SYMBOLCOMMON_NAMEaka. SYNONYMS
win.elise (Back to overview)

Elise

aka: EVILNEST

Actor(s): Lotus Blossom

VTCollection    

There is no description at this point.

References
2021-05-20Github (microsoft)Microsoft
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2020-04-07FireEyeMichael Bailey
Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation
Elise
2020-01-01SecureworksSecureWorks
BRONZE ELGIN
Elise LOTUS PANDA
2018-02-20Joe Security's BlogJoe Security
Latest Elise APT comes packed with Sandbox Evasions
Elise
2018-01-27Accenture SecurityAccenture Security, Bart Parys
LATEST CYBER ESPIONAGE MALWARE ATTACKS - DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES
Elise
2018-01-01AccentureBart Parys, Joshua Ray
Dragonfish delivers New Form of Elise Malware targeting ASEAN Defence Ministers' Meeting and Associates
Elise LOTUS PANDA
2016-02-03Palo Alto Networks Unit 42Jen Miller-Osborn, Robert Falcone
Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
Elise
2015-06-17Kaspersky LabsKurt Baumgartner
The Spring Dragon APT
Elise LOTUS PANDA
2015-02-06CrowdStrikeCrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-01-01Trend MicroUnknownUnknown
Targeted Attack Trends in Asia-Pacific
Elise
Yara Rules
[TLP:WHITE] win_elise_auto (20241030 | Detects win.elise.)
rule win_elise_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.elise."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8dbe1e050000 f3ab 8bc2 0fb7d0 }
            // n = 4, score = 400
            //   8dbe1e050000         | lea                 edi, [esi + 0x51e]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8bc2                 | mov                 eax, edx
            //   0fb7d0               | movzx               edx, ax

        $sequence_1 = { 7205 8d0429 eb02 33c0 5f 5e }
            // n = 6, score = 400
            //   7205                 | jb                  7
            //   8d0429               | lea                 eax, [ecx + ebp]
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { 4e 237720 d3e6 59 }
            // n = 4, score = 400
            //   4e                   | dec                 esi
            //   237720               | and                 esi, dword ptr [edi + 0x20]
            //   d3e6                 | shl                 esi, cl
            //   59                   | pop                 ecx

        $sequence_3 = { 8b10 53 8a5c2408 8d4804 }
            // n = 4, score = 400
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   53                   | push                ebx
            //   8a5c2408             | mov                 bl, byte ptr [esp + 8]
            //   8d4804               | lea                 ecx, [eax + 4]

        $sequence_4 = { 7ce9 33c0 40 5b 5e 5f c3 }
            // n = 7, score = 400
            //   7ce9                 | jl                  0xffffffeb
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c3                   | ret                 

        $sequence_5 = { 8bc6 e8???????? 85c0 0f8484000000 53 }
            // n = 5, score = 400
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8484000000         | je                  0x8a
            //   53                   | push                ebx

        $sequence_6 = { 55 33c9 57 ba00040000 85c0 760e }
            // n = 6, score = 400
            //   55                   | push                ebp
            //   33c9                 | xor                 ecx, ecx
            //   57                   | push                edi
            //   ba00040000           | mov                 edx, 0x400
            //   85c0                 | test                eax, eax
            //   760e                 | jbe                 0x10

        $sequence_7 = { 8bcb 8d3470 d3e0 0945f4 43 83fb04 }
            // n = 6, score = 400
            //   8bcb                 | mov                 ecx, ebx
            //   8d3470               | lea                 esi, [eax + esi*2]
            //   d3e0                 | shl                 eax, cl
            //   0945f4               | or                  dword ptr [ebp - 0xc], eax
            //   43                   | inc                 ebx
            //   83fb04               | cmp                 ebx, 4

        $sequence_8 = { 7cf5 33c9 888f00010000 888f01010000 8bf7 8945f8 }
            // n = 6, score = 400
            //   7cf5                 | jl                  0xfffffff7
            //   33c9                 | xor                 ecx, ecx
            //   888f00010000         | mov                 byte ptr [edi + 0x100], cl
            //   888f01010000         | mov                 byte ptr [edi + 0x101], cl
            //   8bf7                 | mov                 esi, edi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_9 = { 885d88 e8???????? 83c40c 8d4580 }
            // n = 4, score = 300
            //   885d88               | mov                 byte ptr [ebp - 0x78], bl
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4580               | lea                 eax, [ebp - 0x80]

        $sequence_10 = { 33f6 46 d3e6 0bd6 40 83f80e 72e7 }
            // n = 7, score = 300
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   d3e6                 | shl                 esi, cl
            //   0bd6                 | or                  edx, esi
            //   40                   | inc                 eax
            //   83f80e               | cmp                 eax, 0xe
            //   72e7                 | jb                  0xffffffe9

        $sequence_11 = { ff15???????? eb0b 6a02 53 53 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   eb0b                 | jmp                 0xd
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_12 = { ff75ec 1155f4 53 e8???????? 8bd8 8955ec }
            // n = 6, score = 300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   1155f4               | adc                 dword ptr [ebp - 0xc], edx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx

        $sequence_13 = { 56 57 b99a000000 8d7510 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   57                   | push                edi
            //   b99a000000           | mov                 ecx, 0x9a
            //   8d7510               | lea                 esi, [ebp + 0x10]

        $sequence_14 = { eb03 8b7df4 8d4e01 81e1ff000080 7908 49 }
            // n = 6, score = 300
            //   eb03                 | jmp                 5
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa
            //   49                   | dec                 ecx

        $sequence_15 = { 6a20 e8???????? 59 8bd8 }
            // n = 4, score = 300
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax

        $sequence_16 = { 46 4f 75eb f7d0 5f 5e }
            // n = 6, score = 300
            //   46                   | inc                 esi
            //   4f                   | dec                 edi
            //   75eb                 | jne                 0xffffffed
            //   f7d0                 | not                 eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_17 = { 83c40c 8d4580 50 8d4588 50 53 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   8d4588               | lea                 eax, [ebp - 0x78]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_18 = { 85ff 7415 0fb616 33d0 23d1 }
            // n = 5, score = 300
            //   85ff                 | test                edi, edi
            //   7415                 | je                  0x17
            //   0fb616               | movzx               edx, byte ptr [esi]
            //   33d0                 | xor                 edx, eax
            //   23d1                 | and                 edx, ecx

        $sequence_19 = { 50 ff7580 e8???????? 85c0 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   ff7580               | push                dword ptr [ebp - 0x80]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_20 = { 59 8b45f0 8b55f4 5f 5e 5b c9 }
            // n = 7, score = 300
            //   59                   | pop                 ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

    condition:
        7 of them and filesize < 204800
}
[TLP:WHITE] win_elise_w0   (20170517 | No description)
rule win_elise_w0 {
    meta:
        author = "ThreatConnect Intelligence Research Team - Wes Hurd"
        license = "Usage of this signature is subject to the ThreatConnect Terms of Service, which are incorporated herein by reference."
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Elise.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $0E = "\\000ELISEA"
        $D = "~DF37382D8F2E.tmp" nocase wide ascii
        $SE = "SetElise.pdb" wide ascii
        $xpage = "/%x/page_%02d%02d%02d%02d.html" wide ascii
    condition:
        any of them
}
Download all Yara Rules