win.mapiget

MAPIget

Actor(s): Comment Crew


There is no description at this point.

References
2018 | Mandiant | Mandiant
@techreport{mandiant:2018:apt1:b76cc4d, author = {Mandiant}, title = {{APT1}}, date = {2018}, institution = {Mandiant}, url = {https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf}, language = {English}, urldate = {2020-01-13} } APT1
Auriga Biscuit Bouncer Combos CookieBag Dairy GetMail GlooxMail Goggles Hacksfase Helauto Kurton ManItsMe MAPIget MiniASP NewsReels SeaSalt StarsyPound Sword TabMsgSQL Tarsip WebC2-AdSpace WebC2-Ausov WebC2-Bolid WebC2-Cson WebC2-DIV WebC2-GreenCat WebC2-Head WebC2-Kt3 WebC2-Qbp WebC2-Rave WebC2-Table WebC2-UGX WebC2-Yahoo
Yara Rules
[TLP:WHITE] win_mapiget_auto (20230125 | Detects win.mapiget.)
rule win_mapiget_auto {

    /* Purpose: detect the MAPIget family (Malpedia id win.mapiget) by
     * matching short x86 code sequences lifted from unpacked samples.
     * The rule fires when at least 7 of the 10 $sequence_* hex strings
     * occur in a scanned file smaller than 163840 bytes (160 KiB); see
     * the `condition:` section at the bottom.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.mapiget."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        // NOTE(review): malpedia_hash appears to identify the Malpedia data
        // snapshot the rule was generated from rather than a sample — confirm
        // before treating it as a sample IoC.
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings below:
     *  - Each $sequence_N is a YARA hex string. Bytes written as ?? are
     *    wildcards that match any byte; the generator leaves the disassembly
     *    column empty for instructions that contain them (e.g. e8????????,
     *    ff15????????, 8b0d????????), so those call/jump targets and
     *    absolute operands do not pin the rule to one build.
     *  - Fully spelled-out absolute addresses do pin it: sequences 0, 7 and 9
     *    reference 0x411720, sequence 4 references 0x40eae0 and sequence 8
     *    references 0x40e208. A sample built at a different image base, or
     *    relocated in memory, will likely miss those strings; the
     *    "7 of them" threshold leaves some slack for that.
     *  - "n" is the number of instructions in the sequence; "score" is
     *    presumably the generator's selection score (see the yara-signator
     *    project for its exact meaning).
     */

    strings:
        $sequence_0 = { 7429 8bd6 8bde c1fa05 83e31f 8b149520174100 f644da0480 }
            // n = 7, score = 100
            //   7429                 | je                  0x2b
            //   8bd6                 | mov                 edx, esi
            //   8bde                 | mov                 ebx, esi
            //   c1fa05               | sar                 edx, 5
            //   83e31f               | and                 ebx, 0x1f
            //   8b149520174100       | mov                 edx, dword ptr [edx*4 + 0x411720]
            //   f644da0480           | test                byte ptr [edx + ebx*8 + 4], 0x80

        $sequence_1 = { 6683382d 754a 33c9 668b4802 83c1ba 83f92d }
            // n = 6, score = 100
            //   6683382d             | cmp                 word ptr [eax], 0x2d
            //   754a                 | jne                 0x4c
            //   33c9                 | xor                 ecx, ecx
            //   668b4802             | mov                 cx, word ptr [eax + 2]
            //   83c1ba               | add                 ecx, -0x46
            //   83f92d               | cmp                 ecx, 0x2d

        $sequence_2 = { e8???????? 83c404 6683bc45eefeffff0a 7517 8d95f0feffff 52 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6683bc45eefeffff0a     | cmp    word ptr [ebp + eax*2 - 0x112], 0xa
            //   7517                 | jne                 0x19
            //   8d95f0feffff         | lea                 edx, [ebp - 0x110]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_3 = { 7f04 33c0 eb33 ff4d0c 7428 ff7510 e8???????? }
            // n = 7, score = 100
            //   7f04                 | jg                  6
            //   33c0                 | xor                 eax, eax
            //   eb33                 | jmp                 0x35
            //   ff4d0c               | dec                 dword ptr [ebp + 0xc]
            //   7428                 | je                  0x2a
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     

        $sequence_4 = { 8b0d???????? 03c8 3bc1 7d1e 8d1440 2bc8 8d1495e0ea4000 }
            // n = 7, score = 100
            //   8b0d????????         |                     
            //   03c8                 | add                 ecx, eax
            //   3bc1                 | cmp                 eax, ecx
            //   7d1e                 | jge                 0x20
            //   8d1440               | lea                 edx, [eax + eax*2]
            //   2bc8                 | sub                 ecx, eax
            //   8d1495e0ea4000       | lea                 edx, [edx*4 + 0x40eae0]

        $sequence_5 = { c705????????01000000 46 83c704 3bf3 7ca6 }
            // n = 5, score = 100
            //   c705????????01000000     |     
            //   46                   | inc                 esi
            //   83c704               | add                 edi, 4
            //   3bf3                 | cmp                 esi, ebx
            //   7ca6                 | jl                  0xffffffa8

        $sequence_6 = { 50 895dfc e8???????? 83c408 83f8ff 751c }
            // n = 6, score = 100
            //   50                   | push                eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   83f8ff               | cmp                 eax, -1
            //   751c                 | jne                 0x1e

        $sequence_7 = { 8b048520174100 8d04d0 eb05 b8???????? }
            // n = 4, score = 100
            //   8b048520174100       | mov                 eax, dword ptr [eax*4 + 0x411720]
            //   8d04d0               | lea                 eax, [eax + edx*8]
            //   eb05                 | jmp                 7
            //   b8????????           |                     

        $sequence_8 = { 52 c744244044000000 c744244808e24000 c744246c01000000 ff15???????? 85c0 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   c744244044000000     | mov                 dword ptr [esp + 0x40], 0x44
            //   c744244808e24000     | mov                 dword ptr [esp + 0x48], 0x40e208
            //   c744246c01000000     | mov                 dword ptr [esp + 0x6c], 1
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            // NOTE(review): the 0x44 stored at [esp + 0x40] looks like a
            // STARTUPINFO.cb-style structure setup ahead of an import call
            // (ff15) — confirm against the sample; not load-bearing for the match.

        $sequence_9 = { 83e61f 8d1c8520174100 c1e603 8b03 f644300401 7469 57 }
            // n = 7, score = 100
            //   83e61f               | and                 esi, 0x1f
            //   8d1c8520174100       | lea                 ebx, [eax*4 + 0x411720]
            //   c1e603               | shl                 esi, 3
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   f644300401           | test                byte ptr [eax + esi + 4], 1
            //   7469                 | je                  0x6b
            //   57                   | push                edi

    /* Match rule: at least 7 of the 10 sequences above must be present and
     * the scanned object must be smaller than 163840 bytes (160 KiB).
     * The filesize bound is a cheap pre-filter, but it applies to the scanned
     * object as a whole: a large container or archive holding a matching
     * sample may be excluded by it. On process-memory scans `filesize` is
     * not defined and the comparison will not hold — confirm the behaviour
     * for your YARA version. Because the strings were lifted from memory
     * dumps and unpacked files (see DISCLAIMER), apply the rule to unpacked
     * samples or memory, not to packed on-disk binaries.
     */

    condition:
        7 of them and filesize < 163840
}