
KIVARS


There is no description at this point.

References
2020-09-29SymantecThreat Hunter Team
@online{team:20200929:palmerworm:4a96e3b, author = {Threat Hunter Team}, title = {{Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors}}, date = {2020-09-29}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt}, language = {English}, urldate = {2020-10-04} } Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
KIVARS PLEAD BlackTech
2017-06-22Trend MicroLenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:trail:ba78447, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html}, language = {English}, urldate = {2021-01-29} } The Trail of BlackTech’s Cyber Espionage Campaigns
bifrose KIVARS PLEAD
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
Yara Rules
[TLP:WHITE] win_kivars_auto (20230125 | Detects win.kivars.)
rule win_kivars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.kivars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-line disassembly annotations below do not correspond to the
     *   hex bytes they sit next to. In $sequence_0, for example, `ebc9` is a
     *   short `jmp` and `c744243400000000` is `mov dword ptr [esp + 0x34], 0`
     *   (both decodings appear further down, under $sequence_3), while the
     *   `cmp`/`jne`/`mov` printed beside them appear to belong to other
     *   sequences. When triaging a hit, read the hex, not the annotation.
     * - The annotations were produced as 32-bit code: the REX prefixes `48`,
     *   `41` and `4c` in $sequence_1, $sequence_2, $sequence_6, $sequence_8
     *   and $sequence_9 are rendered as `dec`/`inc`. Those sequences are
     *   64-bit code, so the rule spans both 32-bit and 64-bit builds,
     *   consistent with the 64-bit variant described in the 2014 Trend Micro
     *   reference for this family.
     * - `??` wildcards stand for relocatable operands (relative call
     *   displacements in `e8????????`, absolute/RIP-relative memory operands
     *   in `ff15????????`, `8b15????????`, `48833d????????00`), so the
     *   sequences still match after the module is relinked or rebased.
     */


    strings:
        $sequence_0 = { 8b448434 89448c34 ebc9 c744243400000000 }
            // n = 4, score = 200
            //   8b448434             | cmp                 dword ptr [esp + 0x28], 3
            //   89448c34             | jne                 7
            //   ebc9                 | mov                 dword ptr [esp + 0x20], 0xffffffff
            //   c744243400000000     | mov                 dword ptr [esp + 0x2c], 0

        $sequence_1 = { 25ff000000 4898 0fb6840430010000 89842440020000 8b842440020000 }
            // n = 5, score = 200
            //   25ff000000           | cmp                 dword ptr [esp + 0x20], 0
            //   4898                 | je                  0x13
            //   0fb6840430010000     | dec                 eax
            //   89842440020000       | lea                 ecx, [esp + 0x28]
            //   8b842440020000       | and                 eax, 0xff

        $sequence_2 = { 488d8c2450020000 e8???????? 41b802000000 488d942470040000 }
            // n = 4, score = 200
            //   488d8c2450020000     | mov                 dword ptr [esp + 0x3068], eax
            //   e8????????           |                     
            //   41b802000000         | mov                 dword ptr [esp + 0x3054], 0
            //   488d942470040000     | jne                 0x12

        $sequence_3 = { 8b442440 ffc8 89442420 eb0a 8b442420 ffc8 }
            // n = 6, score = 200
            //   8b442440             | jmp                 0x1c
            //   ffc8                 | mov                 eax, dword ptr [esp + eax*4 + 0x34]
            //   89442420             | mov                 dword ptr [esp + ecx*4 + 0x34], eax
            //   eb0a                 | jmp                 0xffffffcf
            //   8b442420             | mov                 dword ptr [esp + 0x34], 0
            //   ffc8                 | mov                 eax, dword ptr [esp + 0x40]

        $sequence_4 = { 6a00 ff15???????? 8d542418 8d44242c 8a4c2470 52 50 }
            // n = 7, score = 200
            //   6a00                 | dec                 esp
            //   ff15????????         |                     
            //   8d542418             | add                 eax, edx
            //   8d44242c             | dec                 eax
            //   8a4c2470             | lea                 ecx, [esp + 0x250]
            //   52                   | inc                 ecx
            //   50                   | mov                 eax, 2

        $sequence_5 = { 83c404 89442418 85c0 c784249802000001000000 7414 668b4d04 83c506 }
            // n = 7, score = 200
            //   83c404               | dec                 eax
            //   89442418             | lea                 edx, [esp + 0x470]
            //   85c0                 | dec                 eax
            //   c784249802000001000000     | lea    ecx, [esp + 0x30]
            //   7414                 | inc                 esp
            //   668b4d04             | mov                 ecx, dword ptr [esp + 0x10b0]
            //   83c506               | inc                 ecx

        $sequence_6 = { 488bc8 ff15???????? 4889442420 48837c242000 740b 488d4c2428 }
            // n = 6, score = 200
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   4889442420           | mov                 ecx, eax
            //   48837c242000         | dec                 eax
            //   740b                 | mov                 dword ptr [esp + 0x20], eax
            //   488d4c2428           | dec                 eax

        $sequence_7 = { 33c0 8dbc241c030000 6804010000 f3ab }
            // n = 4, score = 200
            //   33c0                 | test                eax, eax
            //   8dbc241c030000       | mov                 dword ptr [esp + 0x298], 1
            //   6804010000           | je                  0x27
            //   f3ab                 | mov                 cx, word ptr [ebp + 4]

        $sequence_8 = { 48833d????????00 7505 e8???????? c7442420ffffffff c744242c00000000 eb0a }
            // n = 6, score = 200
            //   48833d????????00     |                     
            //   7505                 | mov                 dword ptr [esp + 0x240], eax
            //   e8????????           |                     
            //   c7442420ffffffff     | mov                 eax, dword ptr [esp + 0x240]
            //   c744242c00000000     | cmp                 dword ptr [esp + 0x28], 0
            //   eb0a                 | jle                 0x79

        $sequence_9 = { 488b8c24e0100000 48ffc1 8b15???????? 4c8b05???????? 4c03c2 }
            // n = 5, score = 200
            //   488b8c24e0100000     | mov                 eax, dword ptr [esp + 0x20]
            //   48ffc1               | dec                 eax
            //   8b15????????         |                     
            //   4c8b05????????       |                     
            //   4c03c2               | dec                 eax

        $sequence_10 = { 8bcb e8???????? 85c0 0f84e3000000 8bcb e8???????? }
            // n = 6, score = 200
            //   8bcb                 | push                edx
            //   e8????????           |                     
            //   85c0                 | push                eax
            //   0f84e3000000         | add                 esp, 4
            //   8bcb                 | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     

        $sequence_11 = { 7478 8bce e8???????? 3dc8000000 7562 }
            // n = 5, score = 200
            //   7478                 | mov                 cx, word ptr [esi + 4]
            //   8bce                 | lea                 edx, [esi + 6]
            //   e8????????           |                     
            //   3dc8000000           | push                ecx
            //   7562                 | mov                 ecx, ebx

        $sequence_12 = { 83c002 8d942490000000 50 52 }
            // n = 4, score = 200
            //   83c002               | test                eax, eax
            //   8d942490000000       | je                  0xeb
            //   50                   | mov                 ecx, ebx
            //   52                   | xor                 eax, eax

        $sequence_13 = { e8???????? 837c242800 7e77 837c242803 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   837c242800           | dec                 eax
            //   7e77                 | cwde                
            //   837c242803           | movzx               eax, byte ptr [esp + eax + 0x130]

        $sequence_14 = { f3a4 8b4c2414 896c2418 c6042900 e9???????? 83c9ff }
            // n = 6, score = 200
            //   f3a4                 | add                 ebp, 6
            //   8b4c2414             | xor                 ebx, ebx
            //   896c2418             | cmp                 eax, ebx
            //   c6042900             | mov                 dword ptr [esp + 0x3c], ebx
            //   e9????????           |                     
            //   83c9ff               | je                  0x1c

        $sequence_15 = { 33db 3bc3 895c243c 7414 668b4e04 8d5606 51 }
            // n = 7, score = 200
            //   33db                 | mov                 eax, 7
            //   3bc3                 | dec                 eax
            //   895c243c             | lea                 edx, [0x73af]
            //   7414                 | push                0
            //   668b4e04             | lea                 edx, [esp + 0x18]
            //   8d5606               | lea                 eax, [esp + 0x2c]
            //   51                   | mov                 cl, byte ptr [esp + 0x70]

    // A hit needs 7 of the 16 sequences, so the rule tolerates partial code
    // churn between builds and across the 32-bit/64-bit variants. The
    // filesize cap (196608 bytes = 192 KiB) keeps scanning cheap, but it also
    // means samples padded, bundled or packed beyond that size are outside
    // the scope of this rule and need separate coverage.
    condition:
        7 of them and filesize < 196608
}