win.misha

Misha


Undocumented information stealer targeting multiple browsers and cryptocurrencies. Internal project name appears to be "misha".

References
2022-11-26 | BushidoToken Blog | BushidoToken
@online{bushidotoken:20221126:detecting:e5cee52, author = {BushidoToken}, title = {{Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms}}, date = {2022-11-26}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html}, language = {English}, urldate = {2022-11-28} } Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms
CollectorGoomba Misha TitanStealer
2021-11-04 | MalwareBazaar | abuse.ch
@online{abusech:20211104:malwarebazaar:27b4390, author = {abuse.ch}, title = {{MalwareBazaar Report for Misha sample}}, date = {2021-11-04}, organization = {MalwareBazaar}, url = {https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/}, language = {English}, urldate = {2021-11-09} } MalwareBazaar Report for Misha sample
Misha
Yara Rules
[TLP:WHITE] win_misha_auto (20230125 | Detects win.misha.)
rule win_misha_auto {
    // Autogenerated code-sequence rule for win.misha. It carries ten short x86
    // opcode sequences ($sequence_0 .. $sequence_9) that YARA-Signator picked
    // from the disassembly of unpacked files / memory dumps (see DISCLAIMER
    // below). The rule fires when at least seven of the ten sequences are
    // present and the scanned object is smaller than 710656 bytes. Every
    // sequence was scored 300 (see the per-sequence comments), and the
    // disclaimer states that families may be represented by a single sample,
    // so treat this as a corroborating detection signal rather than a
    // guaranteed-coverage family classifier.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.misha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of 6-7 consecutive instructions. Where an
        // "e8" (call rel32) or "e9" (jmp rel32) appears, its 4-byte relative
        // target is wildcarded ("????????") so the sequence does not depend on
        // the absolute layout of the binary; the corresponding disassembly
        // column below is therefore left empty.

        $sequence_0 = { 8b45cc 034514 8945ec 8b45ec 83e80c 8945e4 }
            // n = 6, score = 300
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   034514               | add                 eax, dword ptr [ebp + 0x14]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83e80c               | sub                 eax, 0xc
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_1 = { 32c0 eb3f 8a16 80fa2a 750d 46 }
            // n = 6, score = 300
            //   32c0                 | xor                 al, al
            //   eb3f                 | jmp                 0x41
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   80fa2a               | cmp                 dl, 0x2a        ; compares a byte against '*'
            //   750d                 | jne                 0xf
            //   46                   | inc                 esi

        $sequence_2 = { 0f8460020000 6a01 6a10 8d8578ffffff 50 e8???????? 83c40c }
            // n = 7, score = 300
            //   0f8460020000         | je                  0x266
            //   6a01                 | push                1
            //   6a10                 | push                0x10
            //   8d8578ffffff         | lea                 eax, [ebp - 0x88]
            //   50                   | push                eax
            //   e8????????           | call                (rel32 target wildcarded)
            //   83c40c               | add                 esp, 0xc        ; cdecl cleanup of the 3 pushed args

        $sequence_3 = { 8945f8 8d7dfc e8???????? 8b45f8 5f c9 c3 }
            // n = 7, score = 300
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d7dfc               | lea                 edi, [ebp - 4]
            //   e8????????           | call                (rel32 target wildcarded)
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5f                   | pop                 edi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_4 = { 6a00 6880000000 6a01 6a05 ff75d0 ff75e0 8b4308 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a01                 | push                1
            //   6a05                 | push                5
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]

        $sequence_5 = { ebde 8b45b8 8945b4 e9???????? 8b45b4 8b4df0 8b09 }
            // n = 7, score = 300
            //   ebde                 | jmp                 0xffffffe0
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   e9????????           | jmp                 (rel32 target wildcarded)
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_6 = { eb41 8b45f4 8b4004 83c810 8b4df4 894104 8b45ec }
            // n = 7, score = 300
            //   eb41                 | jmp                 0x43
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   83c810               | or                  eax, 0x10       ; sets bit 4 of a struct field at +4
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_7 = { e8???????? 83c428 84c0 7455 33c0 385d10 53 }
            // n = 7, score = 300
            //   e8????????           | call                (rel32 target wildcarded)
            //   83c428               | add                 esp, 0x28       ; cdecl cleanup, 10 dword args
            //   84c0                 | test                al, al
            //   7455                 | je                  0x57
            //   33c0                 | xor                 eax, eax
            //   385d10               | cmp                 byte ptr [ebp + 0x10], bl
            //   53                   | push                ebx

        $sequence_8 = { c1ea08 0bc2 c3 8bc1 8bd1 c1e210 2500ff0000 }
            // n = 7, score = 300
            //   c1ea08               | shr                 edx, 8
            //   0bc2                 | or                  eax, edx
            //   c3                   | ret                 
            //   8bc1                 | mov                 eax, ecx
            //   8bd1                 | mov                 edx, ecx
            //   c1e210               | shl                 edx, 0x10
            //   2500ff0000           | and                 eax, 0xff00
            // NOTE(review): this spans a function tail and the start of the
            // next function (the ret in the middle) and looks like a generic
            // bit-shuffling helper; such code can also appear in benign
            // runtime/library code, so it may be the least family-specific
            // of the ten -- confirm against a benign corpus before weighting.

        $sequence_9 = { c3 53 8b5c240c 56 57 8bf0 8d3c1b }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   8d3c1b               | lea                 edi, [ebx + ebx]  ; edi = 2 * ebx
            // NOTE(review): also straddles a ret and a fairly generic
            // prologue; same caveat as $sequence_8.

    condition:
        // 7-of-10 leaves room for three sequences to be missing or altered
        // between samples/builds. The size cap (710656 bytes) is evaluated
        // against whatever object is scanned: a packed on-disk sample larger
        // than the cap will not match even if the unpacked code contains the
        // sequences. NOTE(review): YARA defines filesize for file scans;
        // when scanning live process memory this clause may keep the rule
        // from matching at all -- confirm with the scanner in use.
        7 of them and filesize < 710656
}
[TLP:WHITE] win_misha_w0   (20211009 | Detect the unpacked payload for win.misha.)
rule win_misha_w0 {
    // Hand-written rule for the *unpacked* win.misha payload. Three patterns:
    // two for the routine that allocates heap buffers (one for the embedded
    // config, one for an embedded x64 code blob) and one for the in-place
    // string decryption loop. A single matching pattern is enough
    // (condition: any of them) and there is no filesize cap, so this rule is
    // intended for unpacked samples and memory dumps rather than packed
    // files on disk.
    //
    // NOTE(review): meta "date" is 20211109 while malpedia_rule_date and
    // malpedia_version are 20211009 (the page heading also says 20211009);
    // one of them is probably a transposition -- confirm. malpedia_hash is
    // left empty in this revision.

    meta:
        author = "Daniel Plohmann"
        description = "Detect the unpacked payload for win.misha."
        date = "20211109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20211009"
        malpedia_hash = ""
        malpedia_version = "20211009"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /*  @0x4252d7 - creating a heap buffer for the config
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 CE 11 01 00                push    111CEh
            50                            push    eax
            BF 40 9F 01 00                mov     edi, 19F40h
            B9 58 D8 42 00                mov     ecx, offset inner_buffer
            8B C6                         mov     eax, esi
            89 7C 24 14                   mov     [esp+18h+var_4], edi
            E8 1C D4 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            0F 85 A1 00 00 00             jnz     loc_4253A1
        */
        // Only the instruction skeleton is matched: the stack-slot
        // displacement (8D4424??), the pushed size (68????????, 0x111CE in
        // the sample above), the source offset (BF????????, 0x19F40), the
        // destination buffer address (B9????????), the [esp+..] store
        // displacement (89??????) and the call target (E8????????) are all
        // wildcarded, so the pattern survives relinking and config-size
        // changes. The trailing 0F is the first byte of the long-form jnz.
        $config_heap_0 = {8D4424?? 68???????? 50 BF???????? B9???????? 8BC689?????? E8???????? 59 59 85C0 0F }

        /*  @0x425300 - creating a heap buffer for some x64 code
            8D 44 24 0C                   lea     eax, [esp+10h+var_4]
            68 91 F3 00 00                push    0F391h
            50                            push    eax
            8D 86 40 9F 01 00             lea     eax, [esi+19F40h]
            B9 28 EA 43 00                mov     ecx, offset inner_buffer_2
            C7 44 24 14 80 03 02 00       mov     [esp+18h+var_4], 20380h
            E8 F0 D3 FF FF                call    sub_422712
            59                            pop     ecx
            59                            pop     ecx
            85 C0                         test    eax, eax
            75 79                         jnz     short loc_4253A1
        */
        // Same call skeleton as $config_heap_0 (same callee sub_422712 in
        // the sample), differing in how the source pointer and the size
        // stored to [esp+..] are materialised (lea / mov imm32). Size,
        // offset, buffer address and call target are wildcarded again; the
        // trailing 75 is the short-form jnz.
        $config_heap_1 = { 8D4424?? 68???????? 50 8D86???????? B9???????? C74424?????????? E8???????? 59 59 85C0 75 }

        /*  @0x408549 - string decryption
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            F7 75 14                      div     [ebp+dwKeyLen]
            8B 45 10                      mov     eax, [ebp+szKey]
            0F B6 0C 10                   movzx   ecx, byte ptr [eax+edx]
            8B 45 F8                      mov     eax, [ebp+var_8]
            33 D2                         xor     edx, edx
            BE 00 01 00 00                mov     esi, 100h
            F7 F6                         div     esi
            33 CA                         xor     ecx, edx
            8B 45 FC                      mov     eax, [ebp+var_4]
            03 45 F8                      add     eax, [ebp+var_8]
            0F B6 00                      movzx   eax, byte ptr [eax]
            33 C1                         xor     eax, ecx
            8B 4D FC                      mov     ecx, [ebp+var_4]
            03 4D F8                      add     ecx, [ebp+var_8]
            88 01                         mov     [ecx], al
            EB BF                         jmp     short loc_40853A
        */
        // One iteration of the decryption loop body (var_8 = loop index i,
        // var_4 = buffer, szKey/dwKeyLen = key and its length). Per the
        // listing: the key byte is szKey[i % dwKeyLen] (div leaves the
        // remainder in edx), it is XORed with (i % 0x100), and the result is
        // XORed into buffer[i] in place; the trailing EB is the short jmp
        // back to the loop head. Stack displacements and the div operand are
        // wildcarded. This single-sample XOR loop is structurally simple, so
        // it is the pattern most worth validating against benign code if the
        // rule is used standalone (condition is "any of them").
        $string_decrypt = { 8B45?? 33D2 F7???? 8B45?? 0FB6???? 8B45?? 33D2 BE00010000 F7F6 33CA 8B45?? 0345?? 0FB6?? 33C1 8B4D?? 034D?? 8801 EB }
        
    condition:
        // Any one of the three patterns is sufficient; there is no filesize
        // or PE-header constraint, so apply this to unpacked payloads/dumps.
        any of them
}