win.netrepser_keylogger (Back to overview)

Netrepser


There is no description at this point.

References
2017-05-05 | Bitdefender | Bogdan Botezatu, Alexandru Maximciuc, Cristina Vatamanu, Adrian Schipur
@online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } Inside Netrepser – a JavaScript-based Targeted Attack
Netrepser
Yara Rules
[TLP:WHITE] win_netrepser_keylogger_auto (20221125 | Detects win.netrepser_keylogger.)
rule win_netrepser_keylogger_auto {
    // Auto-generated code-sequence signature for the Netrepser keylogger
    // (Malpedia family win.netrepser_keylogger). Each $sequence_N below is a
    // short run of x86 instruction bytes lifted from the disassembly of one
    // or more samples; the rule fires when enough of them co-occur (see
    // condition). Because the strings are opcode fragments rather than
    // behavioural indicators, treat a hit as "code shared with the reference
    // sample(s)", not as proof of the full keylogger being present.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.netrepser_keylogger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Which operand classes the generator masked with '??' wildcards
        // (call/jump targets, data references, immediate binary values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger"
        // malpedia_rule_date / malpedia_hash / malpedia_version presumably
        // identify the Malpedia corpus snapshot the rule was generated from;
        // keep them when re-publishing so the rule's provenance stays traceable.
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Format of the annotations under each string: "n" is the number of
        // instructions in the sequence (it matches the number of annotated
        // lines); "score" is the generator's ranking of the sequence, and the
        // sequences fall into two tiers here (200 for $sequence_0-7, 100 for
        // $sequence_8-15) — what the tiers mean exactly is not stated in the
        // rule, so do not read them as per-string confidence without checking
        // the yara-signator documentation. Bytes shown as '??' are wildcards
        // standing in for relocatable operands (e.g. the 4-byte target of
        // e8/e9 call/jmp and the absolute addresses of a3/8b0d), so the
        // sequences survive relocation and rebasing; an instruction with no
        // mnemonic in its annotation is one whose operand was fully masked.
        $sequence_0 = { 8b4df4 6bc90c 8d540dac 8955dc ebaf }
            // n = 5, score = 200
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   6bc90c               | imul                ecx, ecx, 0xc
            //   8d540dac             | lea                 edx, [ebp + ecx - 0x54]
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   ebaf                 | jmp                 0xffffffb1

        // Byte-at-a-time stores of immediates to the stack: the values 0x52
        // 0x33 0x32 0x2e 0x64 are ASCII "R32.d", i.e. a string being
        // assembled on the stack rather than stored in the data section
        // (a common way to keep strings out of static string dumps).
        $sequence_1 = { c645e752 c645e833 c645e932 c645ea2e c645eb64 }
            // n = 5, score = 200
            //   c645e752             | mov                 byte ptr [ebp - 0x19], 0x52
            //   c645e833             | mov                 byte ptr [ebp - 0x18], 0x33
            //   c645e932             | mov                 byte ptr [ebp - 0x17], 0x32
            //   c645ea2e             | mov                 byte ptr [ebp - 0x16], 0x2e
            //   c645eb64             | mov                 byte ptr [ebp - 0x15], 0x64

        // Compares a stack dword against the constant 0x90312; the meaning of
        // that constant is not recoverable from the bytes alone.
        $sequence_2 = { 817dfc12030900 7408 8b45fc e9???????? 837df000 747c }
            // n = 6, score = 200
            //   817dfc12030900       | cmp                 dword ptr [ebp - 4], 0x90312
            //   7408                 | je                  0xa
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e9????????           |                     
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   747c                 | je                  0x7e

        // Copies one byte from one stack buffer to another and increments a
        // byte counter at [ebp - 0xd]; looks like the body of a per-byte
        // copy/transform loop (loop bounds are outside the sequence).
        $sequence_3 = { 8a5405dc 88940d70ffffff 8a45f3 0401 8845f3 }
            // n = 5, score = 200
            //   8a5405dc             | mov                 dl, byte ptr [ebp + eax - 0x24]
            //   88940d70ffffff       | mov                 byte ptr [ebp + ecx - 0x90], dl
            //   8a45f3               | mov                 al, byte ptr [ebp - 0xd]
            //   0401                 | add                 al, 1
            //   8845f3               | mov                 byte ptr [ebp - 0xd], al

        // Two cdecl calls with the result of the second stored to a global
        // (a3 = mov [abs32], eax); call and global addresses are wildcarded.
        $sequence_4 = { e8???????? 83c404 50 e8???????? a3???????? 8b5524 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   e8????????           |                     
            //   a3????????           |                     
            //   8b5524               | mov                 edx, dword ptr [ebp + 0x24]

        // Subtracts 0x61 ('a') from a byte argument, i.e. maps a lowercase
        // letter to its 0-based alphabet index — presumably part of a string
        // encoding/decoding routine, unconfirmed from these bytes alone.
        $sequence_5 = { 8a450c 8845f7 0fb64df7 83e961 884df7 }
            // n = 5, score = 200
            //   8a450c               | mov                 al, byte ptr [ebp + 0xc]
            //   8845f7               | mov                 byte ptr [ebp - 9], al
            //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]
            //   83e961               | sub                 ecx, 0x61
            //   884df7               | mov                 byte ptr [ebp - 9], cl

        $sequence_6 = { 8d45e4 50 8d4dd8 51 e8???????? 83c404 50 }
            // n = 7, score = 200
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax

        $sequence_7 = { 753a 83bd5cfeffff04 7531 8b0d???????? }
            // n = 4, score = 200
            //   753a                 | jne                 0x3c
            //   83bd5cfeffff04       | cmp                 dword ptr [ebp - 0x1a4], 4
            //   7531                 | jne                 0x33
            //   8b0d????????         |                     

        // Sequences 8-15 carry the lower score tier (100).
        $sequence_8 = { 6683f809 7505 bd02000000 5b e8???????? 5f }
            // n = 6, score = 100
            //   6683f809             | cmp                 ax, 9
            //   7505                 | jne                 7
            //   bd02000000           | mov                 ebp, 2
            //   5b                   | pop                 ebx
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_9 = { 83ec28 55 56 50 bd01000000 e8???????? 8bf0 }
            // n = 7, score = 100
            //   83ec28               | sub                 esp, 0x28
            //   55                   | push                ebp
            //   56                   | push                esi
            //   50                   | push                eax
            //   bd01000000           | mov                 ebp, 1
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        // Only 4 instructions, two of them very generic (pop edi / push eax);
        // this sequence contributes little on its own and is the weakest
        // of the set for false-positive purposes.
        $sequence_10 = { 5f 8b0d???????? 8d0424 50 }
            // n = 4, score = 100
            //   5f                   | pop                 edi
            //   8b0d????????         |                     
            //   8d0424               | lea                 eax, [esp]
            //   50                   | push                eax

        // Indexes a table of 40-byte (5*8) records at edi by a 16-bit index
        // in dx and compares the dword at offset 0xc against esi.
        $sequence_11 = { 7320 90 0fb7c2 8d0c80 8d04cf 8b480c 3bf1 }
            // n = 7, score = 100
            //   7320                 | jae                 0x22
            //   90                   | nop                 
            //   0fb7c2               | movzx               eax, dx
            //   8d0c80               | lea                 ecx, [eax + eax*4]
            //   8d04cf               | lea                 eax, [edi + ecx*8]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   3bf1                 | cmp                 esi, ecx

        // Standard x86 Windows SEH-frame teardown (restore fs:[0] from the
        // saved previous handler, then pop callee-saved registers). This is
        // compiler-emitted epilogue code and is shared by a great deal of
        // benign software, so it should not be weighted heavily by itself.
        $sequence_12 = { 8b4510 8b4df0 64890d00000000 59 5f 5e }
            // n = 6, score = 100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_13 = { 885e14 e8???????? 6a04 8d4c245c 51 8d561a 52 }
            // n = 7, score = 100
            //   885e14               | mov                 byte ptr [esi + 0x14], bl
            //   e8????????           |                     
            //   6a04                 | push                4
            //   8d4c245c             | lea                 ecx, [esp + 0x5c]
            //   51                   | push                ecx
            //   8d561a               | lea                 edx, [esi + 0x1a]
            //   52                   | push                edx

        // Argument setup for a stdcall API taking several zero arguments
        // and the constant 0x100000 (1 MiB); the callee is outside the
        // sequence, so which API this is cannot be determined here.
        $sequence_14 = { 55 6a00 6a00 53 6800001000 6a00 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   6800001000           | push                0x100000
            //   6a00                 | push                0

        // Stack-string construction again: the little-endian dwords
        // 0x6e65704f and 0x636f7250 are ASCII "Open" and "Proc", written
        // as adjacent stack dwords — consistent with building an API name
        // such as "OpenProc..." at runtime for dynamic resolution
        // (the remainder of the name is outside the sequence, unconfirmed).
        $sequence_15 = { 8d0424 50 51 c74424084f70656e c744240c50726f63 }
            // n = 5, score = 100
            //   8d0424               | lea                 eax, [esp]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   c74424084f70656e     | mov                 dword ptr [esp + 8], 0x6e65704f
            //   c744240c50726f63     | mov                 dword ptr [esp + 0xc], 0x636f7250

    condition:
        // At least 7 of the 16 sequences must be present (ordering and
        // proximity are not constrained), and the scanned object must be
        // smaller than 303104 bytes (296 KiB). Note that YARA's `filesize`
        // is documented as undefined when scanning a running process, so as
        // written this rule is a file/dump-scanning rule and is not expected
        // to fire on live process memory; a memory-scan variant would drop or
        // replace the size clause. The threshold of 7 also means that the
        // generic fragments ($sequence_10, $sequence_12) cannot trigger the
        // rule on their own.
        7 of them and filesize < 303104
}