win.evilgrab

EvilGrab

aka: Vidgrab

Actor(s): Stone Panda


There is no description at this point.

References
2015-08-01 — Arbor Networks (ASERT Team)
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
2015-02-06 — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_evilgrab_auto (20230808 | Detects win.evilgrab.)
rule win_evilgrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.evilgrab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Ten machine-selected x86 opcode sequences follow. Every "??" run masks
     *   the imm32/rel32 operand of a mov esi / push / call / jmp (see the
     *   leading opcode byte on each masked line); those operands carry
     *   absolute addresses or call targets that change between builds and
     *   load addresses, so only the opcode skeleton is matched.
     * - The sequences were taken from unpacked code (see DISCLAIMER). A packed
     *   EvilGrab dropper on disk will not match until unpacked or dumped.
     * - The three date-like meta fields are not interchangeable: `date`
     *   appears to be the generation date of this rule, `malpedia_rule_date`
     *   the rule-set release, and `malpedia_version` the Malpedia data
     *   snapshot (the key shown in the listing header). NOTE(review): `date`
     *   (2023-12-06) postdates `malpedia_rule_date` (20231130) — confirm
     *   which one the upstream generator intends as the rule timestamp.
     */

    strings:
        $sequence_0 = { 50 50 50 52 89442440 89442434 89442438 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   52                   | push                edx
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   89442438             | mov                 dword ptr [esp + 0x38], eax

        $sequence_1 = { 8dbdb8f5ffff f3a5 a4 b909000000 be???????? 8dbd5cf4ffff f3a5 }
            // n = 7, score = 200
            //   8dbdb8f5ffff         | lea                 edi, [ebp - 0xa48]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   b909000000           | mov                 ecx, 9
            //   be????????           | mov                 esi, imm32   (operand masked: source address)
            //   8dbd5cf4ffff         | lea                 edi, [ebp - 0xba4]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_2 = { c3 8d45c4 50 6a03 68???????? 8b0e 81c1d2000000 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   50                   | push                eax
            //   6a03                 | push                3
            //   68????????           | push                imm32        (operand masked)
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   81c1d2000000         | add                 ecx, 0xd2

        $sequence_3 = { 8b9534aeffff 52 8bcb e8???????? 85c0 7531 6aa7 }
            // n = 7, score = 200
            //   8b9534aeffff         | mov                 edx, dword ptr [ebp - 0x51cc]
            //   52                   | push                edx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           | call                rel32        (target masked)
            //   85c0                 | test                eax, eax
            //   7531                 | jne                 0x33
            //   6aa7                 | push                -0x59

        $sequence_4 = { 8b35???????? e9???????? 8b85c8adffff 898540a3ffff 50 e8???????? 8b85c0adffff }
            // n = 7, score = 200
            //   8b35????????         | mov                 esi, dword ptr [imm32]  (address masked)
            //   e9????????           | jmp                 rel32        (target masked)
            //   8b85c8adffff         | mov                 eax, dword ptr [ebp - 0x5238]
            //   898540a3ffff         | mov                 dword ptr [ebp - 0x5cc0], eax
            //   50                   | push                eax
            //   e8????????           | call                rel32        (target masked)
            //   8b85c0adffff         | mov                 eax, dword ptr [ebp - 0x5240]

        $sequence_5 = { 6a00 85f6 6a00 7567 }
            // n = 4, score = 200
            // Shortest and most generic of the ten (push 0 / test / push 0 / jne);
            // it carries little weight on its own and is only meaningful in
            // combination with the others under the 7-of-10 condition.
            //   6a00                 | push                0
            //   85f6                 | test                esi, esi
            //   6a00                 | push                0
            //   7567                 | jne                 0x69

        $sequence_6 = { 52 8b45d4 8b481c 51 e8???????? }
            // n = 5, score = 200
            //   52                   | push                edx
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   8b481c               | mov                 ecx, dword ptr [eax + 0x1c]
            //   51                   | push                ecx
            //   e8????????           | call                rel32        (target masked)

        $sequence_7 = { 52 8b35???????? ffd6 d1e0 898565a4ffff }
            // n = 5, score = 200
            //   52                   | push                edx
            //   8b35????????         | mov                 esi, dword ptr [imm32]  (address masked)
            //   ffd6                 | call                esi
            //   d1e0                 | shl                 eax, 1
            //   898565a4ffff         | mov                 dword ptr [ebp - 0x5b9b], eax

        $sequence_8 = { 52 68???????? 53 ffd5 83c410 6880000000 53 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   68????????           | push                imm32        (operand masked)
            //   53                   | push                ebx
            //   ffd5                 | call                ebp
            //   83c410               | add                 esp, 0x10
            //   6880000000           | push                0x80
            //   53                   | push                ebx

        $sequence_9 = { 33c0 8dbdf0efffff f3ab c685f0efffffd0 668b5304 52 e8???????? }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   8dbdf0efffff         | lea                 edi, [ebp - 0x1010]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   c685f0efffffd0       | mov                 byte ptr [ebp - 0x1010], 0xd0
            //   668b5304             | mov                 dx, word ptr [ebx + 4]
            //   52                   | push                edx
            //   e8????????           | call                rel32        (target masked)

    condition:
        // At least 7 of the 10 sequences in an input smaller than 320 KiB
        // (327680 bytes). YARA leaves `filesize` undefined when scanning
        // process memory, so do not expect this rule to fire on live
        // process scans; files — including memory dumps saved to disk — are
        // the intended target.
        7 of them and filesize < 327680
}
[TLP:WHITE] win_evilgrab_w0   (20170517 | Vidgrab code tricks)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_evilgrab_w0 {
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Three x86 code idioms observed in Vidgrab/EvilGrab. All three are raw
    // opcode patterns, so they only match where the code itself is visible
    // (unpacked samples, memory dumps); a packed dropper will not match.
    // There is no PE-header or filesize guard, so the rule can also be run
    // over process memory.
    strings:
        // mov eax, 2 ; dec eax ; dec eax ; mov edx, 2 ; xor edx, 2 ; div eax
        // Leaves eax = 0 and edx = 0 before "div eax": a deliberate
        // divide-by-zero. NOTE(review): presumably raises #DE for an
        // exception-handler based control-flow / anti-emulation trick; the
        // handler is not part of this pattern, so that intent is inferred.
        $div_by_zero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }

        // add eax, ecx ; xor byte ptr [eax], 66h|58h ; inc ecx
        // Looks like the body of a byte-wise XOR loop. Only the two observed
        // keys (0x66, 0x58) are accepted; a build with a different key misses.
        $xor_loop_body = { 03 C1 80 30 (66 | 58) 41 }

        // mov eax|ecx, dword ptr [r32 + disp8] ; (same again) ; add eax, [ebp+8] ;
        // push edx ; pop edx
        // The trailing push/pop pair is a no-op — junk code. The nibble and
        // byte wildcards leave the ModRM low nibble and the displacement open.
        $junk_push_pop = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }

    condition:
        // Every idiom must be present. Stricter than an "n of them" rule, and
        // correspondingly brittle against a recompiled or re-obfuscated build.
        $div_by_zero and $xor_loop_body and $junk_push_pop
}
[TLP:WHITE] win_evilgrab_w1   (20170517 | Vidgrab Identifying Strings)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_evilgrab_w1 {
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Plain-text artefacts seen in Vidgrab/EvilGrab binaries: a resource
    // name, several dropped-file names and what looks like a registry
    // subkey. Apart from the resource name these are short, generic Windows
    // filenames, so a three-string hit is a triage lead rather than a
    // conviction — corroborate with win_evilgrab_w0 or win_evilgrab_auto
    // before acting on it. Strings are matched as substrings (no fullword),
    // so "temp1.exe" also hits inside e.g. "mytemp1.exe".
    strings:
        // Only the resource name is also matched as UTF-16LE.
        $res_icon     = "IDI_ICON5" wide ascii
        $file_starter = "starter.exe" ascii
        $file_wmifw   = "wmifw.exe" ascii
        // YARA unescapes "\\" to a single backslash: the matched text is Software\rar.
        $reg_rar      = "Software\\rar" ascii
        $file_tmp092  = "tmp092.tmp" ascii
        $file_temp1   = "temp1.exe" ascii

    condition:
        // Any three of the six indicators.
        3 of ($res_icon, $file_starter, $file_wmifw, $reg_rar, $file_tmp092, $file_temp1)
}