win.ksl0t

KSL0T

Actor(s): Turla Group


A keylogger used by Turla.

References
2019-07-08 · 0ffset Blog · 0verfl0w_
@online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload
KSL0T
2019-07-08 · 0ffset Blog · 0verfl0w_
@online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload
KSL0T
2018-10-05 · _
@online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } Post 0x17.2: Analyzing Turla’s Keylogger
KSL0T
Yara Rules
[TLP:WHITE] win_ksl0t_auto (20220808 | Detects win.ksl0t.)
// Autogenerated YARA rule for the Turla keylogger tracked by Malpedia as win.ksl0t.
// Matching is purely on opcode byte sequences (no text strings, no PE-structure
// checks): an input matches when at least 7 of the 16 $sequence_* patterns are
// present AND the input is smaller than 196608 bytes (192 KiB) -- see `condition`.
rule win_ksl0t_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.ksl0t."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t"
        malpedia_rule_date = "20220805"
        // Reference sample hash recorded by the generator (see the disclaimer
        // below: the family may be represented by very few samples).
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the sequences below:
     *  - Each $sequence_N is a raw hex byte pattern. `??` is a one-byte wildcard;
     *    here it covers the 4-byte operands of relocated calls/jumps/pushes
     *    (ff15????????, e8????????, e9????????, 68????????), so those sequences
     *    are address-independent.
     *  - "n" is the number of instructions in the sequence (it equals the number
     *    of annotation lines); "score" is the generator's ranking value -- its
     *    scale is not documented on this page.
     *  - The `//` disassembly annotations are generator output only; YARA matches
     *    the hex bytes, never the annotations. Several annotations do not decode
     *    the bytes beside them (e.g. in $sequence_1 the bytes 7d1a are a
     *    conditional jump, and the REX-prefixed 64-bit sequences appear to be
     *    decoded as 32-bit code and shifted relative to a neighbouring sequence).
     *    NOTE(review): this looks like a yara-signator listing quirk -- verify
     *    against a disassembler before using an annotation as ground truth.
     *  - Both 32-bit ebp/esp-relative code (e.g. $sequence_0, _2, _3, _5) and
     *    REX-prefixed 48/4c/41 code (e.g. $sequence_6, _7, _13, _14) are present,
     *    so the rule presumably covers both x86 and x64 builds of the family --
     *    confirm against the sample set before assuming coverage of either.
     */
    strings:
        $sequence_0 = { 52 ff15???????? 56 68???????? 8d8500110000 50 eb6a }
            // n = 7, score = 200
            //   52                   | push                edx
            //   ff15????????         |                     
            //   56                   | push                esi
            //   68????????           |                     
            //   8d8500110000         | lea                 eax, [ebp + 0x1100]
            //   50                   | push                eax
            //   eb6a                 | jmp                 0x6c

        $sequence_1 = { 7d1a 4863cf 8a84191d010000 4288840120fd0000 }
            // n = 4, score = 200
            //   7d1a                 | dec                 eax
            //   4863cf               | mov                 dword ptr [esp + 0x30], eax
            //   8a84191d010000       | mov                 dword ptr [esp + 0x20], 0
            //   4288840120fd0000     | dec                 eax

        $sequence_2 = { 6800020000 57 8d8500090000 50 }
            // n = 4, score = 200
            //   6800020000           | push                0x200
            //   57                   | push                edi
            //   8d8500090000         | lea                 eax, [ebp + 0x900]
            //   50                   | push                eax

        $sequence_3 = { 03c0 50 8d8d00090000 51 68???????? }
            // n = 5, score = 200
            //   03c0                 | add                 eax, eax
            //   50                   | push                eax
            //   8d8d00090000         | lea                 ecx, [ebp + 0x900]
            //   51                   | push                ecx
            //   68????????           |                     

        $sequence_4 = { ffd7 8d8c24d0000000 51 53 }
            // n = 4, score = 200
            //   ffd7                 | call                edi
            //   8d8c24d0000000       | lea                 ecx, [esp + 0xd0]
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_5 = { c684244b01000039 8884244c010000 c684244d01000002 888c244e010000 c644245016 c644245127 88442452 }
            // n = 7, score = 200
            //   c684244b01000039     | mov                 byte ptr [esp + 0x14b], 0x39
            //   8884244c010000       | mov                 byte ptr [esp + 0x14c], al
            //   c684244d01000002     | mov                 byte ptr [esp + 0x14d], 2
            //   888c244e010000       | mov                 byte ptr [esp + 0x14e], cl
            //   c644245016           | mov                 byte ptr [esp + 0x50], 0x16
            //   c644245127           | mov                 byte ptr [esp + 0x51], 0x27
            //   88442452             | mov                 byte ptr [esp + 0x52], al

        $sequence_6 = { 8138a0000000 0f84c3000000 488b442450 8138a3000000 }
            // n = 4, score = 200
            //   8138a0000000         | dec                 eax
            //   0f84c3000000         | add                 edx, 0xec
            //   488b442450           | inc                 ecx
            //   8138a3000000         | mov                 eax, 4

        $sequence_7 = { e8???????? 488d15563c0000 41b810200100 488bcf e8???????? eb45 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   488d15563c0000       | dec                 eax
            //   41b810200100         | lea                 edx, [0x3c56]
            //   488bcf               | inc                 ecx
            //   e8????????           |                     
            //   eb45                 | mov                 eax, 0x12010

        $sequence_8 = { 889c2441020000 c684244202000073 889c2443020000 c684244402000061 c684244502000074 c684244602000000 88942448020000 }
            // n = 7, score = 200
            //   889c2441020000       | mov                 byte ptr [esp + 0x241], bl
            //   c684244202000073     | mov                 byte ptr [esp + 0x242], 0x73
            //   889c2443020000       | mov                 byte ptr [esp + 0x243], bl
            //   c684244402000061     | mov                 byte ptr [esp + 0x244], 0x61
            //   c684244502000074     | mov                 byte ptr [esp + 0x245], 0x74
            //   c684244602000000     | mov                 byte ptr [esp + 0x246], 0
            //   88942448020000       | mov                 byte ptr [esp + 0x248], dl

        $sequence_9 = { 83ed3b 2bc1 89442414 c744241006000000 90 }
            // n = 5, score = 200
            //   83ed3b               | sub                 ebp, 0x3b
            //   2bc1                 | sub                 eax, ecx
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   c744241006000000     | mov                 dword ptr [esp + 0x10], 6
            //   90                   | nop                 

        $sequence_10 = { c68424a501000038 c68424a601000001 c68424a70100003c c68424a801000038 }
            // n = 4, score = 200
            //   c68424a501000038     | dec                 eax
            //   c68424a601000001     | mov                 ecx, edi
            //   c68424a70100003c     | jmp                 0x4a
            //   c68424a801000038     | mov                 byte ptr [esp + 0x1a5], 0x38

        $sequence_11 = { c684240a03000074 c684240b03000066 c684240c03000000 888424a0020000 889c24a1020000 }
            // n = 5, score = 200
            //   c684240a03000074     | mov                 byte ptr [esp + 0x30a], 0x74
            //   c684240b03000066     | mov                 byte ptr [esp + 0x30b], 0x66
            //   c684240c03000000     | mov                 byte ptr [esp + 0x30c], 0
            //   888424a0020000       | mov                 byte ptr [esp + 0x2a0], al
            //   889c24a1020000       | mov                 byte ptr [esp + 0x2a1], bl

        $sequence_12 = { ff15???????? 4889442450 48837c245000 756e ff15???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   4889442450           | dec                 eax
            //   48837c245000         | arpl                di, cx
            //   756e                 | mov                 al, byte ptr [ecx + ebx + 0x11d]
            //   ff15????????         |                     

        $sequence_13 = { 488d0563a00000 4889442430 c744242000000000 488d542420 488b4c2450 ff15???????? }
            // n = 6, score = 200
            //   488d0563a00000       | mov                 byte ptr [esp + 0x1a6], 1
            //   4889442430           | mov                 byte ptr [esp + 0x1a7], 0x3c
            //   c744242000000000     | mov                 byte ptr [esp + 0x1a8], 0x38
            //   488d542420           | dec                 eax
            //   488b4c2450           | lea                 eax, [0xa063]
            //   ff15????????         |                     

        $sequence_14 = { c744242001000000 4c8d8c24d0140000 4c8d8424e0140000 8bd7 }
            // n = 4, score = 200
            //   c744242001000000     | inc                 edx
            //   4c8d8c24d0140000     | mov                 byte ptr [ecx + eax + 0xfd20], al
            //   4c8d8424e0140000     | dec                 eax
            //   8bd7                 | lea                 edx, [0xc289]

        $sequence_15 = { ff15???????? e9???????? 488d1589c20000 4881c2ec000000 41b804000000 488d0d35e50000 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   e9????????           |                     
            //   488d1589c20000       | lea                 edx, [esp + 0x20]
            //   4881c2ec000000       | dec                 eax
            //   41b804000000         | mov                 ecx, dword ptr [esp + 0x50]
            //   488d0d35e50000       | jge                 0x1c

    condition:
        // Any 7 of the 16 sequences suffice; no single sequence is mandatory, so
        // a hit cannot be attributed to one specific code fragment without
        // inspecting which strings matched (e.g. with `yara -s`).
        // The size cap is an AND-clause: an input of 196608 bytes or more never
        // matches regardless of how many sequences it contains, so apply the rule
        // to unpacked files / carved regions of a size the cap was tuned for.
        7 of them and filesize < 196608
}