SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gcman (Back to overview)

gcman

VTCollection    

There is no description at this point.

References
2016-02-08Kaspersky LabsComputer Incidents Investigation Department, GReAT
APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks
gcman GCMAN
Yara Rules
[TLP:WHITE] win_gcman_auto (20230808 | Detects win.gcman.)
rule win_gcman_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gcman."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a1???????? 8944240c c7442408???????? 8b85d0ebffff }
            // n = 4, score = 100
            //   a1????????           |                     
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c7442408????????     |                     
            //   8b85d0ebffff         | mov                 eax, dword ptr [ebp - 0x1430]

        $sequence_1 = { 0375e0 01f1 81e959dc6b54 c1c10f 01d9 89c6 }
            // n = 6, score = 100
            //   0375e0               | add                 esi, dword ptr [ebp - 0x20]
            //   01f1                 | add                 ecx, esi
            //   81e959dc6b54         | sub                 ecx, 0x546bdc59
            //   c1c10f               | rol                 ecx, 0xf
            //   01d9                 | add                 ecx, ebx
            //   89c6                 | mov                 esi, eax

        $sequence_2 = { 89442408 c7442404???????? 8d8528eaffff 890424 e8???????? }
            // n = 5, score = 100
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   c7442404????????     |                     
            //   8d8528eaffff         | lea                 eax, [ebp - 0x15d8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_3 = { 8944240c c7442408???????? 89542404 8b45f4 890424 }
            // n = 5, score = 100
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c7442408????????     |                     
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_4 = { c705????????00000000 c705????????00000000 e8???????? 85c0 7439 8d859ceaffff 89442410 }
            // n = 7, score = 100
            //   c705????????00000000     |     
            //   c705????????00000000     |     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b
            //   8d859ceaffff         | lea                 eax, [ebp - 0x1564]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_5 = { c745c400000000 e9???????? c744241c00000000 c744241800000000 c744241403000000 c744241000000000 }
            // n = 6, score = 100
            //   c745c400000000       | mov                 dword ptr [ebp - 0x3c], 0
            //   e9????????           |                     
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   c744241403000000     | mov                 dword ptr [esp + 0x14], 3
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0

        $sequence_6 = { 83bdd4ebffff00 750c c7042401000000 e8???????? }
            // n = 4, score = 100
            //   83bdd4ebffff00       | cmp                 dword ptr [ebp - 0x142c], 0
            //   750c                 | jne                 0xe
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     

        $sequence_7 = { 8b8558efffff 890424 e8???????? 83ec08 81bde8efffff03010000 7405 }
            // n = 6, score = 100
            //   8b8558efffff         | mov                 eax, dword ptr [ebp - 0x10a8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   81bde8efffff03010000     | cmp    dword ptr [ebp - 0x1018], 0x103
            //   7405                 | je                  7

        $sequence_8 = { 89c6 31d6 31ce 0375d8 01f3 81eb1b662419 c1c30b }
            // n = 7, score = 100
            //   89c6                 | mov                 esi, eax
            //   31d6                 | xor                 esi, edx
            //   31ce                 | xor                 esi, ecx
            //   0375d8               | add                 esi, dword ptr [ebp - 0x28]
            //   01f3                 | add                 ebx, esi
            //   81eb1b662419         | sub                 ebx, 0x1924661b
            //   c1c30b               | rol                 ebx, 0xb

        $sequence_9 = { 40 890424 e8???????? 8945fc 8b45fc 89442408 8b450c }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 81920
}
Download all Yara Rules