win.expiro

Expiro

aka: Xpiro

Expiro malware has been around for more than a decade, and its authors still maintain it and extend it with new features. The infection routine was also changed in samples found in 2017 (described by McAfee).
Expiro "infiltrates" executables on 32- and 64-bit Windows versions.
It can install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).
An EPO file infector source code called m0yv, first described in 2022, is wrongly identified as Expiro by some AVs.

References
2023-08-30 - Medium (walmartglobaltech) - Jason Reaves: "Gazavat / Expiro DMSniff connection and DGA analysis" (families: DMSniff, Expiro)
2023-03-31 - YouTube (ThreatCatch) - ThreatCat.ch: "Sinkholing the Domain Generation Algorithm of m0yv" (families: Expiro, m0yv)
2019-10-09 - GitHub (GiacomoFerro) - Francesco Gobbi, Giacomo Ferro, Riccardo Astolfi: "Corso di Codice Malevolo: Relazione sull'analisi del malware sample2.exe" (families: Expiro)
2017-10-31 - McAfee - Xiaobing Lin: "Expiro Malware Is Back and Even Harder to Remove" (families: Expiro)
2013-07-30 - ESET Research - welivesecurity: "Versatile and infectious: Win64/Expiro is a cross-platform file infector" (families: Expiro)
2011-05-19 - Microsoft - Microsoft Security Intelligence: "Win32/Expiro" (families: Expiro)
Yara Rules
[TLP:WHITE] win_expiro_auto (20230808 | Detects win.expiro.)
rule win_expiro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.expiro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 6689147e 3bcd 5f 1bc0 5e }
            // n = 6, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   6689147e             | mov                 word ptr [esi + edi*2], dx
            //   3bcd                 | cmp                 ecx, ebp
            //   5f                   | pop                 edi
            //   1bc0                 | sbb                 eax, eax
            //   5e                   | pop                 esi

        $sequence_1 = { 52 e8???????? 83c404 33c0 668944244c 6a04 897c2464 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   668944244c           | mov                 word ptr [esp + 0x4c], ax
            //   6a04                 | push                4
            //   897c2464             | mov                 dword ptr [esp + 0x64], edi

        $sequence_2 = { 0f848f000000 803d????????00 0f8582000000 803d????????00 7579 8d8c24cc010000 }
            // n = 6, score = 100
            //   0f848f000000         | je                  0x95
            //   803d????????00       |                     
            //   0f8582000000         | jne                 0x88
            //   803d????????00       |                     
            //   7579                 | jne                 0x7b
            //   8d8c24cc010000       | lea                 ecx, [esp + 0x1cc]

        $sequence_3 = { 8b4d00 eb02 8bcd 8d3441 0fb703 }
            // n = 5, score = 100
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   eb02                 | jmp                 4
            //   8bcd                 | mov                 ecx, ebp
            //   8d3441               | lea                 esi, [ecx + eax*2]
            //   0fb703               | movzx               eax, word ptr [ebx]

        $sequence_4 = { b8???????? 8d4c2414 e8???????? 8d442414 50 8d4c2434 51 }
            // n = 7, score = 100
            //   b8????????           |                     
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   e8????????           |                     
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   50                   | push                eax
            //   8d4c2434             | lea                 ecx, [esp + 0x34]
            //   51                   | push                ecx

        $sequence_5 = { 7373 7373 7353 7373 13ea 02abd9737373 }
            // n = 6, score = 100
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   7353                 | jae                 0x55
            //   7373                 | jae                 0x75
            //   13ea                 | adc                 ebp, edx
            //   02abd9737373         | add                 ch, byte ptr [ebx + 0x737373d9]

        $sequence_6 = { bf5c000000 52 55 8d5fa5 33c0 897c241c }
            // n = 6, score = 100
            //   bf5c000000           | mov                 edi, 0x5c
            //   52                   | push                edx
            //   55                   | push                ebp
            //   8d5fa5               | lea                 ebx, [edi - 0x5b]
            //   33c0                 | xor                 eax, eax
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi

        $sequence_7 = { 0fb74208 f6c303 7409 8d04c5c6234100 eb23 f6c30c }
            // n = 6, score = 100
            //   0fb74208             | movzx               eax, word ptr [edx + 8]
            //   f6c303               | test                bl, 3
            //   7409                 | je                  0xb
            //   8d04c5c6234100       | lea                 eax, [eax*8 + 0x4123c6]
            //   eb23                 | jmp                 0x25
            //   f6c30c               | test                bl, 0xc

        $sequence_8 = { 31733e 45 cf 7160 7373 7308 7373 }
            // n = 7, score = 100
            //   31733e               | xor                 dword ptr [ebx + 0x3e], esi
            //   45                   | inc                 ebp
            //   cf                   | iretd               
            //   7160                 | jno                 0x62
            //   7373                 | jae                 0x75
            //   7308                 | jae                 0xa
            //   7373                 | jae                 0x75

        $sequence_9 = { 7373 7377 7373 7373 7373 7373 93 }
            // n = 7, score = 100
            //   7373                 | jae                 0x75
            //   7377                 | jae                 0x79
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   93                   | xchg                eax, ebx

    condition:
        7 of them and filesize < 3776512
}
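As an added illustration that is not part of the Malpedia page or of yara-signator, the Python below re-implements just enough of YARA's hex-string matching (full-byte "??" wildcards, which is all this rule uses) to evaluate the win_expiro_auto strings and its "7 of them and filesize < 3776512" condition against a constructed buffer. The buffer is built from the rule's own sequences with wildcard nibbles set to zero; it is test data, not an Expiro sample.

```python
import re

# Hex strings copied from the win_expiro_auto rule above; "??" is a YARA wildcard byte.
EXPIRO_SEQUENCES = {
    "sequence_0": "33c9 6689147e 3bcd 5f 1bc0 5e",
    "sequence_1": "52 e8???????? 83c404 33c0 668944244c 6a04 897c2464",
    "sequence_2": "0f848f000000 803d????????00 0f8582000000 803d????????00 7579 8d8c24cc010000",
    "sequence_3": "8b4d00 eb02 8bcd 8d3441 0fb703",
    "sequence_4": "b8???????? 8d4c2414 e8???????? 8d442414 50 8d4c2434 51",
    "sequence_5": "7373 7373 7353 7373 13ea 02abd9737373",
    "sequence_6": "bf5c000000 52 55 8d5fa5 33c0 897c241c",
    "sequence_7": "0fb74208 f6c303 7409 8d04c5c6234100 eb23 f6c30c",
    "sequence_8": "31733e 45 cf 7160 7373 7308 7373",
    "sequence_9": "7373 7377 7373 7373 7373 7373 93",
}
MAX_FILESIZE = 3776512   # the rule's "filesize < 3776512"
MIN_MATCHES = 7          # the rule's "7 of them"

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string into a compiled bytes regex ("??" -> any single byte)."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern must have an even number of nibbles")
    pieces = []
    for i in range(0, len(digits), 2):
        byte = digits[i:i + 2]
        if byte == "??":
            pieces.append(b".")
        elif "?" in byte:
            raise ValueError("nibble-level wildcards are not handled in this example")
        else:
            pieces.append(re.escape(bytes([int(byte, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)

PATTERNS = {name: hex_pattern_to_regex(hx) for name, hx in EXPIRO_SEQUENCES.items()}

def matching_sequences(data: bytes) -> list:
    """Names of the rule's strings that occur at least once in data."""
    return [name for name, rx in PATTERNS.items() if rx.search(data)]

def expiro_rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: 7 of them and filesize < 3776512."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES

def build_sample(names, gap: bytes = b"\x90" * 8) -> bytes:
    """Constructed test buffer: the chosen sequences (wildcard nibbles set to 0) with NOP padding."""
    chunks = [bytes.fromhex(EXPIRO_SEQUENCES[n].replace(" ", "").replace("?", "0")) for n in names]
    return gap + gap.join(chunks) + gap
```

For production scanning use YARA itself (this matcher ignores jumps, nibble wildcards and string modifiers); the point here is to make the rule's threshold and size cap explicit and testable.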