win.darktequila (Back to overview)

DarkTequila


Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

References
2018-08-21Kaspersky LabsGReAT
Dark Tequila Añejo
DarkTequila
Yara Rules
[TLP:WHITE] win_darktequila_auto (20260504 | Detects win.darktequila.)
rule win_darktequila_auto {
    /* Purpose: code-pattern detection for the win.darktequila family (see
     * malpedia_reference below). The strings section holds ten short x86
     * instruction-byte sequences selected automatically from unpacked files
     * and memory dumps; the condition fires when at least 7 of the 10
     * sequences are present in a scanned object smaller than 1827840 bytes.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.darktequila."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw x86 (32-bit) byte pattern. The '??' bytes
        // are wildcards masking operands that differ between builds: the rel32
        // target of an e8 call, the memory operands of ff15 / a1 / 8b15 / 3915,
        // and the imm32 of b8 / bb. The indented comments under each pattern
        // are the generator's disassembly; wildcarded instructions are left
        // blank there. "n" is the sequence length in instructions and "score"
        // is the generator's ranking value for the sequence.
        $sequence_0 = { 83c410 8bf3 e8???????? 8b45fc 8b4df8 8b55f4 }
            // n = 6, score = 200
            //   83c410               | add                 esp, 0x10
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_1 = { 85c0 7466 8b4b0c 8b5310 894df4 8b4b08 51 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7466                 | je                  0x68
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   8b5310               | mov                 edx, dword ptr [ebx + 0x10]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b4b08               | mov                 ecx, dword ptr [ebx + 8]
            //   51                   | push                ecx

        $sequence_2 = { 037d0c 7509 8bf3 e8???????? eb65 3b7b04 }
            // n = 6, score = 200
            //   037d0c               | add                 edi, dword ptr [ebp + 0xc]
            //   7509                 | jne                 0xb
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   eb65                 | jmp                 0x67
            //   3b7b04               | cmp                 edi, dword ptr [ebx + 4]

        $sequence_3 = { b81b000000 e8???????? 50 57 ffd6 a3???????? 85c0 }
            // n = 7, score = 200
            //   b81b000000           | mov                 eax, 0x1b
            //   e8????????           |                     
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8b15???????? 51 52 bb???????? }
            // n = 4, score = 200
            //   8b15????????         |                     
            //   51                   | push                ecx
            //   52                   | push                edx
            //   bb????????           |                     

        $sequence_5 = { 83f814 72dc b8???????? c3 33d2 3915???????? 0f859c000000 }
            // n = 7, score = 200
            //   83f814               | cmp                 eax, 0x14
            //   72dc                 | jb                  0xffffffde
            //   b8????????           |                     
            //   c3                   | ret                 
            //   33d2                 | xor                 edx, edx
            //   3915????????         |                     
            //   0f859c000000         | jne                 0xa2

        $sequence_6 = { 50 53 51 ff15???????? 8bf8 5f 895e10 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   5f                   | pop                 edi
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx

        $sequence_7 = { 7412 8b16 8bc8 85d2 }
            // n = 4, score = 200
            //   7412                 | je                  0x14
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   85d2                 | test                edx, edx

        $sequence_8 = { c604085c 8b5310 52 ff15???????? }
            // n = 4, score = 200
            //   c604085c             | mov                 byte ptr [eax + ecx], 0x5c
            //   8b5310               | mov                 edx, dword ptr [ebx + 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     

        // $sequence_9 is a standard MSVC function prologue shape (int3 padding,
        // mov edi,edi hot-patch stub, frame setup, 0x2d0-byte stack frame,
        // xor with the security cookie loaded via a1). On its own it is
        // generic; it only contributes as one vote toward the 7-of-10 threshold.
        $sequence_9 = { cc 8bff 55 8bec 81ecd0020000 a1???????? 33c5 }
            // n = 7, score = 200
            //   cc                   | int3                
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecd0020000         | sub                 esp, 0x2d0
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp

    condition:
        // At least 7 of the 10 sequences must be present (tolerates some
        // divergence between builds), and the scanned object must be smaller
        // than 1827840 bytes; larger objects do not match even if all
        // sequences are found.
        // NOTE(review): filesize refers to the scanned object. These patterns
        // were derived from memory dumps as well as files, so confirm how your
        // YARA version treats filesize when scanning process memory before
        // relying on this rule there.
        7 of them and filesize < 1827840
}