SYMBOLCOMMON_NAMEaka. SYNONYMS
win.byeby (Back to overview)

BYEBY

Actor(s): Calypso group, Karma Panda

VTCollection    

There is no description at this point.

References
2020-05-14Avast DecodedLuigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin
2020-05-14ESET ResearchPeter Kálnai
Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin
2020-05-14Avast DecodedLuigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-03-12Check PointCheck Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2019-10-31PTSecurityPTSecurity
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
2017-09-28Palo Alto Networks Unit 42Josh Grunzweig, Robert Falcone
Threat Actors Target Government of Belarus Using CMSTAR Trojan
BYEBY CMSTAR
2017-09-28Palo Alto Networks Unit 42Josh Grunzweig, Robert Falcone
Threat Actors Target Government of Belarus Using CMSTAR Trojan
BYEBY CMSTAR Vicious Panda
Yara Rules
[TLP:WHITE] win_byeby_auto (20230808 | Detects win.byeby.)
rule win_byeby_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.byeby."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 68???????? 8d45f0 c745f0f4320110 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   c745f0f4320110       | mov                 dword ptr [ebp - 0x10], 0x100132f4

        $sequence_1 = { e8???????? 8b7df0 83c40c 037e74 c7467400000000 eb03 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   83c40c               | add                 esp, 0xc
            //   037e74               | add                 edi, dword ptr [esi + 0x74]
            //   c7467400000000       | mov                 dword ptr [esi + 0x74], 0
            //   eb03                 | jmp                 5

        $sequence_2 = { 8bf0 53 ff742430 6a00 6a00 }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   53                   | push                ebx
            //   ff742430             | push                dword ptr [esp + 0x30]
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_3 = { 50 8b8528e5ffff 0f94c1 898d3ce5ffff 8b8d24e5ffff 8b048518ab0110 ff3401 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b8528e5ffff         | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   0f94c1               | sete                cl
            //   898d3ce5ffff         | mov                 dword ptr [ebp - 0x1ac4], ecx
            //   8b8d24e5ffff         | mov                 ecx, dword ptr [ebp - 0x1adc]
            //   8b048518ab0110       | mov                 eax, dword ptr [eax*4 + 0x1001ab18]
            //   ff3401               | push                dword ptr [ecx + eax]

        $sequence_4 = { 8b8528e5ffff 8b048518ab0110 ff3401 ff15???????? 8bb540e5ffff 8bbd34e5ffff 85c0 }
            // n = 7, score = 100
            //   8b8528e5ffff         | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   8b048518ab0110       | mov                 eax, dword ptr [eax*4 + 0x1001ab18]
            //   ff3401               | push                dword ptr [ecx + eax]
            //   ff15????????         |                     
            //   8bb540e5ffff         | mov                 esi, dword ptr [ebp - 0x1ac0]
            //   8bbd34e5ffff         | mov                 edi, dword ptr [ebp - 0x1acc]
            //   85c0                 | test                eax, eax

        $sequence_5 = { 8d84245c020000 50 c78424600200005630564d c78424640200005130394e ffd7 40 50 }
            // n = 7, score = 100
            //   8d84245c020000       | lea                 eax, [esp + 0x25c]
            //   50                   | push                eax
            //   c78424600200005630564d     | mov    dword ptr [esp + 0x260], 0x4d563056
            //   c78424640200005130394e     | mov    dword ptr [esp + 0x264], 0x4e393051
            //   ffd7                 | call                edi
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_6 = { 8b35???????? 8d442410 50 ff35???????? }
            // n = 4, score = 100
            //   8b35????????         |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   ff35????????         |                     

        $sequence_7 = { 7309 8b04c5e84e0110 5d c3 33c0 }
            // n = 5, score = 100
            //   7309                 | jae                 0xb
            //   8b04c5e84e0110       | mov                 eax, dword ptr [eax*8 + 0x10014ee8]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 0f8641010000 8b4c2420 83c714 8bff 837ff005 0f85fa000000 0fb707 }
            // n = 7, score = 100
            //   0f8641010000         | jbe                 0x147
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   83c714               | add                 edi, 0x14
            //   8bff                 | mov                 edi, edi
            //   837ff005             | cmp                 dword ptr [edi - 0x10], 5
            //   0f85fa000000         | jne                 0x100
            //   0fb707               | movzx               eax, word ptr [edi]

        $sequence_9 = { 3b0cc510900110 7427 40 83f82d 72f1 8d41ed }
            // n = 6, score = 100
            //   3b0cc510900110       | cmp                 ecx, dword ptr [eax*8 + 0x10019010]
            //   7427                 | je                  0x29
            //   40                   | inc                 eax
            //   83f82d               | cmp                 eax, 0x2d
            //   72f1                 | jb                  0xfffffff3
            //   8d41ed               | lea                 eax, [ecx - 0x13]

    condition:
        7 of them and filesize < 253952
}
Download all Yara Rules