win.doubleback

DOUBLEBACK


DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine.

References
2023-03-30 | loginsoft | Saharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2021-05-04 | FireEye | Dimiter Andonov, Nick Richard
The UNC2529 Triple Double: A Trifecta Phishing Campaign
DOUBLEBACK
Yara Rules
[TLP:WHITE] win_doubleback_auto (20230808 | Detects win.doubleback.)
rule win_doubleback_auto {

    /* Auto-generated (yara-signator) code-byte signature for win.doubleback.
     * Ten short x86 opcode sequences are declared below; the rule fires when
     * at least 7 of the 10 occur in a file smaller than 106496 bytes.
     * Several sequences overlap ($sequence_2 is contained in $sequence_0,
     * $sequence_7 in $sequence_6 and $sequence_9, $sequence_4 shares three
     * instructions with $sequence_0), so the "7 of 10" threshold represents
     * fewer independent pieces of evidence than the count suggests.
     * NOTE(review): the per-byte annotations next to each sequence were
     * re-derived from the opcode bytes themselves; the published auto-generated
     * annotation column did not correspond to the bytes shown.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.doubleback."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Most sequences are "cmp eax, imm32 / je" chains or "mov ecx, imm32 / jmp"
        // pairs, i.e. a compare-and-dispatch over 32-bit constants. What the
        // constants identify cannot be determined from this rule alone.
        // "n" is the instruction count of the sequence; "score" is the
        // generator's ranking value for it.
        $sequence_0 = { b9e3050000 eb3b b90b070000 eb34 2d63450000 7428 }
            // n = 6, score = 400
            //   b9e3050000           | mov                 ecx, 0x5e3
            //   eb3b                 | jmp                 short rel8 +0x3b
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short rel8 +0x34
            //   2d63450000           | sub                 eax, 0x4563
            //   7428                 | je                  short rel8 +0x28

        $sequence_1 = { b9ad060000 eb57 b9a7060000 eb50 b947060000 eb49 }
            // n = 6, score = 400
            //   b9ad060000           | mov                 ecx, 0x6ad
            //   eb57                 | jmp                 short rel8 +0x57
            //   b9a7060000           | mov                 ecx, 0x6a7
            //   eb50                 | jmp                 short rel8 +0x50
            //   b947060000           | mov                 ecx, 0x647
            //   eb49                 | jmp                 short rel8 +0x49

        // Suffix of $sequence_0: any file matching $sequence_0 also matches this.
        $sequence_2 = { eb3b b90b070000 eb34 2d63450000 }
            // n = 4, score = 400
            //   eb3b                 | jmp                 short rel8 +0x3b
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short rel8 +0x34
            //   2d63450000           | sub                 eax, 0x4563

        $sequence_3 = { 3d39380000 741c 3dd73a0000 740e 3dab3f0000 }
            // n = 5, score = 400
            //   3d39380000           | cmp                 eax, 0x3839
            //   741c                 | je                  short rel8 +0x1c
            //   3dd73a0000           | cmp                 eax, 0x3ad7
            //   740e                 | je                  short rel8 +0x0e
            //   3dab3f0000           | cmp                 eax, 0x3fab

        // Overlaps $sequence_0 on its last three instructions.
        $sequence_4 = { b9e7050000 eb42 b9e3050000 eb3b b90b070000 }
            // n = 5, score = 400
            //   b9e7050000           | mov                 ecx, 0x5e7
            //   eb42                 | jmp                 short rel8 +0x42
            //   b9e3050000           | mov                 ecx, 0x5e3
            //   eb3b                 | jmp                 short rel8 +0x3b
            //   b90b070000           | mov                 ecx, 0x70b

        // Overlaps $sequence_0 on its last four instructions.
        $sequence_5 = { b90b070000 eb34 2d63450000 7428 2d57020000 }
            // n = 5, score = 400
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short rel8 +0x34
            //   2d63450000           | sub                 eax, 0x4563
            //   7428                 | je                  short rel8 +0x28
            //   2d57020000           | sub                 eax, 0x257

        $sequence_6 = { 774f 7446 3d00280000 7438 3d5a290000 742a 3d39380000 }
            // n = 7, score = 400
            //   774f                 | ja                  short rel8 +0x4f
            //   7446                 | je                  short rel8 +0x46
            //   3d00280000           | cmp                 eax, 0x2800
            //   7438                 | je                  short rel8 +0x38
            //   3d5a290000           | cmp                 eax, 0x295a
            //   742a                 | je                  short rel8 +0x2a
            //   3d39380000           | cmp                 eax, 0x3839

        // Suffix of $sequence_6 (and contained in $sequence_9).
        $sequence_7 = { 7438 3d5a290000 742a 3d39380000 }
            // n = 4, score = 400
            //   7438                 | je                  short rel8 +0x38
            //   3d5a290000           | cmp                 eax, 0x295a
            //   742a                 | je                  short rel8 +0x2a
            //   3d39380000           | cmp                 eax, 0x3839

        // The only sequence not built from the compare/dispatch chains; the
        // call and jmp targets are wildcarded (relocatable rel32 displacements).
        $sequence_8 = { e8???????? 85c0 7508 c60703 e9???????? }
            // n = 5, score = 400
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 short rel8 +0x08
            //   c60703               | mov                 byte ptr [edi], 3
            //   e9????????           | jmp                 rel32 (wildcarded)

        // $sequence_6 minus its leading "ja", plus one trailing "je".
        $sequence_9 = { 7446 3d00280000 7438 3d5a290000 742a 3d39380000 741c }
            // n = 7, score = 400
            //   7446                 | je                  short rel8 +0x46
            //   3d00280000           | cmp                 eax, 0x2800
            //   7438                 | je                  short rel8 +0x38
            //   3d5a290000           | cmp                 eax, 0x295a
            //   742a                 | je                  short rel8 +0x2a
            //   3d39380000           | cmp                 eax, 0x3839
            //   741c                 | je                  short rel8 +0x1c

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. The size
        // bound (106496 = 0x1A000 = 104 KiB) means files at or above that size
        // never match regardless of content, so larger carriers of the same
        // code (e.g. full memory images) are outside this rule's scope.
        7 of them and filesize < 106496
}