DataExfiltrator (Malware Family)

win.data_exfiltrator (Back to overview)
DataExfiltrator

aka: FileSender
VTCollection
There is no description at this point.
References

2021-07-15 ⋅ ReversingLabs ⋅ Robert Simmons
Data Exfiltrator - A New Tactic for Ransomware Adversaries
DataExfiltrator
Yara Rules

[TLP:WHITE] win_data_exfiltrator_auto (20230808 | Detects win.data_exfiltrator.)
rule win_data_exfiltrator_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.data_exfiltrator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b4c2440 ff15???????? 4889442420 488b542448 }
            // n = 4, score = 100
            //   488b4c2440           | mov                 ecx, dword ptr [ecx + 0x4024]
            //   ff15????????         |                     
            //   4889442420           | dec                 eax
            //   488b542448           | mov                 dword ptr [esp + 8], ecx

        $sequence_1 = { e8???????? 4c8b442428 488d152c570000 488b4c2420 e8???????? 41b80a000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4c8b442428           | dec                 eax
            //   488d152c570000       | mov                 dword ptr [esp + 8], 0
            //   488b4c2420           | dec                 eax
            //   e8????????           |                     
            //   41b80a000000         | mov                 dword ptr [esp], 0

        $sequence_2 = { 488d8c24a0000000 e8???????? 488d9424a0000000 488b8c2430010000 e8???????? 488905???????? }
            // n = 6, score = 100
            //   488d8c24a0000000     | mov                 byte ptr [esp + 0x8f], 0x70
            //   e8????????           |                     
            //   488d9424a0000000     | mov                 byte ptr [esp + 0x90], 0x5f
            //   488b8c2430010000     | mov                 byte ptr [esp + 0x91], 0x7d
            //   e8????????           |                     
            //   488905????????       |                     

        $sequence_3 = { c68424ba00000078 c68424bb00000078 c68424bc00000078 c68424bd00000078 c68424be00000000 488d8c24a0000000 }
            // n = 6, score = 100
            //   c68424ba00000078     | dec                 eax
            //   c68424bb00000078     | mov                 dword ptr [esp + 0x20], eax
            //   c68424bc00000078     | dec                 eax
            //   c68424bd00000078     | cmp                 dword ptr [esp + 0x20], 0x100
            //   c68424be00000000     | jae                 0x5d8
            //   488d8c24a0000000     | inc                 ebp

        $sequence_4 = { 48894c2408 4883ec48 48837c246001 752b }
            // n = 4, score = 100
            //   48894c2408           | dec                 eax
            //   4883ec48             | add                 eax, 0x2c
            //   48837c246001         | dec                 eax
            //   752b                 | mov                 edx, eax

        $sequence_5 = { c6442420fb c6442421fc c6442422fe c6442423ff c6442424aa c64424254d }
            // n = 6, score = 100
            //   c6442420fb           | dec                 eax
            //   c6442421fc           | mov                 dword ptr [esp + 0x18], eax
            //   c6442422fe           | cmp                 eax, ecx
            //   c6442423ff           | jne                 0xad
            //   c6442424aa           | jmp                 0xe6
            //   c64424254d           | dec                 eax

        $sequence_6 = { c68424020100006d c684240301000000 c684240401000007 c68424050100006d c68424060100004f c684240701000072 }
            // n = 6, score = 100
            //   c68424020100006d     | dec                 eax
            //   c684240301000000     | mov                 dword ptr [esp + 0x38], 1
            //   c684240401000007     | jne                 0x5e7
            //   c68424050100006d     | dec                 eax
            //   c68424060100004f     | mov                 ecx, dword ptr [esp + 0x20]
            //   c684240701000072     | dec                 eax

        $sequence_7 = { 89442428 837c242800 7c3a 8b442448 39442428 7d30 8b442420 }
            // n = 7, score = 100
            //   89442428             | mov                 byte ptr [esp + 0x118], 0x4d
            //   837c242800           | mov                 byte ptr [esp + 0x119], 0x53
            //   7c3a                 | mov                 byte ptr [esp + 0x11a], 0x4b
            //   8b442448             | mov                 byte ptr [esp + 0x11b], 0x5b
            //   39442428             | mov                 byte ptr [esp + 0x11c], 0x36
            //   7d30                 | mov                 byte ptr [esp + 0x118], 0x4d
            //   8b442420             | mov                 byte ptr [esp + 0x119], 0x53

        $sequence_8 = { 7417 488b442450 488b4c2448 4803c8 488bc1 }
            // n = 5, score = 100
            //   7417                 | dec                 eax
            //   488b442450           | sub                 esp, 0x98
            //   488b4c2448           | mov                 byte ptr [esp + 0x60], 0xfb
            //   4803c8               | mov                 byte ptr [esp + 0x61], 0xfc
            //   488bc1               | mov                 byte ptr [esp + 0x62], 0xfe

        $sequence_9 = { 48837c242800 7509 488d05d8250000 eb22 488d542420 488b4c2428 ff15???????? }
            // n = 7, score = 100
            //   48837c242800         | dec                 eax
            //   7509                 | mov                 eax, ecx
            //   488d05d8250000       | dec                 eax
            //   eb22                 | mov                 dword ptr [esp + 0x20], 0
            //   488d542420           | dec                 esp
            //   488b4c2428           | lea                 ecx, [esp + 0x40]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 107520
}
Download all Yara Rules
DataExfiltrator Propose Change

References

Yara Rules

DataExfiltrator
