SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bredolab (Back to overview)

Bredolab

There is no description at this point.

References
2010-12-20Kaspersky LabsAlexei Kadiev
@online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } End of the Line for the Bredolab Botnet?
Bredolab
2010-10-27FireEyeAtif Mushtaq
@online{mushtaq:20101027:bredolab:a2bb79f, author = {Atif Mushtaq}, title = {{Bredolab - It's not the size of the dog in the fight..}}, date = {2010-10-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html}, language = {English}, urldate = {2019-12-20} } Bredolab - It's not the size of the dog in the fight..
Bredolab
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2021-05-11} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Kraken Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_bredolab_auto (20211008 | Detects win.bredolab.)
rule win_bredolab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bredolab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b801000000 29d0 8944240c c74424080d000000 }
            // n = 4, score = 200
            //   b801000000           | mov                 eax, 1
            //   29d0                 | sub                 eax, edx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c74424080d000000     | mov                 dword ptr [esp + 8], 0xd

        $sequence_1 = { 0fb7c9 894c2410 c744240c00000000 c7442408???????? 89542404 890424 ffd6 }
            // n = 7, score = 200
            //   0fb7c9               | movzx               ecx, cx
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c7442408????????     |                     
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd6                 | call                esi

        $sequence_2 = { 89442404 8b45e4 890424 ffd6 83ec18 85c0 }
            // n = 6, score = 200
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd6                 | call                esi
            //   83ec18               | sub                 esp, 0x18
            //   85c0                 | test                eax, eax

        $sequence_3 = { 8b5d08 8b750c 8b7d14 895c2404 c7042413000000 e8???????? 891c24 }
            // n = 7, score = 200
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   c7042413000000       | mov                 dword ptr [esp], 0x13
            //   e8????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_4 = { c744240800000000 c744240402000000 890424 ff15???????? }
            // n = 4, score = 200
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240402000000     | mov                 dword ptr [esp + 4], 2
            //   890424               | mov                 dword ptr [esp], eax
            //   ff15????????         |                     

        $sequence_5 = { 83ec18 85c0 0f848d000000 31db 8b955cfeffff 8b02 3b45d8 }
            // n = 7, score = 200
            //   83ec18               | sub                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   0f848d000000         | je                  0x93
            //   31db                 | xor                 ebx, ebx
            //   8b955cfeffff         | mov                 edx, dword ptr [ebp - 0x1a4]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   3b45d8               | cmp                 eax, dword ptr [ebp - 0x28]

        $sequence_6 = { c745e000000000 c745d800000000 c745dc00000000 c744242440000000 c744242000000000 c744241c01000000 }
            // n = 6, score = 200
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0
            //   c745dc00000000       | mov                 dword ptr [ebp - 0x24], 0
            //   c744242440000000     | mov                 dword ptr [esp + 0x24], 0x40
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   c744241c01000000     | mov                 dword ptr [esp + 0x1c], 1

        $sequence_7 = { 31d2 f7b544ffffff 8d0c08 884de4 8b15???????? 85d2 }
            // n = 6, score = 200
            //   31d2                 | xor                 edx, edx
            //   f7b544ffffff         | div                 dword ptr [ebp - 0xbc]
            //   8d0c08               | lea                 ecx, dword ptr [eax + ecx]
            //   884de4               | mov                 byte ptr [ebp - 0x1c], cl
            //   8b15????????         |                     
            //   85d2                 | test                edx, edx

        $sequence_8 = { 8d93f8110000 8954c304 8d84cb20120000 890424 e8???????? 89b31c120000 }
            // n = 6, score = 200
            //   8d93f8110000         | lea                 edx, dword ptr [ebx + 0x11f8]
            //   8954c304             | mov                 dword ptr [ebx + eax*8 + 4], edx
            //   8d84cb20120000       | lea                 eax, dword ptr [ebx + ecx*8 + 0x1220]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89b31c120000         | mov                 dword ptr [ebx + 0x121c], esi

        $sequence_9 = { be01000000 eba0 47 74b0 8d45e4 89442408 }
            // n = 6, score = 200
            //   be01000000           | mov                 esi, 1
            //   eba0                 | jmp                 0xffffffa2
            //   47                   | inc                 edi
            //   74b0                 | je                  0xffffffb2
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]
            //   89442408             | mov                 dword ptr [esp + 8], eax

    condition:
        7 of them and filesize < 90112
}
Download all Yara Rules