win.credraptor

Credraptor

Actor(s): TeleBots


There is no description at this point.

References
2016-12-13 | ESET Research | Anton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
Yara Rules
[TLP:WHITE] win_credraptor_auto (20230125 | Detects win.credraptor.)
rule win_credraptor_auto {

    /* Purpose: autogenerated code-sequence rule for the Credraptor family
     * (Malpedia id win.credraptor). Each $sequence_N string is a run of seven
     * x86 instructions taken from the disassembly of memory dumps / unpacked
     * samples (see DISCLAIMER below); the rule fires when at least 7 of the
     * 10 sequences are present and the scanned object is under the size bound
     * in `condition`. Because the strings come from unpacked code, the rule is
     * not expected to match packed on-disk samples before unpacking.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.credraptor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Which operand classes were wildcarded when the sequences were
        // generated; presumably call/jump targets, data references and
        // binary immediates -- see the `??` bytes in the strings below.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Note on reading the strings: `??` is a YARA hex wildcard matching any
        // byte. Rows whose disassembly column is blank are the instructions
        // whose operands were wildcarded (relative call/jump displacements and
        // absolute memory addresses), so the sequences stay valid across
        // relocations and different build layouts. "n" is the instruction
        // count; "score" is the generator's confidence value for the sequence.
        $sequence_0 = { eb18 8b0d???????? 890f 8b15???????? 895704 c74708ffffffff 8d4630 }
            // n = 7, score = 100
            //   eb18                 | jmp                 0x1a
            //   8b0d????????         |                     
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8b15????????         |                     
            //   895704               | mov                 dword ptr [edi + 4], edx
            //   c74708ffffffff       | mov                 dword ptr [edi + 8], 0xffffffff
            //   8d4630               | lea                 eax, [esi + 0x30]

        $sequence_1 = { c74310ffffffff 8bcb e8???????? 5f 5e 32c0 5b }
            // n = 7, score = 100
            //   c74310ffffffff       | mov                 dword ptr [ebx + 0x10], 0xffffffff
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   32c0                 | xor                 al, al
            //   5b                   | pop                 ebx

        $sequence_2 = { e8???????? 8b53c8 83c410 897db8 e9???????? 8b45b8 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b53c8               | mov                 edx, dword ptr [ebx - 0x38]
            //   83c410               | add                 esp, 0x10
            //   897db8               | mov                 dword ptr [ebp - 0x48], edi
            //   e9????????           |                     
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   85c0                 | test                eax, eax

        // NOTE(review): `lea esp, [esp]` (8d642400) is a 4-byte alignment
        // padding instruction that compilers emit generically; the remaining
        // six instructions carry the family-specific part of this sequence.
        $sequence_3 = { 8d642400 8b01 85c0 7406 80780900 754a 42 }
            // n = 7, score = 100
            //   8d642400             | lea                 esp, [esp]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   80780900             | cmp                 byte ptr [eax + 9], 0
            //   754a                 | jne                 0x4c
            //   42                   | inc                 edx

        // 0x3a is ASCII ':' -- looks like a character-class check in a string
        // or path parser; what is being parsed is not visible here.
        $sequence_4 = { be01000000 84c0 741a 90 3c3a 7415 0fb6c0 }
            // n = 7, score = 100
            //   be01000000           | mov                 esi, 1
            //   84c0                 | test                al, al
            //   741a                 | je                  0x1c
            //   90                   | nop                 
            //   3c3a                 | cmp                 al, 0x3a
            //   7415                 | je                  0x17
            //   0fb6c0               | movzx               eax, al

        $sequence_5 = { c6039a 894308 c60000 c7431801000000 894b2c 89531c 66897b20 }
            // n = 7, score = 100
            //   c6039a               | mov                 byte ptr [ebx], 0x9a
            //   894308               | mov                 dword ptr [ebx + 8], eax
            //   c60000               | mov                 byte ptr [eax], 0
            //   c7431801000000       | mov                 dword ptr [ebx + 0x18], 1
            //   894b2c               | mov                 dword ptr [ebx + 0x2c], ecx
            //   89531c               | mov                 dword ptr [ebx + 0x1c], edx
            //   66897b20             | mov                 word ptr [ebx + 0x20], di

        $sequence_6 = { e8???????? 6a01 6a00 6a61 8bf3 e8???????? 8b4d08 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a61                 | push                0x61
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        // x87 floating-point status-word test (fnstsw / test ah) followed by a
        // double being pushed to the stack, i.e. a float comparison ahead of a
        // call; the call target is wildcarded.
        $sequence_7 = { dfe0 f6c444 7b1b 83ec08 dd1c24 68???????? 8d4dc8 }
            // n = 7, score = 100
            //   dfe0                 | fnstsw              ax
            //   f6c444               | test                ah, 0x44
            //   7b1b                 | jnp                 0x1d
            //   83ec08               | sub                 esp, 8
            //   dd1c24               | fstp                qword ptr [esp]
            //   68????????           |                     
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]

        // 0x8f91 is the only non-wildcarded immediate here; its meaning is not
        // recoverable from this page.
        $sequence_8 = { e8???????? 53 e8???????? 83c408 68918f0000 ff15???????? 8b8d64ffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   68918f0000           | push                0x8f91
            //   ff15????????         |                     
            //   8b8d64ffffff         | mov                 ecx, dword ptr [ebp - 0x9c]

        // NOTE(review): `mov eax, 0xaaaaaaab; mul edx; shr edx, 2` is the
        // standard compiler idiom for unsigned division by 3 via reciprocal
        // multiplication, so this sequence on its own is weak evidence; it
        // only contributes as one of the 7-of-10 required matches.
        $sequence_9 = { b8abaaaaaa f7e2 8b45f0 49 81e1ffff0000 c1ea02 41 }
            // n = 7, score = 100
            //   b8abaaaaaa           | mov                 eax, 0xaaaaaaab
            //   f7e2                 | mul                 edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   49                   | dec                 ecx
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   c1ea02               | shr                 edx, 2
            //   41                   | inc                 ecx

    condition:
        // At least 7 of the 10 sequences must match; the size bound is in
        // bytes (1728512 = 1688 KiB). `filesize` refers to the scanned
        // object, so when scanning process memory or larger containers rather
        // than a file, confirm how the scanner populates it before relying on
        // this bound -- TODO confirm for the deployment's scanner.
        7 of them and filesize < 1728512
}