win.gopuram

Gopuram

Actor(s): Lazarus Group


There is no description at this point.

References
2023-04-03Kaspersky LabsGeorgy Kucherin
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
Gopuram
2023-04-03Twitter (@kucher1n)Georgy Kucherin
Tweet on an alternative Guporam sample
Gopuram
Yara Rules
[TLP:WHITE] win_gopuram_auto (20230808 | Detects win.gopuram.)
// Autogenerated YARA-Signator rule for the Gopuram backdoor (Malpedia id
// win.gopuram). It matches when 7 of the 10 opcode byte sequences below are
// present and the scanned file is under the size bound in the condition.
// Provenance (generator, dates, Malpedia reference and licence) is in meta;
// the DISCLAIMER explains how the sequences were selected.
rule win_gopuram_auto {

    // Provenance and licensing fields as published by Malpedia / yara-signator.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gopuram."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw x86-64 opcode bytes taken from the
        // sample's code. The "??" bytes are wildcards that mask address-dependent
        // operands (rel32 call/jmp targets, RIP-relative displacements) so the
        // pattern still matches when the code is relocated or rebuilt.
        // NOTE(review): the per-byte disassembly annotations below appear not to
        // line up with the hex on the same line (e.g. 48894308 is annotated as
        // "lea esi, [0x5c762]"); treat them as informational only. The hex bytes
        // are the authoritative match data — presumably a rendering artefact of
        // the generator, confirm against the upstream yara-signator output.
        $sequence_0 = { e8???????? 48894308 4885c0 7412 418d562f 488bc8 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48894308             | lea                 esi, [0x5c762]
            //   4885c0               | jmp                 0x822
            //   7412                 | inc                 ecx
            //   418d562f             | mov                 edi, 1
            //   488bc8               | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 448bfb 48895dc7 8bcb 48895d9f 48895db7 48895d97 48895da7 }
            // n = 7, score = 100
            //   448bfb               | lea                 ecx, [ebp + 0x48]
            //   48895dc7             | dec                 eax
            //   8bcb                 | mov                 dword ptr [esp + 0x48], esi
            //   48895d9f             | dec                 eax
            //   48895db7             | mov                 dword ptr [esp + 0x50], edi
            //   48895d97             | call                dword ptr [eax + 0xc0]
            //   48895da7             | dec                 eax

        $sequence_2 = { 8bc1 83e010 c1e804 898508010000 f6c104 7507 f6c108 }
            // n = 7, score = 100
            //   8bc1                 | mov                 eax, dword ptr [esp + 0x30]
            //   83e010               | xor                 edx, edx
            //   c1e804               | xor                 ecx, ecx
            //   898508010000         | mov                 dword ptr [esp + 0x28], 1
            //   f6c104               | dec                 eax
            //   7507                 | mov                 dword ptr [esp + 0x20], ebx
            //   f6c108               | inc                 ebp

        $sequence_3 = { e8???????? eb21 c7442420210e0480 41b99e100000 4c8d05938b0600 8bd7 488bce }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb21                 | jb                  0x1622
            //   c7442420210e0480     | dec                 eax
            //   41b99e100000         | mov                 eax, dword ptr [ecx]
            //   4c8d05938b0600       | call                dword ptr [eax + 0xf8]
            //   8bd7                 | call                dword ptr [eax + 0xf8]
            //   488bce               | cmp                 eax, 4

        $sequence_4 = { ff05???????? b801000000 4883c428 c3 ff0d???????? 751a 488b0d???????? }
            // n = 7, score = 100
            //   ff05????????         |                     
            //   b801000000           | lea                 ecx, [esp + 0x58]
            //   4883c428             | dec                 esp
            //   c3                   | lea                 eax, [esp + 0x50]
            //   ff0d????????         |                     
            //   751a                 | dec                 eax
            //   488b0d????????       |                     

        $sequence_5 = { e9???????? 488b0d???????? 488b01 ff90f8000000 83f805 0f84e1fdffff 488b0d???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b0d????????       |                     
            //   488b01               | mov                 ecx, esi
            //   ff90f8000000         | mov                 edx, 4
            //   83f805               | call                dword ptr [eax + 0xf8]
            //   0f84e1fdffff         | test                eax, eax
            //   488b0d????????       |                     

        $sequence_6 = { 66094354 8b8597000000 83c0fc 83f801 0f8755010000 488b742448 418bf9 }
            // n = 7, score = 100
            //   66094354             | jne                 0x1c4
            //   8b8597000000         | dec                 eax
            //   83c0fc               | add                 ecx, ebx
            //   83f801               | dec                 eax
            //   0f8755010000         | lea                 ecx, [ecx*2 + 0x4c]
            //   488b742448           | dec                 eax
            //   418bf9               | mov                 edi, eax

        $sequence_7 = { 89543104 488d051c8b0300 48898698040000 4889aea0040000 4889aea8040000 4889aeb0040000 488d8eb8040000 }
            // n = 7, score = 100
            //   89543104             | mov                 ecx, edi
            //   488d051c8b0300       | dec                 eax
            //   48898698040000       | test                eax, eax
            //   4889aea0040000       | mov                 ebx, 0x85
            //   4889aea8040000       | dec                 eax
            //   4889aeb0040000       | lea                 edx, [0x42a4e]
            //   488d8eb8040000       | dec                 eax

        $sequence_8 = { 890d???????? c705????????09000380 8bcf 488d05ce350900 6690 3b70fc 7508 }
            // n = 7, score = 100
            //   890d????????         |                     
            //   c705????????09000380     |     
            //   8bcf                 | inc                 ecx
            //   488d05ce350900       | mov                 ecx, 0x458
            //   6690                 | mov                 edx, 4
            //   3b70fc               | dec                 ecx
            //   7508                 | mov                 ecx, esi

        $sequence_9 = { bf01000000 e9???????? 488b0d???????? 488b01 ff90f8000000 83f805 7463 }
            // n = 7, score = 100
            //   bf01000000           | je                  0xd48
            //   e9????????           |                     
            //   488b0d????????       |                     
            //   488b01               | mov                 ecx, 6
            //   ff90f8000000         | dec                 esp
            //   83f805               | mov                 esi, eax
            //   7463                 | dec                 eax

    condition:
        // 7 of the 10 sequences must hit, so a few sequences may be absent or
        // altered in a new build without losing the match. The size bound
        // (1591296 bytes, just over 1.5 MiB) presumably limits false positives
        // on large binaries that happen to share common compiler idioms.
        // NOTE(review): filesize is defined for on-disk scans; confirm the
        // intended behaviour when this rule is run against memory dumps, which
        // the DISCLAIMER names as one source of these strings.
        7 of them and filesize < 1591296
}