SYMBOLCOMMON_NAMEaka. SYNONYMS
win.holerun (Back to overview)

HOLERUN


There is no description at this point.

References
2023-03-23MandiantRyan Tomcik, Rufus Brown, Josh Fleischer
@online{tomcik:20230323:unc961:68bbb35, author = {Ryan Tomcik and Rufus Brown and Josh Fleischer}, title = {{UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor}}, date = {2023-03-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated}, language = {English}, urldate = {2023-04-25} } UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor
HOLERUN LIGHTBUNNY
Yara Rules
[TLP:WHITE] win_holerun_auto (20230715 | Detects win.holerun.)
rule win_holerun_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.holerun."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488945f8 48837de007 0f8eba020000 48837de00b }
            // n = 4, score = 100
            //   488945f8             | mov                 eax, dword ptr [ebp - 8]
            //   48837de007           | dec                 eax
            //   0f8eba020000         | add                 eax, 0x60
            //   48837de00b           | dec                 eax

        $sequence_1 = { 4883ec40 48894d10 488d053d780000 488b00 4889c1 e8???????? 488945f0 }
            // n = 7, score = 100
            //   4883ec40             | mov                 eax, dword ptr [ebp - 0x10]
            //   48894d10             | dec                 eax
            //   488d053d780000       | cmp                 eax, -1
            //   488b00               | jne                 0x777
            //   4889c1               | dec                 eax
            //   e8????????           |                     
            //   488945f0             | mov                 dword ptr [ebp - 0x10], eax

        $sequence_2 = { c70001000000 e8???????? e8???????? 8945fc 90 90 }
            // n = 6, score = 100
            //   c70001000000         | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8945fc               | mov                 edi, edx
            //   90                   | pop                 esi
            //   90                   | pop                 edi

        $sequence_3 = { 488b45f8 4889c1 e8???????? 85c0 7507 b800000000 eb22 }
            // n = 7, score = 100
            //   488b45f8             | mov                 eax, dword ptr [eax + 0x10]
            //   4889c1               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | cmp                 eax, -1
            //   7507                 | jne                 0x75d
            //   b800000000           | dec                 eax
            //   eb22                 | mov                 edx, eax

        $sequence_4 = { e8???????? 8b05???????? 4881c4e0000000 5d c3 55 4889e5 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b05????????         |                     
            //   4881c4e0000000       | cmp                 dword ptr [ebp - 0xc], 0
            //   5d                   | jne                 0x77
            //   c3                   | jmp                 0xb7
            //   55                   | dec                 eax
            //   4889e5               | add                 dword ptr [ebp - 8], 1

        $sequence_5 = { 488955e8 8b45e0 83c001 4898 48c1e003 4889c1 }
            // n = 6, score = 100
            //   488955e8             | jmp                 0x2c9
            //   8b45e0               | mov                 eax, 1
            //   83c001               | dec                 eax
            //   4898                 | add                 esp, 0x40
            //   48c1e003             | pop                 ebp
            //   4889c1               | mov                 eax, 0

        $sequence_6 = { 48894d10 488b4510 488905???????? 488b4d10 e8???????? }
            // n = 5, score = 100
            //   48894d10             | dec                 eax
            //   488b4510             | mov                 eax, dword ptr [ebp + 0x10]
            //   488905????????       |                     
            //   488b4d10             | mov                 dword ptr [eax + 0x34], edx
            //   e8????????           |                     

        $sequence_7 = { 4801d0 0fb600 8845e3 807de300 7419 807de320 }
            // n = 6, score = 100
            //   4801d0               | arpl                ax, dx
            //   0fb600               | dec                 eax
            //   8845e3               | mov                 eax, dword ptr [ebp - 0x10]
            //   807de300             | jne                 0x626
            //   7419                 | dec                 eax
            //   807de320             | mov                 eax, dword ptr [ebp + 0xe0]

        $sequence_8 = { 4889e5 4883ec20 488b05???????? c70001000000 }
            // n = 4, score = 100
            //   4889e5               | dec                 eax
            //   4883ec20             | mov                 dword ptr [ebp - 0x18], eax
            //   488b05????????       |                     
            //   c70001000000         | dec                 eax

        $sequence_9 = { 7437 83f840 744a eb5f 488b45e0 488d55d0 }
            // n = 6, score = 100
            //   7437                 | dec                 eax
            //   83f840               | mov                 dword ptr [ebp - 0x18], eax
            //   744a                 | dec                 eax
            //   eb5f                 | mov                 eax, dword ptr [ebp - 0x18]
            //   488b45e0             | movzx               eax, word ptr [eax]
            //   488d55d0             | cmp                 ax, 0x20b

    condition:
        7 of them and filesize < 156672
}
Download all Yara Rules