win.burnbook

BURNBOOK

Actor(s): UNC2970


According to Mandiant, BURNBOOK is a dropper for TEARPAGE.

References
2025-11-20 — Orange Cyberdefense — Alexis Bonnefoi, Marine PICHON
A Pain in the Mist: Navigating Operation DreamJob’s arsenal
BURNBOOK MISTPEN
2025-10-23 — ESET Research — Alexis Rapin, Peter Kálnai
Gotta fly: Lazarus targets the UAV sector
BURNBOOK QuanPinLoader ScoringMathTea
2024-09-17 — Mandiant — Mandiant
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
BURNBOOK MISTPEN
Yara Rules
[TLP:WHITE] win_burnbook_auto (20260504 | Detects win.burnbook.)
rule win_burnbook_auto {

    /* Auto-generated code-sequence signature for the BURNBOOK dropper
     * (Malpedia family win.burnbook; this page attributes it to UNC2970).
     * The rule matches on ten 7-instruction byte sequences lifted from
     * unpacked samples; "????????" masks 4-byte displacements (call/jump
     * targets after e8/e9, memory operands) that vary between builds.
     * Intended for classification/hunting on unpacked or in-memory code;
     * it will not fire on a packed or encrypted on-disk stage.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.burnbook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.burnbook"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte mnemonic annotations below do not line up
     * with the bytes they sit beside (e.g. ff432c is annotated "inc ecx",
     * the e9???????? jmp carries no mnemonic at all, and REX-prefixed
     * 64-bit opcodes such as 488b4b28 / 41ffc2 / 49ffc3 are annotated as
     * 32-bit instruction pairs). The hex bytes are the authoritative
     * content; treat the annotations as unreliable when reviewing, tuning
     * or explaining a hit. The REX prefixes (41/44/48/49) indicate the
     * matched code is x64.
     */

    strings:
        $sequence_0 = { ff432c e9???????? 44396b30 7432 8b4b34 8d41db 83f838 }
            // n = 7, score = 200
            //   ff432c               | inc                 ecx
            //   e9????????           |                     
            //   44396b30             | mov                 dword ptr [ecx], eax
            //   7432                 | cmp                 eax, 2
            //   8b4b34               | jne                 0x133a
            //   8d41db               | inc                 ecx
            //   83f838               | mov                 eax, dword ptr [ecx + ecx*4]

        $sequence_1 = { f7d8 894614 8b461c f7d8 89461c 0fb67b6a e8???????? }
            // n = 7, score = 200
            //   f7d8                 | mov                 ecx, eax
            //   894614               | dec                 esp
            //   8b461c               | lea                 eax, [0x8112b4]
            //   f7d8                 | mov                 edx, 2
            //   89461c               | dec                 eax
            //   0fb67b6a             | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_2 = { ffc8 894afc 85c0 7fec 0fb64500 41ffc2 49ffc3 }
            // n = 7, score = 200
            //   ffc8                 | mov                 ebx, dword ptr [esp + 0x70]
            //   894afc               | dec                 esp
            //   85c0                 | mov                 eax, eax
            //   7fec                 | dec                 ebp
            //   0fb64500             | test                eax, eax
            //   41ffc2               | je                  0x86b
            //   49ffc3               | inc                 esp

        // $sequence_3/_4/_5/_7 are f3 0f / f2 0f / 66 0f prefixed SSE scalar
        // float ops (movss/mulss/addss/cvttss2si, mulsd/subsd, comisd) —
        // arithmetic code, so these are weaker family indicators than the
        // control-flow sequences; on their own they may overlap with
        // benign libraries.
        $sequence_3 = { f30f1007 f30f104f04 488b4b28 f30f59c6 f30f59ce f30f2cc0 f30f104708 }
            // n = 7, score = 200
            //   f30f1007             | sar                 ecx, 1
            //   f30f104f04           | inc                 ecx
            //   488b4b28             | add                 ecx, eax
            //   f30f59c6             | inc                 edx
            //   f30f59ce             | mov                 dword ptr [edi + ebx*4 + 4], ecx
            //   f30f2cc0             | dec                 ecx
            //   f30f104708           | add                 ebx, 2

        $sequence_4 = { f30f585110 f30f10491c 0f28df f30f584914 f30f585120 f30f584924 f30f585128 }
            // n = 7, score = 200
            //   f30f585110           | mov                 eax, dword ptr [edi + 0x38]
            //   f30f10491c           | ret                 
            //   0f28df               | dec                 eax
            //   f30f584914           | lea                 edx, [0x79e850]
            //   f30f585120           | dec                 eax
            //   f30f584924           | mov                 ecx, edi
            //   f30f585128           | test                eax, eax

        $sequence_5 = { f20f594240 f20f5cf2 f2440f5cc0 0f28c7 f20f5902 0f28ce f20f594a10 }
            // n = 7, score = 200
            //   f20f594240           | mov                 ecx, 0x800
            //   f20f5cf2             | shr                 ecx, 0xb
            //   f2440f5cc0           | imul                ecx, edx
            //   0f28c7               | cmp                 eax, ecx
            //   f20f5902             | jae                 0x1411
            //   0f28ce               | inc                 esp
            //   f20f594a10           | mov                 ecx, ecx

        $sequence_6 = { f7d9 4585db 410f44cc 41c1e313 4183cb10 41894d00 41834ffc20 }
            // n = 7, score = 200
            //   f7d9                 | mov                 dword ptr [edi + 0x130], eax
            //   4585db               | dec                 eax
            //   410f44cc             | mov                 ecx, edi
            //   41c1e313             | int3                
            //   4183cb10             | dec                 eax
            //   41894d00             | mov                 ecx, edi
            //   41834ffc20           | int3                

        $sequence_7 = { f20f59ca f20f580d???????? 660f2fc1 720a 33c0 66c1c008 668901 }
            // n = 7, score = 200
            //   f20f59ca             | jae                 0x1dd6
            //   f20f580d????????     |                     
            //   660f2fc1             | inc                 ebp
            //   720a                 | cmp                 edx, ebx
            //   33c0                 | jae                 0x1d66
            //   66c1c008             | shr                 ecx, 0x10
            //   668901               | inc                 esp

        // f00fc14108 is a lock-prefixed xadd followed by cmp eax,1 / jne /
        // call — looks like an atomic reference-count release path
        // (NOTE(review): inferred from the opcodes, not confirmed against
        // the sample).
        $sequence_8 = { f00fc14108 83f801 7505 e8???????? 488b4d30 48897530 4885c9 }
            // n = 7, score = 200
            //   f00fc14108           | mov                 dword ptr [esp + 0x38], esi
            //   83f801               | dec                 eax
            //   7505                 | test                ecx, ecx
            //   e8????????           |                     
            //   488b4d30             | je                  0x1ca0
            //   48897530             | mov                 eax, edi
            //   4885c9               | mov                 edi, 0xffffffff

        $sequence_9 = { f7d9 81e1ff7f0000 894b68 488b4378 488bc8 ff10 8b4b6c }
            // n = 7, score = 200
            //   f7d9                 | mov                 ecx, edi
            //   81e1ff7f0000         | int3                
            //   894b68               | dec                 eax
            //   488b4378             | lea                 edx, [0x7526da]
            //   488bc8               | dec                 eax
            //   ff10                 | mov                 ecx, edi
            //   8b4b6c               | int3                

    condition:
        // At least 7 of the 10 sequences must be present, so up to three
        // may be absent or altered in a new build before the rule misses.
        // The filesize cap (~22 MB) presumably bounds scanning to the
        // size of the documented sample; raise it if a larger build is
        // observed, as a scan target above it is skipped outright.
        7 of them and filesize < 22976512
}