SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kasperagent (Back to overview)

KasperAgent

VTCollection    

There is no description at this point.

References
2017-06-14ThreatConnectThreatConnect Research Team
Phantom of the Opaera: New KASPERAGENT Malware Campaign
KasperAgent AridViper
2017-04-05Palo Alto Networks Unit 42Tom Lancaster, Tomer Bar
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
KasperAgent Micropsia
Yara Rules
[TLP:WHITE] win_kasperagent_auto (20230808 | Detects win.kasperagent.)
rule win_kasperagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.kasperagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 84c0 741e 8bd6 57 52 e8???????? }
            // n = 6, score = 200
            //   84c0                 | test                al, al
            //   741e                 | je                  0x20
            //   8bd6                 | mov                 edx, esi
            //   57                   | push                edi
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_1 = { ffb4b5b4fdffff 8b95ccfdffff 8b8dd8fdffff e8???????? 59 3bc3 }
            // n = 6, score = 200
            //   ffb4b5b4fdffff       | push                dword ptr [ebp + esi*4 - 0x24c]
            //   8b95ccfdffff         | mov                 edx, dword ptr [ebp - 0x234]
            //   8b8dd8fdffff         | mov                 ecx, dword ptr [ebp - 0x228]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3bc3                 | cmp                 eax, ebx

        $sequence_2 = { 83c404 8bd8 83caff f00fc117 }
            // n = 4, score = 200
            //   83c404               | add                 esp, 4
            //   8bd8                 | mov                 ebx, eax
            //   83caff               | or                  edx, 0xffffffff
            //   f00fc117             | lock xadd           dword ptr [edi], edx

        $sequence_3 = { 33c9 894c2430 894c2434 894c2438 894c243c 85c0 7463 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx
            //   894c2434             | mov                 dword ptr [esp + 0x34], ecx
            //   894c2438             | mov                 dword ptr [esp + 0x38], ecx
            //   894c243c             | mov                 dword ptr [esp + 0x3c], ecx
            //   85c0                 | test                eax, eax
            //   7463                 | je                  0x65

        $sequence_4 = { 8d742410 8d442408 c7470800000000 894c240c e8???????? 84c0 }
            // n = 6, score = 200
            //   8d742410             | lea                 esi, [esp + 0x10]
            //   8d442408             | lea                 eax, [esp + 8]
            //   c7470800000000       | mov                 dword ptr [edi + 8], 0
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_5 = { 7cb4 8b4c2414 8b01 3b70f8 }
            // n = 4, score = 200
            //   7cb4                 | jl                  0xffffffb6
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   3b70f8               | cmp                 esi, dword ptr [eax - 8]

        $sequence_6 = { 66390c78 7535 84db 7524 }
            // n = 4, score = 200
            //   66390c78             | cmp                 word ptr [eax + edi*2], cx
            //   7535                 | jne                 0x37
            //   84db                 | test                bl, bl
            //   7524                 | jne                 0x26

        $sequence_7 = { 8b50f4 52 50 e8???????? 5d }
            // n = 5, score = 200
            //   8b50f4               | mov                 edx, dword ptr [eax - 0xc]
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   5d                   | pop                 ebp

        $sequence_8 = { 7419 8d642400 3bfa 7311 }
            // n = 4, score = 200
            //   7419                 | je                  0x1b
            //   8d642400             | lea                 esp, [esp]
            //   3bfa                 | cmp                 edi, edx
            //   7311                 | jae                 0x13

        $sequence_9 = { 8d3451 33ff 3bce 7419 8d642400 3bfa }
            // n = 6, score = 200
            //   8d3451               | lea                 esi, [ecx + edx*2]
            //   33ff                 | xor                 edi, edi
            //   3bce                 | cmp                 ecx, esi
            //   7419                 | je                  0x1b
            //   8d642400             | lea                 esp, [esp]
            //   3bfa                 | cmp                 edi, edx

    condition:
        7 of them and filesize < 1605632
}
Download all Yara Rules