win.ksl0t

KSL0T

Actor(s): Turla Group


A Windows keylogger attributed to the Turla group. The references below are reverse-engineering write-ups of the sample; the YARA rule further down is an autogenerated code-sequence signature, not a hand-written one.

References
2019-07-08 · 0ffset Blog · 0verfl0w_
@online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload
KSL0T
2019-07-08 · 0ffset Blog · 0verfl0w_
@online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload
KSL0T
2018-10-05 · _
@online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } Post 0x17.2: Analyzing Turla’s Keylogger
KSL0T
Yara Rules
[TLP:WHITE] win_ksl0t_auto (20210616 | Detects win.ksl0t.)
rule win_ksl0t_auto {

    /*
     * Autogenerated (yara-signator) code-sequence signature for the KSL0T
     * keylogger (Malpedia family win.ksl0t, attributed to Turla).
     *
     * Review notes:
     *  - The per-byte disassembly annotations shipped with the original rule
     *    did not correspond to the bytes they sat next to (they were shifted
     *    relative to the hex and decoded as 32-bit code). They have been
     *    replaced below with a straight decode of each hex sequence.
     *    "????????" bytes are wildcards for relocatable displacements and
     *    immediates; nothing else in the strings is wildcarded.
     *  - Sequences carrying REX prefixes (0x41/0x44/0x48/0x49/0x4c) are
     *    64-bit code. $sequence_2, _7, _10 and _11 use encodings that only
     *    make sense in 32-bit code (push imm32, mov eax, [moffs32] with a
     *    4-byte address). The samples behind this rule therefore appear to
     *    include both bitnesses -- TODO confirm against the Malpedia sample
     *    set before assuming a single-architecture family.
     *  - The runs of "mov byte ptr [stack], imm8/reg8" ($sequence_4, _6,
     *    _9, _13) look like inline construction of a stack buffer, a common
     *    string-obfuscation idiom. That is an inference from the encoding,
     *    not something the rule itself asserts.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.ksl0t."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     * A practical consequence: these are unpacked-code signatures. Packed or
     * otherwise transformed on-disk samples will not match until unpacked.
     */


    strings:
        // 64-bit: stack-resident call through two indirect (wildcarded) import calls.
        $sequence_0 = { 448b8424a4140000 488d15f3d20000 488d8c24a0100000 ff15???????? 488d8c24a0100000 ff15???????? 4c8bc0 }
            // n = 7, score = 200
            //   448b8424a4140000     | mov                 r8d, dword ptr [rsp + 0x14a4]
            //   488d15f3d20000       | lea                 rdx, [rip + 0xd2f3]
            //   488d8c24a0100000     | lea                 rcx, [rsp + 0x10a0]
            //   ff15????????         | call                qword ptr [rip + disp32]   (target wildcarded)
            //   488d8c24a0100000     | lea                 rcx, [rsp + 0x10a0]
            //   ff15????????         | call                qword ptr [rip + disp32]   (target wildcarded)
            //   4c8bc0               | mov                 r8, rax

        // 64-bit: call through a function pointer held on the stack, result stored.
        $sequence_1 = { 488b8c24e0010000 ff942418040000 4c8bd8 488b842420040000 4c895810 488d942418030000 488b8c24e0010000 }
            // n = 7, score = 200
            //   488b8c24e0010000     | mov                 rcx, qword ptr [rsp + 0x1e0]
            //   ff942418040000       | call                qword ptr [rsp + 0x418]
            //   4c8bd8               | mov                 r11, rax
            //   488b842420040000     | mov                 rax, qword ptr [rsp + 0x420]
            //   4c895810             | mov                 qword ptr [rax + 0x10], r11
            //   488d942418030000     | lea                 rdx, [rsp + 0x318]
            //   488b8c24e0010000     | mov                 rcx, qword ptr [rsp + 0x1e0]

        // 32-bit only: a1 with a 4-byte address is mov eax, [moffs32].
        $sequence_2 = { 7420 a1???????? 6a00 50 }
            // n = 4, score = 200
            //   7420                 | je                  +0x20
            //   a1????????           | mov                 eax, dword ptr [moffs32]   (address wildcarded)
            //   6a00                 | push                0
            //   50                   | push                eax

        // 64-bit: RIP-relative data references around an indirect call.
        $sequence_3 = { 488d0df3e50000 ff15???????? e9???????? 488d1521c30000 }
            // n = 4, score = 200
            //   488d0df3e50000       | lea                 rcx, [rip + 0xe5f3]
            //   ff15????????         | call                qword ptr [rip + disp32]   (target wildcarded)
            //   e9????????           | jmp                 rel32                      (target wildcarded)
            //   488d1521c30000       | lea                 rdx, [rip + 0xc321]

        // Seven consecutive immediate bytes written into a stack buffer
        // (none printable: likely an encoded blob, not a cleartext string).
        // Encoding is identical in 32-bit code with esp in place of rsp.
        $sequence_4 = { c684242002000012 c684242102000030 c684242202000021 c684242302000005 c684242402000027 c68424250200003a c684242602000036 }
            // n = 7, score = 200
            //   c684242002000012     | mov                 byte ptr [rsp + 0x220], 0x12
            //   c684242102000030     | mov                 byte ptr [rsp + 0x221], 0x30
            //   c684242202000021     | mov                 byte ptr [rsp + 0x222], 0x21
            //   c684242302000005     | mov                 byte ptr [rsp + 0x223], 0x05
            //   c684242402000027     | mov                 byte ptr [rsp + 0x224], 0x27
            //   c68424250200003a     | mov                 byte ptr [rsp + 0x225], 0x3a
            //   c684242602000036     | mov                 byte ptr [rsp + 0x226], 0x36

        // Byte-wise XOR into a stack buffer indexed by rax, preceded by a
        // backwards jb -- consistent with the tail/head of a decode loop
        // (inference; the loop body is not in the sequence).
        $sequence_5 = { 72f3 33c0 90 308c04c0020000 }
            // n = 4, score = 200
            //   72f3                 | jb                  -0x0d
            //   33c0                 | xor                 eax, eax
            //   90                   | nop
            //   308c04c0020000       | xor                 byte ptr [rsp + rax + 0x2c0], cl

        // Seven consecutive immediate bytes into a small stack buffer (disp8 form).
        $sequence_6 = { c644242019 c64424213c c644242237 c644242327 c644242434 c644242527 c64424262c }
            // n = 7, score = 200
            //   c644242019           | mov                 byte ptr [rsp + 0x20], 0x19
            //   c64424213c           | mov                 byte ptr [rsp + 0x21], 0x3c
            //   c644242237           | mov                 byte ptr [rsp + 0x22], 0x37
            //   c644242327           | mov                 byte ptr [rsp + 0x23], 0x27
            //   c644242434           | mov                 byte ptr [rsp + 0x24], 0x34
            //   c644242527           | mov                 byte ptr [rsp + 0x25], 0x27
            //   c64424262c           | mov                 byte ptr [rsp + 0x26], 0x2c

        // 32-bit: out-parameter on the stack, two pushes, import call, result test.
        $sequence_7 = { 83ec08 8d0424 50 51 ff15???????? 85c0 741d }
            // n = 7, score = 200
            //   83ec08               | sub                 esp, 8
            //   8d0424               | lea                 eax, [esp]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [imm32]          (target wildcarded)
            //   85c0                 | test                eax, eax
            //   741d                 | je                  +0x1d

        // 64-bit: pointer compare against a RIP-relative address, with
        // alternative address selected on the other branch.
        $sequence_8 = { 4c8d25d6720000 493bcc 740e e8???????? eb07 4c8d25c3720000 }
            // n = 6, score = 200
            //   4c8d25d6720000       | lea                 r12, [rip + 0x72d6]
            //   493bcc               | cmp                 rcx, r12
            //   740e                 | je                  +0x0e
            //   e8????????           | call                rel32                      (target wildcarded)
            //   eb07                 | jmp                 +0x07
            //   4c8d25c3720000       | lea                 r12, [rip + 0x72c3]

        // Stack-buffer construction with printable bytes: 0x77 'w', 0x6d 'm', 0x73 's'.
        $sequence_9 = { b077 b26d c684240403000073 88842405030000 }
            // n = 4, score = 200
            //   b077                 | mov                 al, 0x77
            //   b26d                 | mov                 dl, 0x6d
            //   c684240403000073     | mov                 byte ptr [rsp + 0x304], 0x73
            //   88842405030000       | mov                 byte ptr [rsp + 0x305], al

        // 32-bit: cdecl call with three pushed arguments (stack cleaned by 0xc).
        $sequence_10 = { 68???????? 68???????? ff15???????? 83c40c e9???????? 6a0b }
            // n = 6, score = 200
            //   68????????           | push                imm32                      (wildcarded)
            //   68????????           | push                imm32                      (wildcarded)
            //   ff15????????         | call                dword ptr [imm32]          (target wildcarded)
            //   83c40c               | add                 esp, 0xc
            //   e9????????           | jmp                 rel32                      (target wildcarded)
            //   6a0b                 | push                0xb

        // 32-bit: frame-relative buffer passed to an import call.
        $sequence_11 = { 83c40c 8d8d00100000 51 ff15???????? }
            // n = 4, score = 200
            //   83c40c               | add                 esp, 0xc
            //   8d8d00100000         | lea                 ecx, [ebp + 0x1000]
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [imm32]          (target wildcarded)

        // 64-bit: three-argument call (rcx, rdx+0x92, r8d=1) -- near-duplicate
        // of $sequence_15 with different constants.
        $sequence_12 = { e9???????? 488d1551c40000 4881c292000000 41b801000000 488d0dfde60000 ff15???????? e9???????? }
            // n = 7, score = 200
            //   e9????????           | jmp                 rel32                      (target wildcarded)
            //   488d1551c40000       | lea                 rdx, [rip + 0xc451]
            //   4881c292000000       | add                 rdx, 0x92
            //   41b801000000         | mov                 r8d, 1
            //   488d0dfde60000       | lea                 rcx, [rip + 0xe6fd]
            //   ff15????????         | call                qword ptr [rip + disp32]   (target wildcarded)
            //   e9????????           | jmp                 rel32                      (target wildcarded)

        // Two separate stack buffers filled with immediates and register bytes.
        $sequence_13 = { c68424ef01000032 c68424f001000023 c68424f101000002 888c24f2010000 c644242c20 c644242d26 8844242e }
            // n = 7, score = 200
            //   c68424ef01000032     | mov                 byte ptr [rsp + 0x1ef], 0x32
            //   c68424f001000023     | mov                 byte ptr [rsp + 0x1f0], 0x23
            //   c68424f101000002     | mov                 byte ptr [rsp + 0x1f1], 0x02
            //   888c24f2010000       | mov                 byte ptr [rsp + 0x1f2], cl
            //   c644242c20           | mov                 byte ptr [rsp + 0x2c], 0x20
            //   c644242d26           | mov                 byte ptr [rsp + 0x2d], 0x26
            //   8844242e             | mov                 byte ptr [rsp + 0x2e], al

        // 64-bit: the same stack-held function pointer ([rsp+0x178]) called
        // twice with different buffers; results saved to the frame.
        $sequence_14 = { 488d8c2460030000 ff942478010000 48898424e0010000 488d8c24c0020000 ff942478010000 48898424c0030000 }
            // n = 6, score = 200
            //   488d8c2460030000     | lea                 rcx, [rsp + 0x360]
            //   ff942478010000       | call                qword ptr [rsp + 0x178]
            //   48898424e0010000     | mov                 qword ptr [rsp + 0x1e0], rax
            //   488d8c24c0020000     | lea                 rcx, [rsp + 0x2c0]
            //   ff942478010000       | call                qword ptr [rsp + 0x178]
            //   48898424c0030000     | mov                 qword ptr [rsp + 0x3c0], rax

        // 64-bit: see $sequence_12.
        $sequence_15 = { 4881c294000000 41b801000000 488d0dd7e60000 ff15???????? }
            // n = 4, score = 200
            //   4881c294000000       | add                 rdx, 0x94
            //   41b801000000         | mov                 r8d, 1
            //   488d0dd7e60000       | lea                 rcx, [rip + 0xe6d7]
            //   ff15????????         | call                qword ptr [rip + disp32]   (target wildcarded)

    condition:
        // 16 sequences are defined; any 7 must be present. The size cap is
        // 196608 bytes = 0x30000 = 192 KiB.
        // NOTE(review): `filesize` is undefined when YARA scans a live
        // process rather than a file, and an undefined operand makes the
        // whole condition evaluate to false -- so this rule is expected to
        // fire only on on-disk files and dumps written to disk. Confirm for
        // the YARA version in use before relying on it for memory scanning.
        7 of them and filesize < 196608
}