SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mole (Back to overview)

Mole


There is no description at this point.

References
2017-06-20ProofpointKafeine
@online{kafeine:20170620:adgholas:8ca8d57, author = {Kafeine}, title = {{AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware}}, date = {2017-06-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware}, language = {English}, urldate = {2019-12-20} } AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware
Mole
2017-05-30CERT.PLJarosław Jedynak
@online{jedynak:20170530:mole:868f8ea, author = {Jarosław Jedynak}, title = {{Mole ransomware: analysis and decryptor}}, date = {2017-05-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/}, language = {English}, urldate = {2019-12-17} } Mole ransomware: analysis and decryptor
Mole
Yara Rules
[TLP:WHITE] win_mole_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mole_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 8b8df0fdffff 81e94468d005 898df0fdffff 83bdf0fdffff14 0f8757800000 8b95f0fdffff }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8df0fdffff         | mov                 ecx, dword ptr [ebp - 0x210]
            //   81e94468d005         | sub                 ecx, 0x5d06844
            //   898df0fdffff         | mov                 dword ptr [ebp - 0x210], ecx
            //   83bdf0fdffff14       | cmp                 dword ptr [ebp - 0x210], 0x14
            //   0f8757800000         | ja                  0x805d
            //   8b95f0fdffff         | mov                 edx, dword ptr [ebp - 0x210]

        $sequence_1 = { 0f84143e0000 81bdf0fdffffc3e9d505 0f8432380000 81bdf0fdffffc4e9d505 0f84f82a0000 81bdf0fdffffc8e9d505 0f847c280000 }
            // n = 7, score = 100
            //   0f84143e0000         | je                  0x3e1a
            //   81bdf0fdffffc3e9d505     | cmp    dword ptr [ebp - 0x210], 0x5d5e9c3
            //   0f8432380000         | je                  0x3838
            //   81bdf0fdffffc4e9d505     | cmp    dword ptr [ebp - 0x210], 0x5d5e9c4
            //   0f84f82a0000         | je                  0x2afe
            //   81bdf0fdffffc8e9d505     | cmp    dword ptr [ebp - 0x210], 0x5d5e9c8
            //   0f847c280000         | je                  0x2882

        $sequence_2 = { e9???????? 81bdf0fdffffd321d405 7745 81bdf0fdffffd321d405 0f840c530000 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   81bdf0fdffffd321d405     | cmp    dword ptr [ebp - 0x210], 0x5d421d3
            //   7745                 | ja                  0x47
            //   81bdf0fdffffd321d405     | cmp    dword ptr [ebp - 0x210], 0x5d421d3
            //   0f840c530000         | je                  0x5312

        $sequence_3 = { 83c414 8d8ddcf7ffff 51 e8???????? 83c404 0fb6d0 85d2 }
            // n = 7, score = 100
            //   83c414               | add                 esp, 0x14
            //   8d8ddcf7ffff         | lea                 ecx, [ebp - 0x824]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   0fb6d0               | movzx               edx, al
            //   85d2                 | test                edx, edx

        $sequence_4 = { 6a00 8d8578e4ffff 50 8b8dbce4ffff 51 8b95b4e4ffff }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   8d8578e4ffff         | lea                 eax, [ebp - 0x1b88]
            //   50                   | push                eax
            //   8b8dbce4ffff         | mov                 ecx, dword ptr [ebp - 0x1b44]
            //   51                   | push                ecx
            //   8b95b4e4ffff         | mov                 edx, dword ptr [ebp - 0x1b4c]

        $sequence_5 = { 81bdf0fdffff262436b4 0f8472150000 81bdf0fdffff412d11b7 0f84ce210000 e9???????? 81bdf0fdffff57d310ba 0f847d170000 }
            // n = 7, score = 100
            //   81bdf0fdffff262436b4     | cmp    dword ptr [ebp - 0x210], 0xb4362426
            //   0f8472150000         | je                  0x1578
            //   81bdf0fdffff412d11b7     | cmp    dword ptr [ebp - 0x210], 0xb7112d41
            //   0f84ce210000         | je                  0x21d4
            //   e9????????           |                     
            //   81bdf0fdffff57d310ba     | cmp    dword ptr [ebp - 0x210], 0xba10d357
            //   0f847d170000         | je                  0x1783

        $sequence_6 = { e9???????? 81bdf0fdffff44dad005 0f8482540000 81bdf0fdffffcce0d005 0f844c570000 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   81bdf0fdffff44dad005     | cmp    dword ptr [ebp - 0x210], 0x5d0da44
            //   0f8482540000         | je                  0x5488
            //   81bdf0fdffffcce0d005     | cmp    dword ptr [ebp - 0x210], 0x5d0e0cc
            //   0f844c570000         | je                  0x5752

        $sequence_7 = { 7766 81bdf0fdffff44a9d005 0f84614f0000 81bdf0fdffffcba7d005 7735 81bdf0fdffffcba7d005 0f84077d0000 }
            // n = 7, score = 100
            //   7766                 | ja                  0x68
            //   81bdf0fdffff44a9d005     | cmp    dword ptr [ebp - 0x210], 0x5d0a944
            //   0f84614f0000         | je                  0x4f67
            //   81bdf0fdffffcba7d005     | cmp    dword ptr [ebp - 0x210], 0x5d0a7cb
            //   7735                 | ja                  0x37
            //   81bdf0fdffffcba7d005     | cmp    dword ptr [ebp - 0x210], 0x5d0a7cb
            //   0f84077d0000         | je                  0x7d0d

        $sequence_8 = { 8d85b8e4ffff 50 8b8d88e4ffff 51 8b9574e4ffff 52 8b85c0e4ffff }
            // n = 7, score = 100
            //   8d85b8e4ffff         | lea                 eax, [ebp - 0x1b48]
            //   50                   | push                eax
            //   8b8d88e4ffff         | mov                 ecx, dword ptr [ebp - 0x1b78]
            //   51                   | push                ecx
            //   8b9574e4ffff         | mov                 edx, dword ptr [ebp - 0x1b8c]
            //   52                   | push                edx
            //   8b85c0e4ffff         | mov                 eax, dword ptr [ebp - 0x1b40]

        $sequence_9 = { 81bdf0fdffff566c91ea 0f84e2070000 81bdf0fdffffcd6675ea 0f8420280000 81bdf0fdffffd8a375ea 0f84a6230000 e9???????? }
            // n = 7, score = 100
            //   81bdf0fdffff566c91ea     | cmp    dword ptr [ebp - 0x210], 0xea916c56
            //   0f84e2070000         | je                  0x7e8
            //   81bdf0fdffffcd6675ea     | cmp    dword ptr [ebp - 0x210], 0xea7566cd
            //   0f8420280000         | je                  0x2826
            //   81bdf0fdffffd8a375ea     | cmp    dword ptr [ebp - 0x210], 0xea75a3d8
            //   0f84a6230000         | je                  0x23ac
            //   e9????????           |                     

    condition:
        7 of them and filesize < 297984
}
Download all Yara Rules