win.lowzero

LOWZERO

Actor(s): Lucky Cat (the references below attribute this family to the group they track as TA413)


No description of this family is available on this page yet; the references listed below are the primary sources for its behaviour and attribution.

References
2023-02-07 — Organization: MalGamy — Author: MalGamy
@online{malgamy:20230207:approach:ef67110, author = {MalGamy}, title = {{The Approach of TA413 for Tibetan Targets}}, date = {2023-02-07}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage}, language = {English}, urldate = {2023-02-09} } The Approach of TA413 for Tibetan Targets
Families covered: 8.t Dropper, LOWZERO
2022-09-22 — Institution: Recorded Future — Author: Insikt Group®
@techreport{group:20220922:chinese:9349a24, author = {Insikt Group®}, title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}}, date = {2022-09-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf}, language = {English}, urldate = {2022-09-26} } Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
Families covered: 8.t Dropper, LOWZERO
Yara Rules
[TLP:WHITE] win_lowzero_auto (20230125 | Detects win.lowzero.)
rule win_lowzero_auto {

    /* REVIEW NOTES (comments only; rule logic and metadata are unchanged)
     * - Autogenerated code-sequence rule for the LOWZERO family; see the
     *   generator disclaimer below for how the sequences were selected.
     * - 9 of the 10 sequences embed an absolute 32-bit address taken straight
     *   from the disassembly (0x431b60, 0x40dc18 or 0x411180 appear in the
     *   hex as little-endian dwords). The rule is therefore tied to the image
     *   base and section layout of the sample(s) it was generated from: a
     *   rebuilt or rebased binary can fall below the 7-of-10 threshold even
     *   if the code is otherwise identical. The addresses are consistent with
     *   a 32-bit PE at the default 0x400000 base — verify against the sample.
     * - Only $sequence_8 contains no absolute address; it looks like a generic
     *   SSE copy loop and may also appear in unrelated binaries, so do not
     *   weight it on its own.
     * - Call targets (e8 / ff15) are wildcarded with ????????, so relocated
     *   call and import destinations do not affect matching.
     * - The condition also requires the scanned object to be smaller than
     *   433152 bytes (423 KiB); larger files or dumps are excluded no matter
     *   how many sequences match. Per the disclaimer the strings come from
     *   memory dumps and unpacked files, so expect misses on packed or
     *   encrypted on-disk payloads.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): generator date; differs by one day from malpedia_rule_date below.
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lowzero."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowzero"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence comments below, "n" is the instruction count of
        // the sequence (it matches the disassembly lines shown); "score" is
        // emitted by the generator.
        // Absolute table/data address 0x431b60 (hex 601b4300) is hard-coded here.
        $sequence_0 = { 57 e8???????? 59 8975fc 8b45e0 8b0485601b4300 f644030401 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b0485601b4300       | mov                 eax, dword ptr [eax*4 + 0x431b60]
            //   f644030401           | test                byte ptr [ebx + eax + 4], 1

        // Same 0x431b60 table; index split into (edi >> 5) and (esi & 0x1f) << 6.
        $sequence_1 = { 8bf0 c1ff05 83e61f c1e606 8b0cbd601b4300 }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   c1ff05               | sar                 edi, 5
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b0cbd601b4300       | mov                 ecx, dword ptr [edi*4 + 0x431b60]

        // Absolute address 0x40dc18 (hex 18dc4000), 8-byte-stride table lookup.
        $sequence_2 = { 7309 8b04c518dc4000 5d c3 33c0 5d c3 }
            // n = 7, score = 100
            //   7309                 | jae                 0xb
            //   8b04c518dc4000       | mov                 eax, dword ptr [eax*8 + 0x40dc18]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        // 0x431b60 again; the ff15 indirect call target is wildcarded.
        $sequence_3 = { 50 8b8528e5ffff 8b0485601b4300 ff3401 ff15???????? 8bb540e5ffff 8bbd34e5ffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b8528e5ffff         | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   8b0485601b4300       | mov                 eax, dword ptr [eax*4 + 0x431b60]
            //   ff3401               | push                dword ptr [ecx + eax]
            //   ff15????????         |                     
            //   8bb540e5ffff         | mov                 esi, dword ptr [ebp - 0x1ac0]
            //   8bbd34e5ffff         | mov                 edi, dword ptr [ebp - 0x1acc]

        // Overlaps with the start of $sequence_3 (same stack slots, same 0x431b60 lookup).
        $sequence_4 = { 8b8d24e5ffff 50 8b8528e5ffff 8b0485601b4300 }
            // n = 4, score = 100
            //   8b8d24e5ffff         | mov                 ecx, dword ptr [ebp - 0x1adc]
            //   50                   | push                eax
            //   8b8528e5ffff         | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   8b0485601b4300       | mov                 eax, dword ptr [eax*4 + 0x431b60]

        // 0x431b60 lookup followed by a test of bit 0 at offset +4.
        $sequence_5 = { 83e31f c1e306 8b0485601b4300 0fbe440304 83e001 7472 }
            // n = 6, score = 100
            //   83e31f               | and                 ebx, 0x1f
            //   c1e306               | shl                 ebx, 6
            //   8b0485601b4300       | mov                 eax, dword ptr [eax*4 + 0x431b60]
            //   0fbe440304           | movsx               eax, byte ptr [ebx + eax + 4]
            //   83e001               | and                 eax, 1
            //   7472                 | je                  0x74

        // Superset of $sequence_2 with the preceding bound check (eax < 0xe4).
        $sequence_6 = { 3de4000000 7309 8b04c518dc4000 5d c3 }
            // n = 5, score = 100
            //   3de4000000           | cmp                 eax, 0xe4
            //   7309                 | jae                 0xb
            //   8b04c518dc4000       | mov                 eax, dword ptr [eax*8 + 0x40dc18]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        // 0x431b60 lookup testing bit 0x40 at offset +4; trailing call target wildcarded.
        $sequence_7 = { c1e106 8b0485601b4300 0fbe440804 83e040 5d c3 e8???????? }
            // n = 7, score = 100
            //   c1e106               | shl                 ecx, 6
            //   8b0485601b4300       | mov                 eax, dword ptr [eax*4 + 0x431b60]
            //   0fbe440804           | movsx               eax, byte ptr [eax + ecx + 4]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e8????????           |                     

        // Only sequence with no absolute address; 16-byte movdqu copy step.
        $sequence_8 = { 8bf0 2bf1 8bcf f30f6f01 83c210 8d4910 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   2bf1                 | sub                 esi, ecx
            //   8bcf                 | mov                 ecx, edi
            //   f30f6f01             | movdqu              xmm0, xmmword ptr [ecx]
            //   83c210               | add                 edx, 0x10
            //   8d4910               | lea                 ecx, [ecx + 0x10]

        // Byte-copy loop writing to absolute address 0x411180 (hex 80114100),
        // followed by a compare against 0x100 — 256-entry table construction, presumably.
        $sequence_9 = { 8a441918 888180114100 41 ebe8 8975e4 81fe00010000 }
            // n = 6, score = 100
            //   8a441918             | mov                 al, byte ptr [ecx + ebx + 0x18]
            //   888180114100         | mov                 byte ptr [ecx + 0x411180], al
            //   41                   | inc                 ecx
            //   ebe8                 | jmp                 0xffffffea
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   81fe00010000         | cmp                 esi, 0x100

    condition:
        // Any 7 of the 10 sequences above, and only in objects smaller than 433152 bytes (423 KiB).
        7 of them and filesize < 433152
}