win.megumin

MeguminTrojan


Megumin Trojan is a malware family with multiple functions (DDoS, Miner, Loader, Clipper).

References
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2019-05-03 | fumik0 blog | fumik0
@online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } Let’s nuke Megumin Trojan
MeguminTrojan
Yara Rules
[TLP:WHITE] win_megumin_auto (20230125 | Detects win.megumin.)
rule win_megumin_auto {
    // Autogenerated code-pattern rule for win.megumin (see the yara-signator
    // DISCLAIMER below). Each $sequence_N is a short run of x86 instruction
    // bytes lifted from the disassembly of one sample; "??" bytes are
    // wildcards for operands that vary between builds. The blank disassembly
    // columns below fall on e8 (call rel32), b9 (mov ecx, imm32) and ff15
    // (call [disp32]) operands, i.e. call targets, immediates and import
    // addresses that depend on the sample's layout.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.megumin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The "n = .., score = .." lines are yara-signator annotations:
        // n is the instruction count of the sequence, score is the tool's
        // own ranking value (documented with the tool, not a confidence level
        // in itself).
        $sequence_0 = { 8d4dd8 e8???????? 84c0 7555 6a1a b9???????? e8???????? }
            // n = 7, score = 200
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7555                 | jne                 0x57
            //   6a1a                 | push                0x1a
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_1 = { c645fc11 8d45d4 837de810 0f4345d4 50 51 8d8d98fdffff }
            // n = 7, score = 200
            //   c645fc11             | mov                 byte ptr [ebp - 4], 0x11
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   837de810             | cmp                 dword ptr [ebp - 0x18], 0x10
            //   0f4345d4             | cmovae              eax, dword ptr [ebp - 0x2c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d8d98fdffff         | lea                 ecx, [ebp - 0x268]

        $sequence_2 = { 84c0 746e 6a16 b9???????? e8???????? 50 8d4dd8 }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   746e                 | je                  0x70
            //   6a16                 | push                0x16
            //   b9????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        // Fully concrete sequence (no wildcards): a run of stack-frame and
        // struct-field initialisations.
        $sequence_3 = { c7470400000000 c7470800000000 c78594fdffff01000000 c7459c00000000 c745a00f000000 }
            // n = 5, score = 200
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   c7470800000000       | mov                 dword ptr [edi + 8], 0
            //   c78594fdffff01000000     | mov    dword ptr [ebp - 0x26c], 1
            //   c7459c00000000       | mov                 dword ptr [ebp - 0x64], 0
            //   c745a00f000000       | mov                 dword ptr [ebp - 0x60], 0xf

        $sequence_4 = { f20f1085f8feffff 8d855cffffff c645fc0f 83bd70ffffff10 0f43855cffffff 83ec08 f20f110424 }
            // n = 7, score = 200
            //   f20f1085f8feffff     | movsd               xmm0, qword ptr [ebp - 0x108]
            //   8d855cffffff         | lea                 eax, [ebp - 0xa4]
            //   c645fc0f             | mov                 byte ptr [ebp - 4], 0xf
            //   83bd70ffffff10       | cmp                 dword ptr [ebp - 0x90], 0x10
            //   0f43855cffffff       | cmovae              eax, dword ptr [ebp - 0xa4]
            //   83ec08               | sub                 esp, 8
            //   f20f110424           | movsd               qword ptr [esp], xmm0

        $sequence_5 = { 3bc6 742f 8bc8 e8???????? 0f1006 0f11851cffffff f30f7e4610 }
            // n = 7, score = 200
            //   3bc6                 | cmp                 eax, esi
            //   742f                 | je                  0x31
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   0f1006               | movups              xmm0, xmmword ptr [esi]
            //   0f11851cffffff       | movups              xmmword ptr [ebp - 0xe4], xmm0
            //   f30f7e4610           | movq                xmm0, qword ptr [esi + 0x10]

        $sequence_6 = { 2bc2 8b7d08 8955fc 3bc7 0f824e010000 8d043a }
            // n = 6, score = 200
            //   2bc2                 | sub                 eax, edx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   3bc7                 | cmp                 eax, edi
            //   0f824e010000         | jb                  0x154
            //   8d043a               | lea                 eax, [edx + edi]

        $sequence_7 = { 8d410e 0f43b574ffffff 03f1 894584 56 }
            // n = 5, score = 200
            //   8d410e               | lea                 eax, [ecx + 0xe]
            //   0f43b574ffffff       | cmovae              esi, dword ptr [ebp - 0x8c]
            //   03f1                 | add                 esi, ecx
            //   894584               | mov                 dword ptr [ebp - 0x7c], eax
            //   56                   | push                esi

        // Short, generic-looking call-site pattern (three pushes and an
        // import call with a wildcarded address); it carries little weight on
        // its own and relies on the 7-of-10 threshold in the condition.
        $sequence_8 = { 68f4010000 51 6a02 50 ff15???????? }
            // n = 5, score = 200
            //   68f4010000           | push                0x1f4
            //   51                   | push                ecx
            //   6a02                 | push                2
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 83f801 0f8209010000 8b7714 8d5a01 83cb0f 8975f8 3bd9 }
            // n = 7, score = 200
            //   83f801               | cmp                 eax, 1
            //   0f8209010000         | jb                  0x10f
            //   8b7714               | mov                 esi, dword ptr [edi + 0x14]
            //   8d5a01               | lea                 ebx, [edx + 1]
            //   83cb0f               | or                  ebx, 0xf
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   3bd9                 | cmp                 ebx, ecx

    // Match policy: at least 7 of the 10 sequences must be present and the
    // scanned object must be smaller than 1007616 bytes. `filesize` is
    // defined for file scans; NOTE(review): check how your YARA version
    // evaluates it for process-memory scans before relying on this rule there.
    condition:
        7 of them and filesize < 1007616
}
[TLP:WHITE] win_megumin_w0   (20190503 | Detecting Megumin v2)
rule win_megumin_w0 {
    meta:
        description = "Detecting Megumin v2"
        author = "Fumik0_"
        date = "2019-05-02"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin"
        malpedia_version = "20190503"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Hand-written string rule for Megumin v2. Every string is matched in
    // both ASCII and UTF-16LE ("wide ascii"). The path-like fragments are too
    // generic to be used individually, so the condition requires all five.
    strings:
        // version token; presumably part of the bot's HTTP traffic - confirm
        // against the fumik0 write-up referenced on this page
        $s1 = "Megumin/2.0" wide ascii
        // URL path fragments, presumably the endpoints the sample contacts
        $s2 = "/cpu" wide ascii
        $s3 = "/task?hwid=" wide ascii
        $s4 = "/gate?hwid=" wide ascii
        $s5 = "/suicide" wide ascii

    condition:
        // same as "all of them": every fragment has to be present
        $s1 and $s2 and $s3 and $s4 and $s5
}