win.megumin

MeguminTrojan


Megumin Trojan is malware that combines several capabilities in one implant: DDoS, miner, loader and clipper.

References
2022-08-08 · Medium CSIS Techblog · Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2019-05-03 · fumik0 blog · fumik0
@online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } Let’s nuke Megumin Trojan
MeguminTrojan
Yara Rules
[TLP:WHITE] win_megumin_auto (20220808 | Detects win.megumin.)
rule win_megumin_auto {
    /* Machine-generated code-sequence signature for win.megumin.
     * Each $sequence_N is a short run of x86 instruction bytes (32-bit, as the
     * ebp/esp-relative disassembly below shows) lifted from a memory dump or an
     * unpacked sample. The ???????? wildcards mask operands that change between
     * builds and load addresses: the rel32 target of an e8 call, imm32 values of
     * 68 push / b9 mov ecx, etc. No single sequence is meant to be a hit on its
     * own — the condition requires 7 of the 10 — and several sequences look like
     * generic compiler idioms rather than family-specific logic (see the
     * per-sequence notes), so assign confidence accordingly.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.megumin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the "mov byte ptr [ebp - 4], N" writes in $sequence_0,
        // $sequence_4 and $sequence_6 resemble MSVC C++ exception-handling state
        // updates — compiler boilerplate, not malware-specific behaviour. Verify
        // before weighting these sequences highly.
        $sequence_0 = { e8???????? c645fc06 50 b9???????? e8???????? 8d8db8fdffff }
            // n = 6, score = 200
            //   e8????????           |                     
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   50                   | push                eax
            //   b9????????           |                     
            //   e8????????           |                     
            //   8d8db8fdffff         | lea                 ecx, [ebp - 0x248]

        $sequence_1 = { 8b531c 8bc2 8b4b18 2bc1 6a03 68???????? 83f803 }
            // n = 7, score = 200
            //   8b531c               | mov                 edx, dword ptr [ebx + 0x1c]
            //   8bc2                 | mov                 eax, edx
            //   8b4b18               | mov                 ecx, dword ptr [ebx + 0x18]
            //   2bc1                 | sub                 eax, ecx
            //   6a03                 | push                3
            //   68????????           |                     
            //   83f803               | cmp                 eax, 3

        $sequence_2 = { a804 7411 83e0fb 8d4d94 8945ec e8???????? }
            // n = 6, score = 200
            //   a804                 | test                al, 4
            //   7411                 | je                  0x13
            //   83e0fb               | and                 eax, 0xfffffffb
            //   8d4d94               | lea                 ecx, [ebp - 0x6c]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   e8????????           |                     

        $sequence_3 = { 8b45e0 89460c 8b4dc0 8d45e4 3bc8 740e ff75c0 }
            // n = 7, score = 200
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   3bc8                 | cmp                 ecx, eax
            //   740e                 | je                  0x10
            //   ff75c0               | push                dword ptr [ebp - 0x40]

        $sequence_4 = { 8d8d4cfdffff e8???????? 83c404 8d8db4fdffff c645fc0e 51 8bd0 }
            // n = 7, score = 200
            //   8d8d4cfdffff         | lea                 ecx, [ebp - 0x2b4]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d8db4fdffff         | lea                 ecx, [ebp - 0x24c]
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   51                   | push                ecx
            //   8bd0                 | mov                 edx, eax

        $sequence_5 = { 50 52 e8???????? eba8 f7466020200000 7407 8b464c }
            // n = 7, score = 200
            //   50                   | push                eax
            //   52                   | push                edx
            //   e8????????           |                     
            //   eba8                 | jmp                 0xffffffaa
            //   f7466020200000       | test                dword ptr [esi + 0x60], 0x2020
            //   7407                 | je                  9
            //   8b464c               | mov                 eax, dword ptr [esi + 0x4c]

        $sequence_6 = { 8965b8 68???????? e8???????? 83ec18 c645fc59 8bf4 }
            // n = 6, score = 200
            //   8965b8               | mov                 dword ptr [ebp - 0x48], esp
            //   68????????           |                     
            //   e8????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   c645fc59             | mov                 byte ptr [ebp - 4], 0x59
            //   8bf4                 | mov                 esi, esp

        // NOTE(review): "cmp eax, 0x10 / cmovae" looks like the MSVC std::string
        // small-buffer check (length >= 0x10 selects the heap pointer) — likely a
        // library idiom shared by many binaries; confirm before relying on it.
        $sequence_7 = { 83f810 0f434db8 8b36 8b5614 8bc2 8b5e10 2bc3 }
            // n = 7, score = 200
            //   83f810               | cmp                 eax, 0x10
            //   0f434db8             | cmovae              ecx, dword ptr [ebp - 0x48]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]
            //   8bc2                 | mov                 eax, edx
            //   8b5e10               | mov                 ebx, dword ptr [esi + 0x10]
            //   2bc3                 | sub                 eax, ebx

        // Zero-fill of a 0x148-byte stack buffer (push 0x148 / push 0 / push eax
        // before a masked call — the callee is not visible here, presumably memset).
        $sequence_8 = { 6848010000 8d8558feffff 6a00 50 e8???????? 83c40c }
            // n = 6, score = 200
            //   6848010000           | push                0x148
            //   8d8558feffff         | lea                 eax, [ebp - 0x1a8]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        // "and ecx, 3 / rep movsb" is the usual tail of an inlined memcpy (copy the
        // remaining 0-3 bytes); again a compiler idiom rather than family logic.
        $sequence_9 = { 8bca 83e103 f3a4 8d8dacfdffff e8???????? 8d85d0feffff 50 }
            // n = 7, score = 200
            //   8bca                 | mov                 ecx, edx
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8dacfdffff         | lea                 ecx, [ebp - 0x254]
            //   e8????????           |                     
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]
            //   50                   | push                eax

    condition:
        // At least 7 of the 10 sequences, in an object smaller than 1007616 bytes
        // (984 KiB). NOTE(review): filesize is the size of the scanned file/buffer;
        // per YARA's documentation it is undefined when scanning a live process,
        // so confirm the scan mode before deploying this on process memory.
        7 of them and filesize < 1007616
}
[TLP:WHITE] win_megumin_w0   (20190503 | Detecting Megumin v2)
rule win_megumin_w0 {
    /* Hand-written plaintext-string signature for Megumin v2 (fumik0, 2019-05-02).
     * All five strings must be present, each matched as ASCII or UTF-16LE ("wide").
     * Because these are cleartext strings, the rule will only fire where they are
     * visible — unpacked binaries or memory dumps; a packed/encrypted dropper will
     * not match until unpacked (assumption — confirm against the referenced
     * fumik0 write-up). Licensed CC BY-NC-SA 4.0: the non-commercial clause
     * matters if this rule is bundled into a commercial product.
     */
    meta:
        description = "Detecting Megumin v2"
        author = "Fumik0_"
        date = "2019-05-02"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin"
        malpedia_version = "20190503"
        malpedia_license = "CC BY-NC-SA 4.0"   // note the NC (non-commercial) clause
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        // Family/version marker. Presumably a User-Agent or protocol tag sent to the
        // C2 — verify against the write-up before treating it as a network IOC.
        $s1 = "Megumin/2.0" wide ascii
        // Very short and generic on its own; only meaningful because the condition
        // requires every other string as well.
        $s2 = "/cpu" wide ascii
        // Look like C2 request paths keyed by a hardware id (hwid) query parameter.
        $s3 = "/task?hwid=" wide ascii
        $s4 = "/gate?hwid=" wide ascii
        // Likely a self-removal/uninstall command endpoint — confirm.
        $s5 = "/suicide" wide ascii

    condition:
        all of them
}