Gopuram (Malware Family)

Gopuram

There is no description at this point.
References

2023-04-03 ⋅ Kaspersky Labs ⋅ Georgy Kucherin
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
Gopuram
2023-04-03 ⋅ Twitter (@kucher1n) ⋅ Georgy Kucherin
Tweet on an alternative Guporam sample
Gopuram
Yara Rules

[TLP:WHITE] win_gopuram_auto (20230715 | Detects win.gopuram.)
rule win_gopuram_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.gopuram."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7405 83f81a 7518 66837b400d 7511 488b0f }
            // n = 7, score = 100
            //   85c0                 | xor                 eax, eax
            //   7405                 | dec                 esp
            //   83f81a               | mov                 edi, dword ptr [esp + 0x20]
            //   7518                 | dec                 esp
            //   66837b400d           | mov                 esp, dword ptr [esp + 0x30]
            //   7511                 | dec                 eax
            //   488b0f               | mov                 edi, dword ptr [esp + 0x60]

        $sequence_1 = { ff15???????? 488d4c2438 ff15???????? 33ff 4885db 400f95c7 85ff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d4c2438           | mov                 edx, edi
            //   ff15????????         |                     
            //   33ff                 | dec                 eax
            //   4885db               | mov                 ecx, esi
            //   400f95c7             | mov                 edx, ebx
            //   85ff                 | dec                 eax

        $sequence_2 = { 89442478 4c8db3f8000000 498bce 498b16 ff5248 488bf0 4889842488000000 }
            // n = 7, score = 100
            //   89442478             | call                dword ptr [eax + 0x28]
            //   4c8db3f8000000       | dec                 eax
            //   498bce               | mov                 ecx, dword ptr [esp + 0x30]
            //   498b16               | dec                 eax
            //   ff5248               | lea                 edx, [ebx + 0x40]
            //   488bf0               | dec                 eax
            //   4889842488000000     | mov                 eax, dword ptr [ecx]

        $sequence_3 = { eb0e 490fbfc0 488945b0 498bc9 482bc8 b880000000 66443bd0 }
            // n = 7, score = 100
            //   eb0e                 | je                  0x32b
            //   490fbfc0             | inc                 ecx
            //   488945b0             | test                bh, cl
            //   498bc9               | jne                 0x307
            //   482bc8               | inc                 ecx
            //   b880000000           | or                  ecx, edi
            //   66443bd0             | dec                 esp

        $sequence_4 = { ffc0 4183c9ff 4c8bc3 89442428 48894c2420 33c9 33d2 }
            // n = 7, score = 100
            //   ffc0                 | mov                 edx, esi
            //   4183c9ff             | dec                 ebp
            //   4c8bc3               | mov                 eax, ebp
            //   89442428             | dec                 eax
            //   48894c2420           | lea                 ecx, [ebp - 0x50]
            //   33c9                 | mov                 edi, eax
            //   33d2                 | dec                 eax

        $sequence_5 = { 833d????????00 743b 48ffc1 66833c4800 75f6 488bc3 4c8b75f0 }
            // n = 7, score = 100
            //   833d????????00       |                     
            //   743b                 | dec                 eax
            //   48ffc1               | add                 eax, 8
            //   66833c4800           | dec                 eax
            //   75f6                 | lea                 eax, [0x784b6]
            //   488bc3               | cmp                 edi, dword ptr [eax - 4]
            //   4c8b75f0             | jne                 0xe14

        $sequence_6 = { b801000000 e9???????? 488b4118 4885c0 0f8466010000 4c8b4218 4d85c0 }
            // n = 7, score = 100
            //   b801000000           | call                dword ptr [edx + 0x180]
            //   e9????????           |                     
            //   488b4118             | dec                 ecx
            //   4885c0               | mov                 ecx, esp
            //   0f8466010000         | mov                 dword ptr [esp + 0x20], esi
            //   4c8b4218             | call                dword ptr [eax + 0x208]
            //   4d85c0               | mov                 edi, esi

        $sequence_7 = { 488b4d80 8b55a8 4c03eb 493bd7 7302 ffc2 8bc2 }
            // n = 7, score = 100
            //   488b4d80             | mov                 ecx, dword ptr [ebp + 0x108]
            //   8b55a8               | dec                 eax
            //   4c03eb               | mov                 edi, eax
            //   493bd7               | dec                 eax
            //   7302                 | add                 ecx, ebx
            //   ffc2                 | dec                 eax
            //   8bc2                 | lea                 ecx, [ecx*2 + 0x32]

        $sequence_8 = { e8???????? 8bf8 893d???????? 85ff 0f84a8feffff 498b8d98000000 4c8d4c2470 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 ecx, ebx
            //   893d????????         |                     
            //   85ff                 | inc                 ecx
            //   0f84a8feffff         | call                dword ptr [eax + 0x10]
            //   498b8d98000000       | dec                 eax
            //   4c8d4c2470           | cmp                 dword ptr [esp + 0x30], 0

        $sequence_9 = { 0f8586040000 0f1005???????? 0f29442450 bf02000000 448bcf 4c8b05???????? 488d542450 }
            // n = 7, score = 100
            //   0f8586040000         | dec                 eax
            //   0f1005????????       |                     
            //   0f29442450           | mov                 edx, eax
            //   bf02000000           | dec                 esp
            //   448bcf               | mov                 eax, eax
            //   4c8b05????????       |                     
            //   488d542450           | dec                 eax

    condition:
        7 of them and filesize < 1591296
}
Download all Yara Rules
Gopuram Propose Change

References

Yara Rules

Gopuram
