SYMBOLCOMMON_NAMEaka. SYNONYMS
win.killav (Back to overview)

KillAV

aka: BURNTCIGAR
VTCollection    

There is no description at this point.

References
2023-07-28Quorum CyberQuorum Cyber
Scattered Spider Threat Actor Profile
Cuba KillAV POORTRY
2022-12-13SophosAndreas Klopsch, Andrew Brandt
Signed driver malware moves up the software trust chain
KillAV
2022-02-26AonEduardo Mattos, Rob Homewood
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
KillAV
2022-02-26AonEduardo Mattos, Rob Homewood
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-23MandiantJoshua Shilko, Shambavi Sadayappan, Tyler McLellan
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba KillAV
Yara Rules
[TLP:WHITE] win_killav_auto (20260504 | Detects win.killav.)
rule win_killav_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.killav."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b049d70ba4300 8b4de0 f644082801 7515 e8???????? }
            // n = 5, score = 200
            //   8b049d70ba4300       | mov                 eax, dword ptr [ebx*4 + 0x43ba70]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7515                 | jne                 0x17
            //   e8????????           |                     

        $sequence_1 = { 8bc2 8bca 83e03f c1f906 6bc038 8b0c8d70ba4300 807c012800 }
            // n = 7, score = 200
            //   8bc2                 | mov                 eax, edx
            //   8bca                 | mov                 ecx, edx
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bc038               | imul                eax, eax, 0x38
            //   8b0c8d70ba4300       | mov                 ecx, dword ptr [ecx*4 + 0x43ba70]
            //   807c012800           | cmp                 byte ptr [ecx + eax + 0x28], 0

        $sequence_2 = { c745ec07000000 668945d8 e8???????? 8d45d8 c645fc11 }
            // n = 5, score = 200
            //   c745ec07000000       | mov                 dword ptr [ebp - 0x14], 7
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc11             | mov                 byte ptr [ebp - 4], 0x11

        $sequence_3 = { 6a26 58 0fb60c855ed34200 0fb634855fd34200 8bf9 8985b0f8ffff }
            // n = 6, score = 200
            //   6a26                 | push                0x26
            //   58                   | pop                 eax
            //   0fb60c855ed34200     | movzx               ecx, byte ptr [eax*4 + 0x42d35e]
            //   0fb634855fd34200     | movzx               esi, byte ptr [eax*4 + 0x42d35f]
            //   8bf9                 | mov                 edi, ecx
            //   8985b0f8ffff         | mov                 dword ptr [ebp - 0x750], eax

        $sequence_4 = { e8???????? 8d45d8 c645fc1b 50 8d4dd0 e8???????? c645fc00 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc1b             | mov                 byte ptr [ebp - 4], 0x1b
            //   50                   | push                eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0

        $sequence_5 = { c1f806 6bc938 8b048570ba4300 0fb6440828 83e040 5d c3 }
            // n = 7, score = 200
            //   c1f806               | sar                 eax, 6
            //   6bc938               | imul                ecx, ecx, 0x38
            //   8b048570ba4300       | mov                 eax, dword ptr [eax*4 + 0x43ba70]
            //   0fb6440828           | movzx               eax, byte ptr [eax + ecx + 0x28]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_6 = { 807dfc01 8b4df4 8b55f0 7522 8b048d70ba4300 f644022d02 }
            // n = 6, score = 200
            //   807dfc01             | cmp                 byte ptr [ebp - 4], 1
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   7522                 | jne                 0x24
            //   8b048d70ba4300       | mov                 eax, dword ptr [ecx*4 + 0x43ba70]
            //   f644022d02           | test                byte ptr [edx + eax + 0x2d], 2

        $sequence_7 = { c7869800000050c74200 c7460401000000 8b4dfc 5f 5e 33cd 5b }
            // n = 7, score = 200
            //   c7869800000050c74200     | mov    dword ptr [esi + 0x98], 0x42c750
            //   c7460401000000       | mov                 dword ptr [esi + 4], 1
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cd                 | xor                 ecx, ebp
            //   5b                   | pop                 ebx

        $sequence_8 = { eb56 8b048580bb4200 6800080000 6a00 50 8945fc ff15???????? }
            // n = 7, score = 200
            //   eb56                 | jmp                 0x58
            //   8b048580bb4200       | mov                 eax, dword ptr [eax*4 + 0x42bb80]
            //   6800080000           | push                0x800
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_9 = { 85c0 0f8561ffffff ff742410 ff15???????? }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   0f8561ffffff         | jne                 0xffffff67
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 517120
}
Download all Yara Rules