SYMBOLCOMMON_NAMEaka. SYNONYMS
win.evilbunny (Back to overview)

Evilbunny

Actor(s): SNOWGLOBE


There is no description at this point.

References
2015-02-18CyphortMarion Marschalek
@online{marschalek:20150218:babar:f8c92b6, author = {Marion Marschalek}, title = {{Babar: Suspected Nation State Spyware In The Spotlight}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/}, language = {English}, urldate = {2020-06-08} } Babar: Suspected Nation State Spyware In The Spotlight
Babar Evilbunny SNOWGLOBE
2015-02-18G DataG Data
@online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } Babar: espionage software finally found and put under the microscope
Evilbunny SNOWGLOBE
2014-12-16CyphortMarion Marschalek
@online{marschalek:20141216:evilbunny:8e78c65, author = {Marion Marschalek}, title = {{EvilBunny: Malware Instrumented By Lua}}, date = {2014-12-16}, organization = {Cyphort}, url = {https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/}, language = {English}, urldate = {2020-06-08} } EvilBunny: Malware Instrumented By Lua
Evilbunny SNOWGLOBE
Yara Rules
[TLP:WHITE] win_evilbunny_auto (20221125 | Detects win.evilbunny.)
rule win_evilbunny_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.evilbunny."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1ea07 8b8548ffffff c1e019 0bd0 8b8548ffffff c1e812 8bb548ffffff }
            // n = 7, score = 200
            //   c1ea07               | shr                 edx, 7
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   c1e019               | shl                 eax, 0x19
            //   0bd0                 | or                  edx, eax
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   c1e812               | shr                 eax, 0x12
            //   8bb548ffffff         | mov                 esi, dword ptr [ebp - 0xb8]

        $sequence_1 = { e8???????? 83c404 8b4df8 6bc90c 8b550c 8b5218 890411 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   6bc90c               | imul                ecx, ecx, 0xc
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b5218               | mov                 edx, dword ptr [edx + 0x18]
            //   890411               | mov                 dword ptr [ecx + edx], eax

        $sequence_2 = { 8b4dfc 51 8b5508 52 e8???????? 83c40c 6aff }
            // n = 7, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6aff                 | push                -1

        $sequence_3 = { e8???????? 83c408 8b450c 0fbe08 8b550c 83c201 89550c }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   83c201               | add                 edx, 1
            //   89550c               | mov                 dword ptr [ebp + 0xc], edx

        $sequence_4 = { eb09 8b4df8 83c101 894df8 8b55f8 3b55fc 7d12 }
            // n = 7, score = 200
            //   eb09                 | jmp                 0xb
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83c101               | add                 ecx, 1
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   3b55fc               | cmp                 edx, dword ptr [ebp - 4]
            //   7d12                 | jge                 0x14

        $sequence_5 = { e8???????? 3985b0fcffff 7367 8b95b0fcffff 52 8b4df8 83c11c }
            // n = 7, score = 200
            //   e8????????           |                     
            //   3985b0fcffff         | cmp                 dword ptr [ebp - 0x350], eax
            //   7367                 | jae                 0x69
            //   8b95b0fcffff         | mov                 edx, dword ptr [ebp - 0x350]
            //   52                   | push                edx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83c11c               | add                 ecx, 0x1c

        $sequence_6 = { 8b8de0feffff 338ddcfeffff 238de4feffff 338ddcfeffff 0395fcfeffff 8d9411a5dbb5e9 8955f8 }
            // n = 7, score = 200
            //   8b8de0feffff         | mov                 ecx, dword ptr [ebp - 0x120]
            //   338ddcfeffff         | xor                 ecx, dword ptr [ebp - 0x124]
            //   238de4feffff         | and                 ecx, dword ptr [ebp - 0x11c]
            //   338ddcfeffff         | xor                 ecx, dword ptr [ebp - 0x124]
            //   0395fcfeffff         | add                 edx, dword ptr [ebp - 0x104]
            //   8d9411a5dbb5e9       | lea                 edx, [ecx + edx - 0x164a245b]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx

        $sequence_7 = { c1e912 8bb54cffffff c1e60e 0bce 33c1 8b8d4cffffff c1e903 }
            // n = 7, score = 200
            //   c1e912               | shr                 ecx, 0x12
            //   8bb54cffffff         | mov                 esi, dword ptr [ebp - 0xb4]
            //   c1e60e               | shl                 esi, 0xe
            //   0bce                 | or                  ecx, esi
            //   33c1                 | xor                 eax, ecx
            //   8b8d4cffffff         | mov                 ecx, dword ptr [ebp - 0xb4]
            //   c1e903               | shr                 ecx, 3

        $sequence_8 = { 8b55fc 8b02 83e03f 83f81b 7404 33c0 eb6d }
            // n = 7, score = 200
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   83e03f               | and                 eax, 0x3f
            //   83f81b               | cmp                 eax, 0x1b
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb6d                 | jmp                 0x6f

        $sequence_9 = { e8???????? 83c404 85c0 7414 8b4d08 c7411c00000000 8b5508 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c7411c00000000       | mov                 dword ptr [ecx + 0x1c], 0
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 1695744
}
Download all Yara Rules