win.darkcomet

DarkComet

aka: Fynloski, klovbot

Actor(s): APT33, Operation C-Major


There is no description at this point.

References
https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
https://darkcomet.net
https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/
Yara Rules
[TLP:WHITE] win_darkcomet_auto (20180607 | autogenerated rule brought to you by yara-signator)
/*
 * win_darkcomet_auto
 *
 * Autogenerated detection rule for the DarkComet family (see meta below).
 * It fires when at least 7 of the 10 four-instruction byte sequences
 * ($sequence_0 .. $sequence_9) are present in the scanned input.
 *
 * NOTE(review): the meta `date` (2018-11-23) and `malpedia_version`
 * (20180607) differ; per the surrounding page the latter is the Malpedia
 * snapshot the rule was generated from, the former the rule's creation date.
 */
rule win_darkcomet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet"
        malpedia_version = "20180607"
        // Sharing/licensing terms for this rule: CC BY-NC-SA 4.0, TLP:WHITE.
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * Each $sequence_N is a fixed hex pattern (no wildcards) of 4 x86
     * instructions; the "n" and "score" comments come from the generator.
     *
     * NOTE(review): several sequences embed absolute 32-bit operands
     * (e.g. [0x4924ec], [0x49281c], [0x4927f4], [0x492814]) and the call/jmp
     * sequences encode rel32 displacements (e.g. e8e2090000, eb1c). These are
     * specific to the layout of the sample(s) the rule was derived from; a
     * differently built or rebased binary may not reach the 7-of-10 threshold.
     * Confidence should be assigned accordingly (see DISCLAIMER above).
     */
    strings:
        // Reads a word at +0x28, tests its low bit and stores the flag to a fixed global.
        $sequence_0 = { 0fb74028 6683e001 6683f801 0f9405ec244900 }
            // n = 4, score = 1000
            //   0fb74028             | movzx               eax, word ptr [eax + 0x28]
            //   6683e001             | and                 ax, 1
            //   6683f801             | cmp                 ax, 1
            //   0f9405ec244900       | sete                byte ptr [0x4924ec]

        // Pointer arithmetic against a fixed global ([0x49281c]); compare with $sequence_4/_7,
        // which follow the same shape with different struct offsets and globals.
        $sequence_1 = { 03f8 8bf7 8b7a20 033d1c284900 }
            // n = 4, score = 1000
            //   03f8                 | add                 edi, eax
            //   8bf7                 | mov                 esi, edi
            //   8b7a20               | mov                 edi, dword ptr [edx + 0x20]
            //   033d1c284900         | add                 edi, dword ptr [0x49281c]

        $sequence_2 = { 0fafef 8b3c24 01afa4160000 6689548e02 }
            // n = 4, score = 1000
            //   0fafef               | imul                ebp, edi
            //   8b3c24               | mov                 edi, dword ptr [esp]
            //   01afa4160000         | add                 dword ptr [edi + 0x16a4], ebp
            //   6689548e02           | mov                 word ptr [esi + ecx*4 + 2], dx

        // Read-modify-write of a field at +0x16b8; the jmp (eb1c) is an 8-bit
        // relative displacement, so it is layout-dependent.
        $sequence_3 = { 0383b8160000 8983b8160000 eb1c 8b8bb8160000 }
            // n = 4, score = 1000
            //   0383b8160000         | add                 eax, dword ptr [ebx + 0x16b8]
            //   8983b8160000         | mov                 dword ptr [ebx + 0x16b8], eax
            //   eb1c                 | jmp                 0x46c845
            //   8b8bb8160000         | mov                 ecx, dword ptr [ebx + 0x16b8]

        $sequence_4 = { 03fb 8bcf 8b7a18 033df4274900 }
            // n = 4, score = 1000
            //   03fb                 | add                 edi, ebx
            //   8bcf                 | mov                 ecx, edi
            //   8b7a18               | mov                 edi, dword ptr [edx + 0x18]
            //   033df4274900         | add                 edi, dword ptr [0x4927f4]

        // Contains a rel32 call (e8e2090000); only stable if the callee keeps
        // the same distance from the call site.
        $sequence_5 = { 03d6 83c26c e8e2090000 89442428 }
            // n = 4, score = 1000
            //   03d6                 | add                 edx, esi
            //   83c26c               | add                 edx, 0x6c
            //   e8e2090000           | call                0x46adbc
            //   89442428             | mov                 dword ptr [esp + 0x28], eax

        // Function prologue that pushes a fixed address (0x43d70c) and fs:[0];
        // NOTE(review): this shape resembles a generic SEH frame setup and may
        // be less family-specific than the other sequences — verify before
        // weighting it on its own.
        $sequence_6 = { 33c0 55 680cd74300 64ff30 }
            // n = 4, score = 1000
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   680cd74300           | push                0x43d70c
            //   64ff30               | push                dword ptr fs:[eax]

        $sequence_7 = { 03fb 8bcf 8b7a38 033d14284900 }
            // n = 4, score = 1000
            //   03fb                 | add                 edi, ebx
            //   8bcf                 | mov                 ecx, edi
            //   8b7a38               | mov                 edi, dword ptr [edx + 0x38]
            //   033d14284900         | add                 edi, dword ptr [0x492814]

        // Argument push followed by a rel32 call (e863f7fcff); layout-dependent.
        $sequence_8 = { 0fb75604 52 50 e863f7fcff }
            // n = 4, score = 1000
            //   0fb75604             | movzx               edx, word ptr [esi + 4]
            //   52                   | push                edx
            //   50                   | push                eax
            //   e863f7fcff           | call                0x408218

        // Bounds-style compare against the same +0x16b8 field used in $sequence_3.
        $sequence_9 = { 2bcf 3b88b8160000 0f8d81000000 8b0c24 }
            // n = 4, score = 1000
            //   2bcf                 | sub                 ecx, edi
            //   3b88b8160000         | cmp                 ecx, dword ptr [eax + 0x16b8]
            //   0f8d81000000         | jge                 0x46ccff
            //   8b0c24               | mov                 ecx, dword ptr [esp]

    /*
     * Match when any 7 of the 10 sequences are present. There is no file-type
     * (MZ header) or filesize guard, which is consistent with the rule having
     * been derived from memory dumps and unpacked files (see DISCLAIMER):
     * it is intended for unpacked code and memory scans, and will most likely
     * not hit on a packed on-disk sample. Adding such guards would change
     * behavior and is left to the deployer.
     */
    condition:
        7 of them
}