Credraptor (Malware Family)

Credraptor

Actor(s): TeleBots
VTCollection
There is no description at this point.
References

2016-12-13 ⋅ ESET Research ⋅ Anton Cherepanov
The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
Yara Rules

[TLP:WHITE] win_credraptor_auto (20230808 | Detects win.credraptor.)
rule win_credraptor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.credraptor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { bb???????? 8bf8 e8???????? 8945fc 8b45f8 83c408 85c0 }
            // n = 7, score = 100
            //   bb????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_1 = { c6402597 895028 8b5120 89502c 8bce 8bc3 e8???????? }
            // n = 7, score = 100
            //   c6402597             | mov                 byte ptr [eax + 0x25], 0x97
            //   895028               | mov                 dword ptr [eax + 0x28], edx
            //   8b5120               | mov                 edx, dword ptr [ecx + 0x20]
            //   89502c               | mov                 dword ptr [eax + 0x2c], edx
            //   8bce                 | mov                 ecx, esi
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_2 = { 8d4db4 e8???????? 85c0 754b 8d55b4 52 e8???????? }
            // n = 7, score = 100
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   754b                 | jne                 0x4d
            //   8d55b4               | lea                 edx, [ebp - 0x4c]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_3 = { b800020000 660bc8 8b45f8 5f 894604 894624 66894e1c }
            // n = 7, score = 100
            //   b800020000           | mov                 eax, 0x200
            //   660bc8               | or                  cx, ax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5f                   | pop                 edi
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   894624               | mov                 dword ptr [esi + 0x24], eax
            //   66894e1c             | mov                 word ptr [esi + 0x1c], cx

        $sequence_4 = { a900050000 7565 837b1c00 745f 8b4df8 8b5110 52 }
            // n = 7, score = 100
            //   a900050000           | test                eax, 0x500
            //   7565                 | jne                 0x67
            //   837b1c00             | cmp                 dword ptr [ebx + 0x1c], 0
            //   745f                 | je                  0x61
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]
            //   52                   | push                edx

        $sequence_5 = { 8b8e14020000 8975f0 895df8 e8???????? 8bf8 83c404 897dfc }
            // n = 7, score = 100
            //   8b8e14020000         | mov                 ecx, dword ptr [esi + 0x214]
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   897dfc               | mov                 dword ptr [ebp - 4], edi

        $sequence_6 = { 8db5c8fdffff e8???????? 85c0 7430 8b8dccfdffff 8b7f0c 8b95c8fdffff }
            // n = 7, score = 100
            //   8db5c8fdffff         | lea                 esi, [ebp - 0x238]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7430                 | je                  0x32
            //   8b8dccfdffff         | mov                 ecx, dword ptr [ebp - 0x234]
            //   8b7f0c               | mov                 edi, dword ptr [edi + 0xc]
            //   8b95c8fdffff         | mov                 edx, dword ptr [ebp - 0x238]

        $sequence_7 = { 894d94 8bff 8a01 dd8574ffffff dd05???????? 3c25 7409 }
            // n = 7, score = 100
            //   894d94               | mov                 dword ptr [ebp - 0x6c], ecx
            //   8bff                 | mov                 edi, edi
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   dd8574ffffff         | fld                 qword ptr [ebp - 0x8c]
            //   dd05????????         |                     
            //   3c25                 | cmp                 al, 0x25
            //   7409                 | je                  0xb

        $sequence_8 = { c7461000000000 53 c60600 e8???????? 83c404 807f4100 8bdf }
            // n = 7, score = 100
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   53                   | push                ebx
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   807f4100             | cmp                 byte ptr [edi + 0x41], 0
            //   8bdf                 | mov                 ebx, edi

        $sequence_9 = { bb07000000 85ff 7439 ba60240000 6685571c 7409 57 }
            // n = 7, score = 100
            //   bb07000000           | mov                 ebx, 7
            //   85ff                 | test                edi, edi
            //   7439                 | je                  0x3b
            //   ba60240000           | mov                 edx, 0x2460
            //   6685571c             | test                word ptr [edi + 0x1c], dx
            //   7409                 | je                  0xb
            //   57                   | push                edi

    condition:
        7 of them and filesize < 1728512
}
Download all Yara Rules
Credraptor Propose Change

References

Yara Rules

Credraptor
