win.metamorfo

Metamorfo

aka: Casbaneiro

There is no description at this point.

References
2020-06-04 | Bitdefender | Janos Gergo Szeles, Ruben Andrei Condor
@techreport{szeles:20200604:loading:072fc29, author = {Janos Gergo Szeles and Ruben Andrei Condor}, title = {{Loading DLLs for illicit profit. A story about a Metamorfo distribution campaign}}, date = {2020-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-10} } Loading DLLs for illicit profit. A story about a Metamorfo distribution campaign
Metamorfo
2020-04-01 | Cisco | Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-02-11 | Github (jeFF0Falltrades) | Jeff Archer
@online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } Metamorfo (aka Casbaneiro)
Metamorfo Unidentified 072 (Metamorfo Loader)
2019-12-06 | Botconf | Juraj Horňák, Jakub Souček
@techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} } Demystifying banking trojans from Latin America
Astaroth Metamorfo
2019-07-16 | enSilo | Chen Erlich
@online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = {English}, urldate = {2020-04-13} } The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable
Metamorfo
2018-11-08 | Cisco Talos | Edmund Brumaghin, Warren Mercer, Paul Rascagnères, Vitor Ventura
@online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } Metamorfo Banking Trojan Keeps Its Sights on Brazil
Metamorfo
2018-04-24 | FireEye | Edson Sierra, Gerardo Iglesias
@online{sierra:20180424:metamorfo:aa4b1fe, author = {Edson Sierra and Gerardo Iglesias}, title = {{Metamorfo Campaigns Targeting Brazilian Users}}, date = {2018-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html}, language = {English}, urldate = {2019-12-20} } Metamorfo Campaigns Targeting Brazilian Users
Metamorfo
Yara Rules
[TLP:WHITE] win_metamorfo_auto (20200817 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence rule for the Metamorfo (aka Casbaneiro) banking
// trojan. It matches ten 7-instruction x86 byte sequences taken from the
// disassembly of unpacked samples / memory dumps (see DISCLAIMER below), so it
// is presumably meant to be applied to unpacked code rather than to packed
// on-disk droppers - confirm against your scanning pipeline.
//
// Reading the strings: each "$sequence_N" is a hex pattern; "??" bytes are
// wildcards. In these sequences the wildcarded bytes sit where the relative
// displacements of call/jmp (e8/e9) and absolute operands of mov/push
// (a1/68) would be, which is consistent with the tool_config
// "callsandjumps;datarefs" - i.e. addresses that vary between builds and
// load locations are masked, while opcodes and fixed immediates are kept.
// The "// n = 7, score = 100" comment on each string is emitted by
// yara-signator and is informational only; it is not evaluated by YARA.
rule win_metamorfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten candidate sequences ($sequence_0 .. $sequence_9); the condition
        // below requires at least 7 of them, so a sample can fail to contain
        // up to three of these sequences (e.g. through recompilation of one
        // routine) and still match.
        $sequence_0 = { a1???????? 8b80747e0000 8b4010 e8???????? 50 8b45fc 83c010 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8b80747e0000         | mov                 eax, dword ptr [eax + 0x7e74]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c010               | add                 eax, 0x10

        $sequence_1 = { e8???????? 894304 8b4304 83c0fe 83e802 0f832e0f0000 b101 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   83c0fe               | add                 eax, -2
            //   83e802               | sub                 eax, 2
            //   0f832e0f0000         | jae                 0xf34
            //   b101                 | mov                 cl, 1

        $sequence_2 = { ff5214 85c0 0f8e18050000 33c0 8945f0 8d9d04fdffff 8bc3 }
            // n = 7, score = 100
            //   ff5214               | call                dword ptr [edx + 0x14]
            //   85c0                 | test                eax, eax
            //   0f8e18050000         | jle                 0x51e
            //   33c0                 | xor                 eax, eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8d9d04fdffff         | lea                 ebx, [ebp - 0x2fc]
            //   8bc3                 | mov                 eax, ebx

        $sequence_3 = { a1???????? 8b00 8b8088010000 eb0b 8b876c020000 e8???????? 33d2 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b8088010000         | mov                 eax, dword ptr [eax + 0x188]
            //   eb0b                 | jmp                 0xd
            //   8b876c020000         | mov                 eax, dword ptr [edi + 0x26c]
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx

        $sequence_4 = { f6c304 7416 f6c308 0f95c0 33c9 ba01000000 e8???????? }
            // n = 7, score = 100
            //   f6c304               | test                bl, 4
            //   7416                 | je                  0x18
            //   f6c308               | test                bl, 8
            //   0f95c0               | setne               al
            //   33c9                 | xor                 ecx, ecx
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     

        $sequence_5 = { ffb508ffffff 68???????? a1???????? ff30 68???????? 8d9504ffffff 8b45fc }
            // n = 7, score = 100
            //   ffb508ffffff         | push                dword ptr [ebp - 0xf8]
            //   68????????           |                     
            //   a1????????           |                     
            //   ff30                 | push                dword ptr [eax]
            //   68????????           |                     
            //   8d9504ffffff         | lea                 edx, [ebp - 0xfc]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { e8???????? e9???????? 837e0800 7508 66816772fffd eb06 66814f720002 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   7508                 | jne                 0xa
            //   66816772fffd         | and                 word ptr [edi + 0x72], 0xfdff
            //   eb06                 | jmp                 8
            //   66814f720002         | or                  word ptr [edi + 0x72], 0x200

        $sequence_7 = { f680c403000004 7420 80b8cb02000001 7417 80b8c602000002 740e b101 }
            // n = 7, score = 100
            //   f680c403000004       | test                byte ptr [eax + 0x3c4], 4
            //   7420                 | je                  0x22
            //   80b8cb02000001       | cmp                 byte ptr [eax + 0x2cb], 1
            //   7417                 | je                  0x19
            //   80b8c602000002       | cmp                 byte ptr [eax + 0x2c6], 2
            //   740e                 | je                  0x10
            //   b101                 | mov                 cl, 1

        $sequence_8 = { ff7004 ff75d4 ff75d8 ff75d4 ff75d8 e8???????? 59 }
            // n = 7, score = 100
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_9 = { ffd3 8b45ec 0345e4 83c002 b903000000 99 f7f9 }
            // n = 7, score = 100
            //   ffd3                 | call                ebx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   0345e4               | add                 eax, dword ptr [ebp - 0x1c]
            //   83c002               | add                 eax, 2
            //   b903000000           | mov                 ecx, 3
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx

    condition:
        // "7 of them" = at least 7 of the 10 sequences above must be present.
        // The filesize bound (20349952 bytes, roughly 19.4 MiB) is a
        // generated cap that keeps the rule from being evaluated against very
        // large files; it is not a characteristic of the family, so the rule
        // will not fire on a larger dump even if all sequences are present.
        7 of them and filesize < 20349952
}