EvilGrab (Malware Family)

EvilGrab

aka: Vidgrab

Actor(s): Stone Panda

There is no description at this point.

References

2015-08 ⋅ Arbor Networks ⋅ ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_evilgrab_auto (20230407 | Detects win.evilgrab.)

rule win_evilgrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.evilgrab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e103 f3a4 66c705????????901f c705????????00000000 bf???????? 83c9ff 33c0 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   66c705????????901f     |     
            //   c705????????00000000     |     
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 83e103 53 f3a4 ff15???????? 85c0 7416 5f }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   53                   | push                ebx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7416                 | je                  0x18
            //   5f                   | pop                 edi

        $sequence_2 = { 752a 6a2a 68???????? 8d8500f6ffff 50 ff15???????? 83c40c }
            // n = 7, score = 200
            //   752a                 | jne                 0x2c
            //   6a2a                 | push                0x2a
            //   68????????           |                     
            //   8d8500f6ffff         | lea                 eax, [ebp - 0xa00]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { 0f8497010000 8d9515ebffff 8995b0aeffff 68???????? 8d8515ebffff 50 ff15???????? }
            // n = 7, score = 200
            //   0f8497010000         | je                  0x19d
            //   8d9515ebffff         | lea                 edx, [ebp - 0x14eb]
            //   8995b0aeffff         | mov                 dword ptr [ebp - 0x5150], edx
            //   68????????           |                     
            //   8d8515ebffff         | lea                 eax, [ebp - 0x14eb]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_4 = { 52 68???????? 8d85fcf6ffff 50 ff15???????? 83c40c }
            // n = 6, score = 200
            //   52                   | push                edx
            //   68????????           |                     
            //   8d85fcf6ffff         | lea                 eax, [ebp - 0x904]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { 8d8c9000050000 51 6aff 8d953cf9ffff 52 6a00 }
            // n = 6, score = 200
            //   8d8c9000050000       | lea                 ecx, [eax + edx*4 + 0x500]
            //   51                   | push                ecx
            //   6aff                 | push                -1
            //   8d953cf9ffff         | lea                 edx, [ebp - 0x6c4]
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_6 = { 8b35???????? 8d8c242c020000 6804010000 51 68???????? ffd6 8dbc242c020000 }
            // n = 7, score = 200
            //   8b35????????         |                     
            //   8d8c242c020000       | lea                 ecx, [esp + 0x22c]
            //   6804010000           | push                0x104
            //   51                   | push                ecx
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   8dbc242c020000       | lea                 edi, [esp + 0x22c]

        $sequence_7 = { 8bfe 8b7638 8b07 50 e8???????? 8b4f04 51 }
            // n = 7, score = 200
            //   8bfe                 | mov                 edi, esi
            //   8b7638               | mov                 esi, dword ptr [esi + 0x38]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   51                   | push                ecx

        $sequence_8 = { f3ab 8b842434040000 80fc3a 0f8481000000 80fc3f 7517 }
            // n = 6, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b842434040000       | mov                 eax, dword ptr [esp + 0x434]
            //   80fc3a               | cmp                 ah, 0x3a
            //   0f8481000000         | je                  0x87
            //   80fc3f               | cmp                 ah, 0x3f
            //   7517                 | jne                 0x19

        $sequence_9 = { 51 52 ffd6 8b83c8020000 83c408 85c0 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b83c8020000         | mov                 eax, dword ptr [ebx + 0x2c8]
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 327680
}

[TLP:WHITE] win_evilgrab_w0 (20170517 | Vidgrab code tricks)

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_evilgrab_w0 {
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
        
    condition:
        all of them
}

[TLP:WHITE] win_evilgrab_w1 (20170517 | Vidgrab Identifying Strings)

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_evilgrab_w1 {
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "IDI_ICON5" wide ascii
        $s2 = "starter.exe"
        $s3 = "wmifw.exe"
        $s4 = "Software\\rar"
        $s5 = "tmp092.tmp"
        $s6 = "temp1.exe"
        
    condition:
       3 of them
}

Download all Yara Rules

EvilGrab Propose Change

References

Yara Rules

EvilGrab