
Kurton

Actor(s): Comment Crew


There is no description at this point.

References
2018-01-01 | Mandiant | Mandiant
APT1
Auriga Biscuit Bouncer Combos CookieBag Dairy GetMail GlooxMail Goggles Hacksfase Helauto Kurton ManItsMe MAPIget MiniASP NewsReels SeaSalt StarsyPound Sword TabMsgSQL Tarsip WebC2-AdSpace WebC2-Ausov WebC2-Bolid WebC2-Cson WebC2-DIV WebC2-GreenCat WebC2-Head WebC2-Kt3 WebC2-Qbp WebC2-Rave WebC2-Table WebC2-UGX WebC2-Yahoo
Yara Rules
[TLP:WHITE] win_kurton_auto (20260504 | Detects win.kurton.)
rule win_kurton_auto {

    /*
     * Autogenerated code-sequence signature for Kurton (Malpedia win.kurton).
     * Each $sequence_N below is a run of 32-bit x86 instruction bytes taken
     * from the disassembly; the listing under each string shows the decoded
     * instructions. Operands are wildcarded with `??` where the signator
     * config (callsandjumps;datarefs) masks them, i.e. call/jump displacements
     * and absolute data references that differ between builds or load
     * addresses, so only the opcode skeleton has to match.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kurton."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences come from memory dumps / unpacked
    // files (see disclaimer), this rule is not expected to fire on a packed or
    // encrypted on-disk sample; scan unpacked payloads or dumped memory.

    strings:
        // In the per-string comments, `n` is the number of instructions in the
        // sequence (it matches the listing length) and `score` is the value
        // yara-signator assigned to the sequence; its scale is not documented
        // in this rule, so do not read it as a confidence percentage.
        $sequence_0 = { 8d4c2418 e8???????? bf???????? 83c9ff 33c0 8b54241c f2ae }
            // n = 7, score = 100
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   e8????????           |                     
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_1 = { eb23 33c0 8a8718cc0110 668b9486760a0000 66d3e2 660996b0160000 83c103 }
            // n = 7, score = 100
            //   eb23                 | jmp                 0x25
            //   33c0                 | xor                 eax, eax
            //   8a8718cc0110         | mov                 al, byte ptr [edi + 0x1001cc18]
            //   668b9486760a0000     | mov                 dx, word ptr [esi + eax*4 + 0xa76]
            //   66d3e2               | shl                 dx, cl
            //   660996b0160000       | or                  word ptr [esi + 0x16b0], dx
            //   83c103               | add                 ecx, 3

        $sequence_2 = { 84c0 7431 8b4704 3bdd b9???????? 761b }
            // n = 6, score = 100
            //   84c0                 | test                al, al
            //   7431                 | je                  0x33
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   3bdd                 | cmp                 ebx, ebp
            //   b9????????           |                     
            //   761b                 | jbe                 0x1d

        $sequence_3 = { 33c0 8dbc2465040000 889c2464040000 f3ab 3bf3 66ab }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   8dbc2465040000       | lea                 edi, [esp + 0x465]
            //   889c2464040000       | mov                 byte ptr [esp + 0x464], bl
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   3bf3                 | cmp                 esi, ebx
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_4 = { e8???????? 3d00040000 8d4c2414 7618 e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   3d00040000           | cmp                 eax, 0x400
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   7618                 | jbe                 0x1a
            //   e8????????           |                     

        // NOTE(review): $sequence_5 has only five fixed bytes (the rest are
        // wildcards) and is a generic call / stack-cleanup / push-argument
        // shape, so it is likely to appear in unrelated 32-bit code; the
        // 7-of-10 threshold in the condition is what keeps weak sequences like
        // this one from driving a match on their own.
        $sequence_5 = { e8???????? 83c424 8d442404 68???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   8d442404             | lea                 eax, [esp + 4]
            //   68????????           |                     

        $sequence_6 = { c70000000000 6844030000 c7450000000000 e8???????? 8bb42430010000 8bd8 b984000000 }
            // n = 7, score = 100
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   6844030000           | push                0x344
            //   c7450000000000       | mov                 dword ptr [ebp], 0
            //   e8????????           |                     
            //   8bb42430010000       | mov                 esi, dword ptr [esp + 0x130]
            //   8bd8                 | mov                 ebx, eax
            //   b984000000           | mov                 ecx, 0x84

        $sequence_7 = { 896f0c 8a542413 8d4e30 55 c644242801 8811 e8???????? }
            // n = 7, score = 100
            //   896f0c               | mov                 dword ptr [edi + 0xc], ebp
            //   8a542413             | mov                 dl, byte ptr [esp + 0x13]
            //   8d4e30               | lea                 ecx, [esi + 0x30]
            //   55                   | push                ebp
            //   c644242801           | mov                 byte ptr [esp + 0x28], 1
            //   8811                 | mov                 byte ptr [ecx], dl
            //   e8????????           |                     

        $sequence_8 = { 83c130 e9???????? 8b4df0 83c150 e9???????? 8b4df0 83c160 }
            // n = 7, score = 100
            //   83c130               | add                 ecx, 0x30
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   83c150               | add                 ecx, 0x50
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   83c160               | add                 ecx, 0x60

        $sequence_9 = { 8b8694000000 50 ffd7 8bce e8???????? }
            // n = 5, score = 100
            //   8b8694000000         | mov                 eax, dword ptr [esi + 0x94]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

    condition:
        // Require a majority (7 of the 10 sequences): a single sequence is too
        // small to be discriminating, while demanding all 10 would presumably
        // miss variants where one or two sequences were compiled differently.
        // The filesize bound caps the rule to smallish executables.
        // NOTE(review): YARA's `filesize` is undefined when scanning process
        // memory, which makes this whole condition evaluate false in that
        // mode even though the strings were derived from dumped/unpacked code.
        // Confirm against the YARA version you deploy; for memory scanning,
        // consider a variant of this rule without the filesize term.
        7 of them and filesize < 344064
}