win.farseer

Farseer


No description has been written for this family yet. The references below are the primary sources: Unit 42 first documented Farseer in February 2019, and the later PKPLUG reports tag it alongside HenBox, PlugX and Poison Ivy.

References
2020-03-02Virus BulletinAlex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2019-10-03Palo Alto Networks Unit 42Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX
2019-02-26Palo Alto Networks Unit 42Alex Hinchliffe, Mike Harbison
@online{hinchliffe:20190226:farseer:62554e3, author = {Alex Hinchliffe and Mike Harbison}, title = {{Farseer: Previously Unknown Malware Family bolsters the Chinese armoury}}, date = {2019-02-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/}, language = {English}, urldate = {2020-01-08} } Farseer: Previously Unknown Malware Family bolsters the Chinese armoury
Farseer
Yara Rules
[TLP:WHITE] win_farseer_auto (20220808 | Detects win.farseer.)
rule win_farseer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.farseer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (added for deployment; not part of the generated rule):
     * - Each $sequence_N is a short run of 32-bit x86 instruction bytes lifted
     *   from one unpacked sample. The "????" bytes are wildcards standing in
     *   for the operands of calls, pushes and absolute memory references (those
     *   lines carry no disassembly below), so those sequences are tolerant of
     *   relocation and of the referenced data moving.
     * - $sequence_8 contains no wildcards and embeds the literal addresses
     *   0x424694 / 0x424690. It presumably only matches an image loaded at that
     *   base with the same data layout; treat it as build-specific and do not
     *   rely on it alone.
     * - Because the patterns come from unpacked code and memory dumps, expect
     *   the rule to fire on unpacked files or dumps rather than on a packed
     *   on-disk dropper.
     * - `filesize` is undefined when YARA scans process memory instead of a
     *   file, and an undefined operand causes the condition to evaluate to
     *   false, so the `filesize < 347328` clause effectively restricts this
     *   rule to file and dump scans. Confirm against the YARA version in use
     *   before relying on it for live-memory detection.
     */


    strings:
        // Byte-wise scan of a buffer on the stack, testing each byte against
        // 0x22 ('"'); bounded by the counter at [esp+0x70].
        $sequence_0 = { 395c2470 7304 8d4c245c 803c3122 7541 }
            // n = 5, score = 100
            //   395c2470             | cmp                 dword ptr [esp + 0x70], ebx
            //   7304                 | jae                 6
            //   8d4c245c             | lea                 ecx, [esp + 0x5c]
            //   803c3122             | cmp                 byte ptr [ecx + esi], 0x22
            //   7541                 | jne                 0x43

        // Call with a stack buffer argument followed by stack cleanup of 0x18
        // bytes; the pushed immediate and call target are wildcarded.
        $sequence_1 = { 8d942428020000 68???????? 52 e8???????? 83c418 53 6880000000 }
            // n = 7, score = 100
            //   8d942428020000       | lea                 edx, [esp + 0x228]
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   53                   | push                ebx
            //   6880000000           | push                0x80

        // Pushes a length (esi - edi) and a pointer (edi + ebp) as arguments.
        $sequence_2 = { 8bd6 2bd7 52 8d042f 50 }
            // n = 5, score = 100
            //   8bd6                 | mov                 edx, esi
            //   2bd7                 | sub                 edx, edi
            //   52                   | push                edx
            //   8d042f               | lea                 eax, [edi + ebp]
            //   50                   | push                eax

        // Initialises an object at esi: dword [esi+0x18] = 0xf, dword
        // [esi+0x14] = ebx, byte [esi+4] = bl, then passes esi in ecx.
        $sequence_3 = { 8d542418 c746180f000000 895e14 52 8bce 885e04 }
            // n = 6, score = 100
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   c746180f000000       | mov                 dword ptr [esi + 0x18], 0xf
            //   895e14               | mov                 dword ptr [esi + 0x14], ebx
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   885e04               | mov                 byte ptr [esi + 4], bl

        // Function prologue (sub esp, 8 / push esi) with an arithmetic compare
        // against 2; no wildcards, position-independent.
        $sequence_4 = { 83ec08 c1e81f 56 03c2 33f6 83f802 7636 }
            // n = 7, score = 100
            //   83ec08               | sub                 esp, 8
            //   c1e81f               | shr                 eax, 0x1f
            //   56                   | push                esi
            //   03c2                 | add                 eax, edx
            //   33f6                 | xor                 esi, esi
            //   83f802               | cmp                 eax, 2
            //   7636                 | jbe                 0x38

        // Zeroes ebx, stores it into a large stack frame, loads esi = 0xf and
        // pushes -1, ebx and a stack buffer as arguments.
        $sequence_5 = { 33db 6aff 899c2498000000 53 8d8424a4000000 be0f000000 50 }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   6aff                 | push                -1
            //   899c2498000000       | mov                 dword ptr [esp + 0x98], ebx
            //   53                   | push                ebx
            //   8d8424a4000000       | lea                 eax, [esp + 0xa4]
            //   be0f000000           | mov                 esi, 0xf
            //   50                   | push                eax

        // Store of ebx to a wildcarded global, conditional skip, then a call
        // whose boolean result (al) is tested; all addresses wildcarded.
        $sequence_6 = { 891d???????? 7426 bf???????? e8???????? 84c0 }
            // n = 5, score = 100
            //   891d????????         |                     
            //   7426                 | je                  0x28
            //   bf????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        // Compares dword [edi+0x18] against 0x10 and takes the address edi+4;
        // consistent with the 0xf/0x10 capacity constants seen in $sequence_3
        // and $sequence_5, but that interpretation is not established here.
        $sequence_7 = { 885c242c 899c2450020000 837f1810 8d4704 }
            // n = 4, score = 100
            //   885c242c             | mov                 byte ptr [esp + 0x2c], bl
            //   899c2450020000       | mov                 dword ptr [esp + 0x250], ebx
            //   837f1810             | cmp                 dword ptr [edi + 0x18], 0x10
            //   8d4704               | lea                 eax, [edi + 4]

        // NOTE(review): hard-coded absolute addresses 0x424694 / 0x424690 in a
        // table indexed by esi*8; this sequence is tied to one image base and
        // layout and is the least portable pattern in the rule.
        $sequence_8 = { 833cf59446420001 751e 8d04f590464200 8938 68a00f0000 ff30 }
            // n = 6, score = 100
            //   833cf59446420001     | cmp                 dword ptr [esi*8 + 0x424694], 1
            //   751e                 | jne                 0x20
            //   8d04f590464200       | lea                 eax, [esi*8 + 0x424690]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0
            //   ff30                 | push                dword ptr [eax]

        // Short argument-setup sequence; only 4 bytes are fixed, so it is
        // weak on its own and contributes mainly to the "7 of them" count.
        $sequence_9 = { 52 50 8d4c244c 68???????? }
            // n = 4, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d4c244c             | lea                 ecx, [esp + 0x4c]
            //   68????????           |                     

    condition:
        // 7 of the 10 sequences must be present; the size cap is derived from
        // the single documented sample and excludes process-memory scans
        // (see reviewer notes above).
        7 of them and filesize < 347328
}