SYMBOLCOMMON_NAMEaka. SYNONYMS
win.misha (Back to overview)

Misha


Undocumented information stealer targeting multiple browsers and cryptocurrences. Internal project name appears to be "misha".

References
2021-11-04MalwareBazaarabuse.ch
@online{abusech:20211104:malwarebazaar:27b4390, author = {abuse.ch}, title = {{MalwareBazaar Report for Misha sample}}, date = {2021-11-04}, organization = {MalwareBazaar}, url = {https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/}, language = {English}, urldate = {2021-11-09} } MalwareBazaar Report for Misha sample
Misha
Yara Rules
[TLP:WHITE] win_misha_auto (20220411 | Detects win.misha.)
rule win_misha_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.misha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7310 8d45e0 e8???????? 83c40c 0fb6c0 }
            // n = 5, score = 300
            //   ff7310               | push                dword ptr [ebx + 0x10]
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   0fb6c0               | movzx               eax, al

        $sequence_1 = { 2b4508 f7d8 48 e9???????? 8b4590 83c004 8b4d0c }
            // n = 7, score = 300
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]
            //   f7d8                 | neg                 eax
            //   48                   | dec                 eax
            //   e9????????           |                     
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   83c004               | add                 eax, 4
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_2 = { 8bc2 eb13 8b450c 8945f4 8b4508 8b4df4 0fb70441 }
            // n = 7, score = 300
            //   8bc2                 | mov                 eax, edx
            //   eb13                 | jmp                 0x15
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   0fb70441             | movzx               eax, word ptr [ecx + eax*2]

        $sequence_3 = { 53 56 8bf0 57 8dbe84020000 8d5e20 57 }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   57                   | push                edi
            //   8dbe84020000         | lea                 edi, dword ptr [esi + 0x284]
            //   8d5e20               | lea                 ebx, dword ptr [esi + 0x20]
            //   57                   | push                edi

        $sequence_4 = { 50 6a00 6802000080 ff730c ff7308 e8???????? }
            // n = 6, score = 300
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6802000080           | push                0x80000002
            //   ff730c               | push                dword ptr [ebx + 0xc]
            //   ff7308               | push                dword ptr [ebx + 8]
            //   e8????????           |                     

        $sequence_5 = { 7546 8b460c 385804 743e 8365fc00 8d580c }
            // n = 6, score = 300
            //   7546                 | jne                 0x48
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   385804               | cmp                 byte ptr [eax + 4], bl
            //   743e                 | je                  0x40
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d580c               | lea                 ebx, dword ptr [eax + 0xc]

        $sequence_6 = { 83c40c 8d85e8feffff 50 6a00 8d85e8feffff 50 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   8d85e8feffff         | lea                 eax, dword ptr [ebp - 0x118]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   8d85e8feffff         | lea                 eax, dword ptr [ebp - 0x118]
            //   50                   | push                eax

        $sequence_7 = { 8b45f8 03c3 8945dc 0f8496000000 8b7d08 56 e8???????? }
            // n = 7, score = 300
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   03c3                 | add                 eax, ebx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   0f8496000000         | je                  0x9c
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_8 = { c3 56 ff742408 8bf0 56 e8???????? ff742410 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   56                   | push                esi
            //   ff742408             | push                dword ptr [esp + 8]
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_9 = { ff5008 59 85c0 0f85e0010000 8b430c 0528020000 ff7310 }
            // n = 7, score = 300
            //   ff5008               | call                dword ptr [eax + 8]
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f85e0010000         | jne                 0x1e6
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   0528020000           | add                 eax, 0x228
            //   ff7310               | push                dword ptr [ebx + 0x10]

    condition:
        7 of them and filesize < 710656
}
[TLP:WHITE] win_misha_w0   (20211009 | Detect the unpacked payload for win.misha.)
rule win_misha_w0 {

    meta:
        author = "Daniel Plohmann"
        description = "Detect the unpacked payload for win.misha."
        date = "20211109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20211009"
        malpedia_hash = ""
        malpedia_version = "20211009"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /*  @0x4252d7 - creating a heap buffer for the config
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 CE 11 01 00                push    111CEh
            50                            push    eax
            BF 40 9F 01 00                mov     edi, 19F40h
            B9 58 D8 42 00                mov     ecx, offset inner_buffer
            8B C6                         mov     eax, esi
            89 7C 24 14                   mov     [esp+18h+var_4], edi
            E8 1C D4 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            0F 85 A1 00 00 00             jnz     loc_4253A1
        */
        $config_heap_0 = {8D4424?? 68???????? 50 BF???????? B9???????? 8BC689?????? E8???????? 59 59 85C0 0F }

        /*  @0x425300 - creating a heap buffer for some x64 code
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 91 F3 00 00                push    0F391h
            50                            push    eax
            8D 86 40 9F 01 00             lea     eax, [esi+19F40h]
            B9 28 EA 43 00                mov     ecx, offset inner_buffer_2
            C7 44 24 14 80 03 02 00       mov     [esp+18h+var_4], 20380h
            E8 F0 D3 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            75 79                         jnz     short loc_4253A1
        */
        $config_heap_1 = { 8D4424?? 68???????? 50 8D86???????? B9???????? C74424?????????? E8???????? 59 59 85C0 75 }

        /*  @0x408549 - string decryption
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            F7 75 14                      div     [ebp+dwKeyLen]
            8B 45 10                      mov     eax, [ebp+szKey]
            0F B6 0C 10                   movzx   ecx, byte ptr [eax+edx]
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            BE 00 01 00 00                mov     esi, 100h
            F7 F6                         div     esi
            33 CA                         xor     ecx, edx
            8B 45 FC                      mov     eax, [ebp+var_4]
            03 45 F8                      add     eax, [ebp+var_8]
            0F B6 00                      movzx   eax, byte ptr [eax]
            33 C1                         xor     eax, ecx
            8B 4D FC                      mov     ecx, [ebp+var_4]
            03 4D F8                      add     ecx, [ebp+var_8]
            88 01                         mov     [ecx], al
            EB BF                         jmp     short loc_40853A
        */
        $string_decrypt = { 8B45?? 33D2 F7???? 8B45?? 0FB6???? 8B45?? 33D2 BE00010000 F7F6 33CA 8B45?? 0345?? 0FB6?? 33C1 8B4D?? 034D?? 8801 EB }
        
    condition:
        any of them
}
Download all Yara Rules