruction per
    // byte group. "????" wildcards mask operand bytes (call displacements,
    // absolute data addresses) that change between builds or after relocation,
    // so those bytes are not matched.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.bredolab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // In the annotations below, "n" is the number of instructions in the
    // sequence; "score" is presumably yara-signator's ranking value for the
    // sequence. Both are informational only — YARA ignores comments.

    strings:
        $sequence_0 = { 31d2 f775e4 890424 ffd1 }
            // n = 4, score = 200
            //   31d2                 | xor                 edx, edx
            //   f775e4               | div                 dword ptr [ebp - 0x1c]
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd1                 | call                ecx

        $sequence_1 = { 29955cffffff 8b5d10 43 899d68ffffff }
            // n = 4, score = 200
            //   29955cffffff         | sub                 dword ptr [ebp - 0xa4], edx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   43                   | inc                 ebx
            //   899d68ffffff         | mov                 dword ptr [ebp - 0x98], ebx

        $sequence_2 = { e8???????? 89742404 c704241e000000 89853cfcffff e8???????? 8b4d08 }
            // n = 6, score = 200
            //   e8????????           | call                <rel32 target wildcarded>
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   c704241e000000       | mov                 dword ptr [esp], 0x1e
            //   89853cfcffff         | mov                 dword ptr [ebp - 0x3c4], eax
            //   e8????????           | call                <rel32 target wildcarded>
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_3 = { 89542410 c744240c03000000 c744240800000000 895c2404 890424 e8???????? 83c430 }
            // n = 7, score = 200
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   c744240c03000000     | mov                 dword ptr [esp + 0xc], 3
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           | call                <rel32 target wildcarded>
            //   83c430               | add                 esp, 0x30

        $sequence_4 = { 75f6 894d14 8b5d14 c60300 }
            // n = 4, score = 200
            // Short backward jne followed by a NUL byte store: looks like a
            // generic scan-and-terminate idiom, which is one reason the
            // condition demands most sequences rather than any single one.
            //   75f6                 | jne                 0xfffffff8
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   c60300               | mov                 byte ptr [ebx], 0

        $sequence_5 = { 8b15???????? d3e2 8d0c0a 880b 43 8a08 84c9 }
            // n = 7, score = 200
            //   8b15????????         | mov                 edx, dword ptr [<abs32 address wildcarded>]
            //   d3e2                 | shl                 edx, cl
            //   8d0c0a               | lea                 ecx, [edx + ecx]
            //   880b                 | mov                 byte ptr [ebx], cl
            //   43                   | inc                 ebx
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   84c9                 | test                cl, cl

        $sequence_6 = { 807c3da800 7412 83c308 8b03 }
            // n = 4, score = 200
            //   807c3da800           | cmp                 byte ptr [ebp + edi - 0x58], 0
            //   7412                 | je                  0x14
            //   83c308               | add                 ebx, 8
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_7 = { 89442410 8b4514 8944240c c744240800000000 89742404 }
            // n = 5, score = 200
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   89742404             | mov                 dword ptr [esp + 4], esi

        $sequence_8 = { 83ec08 8903 83c304 8b955cffffff 83c204 46 8b8560ffffff }
            // n = 7, score = 200
            //   83ec08               | sub                 esp, 8
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83c304               | add                 ebx, 4
            //   8b955cffffff         | mov                 edx, dword ptr [ebp - 0xa4]
            //   83c204               | add                 edx, 4
            //   46                   | inc                 esi
            //   8b8560ffffff         | mov                 eax, dword ptr [ebp - 0xa0]

        $sequence_9 = { e8???????? 8b4508 89442404 891c24 e8???????? 84c0 7424 }
            // n = 7, score = 200
            //   e8????????           | call                <rel32 target wildcarded>
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           | call                <rel32 target wildcarded>
            //   84c0                 | test                al, al
            //   7424                 | je                  0x26

    condition:
        // Require 7 of the 10 sequences so that a single generic stack-setup or
        // loop idiom cannot fire the rule on unrelated code. The size cap is
        // 90112 bytes (88 KiB), presumably sized to the samples the patterns
        // were taken from. NOTE(review): the patterns come from unpacked /
        // memory-dump content, so packed on-disk samples may neither match nor
        // fit under the cap — scan unpacked files or dumped memory, and confirm
        // the threshold and size bound against your own sample set before
        // assigning a confidence level.
        7 of them and filesize < 90112
}