win.metamorfo (Back to overview)

Metamorfo

aka: Casbaneiro
URLhaus    

There is no description at this point.

References
2020-02-11 ⋅ Github (jeFF0Falltrades)Jeff Archer
@online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } Metamorfo (aka Casbaneiro)
Metamorfo Unidentified 072 (Metamorfo Loader)
2019-07-16 ⋅ enSiloChen Erlich
@online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://blog.ensilo.com/metamorfo-avast-abuser}, language = {English}, urldate = {2020-01-08} } The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable
Metamorfo
2018-11-08 ⋅ Cisco TalosEdmund Brumaghin, Warren Mercer, Paul Rascagnères, Vitor Ventura
@online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } Metamorfo Banking Trojan Keeps Its Sights on Brazil
Metamorfo
2018-04-24 ⋅ FireEyeEdson Sierra, Gerardo Iglesias
@online{sierra:20180424:metamorfo:aa4b1fe, author = {Edson Sierra and Gerardo Iglesias}, title = {{Metamorfo Campaigns Targeting Brazilian Users}}, date = {2018-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html}, language = {English}, urldate = {2019-12-20} } Metamorfo Campaigns Targeting Brazilian Users
Metamorfo
Yara Rules
[TLP:WHITE] win_metamorfo_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_metamorfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ff537c 66ff45a6 66ff4da2 0f85d9feffff 5f 5e 5b }
            // n = 7, score = 100
            //   ff537c               | call                dword ptr [ebx + 0x7c]
            //   66ff45a6             | inc                 word ptr [ebp - 0x5a]
            //   66ff4da2             | dec                 word ptr [ebp - 0x5e]
            //   0f85d9feffff         | jne                 0xfffffedf
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_1 = { ff513c baf4825104 8b45f4 8b08 ff513c ba40835104 8b45f4 }
            // n = 7, score = 100
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   baf4825104           | mov                 edx, 0x45182f4
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   ba40835104           | mov                 edx, 0x4518340
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_2 = { eb0c 52 8b4d0c 8d55e0 e8???????? 5f 5e }
            // n = 7, score = 100
            //   eb0c                 | jmp                 0xe
            //   52                   | push                edx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8d55e0               | lea                 edx, [ebp - 0x20]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { f7d9 8b9554ffffff f7da 8d8564ffffff e8???????? c645d900 8d45a8 }
            // n = 7, score = 100
            //   f7d9                 | neg                 ecx
            //   8b9554ffffff         | mov                 edx, dword ptr [ebp - 0xac]
            //   f7da                 | neg                 edx
            //   8d8564ffffff         | lea                 eax, [ebp - 0x9c]
            //   e8????????           |                     
            //   c645d900             | mov                 byte ptr [ebp - 0x27], 0
            //   8d45a8               | lea                 eax, [ebp - 0x58]

        $sequence_4 = { ff513c ba54385104 8b45f4 8b08 ff513c ba90385104 8b45f4 }
            // n = 7, score = 100
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   ba54385104           | mov                 edx, 0x4513854
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   ba90385104           | mov                 edx, 0x4513890
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_5 = { eb11 8d45f0 8b55f8 8b0d???????? e8???????? 8b4df4 8b55f0 }
            // n = 7, score = 100
            //   eb11                 | jmp                 0x13
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b0d????????         |                     
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]

        $sequence_6 = { e9???????? 8b75f8 8b36 8b45f8 8b4008 2b45f0 8945ec }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   2b45f0               | sub                 eax, dword ptr [ebp - 0x10]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_7 = { eb07 c745f003000000 8b5508 8bc3 e8???????? 85c0 0f8e87000000 }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   c745f003000000       | mov                 dword ptr [ebp - 0x10], 3
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8e87000000         | jle                 0x8d

        $sequence_8 = { ff513c ba5c4d5104 8b45f4 8b08 ff513c ba7c4d5104 8b45f4 }
            // n = 7, score = 100
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   ba5c4d5104           | mov                 edx, 0x4514d5c
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff513c               | call                dword ptr [ecx + 0x3c]
            //   ba7c4d5104           | mov                 edx, 0x4514d7c
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_9 = { ff5230 50 8b45fc 8b4068 8b4050 8b10 ff5224 }
            // n = 7, score = 100
            //   ff5230               | call                dword ptr [edx + 0x30]
            //   50                   | push                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4068               | mov                 eax, dword ptr [eax + 0x68]
            //   8b4050               | mov                 eax, dword ptr [eax + 0x50]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ff5224               | call                dword ptr [edx + 0x24]

    condition:
        7 of them
}
Download all Yara Rules