EvilGrab (Malware Family)

EvilGrab

aka: Vidgrab

Actor(s): Stone Panda

There is no description at this point.

References

2015-08 ⋅ Arbor Networks ⋅ ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_evilgrab_auto (20230715 | Detects win.evilgrab.)

rule win_evilgrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.evilgrab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e103 f3a4 8bca 51 50 8b9524cfffff 52 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8b9524cfffff         | mov                 edx, dword ptr [ebp - 0x30dc]
            //   52                   | push                edx

        $sequence_1 = { 8b45e0 83f801 0f8c33010000 8a4f04 84c9 0f8428010000 }
            // n = 6, score = 200
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   83f801               | cmp                 eax, 1
            //   0f8c33010000         | jl                  0x139
            //   8a4f04               | mov                 cl, byte ptr [edi + 4]
            //   84c9                 | test                cl, cl
            //   0f8428010000         | je                  0x12e

        $sequence_2 = { 68???????? 52 ffd7 83c408 c60000 }
            // n = 5, score = 200
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   83c408               | add                 esp, 8
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_3 = { 6a2a 68???????? 8d8504f6ffff 50 ff15???????? 83c410 8d8d04f6ffff }
            // n = 7, score = 200
            //   6a2a                 | push                0x2a
            //   68????????           |                     
            //   8d8504f6ffff         | lea                 eax, [ebp - 0x9fc]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   8d8d04f6ffff         | lea                 ecx, [ebp - 0x9fc]

        $sequence_4 = { 8b850cebffff 3dfc0f0000 0f87393b0000 85c0 0f847dfeffff c645fc03 9b }
            // n = 7, score = 200
            //   8b850cebffff         | mov                 eax, dword ptr [ebp - 0x14f4]
            //   3dfc0f0000           | cmp                 eax, 0xffc
            //   0f87393b0000         | ja                  0x3b3f
            //   85c0                 | test                eax, eax
            //   0f847dfeffff         | je                  0xfffffe83
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   9b                   | wait                

        $sequence_5 = { ff15???????? 83c408 85c0 75c2 8d8515ebffff 50 8bcb }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   75c2                 | jne                 0xffffffc4
            //   8d8515ebffff         | lea                 eax, [ebp - 0x14eb]
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx

        $sequence_6 = { 0f8c33010000 8a4f04 84c9 0f8428010000 50 e8???????? 83c404 }
            // n = 7, score = 200
            //   0f8c33010000         | jl                  0x139
            //   8a4f04               | mov                 cl, byte ptr [edi + 4]
            //   84c9                 | test                cl, cl
            //   0f8428010000         | je                  0x12e
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_7 = { 6a28 8d45c4 50 e8???????? 83c41c c745ec28000000 83be0408000009 }
            // n = 7, score = 200
            //   6a28                 | push                0x28
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   c745ec28000000       | mov                 dword ptr [ebp - 0x14], 0x28
            //   83be0408000009       | cmp                 dword ptr [esi + 0x804], 9

        $sequence_8 = { 55 57 b941000000 33c0 8d7c2414 f3ab }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   57                   | push                edi
            //   b941000000           | mov                 ecx, 0x41
            //   33c0                 | xor                 eax, eax
            //   8d7c2414             | lea                 edi, [esp + 0x14]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_9 = { 5b 81c4902b0000 c20400 8b83c8020000 85c0 7464 8d93cc020000 }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   81c4902b0000         | add                 esp, 0x2b90
            //   c20400               | ret                 4
            //   8b83c8020000         | mov                 eax, dword ptr [ebx + 0x2c8]
            //   85c0                 | test                eax, eax
            //   7464                 | je                  0x66
            //   8d93cc020000         | lea                 edx, [ebx + 0x2cc]

    condition:
        7 of them and filesize < 327680
}

[TLP:WHITE] win_evilgrab_w0 (20170517 | Vidgrab code tricks)

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_evilgrab_w0 {
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
        
    condition:
        all of them
}

[TLP:WHITE] win_evilgrab_w1 (20170517 | Vidgrab Identifying Strings)

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_evilgrab_w1 {
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "IDI_ICON5" wide ascii
        $s2 = "starter.exe"
        $s3 = "wmifw.exe"
        $s4 = "Software\\rar"
        $s5 = "tmp092.tmp"
        $s6 = "temp1.exe"
        
    condition:
       3 of them
}

Download all Yara Rules

EvilGrab Propose Change

References

Yara Rules

EvilGrab