win.ksl0t

KSL0T

Actor(s): Turla Group


A keylogger used by Turla.

References
2019-07-08 | 0ffset Blog | 0verfl0w_
@online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload
KSL0T
2019-07-08 | 0ffset Blog | 0verfl0w_
@online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload
KSL0T
2018-10-05 | _
@online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } Post 0x17.2: Analyzing Turla’s Keylogger
KSL0T
Yara Rules
[TLP:WHITE] win_ksl0t_auto (20230125 | Detects win.ksl0t.)
rule win_ksl0t_auto {
    /* Auto-generated code-pattern signature for the KSL0T keylogger (win.ksl0t).
     * Sixteen $sequence_N strings hold raw instruction bytes lifted from the
     * Malpedia reference sample(s); the rule fires when at least seven of them
     * occur in a file smaller than 196608 bytes (192 KiB).
     * The REX-prefixed sequences ($sequence_1, 4, 5, 6, 8, 10, 15; bytes 0x48/
     * 0x4c/0x41 before the opcode) appear to come from 64-bit code, the rest
     * from 32-bit code, so a hit alone does not tell you the sample's
     * architecture -- confirm against the referenced analyses.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.ksl0t."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-line disassembly comments below are the generator's
     * 32-bit rendering and are NOT aligned with the hex on the 64-bit
     * sequences -- e.g. $sequence_5's comments decode $sequence_1's bytes and
     * $sequence_8's comments decode $sequence_5's. When auditing or tuning the
     * rule, trust the hex literals, not the mnemonics.
     * "??" bytes mask the displacement of call/jmp instructions (opcodes ff15,
     * e8, e9) that differ between builds, so the pattern survives relocation
     * and recompilation.
     */

    strings:
        // $sequence_0, 7, 8, 9, 12, 13, 14: runs of "mov byte ptr [esp+N], imm/reg"
        // filling a stack buffer one byte at a time -- looks like an
        // inline-constructed string or lookup table; a fairly specific pattern,
        // but also one that a rebuilt sample could shift or reorder.
        $sequence_0 = { c684248e02000039 8884248f020000 c684249002000001 c68424910200003c c684249202000038 88842493020000 888c2494020000 }
            // n = 7, score = 200
            //   c684248e02000039     | mov                 byte ptr [esp + 0x28e], 0x39
            //   8884248f020000       | mov                 byte ptr [esp + 0x28f], al
            //   c684249002000001     | mov                 byte ptr [esp + 0x290], 1
            //   c68424910200003c     | mov                 byte ptr [esp + 0x291], 0x3c
            //   c684249202000038     | mov                 byte ptr [esp + 0x292], 0x38
            //   88842493020000       | mov                 byte ptr [esp + 0x293], al
            //   888c2494020000       | mov                 byte ptr [esp + 0x294], cl

        // 64-bit sequence; two wildcarded transfers (ff15 = indirect call,
        // e9 = jmp) sit between the rip-relative lea/add instructions.
        $sequence_1 = { 4881c29e000000 41b808000000 488d0d19e60000 ff15???????? e9???????? 488d1547c30000 4881c2ae000000 }
            // n = 7, score = 200
            //   4881c29e000000       | dec                 eax
            //   41b808000000         | add                 edx, 0x9e
            //   488d0d19e60000       | inc                 ecx
            //   ff15????????         |                     
            //   e9????????           |                     
            //   488d1547c30000       | mov                 eax, 8
            //   4881c2ae000000       | dec                 eax

        $sequence_2 = { ffd7 8d942440020000 52 55 89869c000000 }
            // n = 5, score = 200
            //   ffd7                 | call                edi
            //   8d942440020000       | lea                 edx, [esp + 0x240]
            //   52                   | push                edx
            //   55                   | push                ebp
            //   89869c000000         | mov                 dword ptr [esi + 0x9c], eax

        // $sequence_2 / $sequence_3: generic "call edi, store result in a
        // struct" idiom; short (5 bytes of opcodes) and the least specific
        // strings in the set.
        $sequence_3 = { 52 53 89463c ffd7 894640 }
            // n = 5, score = 200
            //   52                   | push                edx
            //   53                   | push                ebx
            //   89463c               | mov                 dword ptr [esi + 0x3c], eax
            //   ffd7                 | call                edi
            //   894640               | mov                 dword ptr [esi + 0x40], eax

        $sequence_4 = { 448b8424a8140000 488d1566d30000 488d8c24a0080000 ff15???????? }
            // n = 4, score = 200
            //   448b8424a8140000     | dec                 esp
            //   488d1566d30000       | mov                 ebx, eax
            //   488d8c24a0080000     | dec                 esp
            //   ff15????????         |                     

        $sequence_5 = { 488d05d3910000 483bf8 740e 833f00 7509 488bcf }
            // n = 6, score = 200
            //   488d05d3910000       | lea                 ecx, [0xe619]
            //   483bf8               | dec                 eax
            //   740e                 | lea                 edx, [0xc347]
            //   833f00               | dec                 eax
            //   7509                 | add                 edx, 0xae
            //   488bcf               | dec                 eax

        $sequence_6 = { 488b842420040000 4c895808 488d942438030000 488b8c24e0010000 ff942418040000 4c8bd8 }
            // n = 6, score = 200
            //   488b842420040000     | jne                 0x10
            //   4c895808             | dec                 eax
            //   488d942438030000     | mov                 ecx, edi
            //   488b8c24e0010000     | mov                 byte ptr [esp + 0x285], 0x21
            //   ff942418040000       | mov                 byte ptr [esp + 0x286], 0x55
            //   4c8bd8               | mov                 byte ptr [esp + 0x1f8], 0x38

        $sequence_7 = { c684243b01000039 c684243c01000039 c684243d01000066 c684243e01000067 }
            // n = 4, score = 200
            //   c684243b01000039     | mov                 byte ptr [esp + 0x13b], 0x39
            //   c684243c01000039     | mov                 byte ptr [esp + 0x13c], 0x39
            //   c684243d01000066     | mov                 byte ptr [esp + 0x13d], 0x66
            //   c684243e01000067     | mov                 byte ptr [esp + 0x13e], 0x67

        $sequence_8 = { c684248502000021 c684248602000055 c68424f801000038 c68424f901000034 c68424fa01000039 }
            // n = 5, score = 200
            //   c684248502000021     | lea                 eax, [0x91d3]
            //   c684248602000055     | dec                 eax
            //   c68424f801000038     | cmp                 edi, eax
            //   c68424f901000034     | je                  0x10
            //   c68424fa01000039     | cmp                 dword ptr [edi], 0

        $sequence_9 = { c684240302000038 88842404020000 c684240502000002 888c2406020000 }
            // n = 4, score = 200
            //   c684240302000038     | mov                 byte ptr [esp + 0x203], 0x38
            //   88842404020000       | mov                 byte ptr [esp + 0x204], al
            //   c684240502000002     | mov                 byte ptr [esp + 0x205], 2
            //   888c2406020000       | mov                 byte ptr [esp + 0x206], cl

        $sequence_10 = { 4c899838010000 488d942480020000 488b8c24e0000000 ff942418040000 }
            // n = 4, score = 200
            //   4c899838010000       | mov                 byte ptr [esp + 0x1f9], 0x34
            //   488d942480020000     | mov                 byte ptr [esp + 0x1fa], 0x39
            //   488b8c24e0000000     | dec                 eax
            //   ff942418040000       | mov                 eax, dword ptr [esp + 0x420]

        // 32-bit; the wildcarded e8 is a direct call whose rel32 target varies.
        $sequence_11 = { e8???????? 33d2 66899500110000 68fe030000 57 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   66899500110000       | mov                 word ptr [ebp + 0x1100], dx
            //   68fe030000           | push                0x3fe
            //   57                   | push                edi

        $sequence_12 = { c684248a01000032 8884248b010000 888c248c010000 c68424a401000011 c68424a50100003c }
            // n = 5, score = 200
            //   c684248a01000032     | mov                 byte ptr [esp + 0x18a], 0x32
            //   8884248b010000       | mov                 byte ptr [esp + 0x18b], al
            //   888c248c010000       | mov                 byte ptr [esp + 0x18c], cl
            //   c68424a401000011     | mov                 byte ptr [esp + 0x1a4], 0x11
            //   c68424a50100003c     | mov                 byte ptr [esp + 0x1a5], 0x3c

        $sequence_13 = { c68424af01000026 c68424b001000034 c68424b101000032 888424b2010000 }
            // n = 4, score = 200
            //   c68424af01000026     | mov                 byte ptr [esp + 0x1af], 0x26
            //   c68424b001000034     | mov                 byte ptr [esp + 0x1b0], 0x34
            //   c68424b101000032     | mov                 byte ptr [esp + 0x1b1], 0x32
            //   888424b2010000       | mov                 byte ptr [esp + 0x1b2], al

        $sequence_14 = { c644246d1d c644246e34 c644246f3b c644247031 c644247139 88442472 }
            // n = 6, score = 200
            //   c644246d1d           | mov                 byte ptr [esp + 0x6d], 0x1d
            //   c644246e34           | mov                 byte ptr [esp + 0x6e], 0x34
            //   c644246f3b           | mov                 byte ptr [esp + 0x6f], 0x3b
            //   c644247031           | mov                 byte ptr [esp + 0x70], 0x31
            //   c644247139           | mov                 byte ptr [esp + 0x71], 0x39
            //   88442472             | mov                 byte ptr [esp + 0x72], al

        // 64-bit; compares a stack dword against 0xa0 and 0xa1 (81bc24...a0/a1)
        // and branches -- presumably a small state/opcode dispatch; verify.
        $sequence_15 = { 898424e4150000 81bc24e4150000a0000000 7439 81bc24e4150000a1000000 7402 eb52 488d15a7c60000 }
            // n = 7, score = 200
            //   898424e4150000       | dec                 esp
            //   81bc24e4150000a0000000     | mov    dword ptr [eax + 8], ebx
            //   7439                 | dec                 eax
            //   81bc24e4150000a1000000     | lea    edx, [esp + 0x338]
            //   7402                 | dec                 eax
            //   eb52                 | mov                 ecx, dword ptr [esp + 0x1e0]
            //   488d15a7c60000       | call                dword ptr [esp + 0x418]

    condition:
        // At least 7 of the 16 $sequence_N strings must match; the size cap
        // (192 KiB) keeps the rule from being evaluated against large
        // containers. NOTE(review): `filesize` is only meaningful when scanning
        // files -- check the behaviour before applying this rule to process
        // memory, where a different size bound (or none) may be appropriate.
        7 of them and filesize < 196608
}