win.ksl0t

KSL0T

Actor(s): Turla


A keylogger used by Turla.

References
2019-07-08 | 0ffset Blog | 0verfl0w_
@online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload
KSL0T
2019-07-08 | 0ffset Blog | 0verfl0w_
@online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload
KSL0T
2018-10-05 | _
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          

<gr_replace lines="188-188" cat="remove_boilerplate" orig="Download all Yara Rules">
@online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } Post 0x17.2: Analyzing Turla’s Keylogger
KSL0T
Yara Rules
[TLP:WHITE] win_ksl0t_auto (20230715 | Detects win.ksl0t.)
rule win_ksl0t_auto {
    /* REVIEW NOTES
     * Purpose: code-pattern signature for the Turla keylogger tracked by
     * Malpedia as win.ksl0t.  Each $sequence_N string is a run of raw opcode
     * bytes; "??" wildcards mask bytes that change between builds (call/jmp
     * targets, absolute addresses used as immediates).  YARA matches on the
     * hex bytes only -- the "//" disassembly under each string is
     * documentation, not part of the pattern.
     *
     * Sequences that open with a REX prefix (0x48 / 0x41 / 0x44 / 0x4c:
     * $sequence_0, _2, _3, _11, _12, _13, _14, _15) are 64-bit code; the rest
     * are 32-bit code, so the generator apparently saw both x86 and x64 builds.
     * The generator's annotations for the 64-bit sequences were produced by a
     * 32-bit decode and were shifted across sequences (e.g. the text originally
     * under $sequence_0 was the decode of $sequence_14's bytes, and the
     * "dec eax / lea edx, [0xd8a1]" that ended $sequence_13's annotation is the
     * 32-bit reading of $sequence_0's first instruction 48 8d 15 a1 d8 00 00).
     * Those annotations are replaced below with a 64-bit decode and marked
     * "(reviewer decode)".  RIP-relative operands are written [rip+disp]
     * because the absolute target depends on the load address.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.ksl0t."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 64-bit: two RIP-relative data references around a call (reviewer decode)
        $sequence_0 = { 488d15a1d80000 b93d000000 e8???????? 41b806000000 488d15ded70000 }
            // n = 5, score = 200
            //   488d15a1d80000       | lea                 rdx, [rip+0xd8a1]
            //   b93d000000           | mov                 ecx, 0x3d
            //   e8????????           | call                <wildcarded rel32>
            //   41b806000000         | mov                 r8d, 6
            //   488d15ded70000       | lea                 rdx, [rip+0xd7de]

        // 32-bit: pushes the address of a large stack buffer before a call
        $sequence_1 = { 57 8d8502110000 50 e8???????? }
            // n = 4, score = 200
            //   57                   | push                edi
            //   8d8502110000         | lea                 eax, [ebp + 0x1102]
            //   50                   | push                eax
            //   e8????????           |                     

        // 64-bit: indirect call through an import-style pointer (reviewer decode)
        $sequence_2 = { 488d15d5dd0000 488d8c24b0020000 ff15???????? 488d1554af0000 }
            // n = 4, score = 200
            //   488d15d5dd0000       | lea                 rdx, [rip+0xddd5]
            //   488d8c24b0020000     | lea                 rcx, [rsp+0x2b0]
            //   ff15????????         | call                qword ptr [rip+<wildcarded>]
            //   488d1554af0000       | lea                 rdx, [rip+0xaf54]

        // 64-bit: argument setup, edx = 0x100 looks like a buffer length (reviewer decode)
        $sequence_3 = { 754f 4c8d05ad2e0000 458bcd ba00010000 33c9 }
            // n = 5, score = 200
            //   754f                 | jne                 short +0x4f
            //   4c8d05ad2e0000       | lea                 r8, [rip+0x2ead]
            //   458bcd               | mov                 r9d, r13d
            //   ba00010000           | mov                 edx, 0x100
            //   33c9                 | xor                 ecx, ecx

        // 32-bit: same ebp+0x1100 buffer family as $sequence_1, followed by a
        // word-sized local pushed as an argument
        $sequence_4 = { 57 8d9500110000 52 ff15???????? 0fb745e0 50 68???????? }
            // n = 7, score = 200
            //   57                   | push                edi
            //   8d9500110000         | lea                 edx, [ebp + 0x1100]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   0fb745e0             | movzx               eax, word ptr [ebp - 0x20]
            //   50                   | push                eax
            //   68????????           |                     

        // 32-bit: chain of subtractions from two wildcarded immediates
        // (likely address arithmetic; the masked bytes are absolute addresses)
        $sequence_5 = { bd???????? b8???????? 2bf9 2bd9 83ed49 2bc1 89442418 }
            // n = 7, score = 200
            //   bd????????           |                     
            //   b8????????           |                     
            //   2bf9                 | sub                 edi, ecx
            //   2bd9                 | sub                 ebx, ecx
            //   83ed49               | sub                 ebp, 0x49
            //   2bc1                 | sub                 eax, ecx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        // 32-bit: byte XOR against a buffer with a 4-byte stride and a counter
        // decrement -- looks like a decoding loop; confirm against the sample
        $sequence_6 = { 8b74241c 30040e 83c104 836c241001 0f8579ffffff bb23000000 }
            // n = 6, score = 200
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]
            //   30040e               | xor                 byte ptr [esi + ecx], al
            //   83c104               | add                 ecx, 4
            //   836c241001           | sub                 dword ptr [esp + 0x10], 1
            //   0f8579ffffff         | jne                 0xffffff7f
            //   bb23000000           | mov                 ebx, 0x23

        // 32-bit: fs:[0] read plus xor-with-ebp of a global -- resembles the
        // MSVC SEH/security-cookie prologue, so this sequence is generic-looking
        // and may match unrelated binaries; it only counts as one of the 7
        $sequence_7 = { 64a100000000 50 83ec1c a1???????? 3145f8 33c5 898568080000 }
            // n = 7, score = 200
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax
            //   83ec1c               | sub                 esp, 0x1c
            //   a1????????           |                     
            //   3145f8               | xor                 dword ptr [ebp - 8], eax
            //   33c5                 | xor                 eax, ebp
            //   898568080000         | mov                 dword ptr [ebp + 0x868], eax

        // 32-bit: byte-wise construction of a small structure/string on the stack
        $sequence_8 = { c68424c002000012 888424c1020000 889c24c2020000 c68424c302000002 }
            // n = 4, score = 200
            //   c68424c002000012     | mov                 byte ptr [esp + 0x2c0], 0x12
            //   888424c1020000       | mov                 byte ptr [esp + 0x2c1], al
            //   889c24c2020000       | mov                 byte ptr [esp + 0x2c2], bl
            //   c68424c302000002     | mov                 byte ptr [esp + 0x2c3], 2

        // 32-bit: cdecl call with three arguments (add esp, 0xc) then a jump
        $sequence_9 = { 68???????? ff15???????? 83c40c e9???????? 6a06 }
            // n = 5, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   e9????????           |                     
            //   6a06                 | push                6

        // 32-bit: cookie check (xor ecx, ebp; call) and frame teardown with a
        // 0x86c-byte frame -- the counterpart of $sequence_7's 0x868 slot
        $sequence_10 = { 33cd e8???????? 81c56c080000 8be5 }
            // n = 4, score = 200
            //   33cd                 | xor                 ecx, ebp
            //   e8????????           |                     
            //   81c56c080000         | add                 ebp, 0x86c
            //   8be5                 | mov                 esp, ebp

        // 64-bit: RIP-relative address advanced by a constant (reviewer decode)
        $sequence_11 = { ff15???????? e9???????? 488d15a5c10000 4881c21c010000 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip+<wildcarded>]
            //   e9????????           | jmp                 <wildcarded rel32>
            //   488d15a5c10000       | lea                 rdx, [rip+0xc1a5]
            //   4881c21c010000       | add                 rdx, 0x11c

        // 64-bit: loads from a large stack frame, pointer + index (reviewer decode)
        $sequence_12 = { 448b842438090000 8b8424f4080000 488b4c2448 4803c8 }
            // n = 4, score = 200
            //   448b842438090000     | mov                 r8d, dword ptr [rsp+0x938]
            //   8b8424f4080000       | mov                 eax, dword ptr [rsp+0x8f4]
            //   488b4c2448           | mov                 rcx, qword ptr [rsp+0x48]
            //   4803c8               | add                 rcx, rax

        // 64-bit: byte-wise stack stores, same idiom as $sequence_8 (reviewer decode)
        $sequence_13 = { c684249f03000020 c68424a003000021 c68424a103000055 c684249000000001 c684249100000003a c684249200000000 }
            // n = 6, score = 200
            //   c684249f03000020     | mov                 byte ptr [rsp+0x39f], 0x20
            //   c68424a003000021     | mov                 byte ptr [rsp+0x3a0], 0x21
            //   c68424a103000055     | mov                 byte ptr [rsp+0x3a1], 0x55
            //   c684249000000001     | mov                 byte ptr [rsp+0x90], 1
            //   c684249100000003a     | mov                 byte ptr [rsp+0x91], 0x3a
            //   c684249200000000     | mov                 byte ptr [rsp+0x92], 0

        // 64-bit: reads a 16-bit value through a pointer, null check, then
        // compares a second one with 0x2d ('-') -- looks like wide-string
        // option parsing; confirm against the sample (reviewer decode)
        $sequence_14 = { 0fb700 85c0 7426 488b442430 0fb700 83f82d }
            // n = 6, score = 200
            //   0fb700               | movzx               eax, word ptr [rax]
            //   85c0                 | test                eax, eax
            //   7426                 | je                  short +0x26
            //   488b442430           | mov                 rax, qword ptr [rsp+0x30]
            //   0fb700               | movzx               eax, word ptr [rax]
            //   83f82d               | cmp                 eax, 0x2d

        // 64-bit: same call pattern as $sequence_0 with different immediates (reviewer decode)
        $sequence_15 = { b92f000000 e8???????? 41b824000000 488d153bd90000 b939000000 }
            // n = 5, score = 200
            //   b92f000000           | mov                 ecx, 0x2f
            //   e8????????           | call                <wildcarded rel32>
            //   41b824000000         | mov                 r8d, 0x24
            //   488d153bd90000       | lea                 rdx, [rip+0xd93b]
            //   b939000000           | mov                 ecx, 0x39

    condition:
        // At least 7 of the 16 opcode sequences must be present, so a single
        // generic-looking sequence (e.g. $sequence_7) cannot trigger on its own.
        // filesize < 196608 (0x30000, 192 KiB) restricts matches to small
        // files, consistent with the unpacked samples and dumps the strings
        // were drawn from; packed or larger builds will not be scanned.
        7 of them and filesize < 196608
}
Download all Yara Rules