win.darktequila

DarkTequila


Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

References
2018-08-21Kaspersky LabsGReAT
@online{great:20180821:dark:430988e, author = {GReAT}, title = {{Dark Tequila Añejo}}, date = {2018-08-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/dark-tequila-anejo/87528/}, language = {English}, urldate = {2019-12-20} } Dark Tequila Añejo
DarkTequila
Yara Rules
[TLP:WHITE] win_darktequila_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_darktequila_auto {

    // Autogenerated code-sequence signature for the win.darktequila family.
    // The sequences below were picked by yara-signator from disassembly, so
    // nothing in this rule encodes analyst knowledge of the malware's logic;
    // it is a statistical fingerprint of the sampled build(s).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation run date; malpedia_version names the Malpedia data
        // snapshot the samples were taken from (presumably, given the
        // 20201023 vs 20201222 difference) — confirm against the generator.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator features that were enabled when selecting sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reader notes (comments only, no effect on matching):
     * - Each $sequence_N is a raw x86 byte pattern. The "// bytes | mnemonic"
     *   lines beneath each one are the disassembly the pattern was cut from
     *   and exist purely for documentation.
     * - "????" bytes are wildcards. Here they mask the operands of e8 / ff15
     *   (x86 call encodings), so the sequences tolerate different call targets
     *   and relocations; the disassembly column is left blank for those.
     * - "n = N, score = 200" are generator statistics, not YARA syntax.
     * - Some sequences overlap ($sequence_0 and $sequence_7 both contain
     *   "8d9b00000000 c60300", $sequence_0 and $sequence_5 share "75f9 5f"),
     *   so they are not fully independent evidence of the family.
     */

    strings:
        // Byte-zeroing loop body (store 0, inc ebx, dec eax, loop) plus an
        // alignment lea; generic compiler output, so weak on its own.
        $sequence_0 = { 8d9b00000000 c60300 43 48 75f9 5f }
            // n = 6, score = 200
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   c60300               | mov                 byte ptr [ebx], 0
            //   43                   | inc                 ebx
            //   48                   | dec                 eax
            //   75f9                 | jne                 0xfffffffb
            //   5f                   | pop                 edi

        $sequence_1 = { 50 894df8 e8???????? 83c410 8bf3 e8???????? 8b45fc }
            // n = 7, score = 200
            //   50                   | push                eax
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_2 = { ff15???????? 83c404 8bc7 5f 895e10 895e08 895e04 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   895e04               | mov                 dword ptr [esi + 4], ebx

        // Function prologue fragment (save esi/edi, move args into regs,
        // null-test); short and generic, relies on the "7 of them" threshold.
        $sequence_3 = { 56 57 8bf8 8bda 85ff }
            // n = 5, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   8bda                 | mov                 ebx, edx
            //   85ff                 | test                edi, edi

        $sequence_4 = { 50 53 51 ff15???????? 8bf8 5f }
            // n = 6, score = 200
            //   50                   | push                eax
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   5f                   | pop                 edi

        // Function epilogue returning 1.
        $sequence_5 = { 75f9 5f 5e b801000000 5b 8be5 }
            // n = 6, score = 200
            //   75f9                 | jne                 0xfffffffb
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_6 = { ffd7 8bf0 85f6 743f }
            // n = 4, score = 200
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   743f                 | je                  0x41

        $sequence_7 = { 7414 8b5b10 85c0 740d 8d9b00000000 c60300 }
            // n = 6, score = 200
            //   7414                 | je                  0x16
            //   8b5b10               | mov                 ebx, dword ptr [ebx + 0x10]
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   c60300               | mov                 byte ptr [ebx], 0

        $sequence_8 = { 8b4314 8b13 50 8d75fc }
            // n = 4, score = 200
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   50                   | push                eax
            //   8d75fc               | lea                 esi, [ebp - 4]

        // Compare against 0x80000000 with an unsigned branch (jae); the only
        // sequence here that carries a distinctive immediate.
        $sequence_9 = { 8b0e 33c0 81f900000080 7348 2bd0 7425 }
            // n = 6, score = 200
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   81f900000080         | cmp                 ecx, 0x80000000
            //   7348                 | jae                 0x4a
            //   2bd0                 | sub                 edx, eax
            //   7425                 | je                  0x27

    condition:
        // Match when any 7 of the 10 sequences are present AND the scanned
        // object is under 1827840 bytes (~1.74 MiB). Per the DISCLAIMER the
        // sequences come from memory dumps / unpacked files, so a packed
        // on-disk sample may not hit; unpacked code is the intended input.
        // NOTE(review): how "filesize" evaluates for your scan mode (file vs.
        // process memory) depends on the YARA version — confirm before
        // relying on the size bound there.
        7 of them and filesize < 1827840
}