win.catb

CatB


There is no description at this point.

References
2023-03-13 — SentinelOne — Jim Walter
@online{walter:20230313:catb:ea73312, author = {Jim Walter}, title = {{CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking}}, date = {2023-03-13}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/}, language = {English}, urldate = {2023-03-15} } CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking
CatB
2022-12-29 — Minerva Labs — Natalie Zargarov
@online{zargarov:20221229:new:8fc6643, author = {Natalie Zargarov}, title = {{New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection}}, date = {2022-12-29}, organization = {Minerva Labs}, url = {https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection/}, language = {English}, urldate = {2023-01-04} } New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
CatB
Yara Rules
[TLP:WHITE] win_catb_auto (20230125 | Detects win.catb.)
rule win_catb_auto {
    // Auto-generated (yara-signator) code-pattern rule for CatB ransomware.
    // The ten $sequence_* strings are x86-64 opcode runs lifted from the
    // sample(s) referenced in the meta block; the DISCLAIMER below explains
    // why generalization to other builds should not be assumed.
    //
    // NOTE(review): the per-byte disassembly annotations under each string
    // do not appear to correspond to the bytes they sit next to (e.g.
    // 48896c2470 decodes as `mov [rsp+0x70], rbp` and 84c0 as `test al, al`,
    // not `mov ecx, 2` / `inc ecx`). Treat the annotations as unreliable and
    // rely only on the hex patterns when reviewing or tuning this rule.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.catb."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a short run of consecutive instruction encodings.
        // "????????" wildcards mask 32-bit operands that change between builds
        // or load addresses: rel32 call targets (e8 ????????) and RIP-relative
        // displacements (488b0d ????????, 48891d ????????, ff15 ????????).
        $sequence_0 = { 48896c2470 33db 4c89742460 488bea 4d8bf0 4c897c2458 488bd1 }
            // n = 7, score = 100
            //   48896c2470           | mov                 ecx, 2
            //   33db                 | int                 0x29
            //   4c89742460           | dec                 eax
            //   488bea               | lea                 ecx, [0x41972]
            //   4d8bf0               | test                eax, eax
            //   4c897c2458           | je                  0xd58
            //   488bd1               | mov                 ecx, 2

        // This run (lea/xor/mov-byte/movzx over a byte table) is also covered
        // by $op2/$op3 of win_catb_w0, so hits from the two rules on this
        // region are not independent evidence.
        $sequence_1 = { 4b8d045b 4132d0 4132d2 885301 0fb6544f01 4b8d0c40 321447 }
            // n = 7, score = 100
            //   4b8d045b             | inc                 ebx
            //   4132d0               | dec                 esp
            //   4132d2               | mov                 edx, dword ptr [esp + 0x90]
            //   885301               | dec                 ebp
            //   0fb6544f01           | cmp                 esi, edi
            //   4b8d0c40             | jmp                 0x4ef
            //   321447               | sub                 ecx, 2

        $sequence_2 = { 0f8516010000 488b0d???????? e8???????? 488d0d844d0100 48891d???????? ff15???????? }
            // n = 6, score = 100
            //   0f8516010000         | dec                 eax
            //   488b0d????????       |                     
            //   e8????????           |                     
            //   488d0d844d0100       | lea                 ecx, [esp + 0x54]
            //   48891d????????       |                     
            //   ff15????????         |                     

        $sequence_3 = { 488d15089f0000 448bc6 488bcf e8???????? 85c0 }
            // n = 5, score = 100
            //   488d15089f0000       | dec                 eax
            //   448bc6               | mov                 dword ptr [esp + 0x40], ecx
            //   488bcf               | js                  0x2e1
            //   e8????????           |                     
            //   85c0                 | dec                 ecx

        $sequence_4 = { 84c0 0f84a1000000 b901000000 e8???????? 483bd8 7509 488d3d00d60300 }
            // n = 7, score = 100
            //   84c0                 | inc                 ecx
            //   0f84a1000000         | push                edi
            //   b901000000           | dec                 eax
            //   e8????????           |                     
            //   483bd8               | sub                 esp, 0x20
            //   7509                 | inc                 esp
            //   488d3d00d60300       | mov                 edi, ecx

        $sequence_5 = { 3045f1 8bc1 c1e818 3045ea 8bc1 c1e810 }
            // n = 6, score = 100
            //   3045f1               | xor                 dl, byte ptr [edi + eax*2]
            //   8bc1                 | dec                 ebx
            //   c1e818               | lea                 eax, [ecx + ecx*2]
            //   3045ea               | inc                 esp
            //   8bc1                 | movzx               eax, byte ptr [ebx + 0xf]
            //   c1e810               | inc                 ecx

        $sequence_6 = { 4c8d0d757d0000 488bd9 488d156b7d0000 b916000000 4c8d05577d0000 e8???????? 488bcb }
            // n = 7, score = 100
            //   4c8d0d757d0000       | je                  0x423
            //   488bd9               | lea                 edi, [eax - 1]
            //   488d156b7d0000       | shr                 edi, 1
            //   b916000000           | inc                 edi
            //   4c8d05577d0000       | nop                 dword ptr [eax]
            //   e8????????           |                     
            //   488bcb               | inc                 esp

        $sequence_7 = { 0fb645f6 8845f7 0fb645f5 884df5 488d4de8 8845f6 e8???????? }
            // n = 7, score = 100
            //   0fb645f6             | dec                 eax
            //   8845f7               | add                 esp, 0x20
            //   0fb645f5             | dec                 eax
            //   884df5               | lea                 edx, [0x1f6ad]
            //   488d4de8             | dec                 eax
            //   8845f6               | lea                 ecx, [esp + 0x54]
            //   e8????????           |                     

        $sequence_8 = { 488d542430 498bcf e8???????? 4c8d0512f50100 4c8d0d1bf50100 85c0 }
            // n = 6, score = 100
            //   488d542430           | add                 eax, 0x24
            //   498bcf               | mov                 dword ptr [eax], edi
            //   e8????????           |                     
            //   4c8d0512f50100       | dec                 eax
            //   4c8d0d1bf50100       | lea                 ebx, [0x143e7]
            //   85c0                 | jmp                 0x6c

        $sequence_9 = { 418b4804 8845f0 8bc1 c1e818 41324204 8845e9 8bc1 }
            // n = 7, score = 100
            //   418b4804             | sar                 eax, 6
            //   8845f0               | dec                 eax
            //   8bc1                 | lea                 ecx, [0x3e310]
            //   c1e818               | dec                 esp
            //   41324204             | arpl                dx, dx
            //   8845e9               | dec                 eax
            //   8bc1                 | mov                 edi, ecx

    condition:
        // 7 of the 10 sequences must be present. There is no MZ/PE-header
        // check, so the rule can also fire on memory dumps and unpacked
        // buffers, consistent with where the strings were lifted from (see
        // DISCLAIMER); pair it with a PE check if you only want on-disk hits.
        // NOTE(review): per the YARA docs `filesize` is only meaningful when
        // scanning files — confirm the cap behaves as intended for process
        // scans, and accept that samples padded beyond ~580 KiB will be missed.
        7 of them and filesize < 593920
}
[TLP:WHITE] win_catb_w0   (20230118 | detect_CatB_ransomware)
rule win_catb_w0 {
    // Hand-written CatB ransomware rule keyed on three long opcode runs taken
    // from the single sample named in `hash` below. $op2/$op3 cover the same
    // bytes as $sequence_1 of win_catb_auto (4B 8D 04 5B 41 32 D0 41 32 D2
    // 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47), so a hit from both rules
    // on that region is not independent confirmation.
    meta:
	    description = "detect_CatB_ransomware"
	    author = "@malgamy12"
	    date = "2023/1/4"
        // SHA-256 of the reference sample this rule was written against.
        hash = "35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb"
        malpedia_rule_date = "20230118"
        // NOTE(review): malpedia_hash is empty here; only `hash` above ties
        // the rule to a concrete sample.
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"  

    strings:
        // Rotate/shift/mask arithmetic interleaved with movzx byte loads
        // (0F B6 ..). The ?? wildcards mask imm8 operands: rotate/shift
        // counts (C1 C0 ??, 48 C1 E9 ??) and AND masks (83 E1 ??, 83 E0 ??).
        $op1 = {C1 C0 ?? 44 8B C0 8B C8 41 8B D0 48 C1 E9 ?? 83 E1 ?? 48 C1 E8 ?? 48 C1 E1 ?? 83 E0 ?? 48 03 C8 48 C1 EA ?? 83 E2 ?? 48 C1 E2 ?? 42 0F B6 04 19 41 8B C8 48 C1 E9 ?? 83 E1 ?? C1 E0 ?? 48 03 D1 42 0F B6 0C 1A 41 8B D0 C1 E1 ?? 03 C1 48 C1 EA ?? 41 8B C8 48 C1 E2 ?? 48 C1 E9 ?? 83 E1 ?? 48 03 D1 42 0F B6 0C 1A C1 E1 ?? 03 C1 41 8B C8 48 C1 E9 ?? 41 83 E0 ?? 83 E1 ?? 48 C1 E1 ?? 49 03 C8 42 0F B6 0C 19 03 C1}
        // $op2/$op3: lea/xor/movzx/mov-byte runs over an indexed byte table
        // (4B 8D 14 5B = lea rdx,[r11+r11*2]; 32 0C 47 = xor cl,[rdi+rax*2]);
        // ?? masks disp8 offsets (0F B6 54 4F ??, 88 53 ??, 48 8B 7C 24 ??).
        // $op3 is a long, near-verbatim unrolled repetition of one body, so
        // any recompilation or re-unrolling of that loop will likely break it.
        $op2 = {44 0F B6 59 ?? 48 8D 3D ?? ?? ?? ?? 44 0F B6 09 48 8B D9 44 0F B6 51 ?? 44 0F B6 41 ?? 4B 8D 14 5B 0F B6 4C 57 ?? 4B 8D 04 49 32 0C 47 4B 8D 04 5B 41 32 C8 41 32 CA 88 0B 4B 8D 0C} 
        $op3 = {52 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 52 41 32 D0 41 32 D1 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 49 44 0F B6 43 ?? 41 32 D3 41 32 D1 44 0F B6 4B ?? 88 53 ?? 0F B6 14 4F 32 54 47 ?? 41 32 D3 4B 8D 04 49 44 0F B6 5B ?? 41 32 D2 44 0F B6 53 ?? 88 53 ?? 4B 8D 0C 5B 0F B6 54 4F ?? 4B 8D 0C 52 32 14 47 4B 8D 04 5B 41 32 D0 41 32 D2 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 52 41 32 D0 41 32 D1 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 49 44 0F B6 43 ?? 41 32 D3 41 32 D1 44 0F B6 4B ?? 88 53 ?? 0F B6 14 4F 32 54 47 ?? 41 32 D3 4B 8D 04 49 44 0F B6 5B ?? 41 32 D2 44 0F B6 53 ?? 88 53 ?? 4B 8D 0C 5B 0F B6 54 4F ?? 4B 8D 0C 52 32 14 47 4B 8D 04 5B 41 32 D0 41 32 D2 88 53 ?? 0F B6 54 4F ?? 32 14 47 41 32 D0 4B 8D 0C 40 41 32 D1 4B 8D 04 52 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 49 44 0F B6 43 ?? 41 32 D3 41 32 D1 44 0F B6 4B ?? 88 53 ?? 0F B6 14 4F 32 54 47 ?? 41 32 D3 4B 8D 04 49 44 0F B6 5B ?? 41 32 D2 44 0F B6 53 ?? 88 53 ?? 4B 8D 0C 5B 0F B6 54 4F ?? 4B 8D 0C 52 32 14 47 4B 8D 04 5B 41 32 D0 41 32 D2 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 52 41 32 D0 41 32 D1 88 53 ?? 0F B6 54 4F ?? 4B 8D 0C 40 32 14 47 4B 8D 04 49 41 32 D3 41 32 D1 88 53 ?? 0F B6 14 4F 32 54 47 ?? 48 8B 7C 24 ?? 41 32 D3 41 32 D2 88 53 ?? 48 8B 5C 24}

    condition:
        // Requires the MZ header, so this only fires on PE images with an
        // intact header (not on headerless memory dumps), and `all of them`
        // demands all three runs: low false-positive risk, but brittle across
        // builds. Compare with win_catb_auto, which has no header check and
        // accepts 7 of 10 shorter sequences.
        uint16(0) == 0x5A4D and all of them
}