Undocumented information stealer targeting multiple browsers and cryptocurrencies. Internal project name appears to be "misha".
rule win_misha_auto {
    // Autogenerated (yara-signator) code-sequence rule for the win.misha
    // information stealer. Each $sequence_N is a run of x86 instruction
    // bytes lifted from the disassembly of one documented sample; the
    // trailing comments give the disassembly of every chunk. Relative
    // call instructions appear as e8???????? (the 4-byte displacement is
    // wildcarded), which is why those lines carry no disassembly text.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.misha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 99 bbb0150000 f7fb 56 33f6 57 33ff }
            // n = 7, score = 300
            //   99                   | cdq
            //   bbb0150000           | mov                 ebx, 0x15b0
            //   f7fb                 | idiv                ebx
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { e8???????? 33f6 8bd8 8937 897704 897708 e8???????? }
            // n = 7, score = 300
            //   e8????????           |
            //   33f6                 | xor                 esi, esi
            //   8bd8                 | mov                 ebx, eax
            //   8937                 | mov                 dword ptr [edi], esi
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   897708               | mov                 dword ptr [edi + 8], esi
            //   e8????????           |

        $sequence_2 = { ff75c8 8b4314 83c070 50 8b8578ffffff 48 48 }
            // n = 7, score = 300
            //   ff75c8               | push                dword ptr [ebp - 0x38]
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   83c070               | add                 eax, 0x70
            //   50                   | push                eax
            //   8b8578ffffff         | mov                 eax, dword ptr [ebp - 0x88]
            //   48                   | dec                 eax
            //   48                   | dec                 eax

        $sequence_3 = { 8d4f02 8bd8 e8???????? f7d0 25ffff0000 3bd8 }
            // n = 6, score = 300
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |
            //   f7d0                 | not                 eax
            //   25ffff0000           | and                 eax, 0xffff
            //   3bd8                 | cmp                 ebx, eax

        $sequence_4 = { 8b4dc0 668901 8b45c0 40 40 8945c0 837d2402 }
            // n = 7, score = 300
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   668901               | mov                 word ptr [ecx], ax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   40                   | inc                 eax
            //   40                   | inc                 eax
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   837d2402             | cmp                 dword ptr [ebp + 0x24], 2

        $sequence_5 = { 7546 8b460c 385804 743e 8365fc00 8d580c }
            // n = 6, score = 300
            //   7546                 | jne                 0x48
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   385804               | cmp                 byte ptr [eax + 4], bl
            //   743e                 | je                  0x40
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d580c               | lea                 ebx, [eax + 0xc]

        $sequence_6 = { ff74242c ff7330 e8???????? 8b7c2440 89442424 8b03 0344242c }
            // n = 7, score = 300
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   ff7330               | push                dword ptr [ebx + 0x30]
            //   e8????????           |
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   0344242c             | add                 eax, dword ptr [esp + 0x2c]

        $sequence_7 = { 66898598fdffff 58 6689859afdffff 6a30 58 6689859cfdffff 6a60 }
            // n = 7, score = 300
            //   66898598fdffff       | mov                 word ptr [ebp - 0x268], ax
            //   58                   | pop                 eax
            //   6689859afdffff       | mov                 word ptr [ebp - 0x266], ax
            //   6a30                 | push                0x30
            //   58                   | pop                 eax
            //   6689859cfdffff       | mov                 word ptr [ebp - 0x264], ax
            //   6a60                 | push                0x60

        $sequence_8 = { 8d4dfc 50 56 8d85b8fdffff e8???????? 8b45f4 83c420 }
            // n = 7, score = 300
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d85b8fdffff         | lea                 eax, [ebp - 0x248]
            //   e8????????           |
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c420               | add                 esp, 0x20

        $sequence_9 = { 8bec 56 57 e8???????? 8bf8 33f6 }
            // n = 6, score = 300
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |
            //   8bf8                 | mov                 edi, eax
            //   33f6                 | xor                 esi, esi

    condition:
        // Seven of the ten sequences must be present. The filesize cap is
        // derived from the documented sample; any file at or above 710656
        // bytes is never matched by this rule, so unpacked dumps that were
        // padded or merged with a larger image need a separate rule.
        7 of them and filesize < 710656
}
rule win_misha_w0 {
    // Hand-written rule for the unpacked win.misha payload. Each string is
    // a wildcarded opcode pattern; the /* @addr ... */ block above it is
    // the disassembly it was lifted from (addresses and symbol names refer
    // to that one analysed sample).

    meta:
        author = "Daniel Plohmann"
        description = "Detect the unpacked payload for win.misha."
        // NOTE(review): date (20211109) differs from malpedia_rule_date and
        // malpedia_version (20211009) -- confirm which one is intended.
        date = "20211109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20211009"
        // No reference sample hash was recorded for this rule.
        malpedia_hash = ""
        malpedia_version = "20211009"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /* @0x4252d7 - creating a heap buffer for the config
           8D 44 24 0C             lea     eax, [esp+10h+var_4]
           68 CE 11 01 00          push    111CEh
           50                      push    eax
           BF 40 9F 01 00          mov     edi, 19F40h
           B9 58 D8 42 00          mov     ecx, offset inner_buffer
           8B C6                   mov     eax, esi
           89 7C 24 14             mov     [esp+18h+var_4], edi
           E8 1C D4 FF FF          call    sub_422712
           59                      pop     ecx
           59                      pop     ecx
           85 C0                   test    eax, eax
           0F 85 A1 00 00 00       jnz     loc_4253A1 */
        // The pushed size, the mov edi/ecx immediates, the stack-store
        // displacement and the call target are wildcarded. The pattern ends
        // on the 0F of the 0F 85 (jnz rel32) opcode; its displacement is
        // not part of the match.
        $config_heap_0 = { 8D4424?? 68???????? 50 BF???????? B9???????? 8BC689?????? E8???????? 59 59 85C0 0F }

        /* @0x425300 - creating a heap buffer for some x64 code
           8D 44 24 0C             lea     eax, [esp+10h+var_4]
           68 91 F3 00 00          push    0F391h
           50                      push    eax
           8D 86 40 9F 01 00       lea     eax, [esi+19F40h]
           B9 28 EA 43 00          mov     ecx, offset inner_buffer_2
           C7 44 24 14 80 03 02 00 mov     [esp+18h+var_4], 20380h
           E8 F0 D3 FF FF          call    sub_422712
           59                      pop     ecx
           59                      pop     ecx
           85 C0                   test    eax, eax
           75 79                   jnz     short loc_4253A1 */
        // Same shape as $config_heap_0 (same callee, second buffer); the
        // C74424 store keeps only its opcode and ModRM/SIB bytes, the
        // displacement and 4-byte immediate are wildcarded. Ends on the
        // 75 (jnz rel8) opcode without its displacement.
        $config_heap_1 = { 8D4424?? 68???????? 50 8D86???????? B9???????? C74424?????????? E8???????? 59 59 85C0 75 }

        /* @0x408549 - string decryption
           8B 45 F8                mov     eax, [ebp+var_8]
           33 D2                   xor     edx, edx
           F7 75 14                div     [ebp+dwKeyLen]
           8B 45 10                mov     eax, [ebp+szKey]
           0F B6 0C 10             movzx   ecx, byte ptr [eax+edx]
           8B 45 F8                mov     eax, [ebp+var_8]
           33 D2                   xor     edx, edx
           BE 00 01 00 00          mov     esi, 100h
           F7 F6                   div     esi
           33 CA                   xor     ecx, edx
           8B 45 FC                mov     eax, [ebp+var_4]
           03 45 F8                add     eax, [ebp+var_8]
           0F B6 00                movzx   eax, byte ptr [eax]
           33 C1                   xor     eax, ecx
           8B 4D FC                mov     ecx, [ebp+var_4]
           03 4D F8                add     ecx, [ebp+var_8]
           88 01                   mov     [ecx], al
           EB BF                   jmp     short loc_40853A */
        // Reading the listing: with i = var_8 and buf = var_4, one loop
        // iteration computes buf[i] ^= szKey[i % dwKeyLen] ^ (i % 0x100).
        // Only the 0x100 modulus and the register-to-register ops are kept
        // literally; every ebp-relative displacement is wildcarded, and the
        // pattern ends on the EB (jmp rel8) opcode of the loop back-edge.
        // Useful as the starting point for a string/config decoder.
        $string_decrypt = { 8B45?? 33D2 F7???? 8B45?? 0FB6???? 8B45?? 33D2 BE00010000 F7F6 33CA 8B45?? 0345?? 0FB6?? 33C1 8B4D?? 034D?? 8801 EB }

    condition:
        // A single hit on any one string fires the rule. NOTE(review): the
        // two heap-setup patterns are the more distinctive ones; the XOR
        // loop in $string_decrypt has most displacements wildcarded, so
        // consider checking its false-positive rate before relying on it
        // alone in a broad scan.
        any of them
}