SYMBOLCOMMON_NAMEaka. SYNONYMS
win.findpos (Back to overview)

FindPOS

aka: Poseidon
VTCollection    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20Cisco TalosAlain Zidouemba, Andrea Allievi, Angel Villegas, Ben Baker, Douglas Goddard, JJ Cummings, Nick Biasini, William Largent
Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19Palo Alto Networks Unit 42Josh Grunzweig
FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20260504 | Detects win.findpos.)
rule win_findpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85ff 747b 8bc7 3bfb 7d17 3bc3 737b }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   747b                 | je                  0x7d
            //   8bc7                 | mov                 eax, edi
            //   3bfb                 | cmp                 edi, ebx
            //   7d17                 | jge                 0x19
            //   3bc3                 | cmp                 eax, ebx
            //   737b                 | jae                 0x7d

        $sequence_1 = { ad 098525ae1eb2 a5 82b4b01d4b73d7c9 }
            // n = 4, score = 100
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   098525ae1eb2         | or                  dword ptr [ebp - 0x4de151db], eax
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   82b4b01d4b73d7c9     | xor                 byte ptr [eax + esi*4 - 0x288cb4e3], 0xc9

        $sequence_2 = { 895dfc e8???????? 837dec10 8d55d8 0f4355d8 33c9 e8???????? }
            // n = 7, score = 100
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   8d55d8               | lea                 edx, [ebp - 0x28]
            //   0f4355d8             | cmovae              edx, dword ptr [ebp - 0x28]
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_3 = { 8bc7 c1f805 8bf7 83e61f c1e606 033485a0ed4100 8975dc }
            // n = 7, score = 100
            //   8bc7                 | mov                 eax, edi
            //   c1f805               | sar                 eax, 5
            //   8bf7                 | mov                 esi, edi
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   033485a0ed4100       | add                 esi, dword ptr [eax*4 + 0x41eda0]
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi

        $sequence_4 = { 48 743f 48 0f8574fcffff 68???????? 8d8c24bc000000 e8???????? }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   743f                 | je                  0x41
            //   48                   | dec                 eax
            //   0f8574fcffff         | jne                 0xfffffc7a
            //   68????????           |                     
            //   8d8c24bc000000       | lea                 ecx, [esp + 0xbc]
            //   e8????????           |                     

        $sequence_5 = { 42 884dab 83f80b 0f877b020000 ff248547e64000 }
            // n = 5, score = 100
            //   42                   | inc                 edx
            //   884dab               | mov                 byte ptr [ebp - 0x55], cl
            //   83f80b               | cmp                 eax, 0xb
            //   0f877b020000         | ja                  0x281
            //   ff248547e64000       | jmp                 dword ptr [eax*4 + 0x40e647]

        $sequence_6 = { e8???????? 33f6 46 53 85c0 7409 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   53                   | push                ebx
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_7 = { 8bec 56 8b7508 833cf558b3410000 7513 56 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   833cf558b3410000     | cmp                 dword ptr [esi*8 + 0x41b358], 0
            //   7513                 | jne                 0x15
            //   56                   | push                esi

        $sequence_8 = { 7411 8b45e8 53 8b4808 51 80790d00 7495 }
            // n = 7, score = 100
            //   7411                 | je                  0x13
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   53                   | push                ebx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   51                   | push                ecx
            //   80790d00             | cmp                 byte ptr [ecx + 0xd], 0
            //   7495                 | je                  0xffffff97

        $sequence_9 = { 6a18 b8???????? e8???????? 8b5d14 }
            // n = 4, score = 100
            //   6a18                 | push                0x18
            //   b8????????           |                     
            //   e8????????           |                     
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules