win.mulcom

MulCom


No description has been written for this family yet. The only reference listed below (Avast Decoded, 2022-03-22) documents it as part of "Operation Dragon Castling", an APT campaign targeting betting companies.

References
2022-03-22Avast DecodedLuigino Camastra, Igor Morgenstern, Jan Holman
@online{camastra:20220322:operation:05d8831, author = {Luigino Camastra and Igor Morgenstern and Jan Holman}, title = {{Operation Dragon Castling: APT group targeting betting companies}}, date = {2022-03-22}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies}, language = {English}, urldate = {2022-08-26} } Operation Dragon Castling: APT group targeting betting companies
Families covered by this reference: FormerFirstRAT, MulCom, TianWu
Yara Rules
[TLP:WHITE] win_mulcom_auto (20230125 | Detects win.mulcom.)
rule win_mulcom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.mulcom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The ten hex sequences below are the detection content; the
     *   "n = ..." line gives the number of instructions in each sequence.
     * - The instruction annotations shipped with the generated rule were
     *   32-bit decodes that did not line up with the bytes (the bytes carry
     *   REX prefixes, i.e. this is x86-64 code). The annotations here were
     *   re-derived from the hex bytes as x86-64; the bytes themselves are
     *   unchanged. "????????" marks a wildcarded rel32/disp32 operand.
     * - Relative branch targets are given as signed displacements from the
     *   end of the branch instruction, not as absolute addresses.
     * - NOTE(review): `filesize` is only meaningful for file scans; confirm
     *   how the condition behaves for process-memory scans before relying on
     *   this rule for memory hunting.
     */


    strings:
        $sequence_0 = { 4883e2fc 483bd7 721c 4883c227 4c8b41f8 492bc8 488d41f8 }
            // n = 7, score = 100
            //   4883e2fc             | and                 rdx, 0xfffffffffffffffc
            //   483bd7               | cmp                 rdx, rdi
            //   721c                 | jb                  +0x1c
            //   4883c227             | add                 rdx, 0x27
            //   4c8b41f8             | mov                 r8, qword ptr [rcx - 8]
            //   492bc8               | sub                 rcx, r8
            //   488d41f8             | lea                 rax, [rcx - 8]

        $sequence_1 = { 488b41f0 48635004 488d0569950400 4889440af0 488b41f0 48635004 448d42f0 }
            // n = 7, score = 100
            //   488b41f0             | mov                 rax, qword ptr [rcx - 0x10]
            //   48635004             | movsxd              rdx, dword ptr [rax + 4]
            //   488d0569950400       | lea                 rax, [rip + 0x49569]
            //   4889440af0           | mov                 qword ptr [rdx + rcx - 0x10], rax
            //   488b41f0             | mov                 rax, qword ptr [rcx - 0x10]
            //   48635004             | movsxd              rdx, dword ptr [rax + 4]
            //   448d42f0             | lea                 r8d, [rdx - 0x10]

        $sequence_2 = { 33d2 41b8d8020000 488d4df0 e8???????? 4c8b4310 488bd3 48837b1808 }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   41b8d8020000         | mov                 r8d, 0x2d8
            //   488d4df0             | lea                 rcx, [rbp - 0x10]
            //   e8????????           | call                rel32 (wildcarded)
            //   4c8b4310             | mov                 r8, qword ptr [rbx + 0x10]
            //   488bd3               | mov                 rdx, rbx
            //   48837b1808           | cmp                 qword ptr [rbx + 0x18], 8

        $sequence_3 = { 85c9 7e2d 483bd8 488beb 498bd6 498bc9 480f4de8 }
            // n = 7, score = 100
            //   85c9                 | test                ecx, ecx
            //   7e2d                 | jle                 +0x2d
            //   483bd8               | cmp                 rbx, rax
            //   488beb               | mov                 rbp, rbx
            //   498bd6               | mov                 rdx, r14
            //   498bc9               | mov                 rcx, r9
            //   480f4de8             | cmovge              rbp, rax

        $sequence_4 = { c7811807000080000000 488d0dc65a0400 ff15???????? 408ac6 488b4c2440 }
            // n = 5, score = 100
            //   c7811807000080000000     | mov    dword ptr [rcx + 0x718], 0x80
            //   488d0dc65a0400       | lea                 rcx, [rip + 0x45ac6]
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   408ac6               | mov                 al, sil
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]

        $sequence_5 = { 488b5d88 4885db 0f846b060000 4885c0 0f8462060000 33c0 }
            // n = 6, score = 100
            //   488b5d88             | mov                 rbx, qword ptr [rbp - 0x78]
            //   4885db               | test                rbx, rbx
            //   0f846b060000         | je                  +0x66b
            //   4885c0               | test                rax, rax
            //   0f8462060000         | je                  +0x662
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 488d15a0570200 488bcb 488905???????? ff15???????? 483305???????? 488d15a2570200 488bcb }
            // n = 7, score = 100
            //   488d15a0570200       | lea                 rdx, [rip + 0x257a0]
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + disp32], rax (wildcarded)
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   483305????????       | xor                 rax, qword ptr [rip + disp32] (wildcarded)
            //   488d15a2570200       | lea                 rdx, [rip + 0x257a2]
            //   488bcb               | mov                 rcx, rbx

        $sequence_7 = { 4c8be8 4d85f6 741b 498b16 498bce ff5210 4885c0 }
            // n = 7, score = 100
            //   4c8be8               | mov                 r13, rax
            //   4d85f6               | test                r14, r14
            //   741b                 | je                  +0x1b
            //   498b16               | mov                 rdx, qword ptr [r14]
            //   498bce               | mov                 rcx, r14
            //   ff5210               | call                qword ptr [rdx + 0x10]
            //   4885c0               | test                rax, rax

        $sequence_8 = { 4983e901 75e7 33c9 85c9 740f 4883c002 eba5 }
            // n = 7, score = 100
            //   4983e901             | sub                 r9, 1
            //   75e7                 | jne                 -0x19
            //   33c9                 | xor                 ecx, ecx
            //   85c9                 | test                ecx, ecx
            //   740f                 | je                  +0xf
            //   4883c002             | add                 rax, 2
            //   eba5                 | jmp                 -0x5b

        $sequence_9 = { 55 56 4881ec90000000 418bd9 4d8bd8 488bf2 488be9 }
            // n = 7, score = 100
            //   55                   | push                rbp
            //   56                   | push                rsi
            //   4881ec90000000       | sub                 rsp, 0x90
            //   418bd9               | mov                 ebx, r9d
            //   4d8bd8               | mov                 r11, r8
            //   488bf2               | mov                 rsi, rdx
            //   488be9               | mov                 rbp, rcx

    condition:
        // At least 7 of the 10 sequences must be present; the size bound
        // rejects large inputs before any string matching is attempted.
        7 of them and filesize < 867328
}