win.kivars

KIVARS


There is no description at this point.

References
2020-09-29 · Symantec · Threat Hunter Team
@online{team:20200929:palmerworm:4a96e3b, author = {Threat Hunter Team}, title = {{Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors}}, date = {2020-09-29}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt}, language = {English}, urldate = {2020-10-04} } Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
KIVARS PLEAD BlackTech
2017-06-22 · Trend Micro · Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:trail:ba78447, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html}, language = {English}, urldate = {2021-01-29} } The Trail of BlackTech’s Cyber Espionage Campaigns
bifrose KIVARS PLEAD
2014-07-02 · Trend Micro · Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
Yara Rules
[TLP:WHITE] win_kivars_auto (20211008 | Detects win.kivars.)
// Reviewer note on the annotations: the per-byte disassembly comments emitted by
// yara-signator on this page were shifted between sequences (e.g. the bytes
// 4883ec20 were annotated as "mov dword ptr [esp + 0x68], eax", which is the
// decoding of $sequence_2's 4889442468). The annotations below were re-decoded
// from the hex bytes themselves. Sequences carrying a REX prefix (48/4c/45) are
// x64 code; the remaining sequences are shown with 32-bit register names, though
// the bytes alone do not fix the execution mode. "??" bytes are operands the
// generator wildcards (rel32 call/jmp targets, disp32 memory slots, imm32).
rule win_kivars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.kivars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // x64: stack reservation, then bit 0 of a field at +0x154 of the struct in rdx is tested.
        $sequence_0 = { 4883ec20 488bea 8b8554010000 83e001 85c0 }
            // n = 5, score = 200
            //   4883ec20             | sub                 rsp, 0x20
            //   488bea               | mov                 rbp, rdx
            //   8b8554010000         | mov                 eax, dword ptr [rbp + 0x154]
            //   83e001               | and                 eax, 1
            //   85c0                 | test                eax, eax

        // Indirect call through a pointer stored at [ebp] with ecx = ebp and one pushed
        // argument -- resembles a C++ virtual call (ecx = object); not confirmable from bytes alone.
        $sequence_1 = { e8???????? 83c408 8b742410 8b5500 6a03 8bcd ff12 }
            // n = 7, score = 200
            //   e8????????           | call                <wildcarded rel32>
            //   83c408               | add                 esp, 8
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   8b5500               | mov                 edx, dword ptr [ebp]
            //   6a03                 | push                3
            //   8bcd                 | mov                 ecx, ebp
            //   ff12                 | call                dword ptr [edx]

        // x64: store/reload of the same stack slot back-to-back -- looks like an unoptimized build.
        $sequence_2 = { e9???????? 488b8424a0000000 4889442468 488b442468 4889442460 }
            // n = 5, score = 200
            //   e9????????           | jmp                 <wildcarded rel32>
            //   488b8424a0000000     | mov                 rax, qword ptr [rsp + 0xa0]
            //   4889442468           | mov                 qword ptr [rsp + 0x68], rax
            //   488b442468           | mov                 rax, qword ptr [rsp + 0x68]
            //   4889442460           | mov                 qword ptr [rsp + 0x60], rax

        // x64: reads a dword at +0x10 of a pointer held on the stack and adds a local to it.
        $sequence_3 = { 7742 488b442458 8b4010 03442420 8bc0 }
            // n = 5, score = 200
            //   7742                 | ja                  +0x42
            //   488b442458           | mov                 rax, qword ptr [rsp + 0x58]
            //   8b4010               | mov                 eax, dword ptr [rax + 0x10]
            //   03442420             | add                 eax, dword ptr [rsp + 0x20]
            //   8bc0                 | mov                 eax, eax

        // Two ASCII immediates ('i', 'e') loaded into byte registers before pushes.
        $sequence_4 = { b169 b065 52 56 }
            // n = 4, score = 200
            //   b169                 | mov                 cl, 0x69   ; 'i'
            //   b065                 | mov                 al, 0x65   ; 'e'
            //   52                   | push                edx
            //   56                   | push                esi

        // Writes a byte, then two '=' bytes, into a buffer at ecx -- resembles
        // base64 padding, but that is an inference from the constant only.
        $sequence_5 = { 8801 b03d 885101 884102 884103 }
            // n = 5, score = 200
            //   8801                 | mov                 byte ptr [ecx], al
            //   b03d                 | mov                 al, 0x3d   ; '='
            //   885101               | mov                 byte ptr [ecx + 1], dl
            //   884102               | mov                 byte ptr [ecx + 2], al
            //   884103               | mov                 byte ptr [ecx + 3], al

        // Loads two bytes at +0x100 / +0x101 of a caller-supplied buffer.
        $sequence_6 = { 57 8b7c2414 8a8701010000 8a9700010000 }
            // n = 4, score = 200
            //   57                   | push                edi
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   8a8701010000         | mov                 al, byte ptr [edi + 0x101]
            //   8a9700010000         | mov                 dl, byte ptr [edi + 0x100]

        // x64: compares a local against 1 and clears edx on the fall-through path.
        $sequence_7 = { 488b842478010000 e9???????? 837c243001 754b 33d2 }
            // n = 5, score = 200
            //   488b842478010000     | mov                 rax, qword ptr [rsp + 0x178]
            //   e9????????           | jmp                 <wildcarded rel32>
            //   837c243001           | cmp                 dword ptr [rsp + 0x30], 1
            //   754b                 | jne                 +0x4b
            //   33d2                 | xor                 edx, edx

        // x64: rcx/rdx/r8/r9 plus [rsp+0x20] are being populated -- matches the
        // Windows x64 calling convention's four register args plus a fifth stack arg.
        $sequence_8 = { 488b8c24c0010000 48894c2420 4c8d4c2458 4533c0 488bd0 }
            // n = 5, score = 200
            //   488b8c24c0010000     | mov                 rcx, qword ptr [rsp + 0x1c0]
            //   48894c2420           | mov                 qword ptr [rsp + 0x20], rcx
            //   4c8d4c2458           | lea                 r9, [rsp + 0x58]
            //   4533c0               | xor                 r8d, r8d
            //   488bd0               | mov                 rdx, rax

        // Stack-string construction: ASCII bytes written one at a time into
        // adjacent stack slots, then an import call. The full string is not visible here.
        $sequence_9 = { c644243a6d 884c243b c644243c72 c644243d79 ff15???????? 3bc5 }
            // n = 6, score = 200
            //   c644243a6d           | mov                 byte ptr [esp + 0x3a], 0x6d   ; 'm'
            //   884c243b             | mov                 byte ptr [esp + 0x3b], cl
            //   c644243c72           | mov                 byte ptr [esp + 0x3c], 0x72   ; 'r'
            //   c644243d79           | mov                 byte ptr [esp + 0x3d], 0x79   ; 'y'
            //   ff15????????         | call                dword ptr [<wildcarded disp32>]
            //   3bc5                 | cmp                 eax, ebp

        // Branches on al == 'B', then passes a stack buffer to a single-argument import.
        $sequence_10 = { 3c42 7512 8d4c2411 51 ff15???????? 83c404 8944243c }
            // n = 7, score = 200
            //   3c42                 | cmp                 al, 0x42   ; 'B'
            //   7512                 | jne                 +0x12
            //   8d4c2411             | lea                 ecx, [esp + 0x11]
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [<wildcarded disp32>]
            //   83c404               | add                 esp, 4
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        // x64: a helper is called twice with edx = 0x10 (second arg), the first time on
        // the result of the previous call, the second on a stack buffer at +0x1a0.
        $sequence_11 = { ba10000000 488bc8 e8???????? 488d8424a0010000 ba10000000 }
            // n = 5, score = 200
            //   ba10000000           | mov                 edx, 0x10
            //   488bc8               | mov                 rcx, rax
            //   e8????????           | call                <wildcarded rel32>
            //   488d8424a0010000     | lea                 rax, [rsp + 0x1a0]
            //   ba10000000           | mov                 edx, 0x10

        // x64: zero-initializes a local at +0x56c and calls a helper with a stack buffer in rcx.
        $sequence_12 = { c784246c05000000000000 488d8c2450010000 e8???????? 90 }
            // n = 4, score = 200
            //   c784246c05000000000000     | mov    dword ptr [rsp + 0x56c], 0
            //   488d8c2450010000     | lea                 rcx, [rsp + 0x150]
            //   e8????????           | call                <wildcarded rel32>
            //   90                   | nop

        // Computes (eax >> 2) * 3 + 1 and passes it to a call -- consistent with sizing
        // a base64 decode output (3 bytes per 4 input chars plus a terminator); inference only.
        $sequence_13 = { 89442418 c1e802 8d7c4001 57 e8???????? 8bcf }
            // n = 6, score = 200
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   c1e802               | shr                 eax, 2
            //   8d7c4001             | lea                 edi, [eax + eax*2 + 1]
            //   57                   | push                edi
            //   e8????????           | call                <wildcarded rel32>
            //   8bcf                 | mov                 ecx, edi

        // Tests a character against '\' (0x5c), which suggests path handling; the pushed
        // immediate is wildcarded so the referenced data is not visible.
        $sequence_14 = { 80f95c 740f 8d842470010000 68???????? }
            // n = 4, score = 200
            //   80f95c               | cmp                 cl, 0x5c   ; '\'
            //   740f                 | je                  +0x0f
            //   8d842470010000       | lea                 eax, [esp + 0x170]
            //   68????????           | push                <wildcarded imm32>

        // Four non-printable bytes (e0 7e ce 8f) written to consecutive stack slots at
        // +0x118d..+0x1190 -- possibly encoded data being staged on the stack; unconfirmed.
        $sequence_15 = { c684248d110000e0 c684248e1100007e c684248f110000ce c68424901100008f }
            // n = 4, score = 200
            //   c684248d110000e0     | mov                 byte ptr [esp + 0x118d], 0xe0
            //   c684248e1100007e     | mov                 byte ptr [esp + 0x118e], 0x7e
            //   c684248f110000ce     | mov                 byte ptr [esp + 0x118f], 0xce
            //   c68424901100008f     | mov                 byte ptr [esp + 0x1190], 0x8f

    condition:
        // Any 7 of the 16 sequences must be present. The filesize bound (192 KiB)
        // means a larger carrier (e.g. a dropper embedding the payload) will not
        // match even when the patterns are present; per the DISCLAIMER above the
        // sequences were taken from unpacked files and memory dumps, so scanning
        // dumped/unpacked modules is the intended use.
        7 of them and filesize < 196608
}