win.kgh_spy (Back to overview)

KGH_SPY


There is no curated description at this point. The references below describe KGH_SPY as a spyware suite used by the Kimsuky group (Cybereason, 2020); the 2021 Microstep write-up analyses a newer version of its components.

References
2021-07-14Microstep Online Research Response CenterMicrostep Online Research Response Center
@online{center:20210714:old:d9d32d2, author = {Microstep Online Research Response Center}, title = {{Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky}}, date = {2021-07-14}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw}, language = {Chinese}, urldate = {2021-07-20} } Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky
KGH_SPY
2020-11-02CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky
Yara Rules
[TLP:WHITE] win_kgh_spy_auto (20230407 | Detects win.kgh_spy.)
rule win_kgh_spy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.kgh_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * REVIEW NOTES
     * - Every sequence below is x86-64 code (REX prefixes 48/4c/49, r8-r15,
     *   RIP-relative lea). The per-byte comments that shipped with the
     *   generated rule were 32-bit decodings and did not correspond to the
     *   hex bytes; they have been replaced with the 64-bit decoding of the
     *   exact bytes in each pattern. The hex patterns themselves are unchanged.
     * - Several patterns embed RIP-relative displacements and stack offsets
     *   (e.g. lea rcx, [rip+0xbbd0], lea rdx, [rbp+0x620]). Those are fixed by
     *   the compiler/linker for one build, so expect recompiled or re-linked
     *   variants to miss some sequences; the 7-of-10 threshold gives a little
     *   slack, but treat a hit as a strong lead rather than a family-wide
     *   guarantee, consistent with the disclaimer above.
     * - The `e8 ????????` wildcard in $sequence_4 masks a call target only;
     *   the surrounding argument set-up is still build-specific.
     */


    strings:
        $sequence_0 = { 0f8491000000 488b442430 48b90000000000000080 488b00 4823c1 4885c0 }
            // n = 6, score = 100
            //   0f8491000000         | je                  +0x91
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   48b90000000000000080     | mov    rcx, 0x8000000000000000
            //   488b00               | mov                 rax, qword ptr [rax]
            //   4823c1               | and                 rax, rcx
            //   4885c0               | test                rax, rax

        $sequence_1 = { 488b442450 488d0dd0bb0000 488b0cc1 4c8d4c244c 488d9520060000 498b0c0c 895c2448 }
            // n = 7, score = 100
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   488d0dd0bb0000       | lea                 rcx, [rip + 0xbbd0]
            //   488b0cc1             | mov                 rcx, qword ptr [rcx + rax*8]
            //   4c8d4c244c           | lea                 r9, [rsp + 0x4c]
            //   488d9520060000       | lea                 rdx, [rbp + 0x620]
            //   498b0c0c             | mov                 rcx, qword ptr [r12 + rcx]
            //   895c2448             | mov                 dword ptr [rsp + 0x48], ebx

        $sequence_2 = { 4889442420 448bc9 4c8d8424300a0000 ba01000000 }
            // n = 4, score = 100
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   448bc9               | mov                 r9d, ecx
            //   4c8d8424300a0000     | lea                 r8, [rsp + 0xa30]
            //   ba01000000           | mov                 edx, 1

        $sequence_3 = { 2500000002 85c0 7428 488b442420 8b4010 488b4c2420 8b4908 }
            // n = 7, score = 100
            //   2500000002           | and                 eax, 0x2000000
            //   85c0                 | test                eax, eax
            //   7428                 | je                  +0x28
            //   488b442420           | mov                 rax, qword ptr [rsp + 0x20]
            //   8b4010               | mov                 eax, dword ptr [rax + 0x10]
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]
            //   8b4908               | mov                 ecx, dword ptr [rcx + 8]

        $sequence_4 = { 4c8d0d2f090100 4c8d05e8ee0000 488d1561bd0000 488d4c2440 e8???????? 488d942450010000 488d4c2440 }
            // n = 7, score = 100
            //   4c8d0d2f090100       | lea                 r9, [rip + 0x1092f]
            //   4c8d05e8ee0000       | lea                 r8, [rip + 0xeee8]
            //   488d1561bd0000       | lea                 rdx, [rip + 0xbd61]
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   e8????????           | call                rel32 (target wildcarded)
            //   488d942450010000     | lea                 rdx, [rsp + 0x150]
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]

        $sequence_5 = { 488d8424f0030000 488bf8 33c0 b908020000 f3aa 4c8d0df7e30000 4c8d842410070000 }
            // n = 7, score = 100
            //   488d8424f0030000     | lea                 rax, [rsp + 0x3f0]
            //   488bf8               | mov                 rdi, rax
            //   33c0                 | xor                 eax, eax
            //   b908020000           | mov                 ecx, 0x208
            //   f3aa                 | rep stosb           (zero a 0x208-byte stack buffer)
            //   4c8d0df7e30000       | lea                 r9, [rip + 0xe3f7]
            //   4c8d842410070000     | lea                 r8, [rsp + 0x710]

        $sequence_6 = { 0fbae809 89442430 488b442420 8b4010 89442428 837c242800 7546 }
            // n = 7, score = 100
            //   0fbae809             | bts                 eax, 9
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   488b442420           | mov                 rax, qword ptr [rsp + 0x20]
            //   8b4010               | mov                 eax, dword ptr [rax + 0x10]
            //   89442428             | mov                 dword ptr [rsp + 0x28], eax
            //   837c242800           | cmp                 dword ptr [rsp + 0x28], 0
            //   7546                 | jne                 +0x46

        $sequence_7 = { 33c0 b908020000 f3aa 4c8d0df7e30000 4c8d842410070000 488d15f0e30000 488d8c24f0030000 }
            // n = 7, score = 100
            // Overlaps the tail of $sequence_5 (same xor/mov/rep stosb/lea prefix),
            // so these two strings will usually match or miss together.
            //   33c0                 | xor                 eax, eax
            //   b908020000           | mov                 ecx, 0x208
            //   f3aa                 | rep stosb
            //   4c8d0df7e30000       | lea                 r9, [rip + 0xe3f7]
            //   4c8d842410070000     | lea                 r8, [rsp + 0x710]
            //   488d15f0e30000       | lea                 rdx, [rip + 0xe3f0]
            //   488d8c24f0030000     | lea                 rcx, [rsp + 0x3f0]

        $sequence_8 = { 85c0 0f85f4000000 4c8d05d0710000 498bd7 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f85f4000000         | jne                 +0xf4
            //   4c8d05d0710000       | lea                 r8, [rip + 0x71d0]
            //   498bd7               | mov                 rdx, r15

        $sequence_9 = { 488d7b28 bd06000000 488d0545a20000 483947f0 741a 488b0f }
            // n = 6, score = 100
            //   488d7b28             | lea                 rdi, [rbx + 0x28]
            //   bd06000000           | mov                 ebp, 6
            //   488d0545a20000       | lea                 rax, [rip + 0xa245]
            //   483947f0             | cmp                 qword ptr [rdi - 0x10], rax
            //   741a                 | je                  +0x1a
            //   488b0f               | mov                 rcx, qword ptr [rdi]

    condition:
        // 7 of the 10 sequences must match AND the scanned object must be
        // smaller than 207872 bytes (~203 KiB). Two caveats for deployment:
        //  - `filesize` is only defined when scanning files; during process-
        //    memory scans it is undefined and the comparison evaluates false,
        //    so this rule will not fire on live processes as written. Drop or
        //    relax the size clause for in-memory hunting (and re-assess FP rate).
        //  - The cap is tuned to the single documented sample; a padded,
        //    re-packed or larger build of the same component is excluded.
        7 of them and filesize < 207872
}