2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB appeared. The main change is in the dropper, which performs additional anti-VM checks (VMware, VirtualBox, QEMU), while the actual bot DLL is largely unchanged. New functionality such as Tor support was added, and the Fluxxy fast-flux network is often used.
See win.gozi for additional historical information.
https://lokalhost.pl/gozi_tree.txt
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 03c8 8bc5 c1ed18 c1e808 }
            // n = 4, score = 1000
            //   03c8                 | add                 ecx, eax
            //   8bc5                 | mov                 eax, ebp
            //   c1ed18               | shr                 ebp, 0x18
            //   c1e808               | shr                 eax, 8

        $sequence_1 = { 0f8431010000 488d1562ef0200 488bc8 ff15d9c10200 }
            // n = 4, score = 1000
            //   0f8431010000         | je                  0x543b360
            //   488d1562ef0200       | lea                 rdx, qword ptr [rip + 0x2ef62]
            //   488bc8               | mov                 rcx, rax
            //   ff15d9c10200         | call                qword ptr [rip + 0x2c1d9]

        $sequence_2 = { 2bce 83f908 894c2458 0f8798000000 }
            // n = 4, score = 1000
            //   2bce                 | sub                 ecx, esi
            //   83f908               | cmp                 ecx, 8
            //   894c2458             | mov                 dword ptr [rsp + 0x58], ecx
            //   0f8798000000         | ja                  0x5440294

        $sequence_3 = { 0f84e3030000 2bcb 7462 2bcb }
            // n = 4, score = 1000
            //   0f84e3030000         | je                  0x5443d7e
            //   2bcb                 | sub                 ecx, ebx
            //   7462                 | je                  0x5443a01
            //   2bcb                 | sub                 ecx, ebx

        $sequence_4 = { 25ff7f0000 41c1e005 0fb68c18c8000000 4433c1 }
            // n = 4, score = 1000
            //   25ff7f0000           | and                 eax, 0x7fff
            //   41c1e005             | shl                 r8d, 5
            //   0fb68c18c8000000     | movzx               ecx, byte ptr [rax + rbx + 0xc8]
            //   4433c1               | xor                 r8d, ecx

        $sequence_5 = { 0f84ef000000 8b4c2470 83c3c0 3bcb }
            // n = 4, score = 1000
            //   0f84ef000000         | je                  0x545b0f0
            //   8b4c2470             | mov                 ecx, dword ptr [rsp + 0x70]
            //   83c3c0               | add                 ebx, -0x40
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_6 = { 33d2 48894720 ff1570970000 48395f20 }
            // n = 4, score = 1000
            //   33d2                 | xor                 edx, edx
            //   48894720             | mov                 qword ptr [rdi + 0x20], rax
            //   ff1570970000         | call                qword ptr [rip + 0x9770]
            //   48395f20             | cmp                 qword ptr [rdi + 0x20], rbx

        $sequence_7 = { 33c9 448be3 ff5010 3bc3 }
            // n = 4, score = 1000
            //   33c9                 | xor                 ecx, ecx
            //   448be3               | mov                 r12d, ebx
            //   ff5010               | call                qword ptr [rax + 0x10]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_8 = { 33d2 41b800100000 ff1501770000 4885c0 }
            // n = 4, score = 1000
            //   33d2                 | xor                 edx, edx
            //   41b800100000         | mov                 r8d, 0x1000
            //   ff1501770000         | call                qword ptr [rip + 0x7701]
            //   4885c0               | test                rax, rax

        $sequence_9 = { 03d8 448d441b0c ff151d810000 483bc7 }
            // n = 4, score = 1000
            //   03d8                 | add                 ebx, eax
            //   448d441b0c           | lea                 r8d, dword ptr [rbx + rbx + 0xc]
            //   ff151d810000         | call                qword ptr [rip + 0x811d]
            //   483bc7               | cmp                 rax, rdi

    condition:
        7 of them
}
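As an added example (not part of the Malpedia page or of yara-signator), the following Python reimplements just enough of YARA's plain hex-string matching to evaluate this rule's ten sequences and its "7 of them" threshold, so an analyst can see which individual sequences hit in a buffer even when the rule as a whole does not fire. It handles plain hex only (no wildcards or jumps, which this rule does not use), and the sample buffers are constructed.

```python
import re

# Strings section of win_dreambot_auto, copied from the rule above.
RULE_STRINGS = """
$sequence_0 = { 03c8 8bc5 c1ed18 c1e808 }
$sequence_1 = { 0f8431010000 488d1562ef0200 488bc8 ff15d9c10200 }
$sequence_2 = { 2bce 83f908 894c2458 0f8798000000 }
$sequence_3 = { 0f84e3030000 2bcb 7462 2bcb }
$sequence_4 = { 25ff7f0000 41c1e005 0fb68c18c8000000 4433c1 }
$sequence_5 = { 0f84ef000000 8b4c2470 83c3c0 3bcb }
$sequence_6 = { 33d2 48894720 ff1570970000 48395f20 }
$sequence_7 = { 33c9 448be3 ff5010 3bc3 }
$sequence_8 = { 33d2 41b800100000 ff1501770000 4885c0 }
$sequence_9 = { 03d8 448d441b0c ff151d810000 483bc7 }
"""
THRESHOLD = 7  # the rule's condition is "7 of them"

# Plain hex strings only: "$name = { hex bytes }" (no ?? wildcards, no [n-m] jumps).
_STRING_RE = re.compile(r"\$(\w+)\s*=\s*\{([0-9a-fA-F\s]+)\}")

def parse_hex_strings(text):
    """Return {name: bytes} for every plain hex string in a YARA strings section."""
    return {name: bytes.fromhex("".join(hexpart.split()))
            for name, hexpart in _STRING_RE.findall(text)}

SEQUENCES = parse_hex_strings(RULE_STRINGS)

def find_matches(data, sequences=SEQUENCES):
    """Return {name: [offsets]} for every sequence that occurs anywhere in data."""
    hits = {}
    for name, needle in sequences.items():
        offsets, pos = [], data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

def rule_fires(data, threshold=THRESHOLD):
    """Apply the 'N of them' condition: True once at least N distinct sequences match."""
    return len(find_matches(data)) >= threshold

def constructed_sample(names, filler=b"\x90" * 16):
    """Constructed test buffer holding only the named sequences, separated by NOP padding."""
    return filler.join(SEQUENCES[n] for n in names) + filler

if __name__ == "__main__":
    weak = constructed_sample(["sequence_0", "sequence_3", "sequence_7"])
    print("fires:", rule_fires(weak), "partial hits:", sorted(find_matches(weak)))
```

Partial hits below the threshold are worth logging separately: a sample with three or four sequences is not a detection, but it is a candidate for manual triage of a possibly repacked or modified build.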