Actor(s): Mirage
Intezer first described this family in mid-May 2020; it appears to be a merger of the Ketrican and Okrum families.
rule win_ketrum_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ketrum."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83e13f 5f 3bc8 7203 }
            // n = 4, score = 200
            //   83e13f               | and                 ecx, 0x3f
            //   5f                   | pop                 edi
            //   3bc8                 | cmp                 ecx, eax
            //   7203                 | jb                  5

        $sequence_1 = { 8d85fcebffff 50 8d85fcd3ffff 68???????? 50 ffd7 }
            // n = 6, score = 200
            //   8d85fcebffff         | lea                 eax, [ebp - 0x1404]
            //   50                   | push                eax
            //   8d85fcd3ffff         | lea                 eax, [ebp - 0x2c04]
            //   68????????           |
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_2 = { ff15???????? ffb5f0cbffff ff15???????? ffb5e8cbffff ffb5f4cbffff }
            // n = 5, score = 200
            //   ff15????????         |
            //   ffb5f0cbffff         | push                dword ptr [ebp - 0x3410]
            //   ff15????????         |
            //   ffb5e8cbffff         | push                dword ptr [ebp - 0x3418]
            //   ffb5f4cbffff         | push                dword ptr [ebp - 0x340c]

        $sequence_3 = { ab ab ab ab 68???????? 6a15 bf???????? }
            // n = 7, score = 200
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   68????????           |
            //   6a15                 | push                0x15
            //   bf????????           |

        $sequence_4 = { e8???????? 59 85db 7e15 57 8b7d08 2bfe }
            // n = 7, score = 200
            //   e8????????           |
            //   59                   | pop                 ecx
            //   85db                 | test                ebx, ebx
            //   7e15                 | jle                 0x17
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   2bfe                 | sub                 edi, esi

        $sequence_5 = { 33c0 0fb7f0 8bc6 c1e610 ba???????? }
            // n = 5, score = 200
            //   33c0                 | xor                 eax, eax
            //   0fb7f0               | movzx               esi, ax
            //   8bc6                 | mov                 eax, esi
            //   c1e610               | shl                 esi, 0x10
            //   ba????????           |

        $sequence_6 = { 7434 b9???????? 8bc1 8d7001 8a10 40 }
            // n = 6, score = 200
            //   7434                 | je                  0x36
            //   b9????????           |
            //   8bc1                 | mov                 eax, ecx
            //   8d7001               | lea                 esi, [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax

        $sequence_7 = { 85c0 7404 33c0 eb5e 6880000000 56 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb5e                 | jmp                 0x60
            //   6880000000           | push                0x80
            //   56                   | push                esi

        $sequence_8 = { 397010 7699 837b1408 7204 8b13 eb02 }
            // n = 6, score = 100
            //   397010               | cmp                 dword ptr [eax + 0x10], esi
            //   7699                 | jbe                 0xffffff9b
            //   837b1408             | cmp                 dword ptr [ebx + 0x14], 8
            //   7204                 | jb                  6
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   eb02                 | jmp                 4

        $sequence_9 = { 8a4c181c 8888b0f74100 40 ebe9 33c0 8945e4 }
            // n = 6, score = 100
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   8888b0f74100         | mov                 byte ptr [eax + 0x41f7b0], cl
            //   40                   | inc                 eax
            //   ebe9                 | jmp                 0xffffffeb
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_10 = { 6a04 8d8520efffff 50 6a1f 57 }
            // n = 5, score = 100
            //   6a04                 | push                4
            //   8d8520efffff         | lea                 eax, [ebp - 0x10e0]
            //   50                   | push                eax
            //   6a1f                 | push                0x1f
            //   57                   | push                edi

        $sequence_11 = { 8b8da4fdffff 2bc1 2bc6 50 03ce 51 }
            // n = 6, score = 100
            //   8b8da4fdffff         | mov                 ecx, dword ptr [ebp - 0x25c]
            //   2bc1                 | sub                 eax, ecx
            //   2bc6                 | sub                 eax, esi
            //   50                   | push                eax
            //   03ce                 | add                 ecx, esi
            //   51                   | push                ecx

        $sequence_12 = { 3bf9 732c 8b16 3bd7 7726 8bc7 2bc2 }
            // n = 7, score = 100
            //   3bf9                 | cmp                 edi, ecx
            //   732c                 | jae                 0x2e
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   3bd7                 | cmp                 edx, edi
            //   7726                 | ja                  0x28
            //   8bc7                 | mov                 eax, edi
            //   2bc2                 | sub                 eax, edx

        $sequence_13 = { 8365fc00 83c074 50 8b4508 e8???????? }
            // n = 5, score = 100
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   83c074               | add                 eax, 0x74
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   e8????????           |

        $sequence_14 = { 89a570feffff 6a0f 5f 897e14 895e10 }
            // n = 5, score = 100
            //   89a570feffff         | mov                 dword ptr [ebp - 0x190], esp
            //   6a0f                 | push                0xf
            //   5f                   | pop                 edi
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx

        $sequence_15 = { 33ff 8d759c e8???????? 33c0 40 e8???????? }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   8d759c               | lea                 esi, [ebp - 0x64]
            //   e8????????           |
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   e8????????           |

    condition:
        7 of them and filesize < 4599808
}
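The following Python is an added example, not Malpedia's or yara-signator's code: it re-implements what the rule's hex strings and condition do, so the sequences can be examined without a YARA install. Each `??` is treated as a one-byte wildcard, and the condition "7 of them and filesize < 4599808" is evaluated on an in-memory buffer; the sample buffer is constructed, not a real Ketrum binary.

```python
import re
# Hex strings copied from the win_ketrum_auto rule above; "??" is YARA's
# single-byte wildcard and is treated the same way here.
KETRUM_SEQUENCES = {
    "sequence_0": "83e13f 5f 3bc8 7203",
    "sequence_1": "8d85fcebffff 50 8d85fcd3ffff 68???????? 50 ffd7",
    "sequence_2": "ff15???????? ffb5f0cbffff ff15???????? ffb5e8cbffff ffb5f4cbffff",
    "sequence_3": "ab ab ab ab 68???????? 6a15 bf????????",
    "sequence_4": "e8???????? 59 85db 7e15 57 8b7d08 2bfe",
    "sequence_5": "33c0 0fb7f0 8bc6 c1e610 ba????????",
    "sequence_6": "7434 b9???????? 8bc1 8d7001 8a10 40",
    "sequence_7": "85c0 7404 33c0 eb5e 6880000000 56",
    "sequence_8": "397010 7699 837b1408 7204 8b13 eb02",
    "sequence_9": "8a4c181c 8888b0f74100 40 ebe9 33c0 8945e4",
    "sequence_10": "6a04 8d8520efffff 50 6a1f 57",
    "sequence_11": "8b8da4fdffff 2bc1 2bc6 50 03ce 51",
    "sequence_12": "3bf9 732c 8b16 3bd7 7726 8bc7 2bc2",
    "sequence_13": "8365fc00 83c074 50 8b4508 e8????????",
    "sequence_14": "89a570feffff 6a0f 5f 897e14 895e10",
    "sequence_15": "33ff 8d759c e8???????? 33c0 40 e8????????",
}
MIN_MATCHES = 7           # condition: "7 of them"
MAX_FILESIZE = 4599808    # condition: "filesize < 4599808"

def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string with ?? wildcards into a bytes regex."""
    hexstr = pattern.replace(" ", "")
    pieces = [b"." if hexstr[i:i + 2] == "??" else re.escape(bytes.fromhex(hexstr[i:i + 2]))
              for i in range(0, len(hexstr), 2)]
    return re.compile(b"".join(pieces), re.DOTALL)  # DOTALL: "." must match 0x0a too

def matching_sequences(data: bytes) -> set:
    """Return the names of the rule strings found anywhere in data."""
    return {name for name, pat in KETRUM_SEQUENCES.items()
            if hex_string_to_regex(pat).search(data)}

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition against an in-memory buffer (size check first)."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES

def fill_wildcards(pattern: str) -> bytes:
    """Constructed-sample helper: replace each ?? with 0x00 to get concrete bytes."""
    return bytes.fromhex(pattern.replace(" ", "").replace("?", "0"))

# Constructed buffer (not a real sample): seven sequences embedded in filler bytes.
SAMPLE = b"\x90" * 32 + b"".join(
    fill_wildcards(KETRUM_SEQUENCES[f"sequence_{i}"]) for i in range(7)) + b"\xcc" * 32
```

Because the sequences are fixed byte runs with wildcards, a match on fewer than seven of them (or on an oversized file) is correctly reported as no match.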