Actor(s): Kimsuki, Kimsuky
There is no description at this point.
rule win_kimsuky_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.kimsuky." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { b9???????? e8???????? 8d85f8feffff 50 6a00 6a00 6a1a } // n = 7, score = 400 // b9???????? | // e8???????? | // 8d85f8feffff | lea eax, dword ptr [ebp - 0x108] // 50 | push eax // 6a00 | push 0 // 6a00 | push 0 // 6a1a | push 0x1a $sequence_1 = { 50 e8???????? 83c418 8d85f8feffff 6a00 } // n = 5, score = 400 // 50 | push eax // e8???????? | // 83c418 | add esp, 0x18 // 8d85f8feffff | lea eax, dword ptr [ebp - 0x108] // 6a00 | push 0 $sequence_2 = { 7516 ff15???????? 8bd8 e8???????? 0fafd8 } // n = 5, score = 400 // 7516 | jne 0x18 // ff15???????? | // 8bd8 | mov ebx, eax // e8???????? | // 0fafd8 | imul ebx, eax $sequence_3 = { 6a00 50 ff15???????? 8d85ecfbffff 50 8d85f8feffff 50 } // n = 7, score = 400 // 6a00 | push 0 // 50 | push eax // ff15???????? | // 8d85ecfbffff | lea eax, dword ptr [ebp - 0x414] // 50 | push eax // 8d85f8feffff | lea eax, dword ptr [ebp - 0x108] // 50 | push eax $sequence_4 = { 83c430 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff b9???????? e8???????? } // n = 7, score = 400 // 83c430 | add esp, 0x30 // 8d95f0fcffff | lea edx, dword ptr [ebp - 0x310] // b9???????? | // e8???????? | // 8d95ecfbffff | lea edx, dword ptr [ebp - 0x414] // b9???????? | // e8???????? | $sequence_5 = { ffd7 a3???????? 8d85ecfbffff 50 } // n = 4, score = 400 // ffd7 | call edi // a3???????? | // 8d85ecfbffff | lea eax, dword ptr [ebp - 0x414] // 50 | push eax $sequence_6 = { 50 e8???????? 8d85f0fcffff 50 8d85f8feffff 6804010000 } // n = 6, score = 400 // 50 | push eax // e8???????? | // 8d85f0fcffff | lea eax, dword ptr [ebp - 0x310] // 50 | push eax // 8d85f8feffff | lea eax, dword ptr [ebp - 0x108] // 6804010000 | push 0x104 $sequence_7 = { 50 ff15???????? 85c0 7516 ff15???????? 33c0 } // n = 6, score = 400 // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 7516 | jne 0x18 // ff15???????? | // 33c0 | xor eax, eax $sequence_8 = { 7423 6a00 8d85f0feffff 50 68???????? ff15???????? } // n = 6, score = 400 // 7423 | je 0x25 // 6a00 | push 0 // 8d85f0feffff | lea eax, dword ptr [ebp - 0x110] // 50 | push eax // 68???????? | // ff15???????? | $sequence_9 = { 4c896c2420 33f6 4533ed 4533e4 } // n = 4, score = 300 // 4c896c2420 | mov eax, 0x5a4d // 33f6 | nop dword ptr [eax + eax] // 4533ed | dec ecx // 4533e4 | add eax, 4 $sequence_10 = { 4533e4 4c897c2468 e8???????? 488be8 b84d5a0000 0f1f440000 } // n = 6, score = 300 // 4533e4 | mov edx, ebp // 4c897c2468 | dec esp // e8???????? | // 488be8 | mov esi, eax // b84d5a0000 | dec ebp // 0f1f440000 | test eax, eax $sequence_11 = { cc 4883ec28 833d????????00 7529 b906000000 } // n = 5, score = 300 // cc | jne 0xffffffb5 // 4883ec28 | dec esp // 833d????????00 | // 7529 | mov dword ptr [esp + 0x68], edi // b906000000 | inc ecx $sequence_12 = { 48833b00 75a9 8b4520 4883c514 85c0 0f857affffff 4c8b7c2460 } // n = 7, score = 300 // 48833b00 | mov ebx, 1 // 75a9 | dec esp // 8b4520 | mov dword ptr [esp + 0x20], ebp // 4883c514 | xor esi, esi // 85c0 | inc ebp // 0f857affffff | xor ebp, ebp // 4c8b7c2460 | inc ebp $sequence_13 = { 4983c004 4983c102 664585db 75af 4c897c2468 41bb01000000 } // n = 6, score = 300 // 4983c004 | inc ebp // 4983c102 | xor esp, esp // 664585db | dec esp // 75af | mov dword ptr [esp + 0x68], edi // 4c897c2468 | dec eax // 41bb01000000 | mov ebp, eax $sequence_14 = { 468b5c0f24 4d03d1 4d03d9 666666660f1f840000000000 418b0a } // n = 5, score = 300 // 468b5c0f24 | test ebx, ebx // 4d03d1 | jne 0xffffffb1 // 4d03d9 | dec esp // 666666660f1f840000000000 | mov dword ptr [esp + 0x68], edi // 418b0a | int3 $sequence_15 = { 4c897c2460 ffd6 458b4754 488bd5 4c8bf0 4d85c0 } // n = 6, score = 300 // 4c897c2460 | dec esp // ffd6 | mov dword ptr [esp + 0x60], edi // 458b4754 | call esi // 488bd5 | inc ebp // 4c8bf0 | mov eax, dword ptr [edi + 0x54] // 4d85c0 | dec eax $sequence_16 = { 8d4702 03c2 89442450 8bf0 8bc8 } // n = 5, score = 200 // 8d4702 | call esi // 03c2 | inc ebp // 89442450 | mov eax, dword ptr [edi + 0x54] // 8bf0 | dec eax // 8bc8 | mov edx, ebp $sequence_17 = { 488d4c2450 e8???????? 90 488b5008 } // n = 4, score = 200 // 488d4c2450 | inc ebp // e8???????? | // 90 | mov eax, dword ptr [edi + 0x54] // 488b5008 | dec eax $sequence_18 = { 8bcf 85c0 0f94c1 85c9 0f8494020000 89bda0000000 897d30 } // n = 7, score = 200 // 8bcf | push edi // 85c0 | dec eax // 0f94c1 | sub esp, 0x40 // 85c9 | dec eax // 0f8494020000 | mov dword ptr [esp + 0x70], ebp // 89bda0000000 | dec eax // 897d30 | mov dword ptr [esp + 0x38], esi $sequence_19 = { 8b442468 6683f809 7508 83f809 8d7340 7405 be20000000 } // n = 7, score = 200 // 8b442468 | jne 0x18 // 6683f809 | mov ebx, eax // 7508 | imul ebx, eax // 83f809 | test eax, eax // 8d7340 | jne 0x18 // 7405 | mov ebx, eax // be20000000 | test eax, eax $sequence_20 = { 8b7590 660f1f440000 837df000 0f841b020000 } // n = 4, score = 200 // 8b7590 | jne 0x1a // 660f1f440000 | mov ebx, eax // 837df000 | test eax, eax // 0f841b020000 | jne 0x1a $sequence_21 = { 498bc6 488b4d20 4833cc e8???????? } // n = 4, score = 200 // 498bc6 | nop dword ptr [eax + eax] // 488b4d20 | dec ecx // 4833cc | add eax, 4 // e8???????? | $sequence_22 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? } // n = 4, score = 200 // 488d8a38000000 | mov dword ptr [esp + 0x60], edi // e9???????? | // 488d8a28010000 | call esi // e9???????? | $sequence_23 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 } // n = 6, score = 200 // 4c89642430 | mov edx, ebp // c744242880000000 | dec esp // c744242002000000 | mov esi, eax // 4533c9 | dec ebp // 4533c0 | test eax, eax // ba00000040 | inc ebp $sequence_24 = { 85c0 0f84e6000000 c6850801000000 33c0 } // n = 4, score = 200 // 85c0 | lea eax, dword ptr [edi + 2] // 0f84e6000000 | add eax, edx // c6850801000000 | mov dword ptr [esp + 0x50], eax // 33c0 | mov edi, dword ptr [ebp + 0x1a0] $sequence_25 = { 8bc1 81fb00000001 0f97c0 89442440 } // n = 4, score = 200 // 8bc1 | mov ebx, eax // 81fb00000001 | imul ebx, eax // 0f97c0 | lea eax, dword ptr [edi + 2] // 89442440 | add eax, edx $sequence_26 = { 8bf0 85c0 7471 895c2468 } // n = 4, score = 200 // 8bf0 | jmp 0xd // 85c0 | mov ebx, dword ptr [esp + 0x58] // 7471 | mov byte ptr [ebp + 0xd70], 0 // 895c2468 | mov eax, dword ptr [esp + 0x68] $sequence_27 = { e8???????? 33ed 48896f10 48c7471807000000 } // n = 4, score = 100 // e8???????? | // 33ed | dec ebp // 48896f10 | add ebx, ecx // 48c7471807000000 | nop word ptr [eax + eax] $sequence_28 = { e8???????? 33db 8bf8 85c0 0f8453020000 4c8d2d6eb70200 } // n = 6, score = 100 // e8???????? | // 33db | xor esi, esi // 8bf8 | inc ebp // 85c0 | xor ebp, ebp // 0f8453020000 | inc ebp // 4c8d2d6eb70200 | xor esp, esp $sequence_29 = { e8???????? 33db 488d442454 895c2438 4c8d4c2448 48895c2430 488d55e0 } // n = 7, score = 100 // e8???????? | // 33db | xor esp, esp // 488d442454 | dec ecx // 895c2438 | add ecx, 2 // 4c8d4c2448 | inc bp // 48895c2430 | test ebx, ebx // 488d55e0 | jne 0xffffffb5 $sequence_30 = { e8???????? 33db 488dbc2470010000 0f1f00 } // n = 4, score = 100 // e8???????? | // 33db | dec esp // 488dbc2470010000 | mov dword ptr [esp + 0x68], edi // 0f1f00 | int3 condition: 7 of them and filesize < 1021952 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
