SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mulcom (Back to overview)

MulCom


There is no description at this point.

References
2022-03-22Avast DecodedLuigino Camastra, Igor Morgenstern, Jan Holman
@online{camastra:20220322:operation:05d8831, author = {Luigino Camastra and Igor Morgenstern and Jan Holman}, title = {{Operation Dragon Castling: APT group targeting betting companies}}, date = {2022-03-22}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies}, language = {English}, urldate = {2022-08-26} } Operation Dragon Castling: APT group targeting betting companies
FormerFirstRAT MulCom TianWu
Yara Rules
[TLP:WHITE] win_mulcom_auto (20230715 | Detects win.mulcom.)
rule win_mulcom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mulcom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 41ffc5 443b6c2468 7320 8b9c24c8000000 8b542464 4c8bbc24d8000000 4c8b9c24c0000000 }
            // n = 7, score = 100
            //   41ffc5               | mov                 edx, ebp
            //   443b6c2468           | dec                 ecx
            //   7320                 | mov                 ecx, dword ptr [esi + 0x10]
            //   8b9c24c8000000       | dec                 eax
            //   8b542464             | lea                 esi, [edx + 1]
            //   4c8bbc24d8000000     | dec                 ecx
            //   4c8b9c24c0000000     | sub                 ecx, dword ptr [esi]

        $sequence_1 = { 448bc5 896c2470 4889542420 eb0d 448b942480000000 488b542420 8d8700680100 }
            // n = 7, score = 100
            //   448bc5               | lea                 eax, [esp + 0x50]
            //   896c2470             | inc                 ecx
            //   4889542420           | mov                 ecx, 0x218
            //   eb0d                 | dec                 ecx
            //   448b942480000000     | mov                 edx, edi
            //   488b542420           | dec                 esp
            //   8d8700680100         | mov                 ecx, edi

        $sequence_2 = { ffc9 d222 4d85ff 7422 448b4508 }
            // n = 5, score = 100
            //   ffc9                 | dec                 eax
            //   d222                 | mov                 dword ptr [ebp - 0x78], edi
            //   4d85ff               | dec                 eax
            //   7422                 | mov                 dword ptr [ebp - 0x70], eax
            //   448b4508             | mov                 word ptr [esp + 0x78], di

        $sequence_3 = { 75e8 8bc7 eb07 1bc0 83e0fe ffc0 85c0 }
            // n = 7, score = 100
            //   75e8                 | dec                 eax
            //   8bc7                 | mov                 edx, edi
            //   eb07                 | dec                 ebp
            //   1bc0                 | mov                 eax, esp
            //   83e0fe               | dec                 ecx
            //   ffc0                 | sub                 edx, esp
            //   85c0                 | dec                 eax

        $sequence_4 = { 4883781808 7203 488b00 488d9590000000 488bc8 ff15???????? 4c8be0 }
            // n = 7, score = 100
            //   4883781808           | cmp                 dword ptr [ecx + 0x18], 0x10
            //   7203                 | jb                  0x1af5
            //   488b00               | dec                 ebp
            //   488d9590000000       | mov                 ecx, dword ptr [ecx]
            //   488bc8               | dec                 esp
            //   ff15????????         |                     
            //   4c8be0               | lea                 eax, [edi + 0x120]

        $sequence_5 = { 895320 488903 40887b24 488911 885108 488d15fd600200 e8???????? }
            // n = 7, score = 100
            //   895320               | mov                 ebp, dword ptr [ebx + 0x10]
            //   488903               | dec                 eax
            //   40887b24             | and                 dword ptr [esi + 0xe0], 0
            //   488911               | dec                 eax
            //   885108               | cmp                 ecx, dword ptr [esi + 0xd8]
            //   488d15fd600200       | je                  0x81
            //   e8????????           |                     

        $sequence_6 = { 4969c4d0000000 4803c7 48894608 488b442420 4803c7 48894610 488b06 }
            // n = 7, score = 100
            //   4969c4d0000000       | dec                 eax
            //   4803c7               | add                 ebx, 0x20
            //   48894608             | xor                 edx, edx
            //   488b442420           | inc                 ecx
            //   4803c7               | mov                 eax, 0x2d8
            //   48894610             | dec                 eax
            //   488b06               | lea                 ecx, [ebp - 0x20]

        $sequence_7 = { 4885c9 744f 498b4050 486310 4803d1 483bca 7304 }
            // n = 7, score = 100
            //   4885c9               | je                  0x3d2
            //   744f                 | cmp                 esi, 0x7d00
            //   498b4050             | jl                  0x3c3
            //   486310               | inc                 ecx
            //   4803d1               | cmp                 esp, 3
            //   483bca               | jl                  0x3c9
            //   7304                 | inc                 ecx

        $sequence_8 = { 66c745600401 0fb74e58 ff15???????? 66894562 488d0dd9610400 ff15???????? 894564 }
            // n = 7, score = 100
            //   66c745600401         | dec                 ecx
            //   0fb74e58             | lea                 ecx, [edi + 0x80]
            //   ff15????????         |                     
            //   66894562             | dec                 eax
            //   488d0dd9610400       | mov                 edx, eax
            //   ff15????????         |                     
            //   894564               | inc                 esp

        $sequence_9 = { e8???????? 3b470c 753f 4c8b4c2448 8b5710 4c39ca 7732 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   3b470c               | mov                 dword ptr [esp + 0x20], eax
            //   753f                 | dec                 ecx
            //   4c8b4c2448           | mov                 edx, esp
            //   8b5710               | dec                 eax
            //   4c39ca               | lea                 ecx, [ebp + 0x180]
            //   7732                 | inc                 ecx

    condition:
        7 of them and filesize < 867328
}
Download all Yara Rules