SYMBOLCOMMON_NAMEaka. SYNONYMS
win.misha (Back to overview)

Misha


Undocumented information stealer targeting multiple browsers and cryptocurrences. Internal project name appears to be "misha".

References
2021-11-04MalwareBazaarabuse.ch
@online{abusech:20211104:malwarebazaar:27b4390, author = {abuse.ch}, title = {{MalwareBazaar Report for Misha sample}}, date = {2021-11-04}, organization = {MalwareBazaar}, url = {https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/}, language = {English}, urldate = {2021-11-09} } MalwareBazaar Report for Misha sample
Misha
Yara Rules
[TLP:WHITE] win_misha_auto (20220808 | Detects win.misha.)
rule win_misha_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.misha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4dbc d3e8 8945a8 8b45ac 40 8945ac 8b45a4 }
            // n = 7, score = 300
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   d3e8                 | shr                 eax, cl
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   40                   | inc                 eax
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]

        $sequence_1 = { 034dd4 0fb649ff 2bc1 f7d8 1bc0 40 7410 }
            // n = 7, score = 300
            //   034dd4               | add                 ecx, dword ptr [ebp - 0x2c]
            //   0fb649ff             | movzx               ecx, byte ptr [ecx - 1]
            //   2bc1                 | sub                 eax, ecx
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   40                   | inc                 eax
            //   7410                 | je                  0x12

        $sequence_2 = { 0f8496000000 8d45f4 50 6a64 6a02 0fb74518 }
            // n = 6, score = 300
            //   0f8496000000         | je                  0x9c
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6a64                 | push                0x64
            //   6a02                 | push                2
            //   0fb74518             | movzx               eax, word ptr [ebp + 0x18]

        $sequence_3 = { 8945b8 8b4510 8945c0 8b45c0 034518 8945f0 c745bc06000000 }
            // n = 7, score = 300
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   034518               | add                 eax, dword ptr [ebp + 0x18]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745bc06000000       | mov                 dword ptr [ebp - 0x44], 6

        $sequence_4 = { b9ff000000 f7f9 8b4d08 8d440110 8945fc 8b45fc }
            // n = 6, score = 300
            //   b9ff000000           | mov                 ecx, 0xff
            //   f7f9                 | idiv                ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d440110             | lea                 eax, [ecx + eax + 0x10]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_5 = { 8b430c 0500030000 50 ff7318 e8???????? }
            // n = 5, score = 300
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   0500030000           | add                 eax, 0x300
            //   50                   | push                eax
            //   ff7318               | push                dword ptr [ebx + 0x18]
            //   e8????????           |                     

        $sequence_6 = { eb2e 6a0e 8945fc 6a08 8d45f8 50 8d45f0 }
            // n = 7, score = 300
            //   eb2e                 | jmp                 0x30
            //   6a0e                 | push                0xe
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6a08                 | push                8
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_7 = { 47 3bfe 76e0 ebd7 8bc7 ebd5 55 }
            // n = 7, score = 300
            //   47                   | inc                 edi
            //   3bfe                 | cmp                 edi, esi
            //   76e0                 | jbe                 0xffffffe2
            //   ebd7                 | jmp                 0xffffffd9
            //   8bc7                 | mov                 eax, edi
            //   ebd5                 | jmp                 0xffffffd7
            //   55                   | push                ebp

        $sequence_8 = { e8???????? 59 8b45b4 034580 8945b4 8b4590 83c004 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   034580               | add                 eax, dword ptr [ebp - 0x80]
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   83c004               | add                 eax, 4

        $sequence_9 = { 83ec1c 817d1c01020000 7416 817d1c07020000 740d 817d1c04020000 }
            // n = 6, score = 300
            //   83ec1c               | sub                 esp, 0x1c
            //   817d1c01020000       | cmp                 dword ptr [ebp + 0x1c], 0x201
            //   7416                 | je                  0x18
            //   817d1c07020000       | cmp                 dword ptr [ebp + 0x1c], 0x207
            //   740d                 | je                  0xf
            //   817d1c04020000       | cmp                 dword ptr [ebp + 0x1c], 0x204

    condition:
        7 of them and filesize < 710656
}
[TLP:WHITE] win_misha_w0   (20211009 | Detect the unpacked payload for win.misha.)
rule win_misha_w0 {

    meta:
        author = "Daniel Plohmann"
        description = "Detect the unpacked payload for win.misha."
        date = "20211109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20211009"
        malpedia_hash = ""
        malpedia_version = "20211009"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /*  @0x4252d7 - creating a heap buffer for the config
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 CE 11 01 00                push    111CEh
            50                            push    eax
            BF 40 9F 01 00                mov     edi, 19F40h
            B9 58 D8 42 00                mov     ecx, offset inner_buffer
            8B C6                         mov     eax, esi
            89 7C 24 14                   mov     [esp+18h+var_4], edi
            E8 1C D4 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            0F 85 A1 00 00 00             jnz     loc_4253A1
        */
        $config_heap_0 = {8D4424?? 68???????? 50 BF???????? B9???????? 8BC689?????? E8???????? 59 59 85C0 0F }

        /*  @0x425300 - creating a heap buffer for some x64 code
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 91 F3 00 00                push    0F391h
            50                            push    eax
            8D 86 40 9F 01 00             lea     eax, [esi+19F40h]
            B9 28 EA 43 00                mov     ecx, offset inner_buffer_2
            C7 44 24 14 80 03 02 00       mov     [esp+18h+var_4], 20380h
            E8 F0 D3 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            75 79                         jnz     short loc_4253A1
        */
        $config_heap_1 = { 8D4424?? 68???????? 50 8D86???????? B9???????? C74424?????????? E8???????? 59 59 85C0 75 }

        /*  @0x408549 - string decryption
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            F7 75 14                      div     [ebp+dwKeyLen]
            8B 45 10                      mov     eax, [ebp+szKey]
            0F B6 0C 10                   movzx   ecx, byte ptr [eax+edx]
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            BE 00 01 00 00                mov     esi, 100h
            F7 F6                         div     esi
            33 CA                         xor     ecx, edx
            8B 45 FC                      mov     eax, [ebp+var_4]
            03 45 F8                      add     eax, [ebp+var_8]
            0F B6 00                      movzx   eax, byte ptr [eax]
            33 C1                         xor     eax, ecx
            8B 4D FC                      mov     ecx, [ebp+var_4]
            03 4D F8                      add     ecx, [ebp+var_8]
            88 01                         mov     [ecx], al
            EB BF                         jmp     short loc_40853A
        */
        $string_decrypt = { 8B45?? 33D2 F7???? 8B45?? 0FB6???? 8B45?? 33D2 BE00010000 F7F6 33CA 8B45?? 0345?? 0FB6?? 33C1 8B4D?? 034D?? 8801 EB }
        
    condition:
        any of them
}
Download all Yara Rules