win.kivars

KIVARS


There is no description at this point.

References
2020-09-29 | Symantec | Threat Hunter Team
@online{team:20200929:palmerworm:4a96e3b, author = {Threat Hunter Team}, title = {{Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors}}, date = {2020-09-29}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt}, language = {English}, urldate = {2020-10-04} } Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
KIVARS PLEAD BlackTech
2017-06-22 | Trend Micro | Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:trail:ba78447, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html}, language = {English}, urldate = {2021-01-29} } The Trail of BlackTech’s Cyber Espionage Campaigns
bifrose KIVARS PLEAD
2014-07-02 | Trend Micro | Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
Yara Rules
[TLP:WHITE] win_kivars_auto (20220516 | Detects win.kivars.)
rule win_kivars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.kivars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The per-instruction annotations below were re-derived from the hex bytes
     * of each $sequence. In the published rule the annotation column was
     * shifted relative to the bytes (e.g. 88442435 was labelled "mov eax, 7",
     * but 88 44 24 35 encodes "mov byte ptr [esp + 0x35], al"), and REX
     * prefixes (0x48 / 0x41 / 0x44) had been decoded in 32-bit mode as
     * "dec eax" / "inc ecx" / "inc esp". Sequences that carry a REX prefix are
     * shown here in 64-bit form (rsp, rcx, r8d, ...); sequences without one
     * decode the same way in either mode and are shown with 32-bit names.
     * Annotations are comments only -- matching is done on the hex bytes,
     * which are unchanged from the published rule.
     *
     * "n" is the number of instructions in the sequence; "score" is the
     * yara-signator selection score (its scale is not documented here).
     * A ???????? token masks a 4-byte rel32/disp32 operand (call targets and
     * absolute/RIP-relative data references), so a sequence still matches
     * after relocation or rebasing.
     *
     * The condition needs 7 of the 16 sequences AND filesize < 196608 bytes
     * (192 KiB). `filesize` is only meaningful when scanning files, so for
     * process-memory scans the size clause should be reconsidered. Given the
     * small sample basis described in the DISCLAIMER, treat a hit as a
     * hunting/triage signal and corroborate it with the PLEAD/BlackTech
     * context from the references before assigning high confidence.
     */

    strings:
        // Byte-wise stores of immediates and registers to the stack; the
        // immediates are printable ASCII ('M', 'm', 'r'), which looks like
        // stack-string construction -- verify against the sample.
        $sequence_0 = { 88442435 88442436 c64424374d 885c2438 c64424396d 884c243a c644243b72 }
            // n = 7, score = 200
            //   88442435             | mov                 byte ptr [esp + 0x35], al
            //   88442436             | mov                 byte ptr [esp + 0x36], al
            //   c64424374d           | mov                 byte ptr [esp + 0x37], 0x4d
            //   885c2438             | mov                 byte ptr [esp + 0x38], bl
            //   c64424396d           | mov                 byte ptr [esp + 0x39], 0x6d
            //   884c243a             | mov                 byte ptr [esp + 0x3a], cl
            //   c644243b72           | mov                 byte ptr [esp + 0x3b], 0x72

        // Indirect call followed by two global loads and an indexed read
        // (64-bit: REX.W on the second load).
        $sequence_1 = { ff15???????? 8b05???????? 488b0d???????? 8b4401fc }
            // n = 4, score = 200
            //   ff15????????         | call                dword ptr [disp32]
            //   8b05????????         | mov                 eax, dword ptr [disp32]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   8b4401fc             | mov                 eax, dword ptr [rcx + rax - 4]

        // Loop bound check with a table lookup indexed by eax (64-bit, REX.R).
        $sequence_2 = { 0f8caa040000 8b842440010000 ffc8 8bc0 448b848444010000 }
            // n = 5, score = 200
            //   0f8caa040000         | jl                  rel32 +0x4aa
            //   8b842440010000       | mov                 eax, dword ptr [rsp + 0x140]
            //   ffc8                 | dec                 eax
            //   8bc0                 | mov                 eax, eax
            //   448b848444010000     | mov                 r8d, dword ptr [rsp + rax*4 + 0x144]

        // Saves two registers, then stack-string stores ('S', 'T').
        $sequence_3 = { 52 56 c644242853 885c2429 8844242a c644242b54 }
            // n = 6, score = 200
            //   52                   | push                edx
            //   56                   | push                esi
            //   c644242853           | mov                 byte ptr [esp + 0x28], 0x53
            //   885c2429             | mov                 byte ptr [esp + 0x29], bl
            //   8844242a             | mov                 byte ptr [esp + 0x2a], al
            //   c644242b54           | mov                 byte ptr [esp + 0x2b], 0x54

        // 64-bit call with two stack-buffer arguments; result kept on the stack.
        $sequence_4 = { 488d942494020000 488d8c2460010000 e8???????? 48898424a0030000 }
            // n = 4, score = 200
            //   488d942494020000     | lea                 rdx, [rsp + 0x294]
            //   488d8c2460010000     | lea                 rcx, [rsp + 0x160]
            //   e8????????           | call                rel32
            //   48898424a0030000     | mov                 qword ptr [rsp + 0x3a0], rax

        // Stack-string stores ('.', 'd', then two register bytes) before an
        // indirect call.
        $sequence_5 = { c644241c2e c644241d64 8844241e 8844241f ff15???????? }
            // n = 5, score = 200
            //   c644241c2e           | mov                 byte ptr [esp + 0x1c], 0x2e
            //   c644241d64           | mov                 byte ptr [esp + 0x1d], 0x64
            //   8844241e             | mov                 byte ptr [esp + 0x1e], al
            //   8844241f             | mov                 byte ptr [esp + 0x1f], al
            //   ff15????????         | call                dword ptr [disp32]

        // Five consecutive non-printable bytes stored to the stack; possibly an
        // encoded blob or key material -- unverified.
        $sequence_6 = { c68424e001000081 c68424e1010000c7 c68424e20100009d c68424e301000068 c68424e401000029 }
            // n = 5, score = 200
            //   c68424e001000081     | mov                 byte ptr [esp + 0x1e0], 0x81
            //   c68424e1010000c7     | mov                 byte ptr [esp + 0x1e1], 0xc7
            //   c68424e20100009d     | mov                 byte ptr [esp + 0x1e2], 0x9d
            //   c68424e301000068     | mov                 byte ptr [esp + 0x1e3], 0x68
            //   c68424e401000029     | mov                 byte ptr [esp + 0x1e4], 0x29

        // 64-bit argument setup (r9d from the stack, r8d = 7, rdx = RIP-relative
        // address, rcx = stack buffer); the short jmp precedes it.
        $sequence_7 = { eb6e 448b8c24b0100000 41b807000000 488d157f730000 488d8c2440100000 }
            // n = 5, score = 200
            //   eb6e                 | jmp                 rel8 +0x6e
            //   448b8c24b0100000     | mov                 r9d, dword ptr [rsp + 0x10b0]
            //   41b807000000         | mov                 r8d, 7
            //   488d157f730000       | lea                 rdx, [rip + 0x737f]
            //   488d8c2440100000     | lea                 rcx, [rsp + 0x1040]

        // Pushes four registers and the constant 1 (cdecl/stdcall argument
        // sequence); weak on its own.
        $sequence_8 = { 51 6a01 56 57 53 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   56                   | push                esi
            //   57                   | push                edi
            //   53                   | push                ebx

        // Stores edi to a stack slot, tests a flag, then reads a 16-bit field
        // at [ebp + 4] and advances ebp by 6 (record walk).
        $sequence_9 = { 89bc2424010000 7414 668b4d04 83c506 }
            // n = 4, score = 200
            //   89bc2424010000       | mov                 dword ptr [esp + 0x124], edi
            //   7414                 | je                  rel8 +0x14
            //   668b4d04             | mov                 cx, word ptr [ebp + 4]
            //   83c506               | add                 ebp, 6

        // Call with one stack argument, null-check of the result.
        $sequence_10 = { e8???????? 8bf0 83c404 85f6 7445 8bcf }
            // n = 6, score = 200
            //   e8????????           | call                rel32
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   7445                 | je                  rel8 +0x45
            //   8bcf                 | mov                 ecx, edi

        // Buffer fill (rep stosb) followed by pushing two stack arguments
        // ([ebp + 0x18], [ebp + 0x14] loaded next).
        $sequence_11 = { f3aa 52 8b4518 50 8b4d14 }
            // n = 5, score = 200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   52                   | push                edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   50                   | push                eax
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        // Address computations and a 16-bit store into a stack structure.
        $sequence_12 = { 8d4d66 668944246c 8d7c2428 8b11 8b9c2484020000 }
            // n = 5, score = 200
            //   8d4d66               | lea                 ecx, [ebp + 0x66]
            //   668944246c           | mov                 word ptr [esp + 0x6c], ax
            //   8d7c2428             | lea                 edi, [esp + 0x28]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b9c2484020000       | mov                 ebx, dword ptr [esp + 0x284]

        // 64-bit: call with a stack buffer in rcx, then set up the next one.
        $sequence_13 = { 488d4c2430 e8???????? 90 488d8c2440010000 }
            // n = 4, score = 200
            //   488d4c2430           | lea                 rcx, [rsp + 0x30]
            //   e8????????           | call                rel32
            //   90                   | nop
            //   488d8c2440010000     | lea                 rcx, [rsp + 0x140]

        // Five consecutive non-printable bytes stored to the stack, same shape
        // as $sequence_6 at a different offset -- possibly an encoded blob.
        $sequence_14 = { c6842472020000c2 c68424730200004a c6842474020000e0 c68424750200006c c6842476020000c7 }
            // n = 5, score = 200
            //   c6842472020000c2     | mov                 byte ptr [esp + 0x272], 0xc2
            //   c68424730200004a     | mov                 byte ptr [esp + 0x273], 0x4a
            //   c6842474020000e0     | mov                 byte ptr [esp + 0x274], 0xe0
            //   c68424750200006c     | mov                 byte ptr [esp + 0x275], 0x6c
            //   c6842476020000c7     | mov                 byte ptr [esp + 0x276], 0xc7

        // 64-bit: index masked to 6 bits (0..63), sign-extended, then used to
        // read one byte from a table -- consistent with a lookup/encoding loop.
        $sequence_15 = { 83e03f 4898 488b4c2428 488b542438 0fb60402 }
            // n = 5, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   4898                 | cdqe
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   488b542438           | mov                 rdx, qword ptr [rsp + 0x38]
            //   0fb60402             | movzx               eax, byte ptr [rdx + rax]

    condition:
        // 7 of 16 sequences; 196608 bytes = 192 KiB (file scans only).
        7 of them and filesize < 196608
}