SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nvisospit (Back to overview)

NVISOSPIT


There is no description at this point.

References
2019-06-01Twitter (@Bank_Security)Bank_Security
@online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } New ATM Malware NVISOSPIT
NVISOSPIT
2019-06-01Twitter (@r3c0nst)Frank Boldewin
@online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } Tweet on ATM Malware NVISOSPIT
NVISOSPIT
2014nvisoErik Van Buggenhout
@techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } A history of ATM violence
NVISOSPIT
Yara Rules
[TLP:WHITE] win_nvisospit_auto (20220411 | Detects win.nvisospit.)
rule win_nvisospit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.nvisospit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b800000000 eb25 8b4514 8944240c }
            // n = 4, score = 100
            //   b800000000           | mov                 eax, 0
            //   eb25                 | jmp                 0x27
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

        $sequence_1 = { 89d8 5b c3 c7042408000000 e8???????? a1???????? }
            // n = 6, score = 100
            //   89d8                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   c7042408000000       | mov                 dword ptr [esp], 8
            //   e8????????           |                     
            //   a1????????           |                     

        $sequence_2 = { 8d959cf9ffff 89542408 c744240400000000 890424 e8???????? }
            // n = 5, score = 100
            //   8d959cf9ffff         | lea                 edx, dword ptr [ebp - 0x664]
            //   89542408             | mov                 dword ptr [esp + 8], edx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_3 = { 8945c4 0f849d000000 83fb20 0f8480000000 83fb08 743b }
            // n = 6, score = 100
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   0f849d000000         | je                  0xa3
            //   83fb20               | cmp                 ebx, 0x20
            //   0f8480000000         | je                  0x86
            //   83fb08               | cmp                 ebx, 8
            //   743b                 | je                  0x3d

        $sequence_4 = { 034f08 39c8 0f8281000000 83c301 83c20c 39f3 75e2 }
            // n = 7, score = 100
            //   034f08               | add                 ecx, dword ptr [edi + 8]
            //   39c8                 | cmp                 eax, ecx
            //   0f8281000000         | jb                  0x87
            //   83c301               | add                 ebx, 1
            //   83c20c               | add                 edx, 0xc
            //   39f3                 | cmp                 ebx, esi
            //   75e2                 | jne                 0xffffffe4

        $sequence_5 = { c705????????01000000 a1???????? 83f801 0f8411020000 85db }
            // n = 5, score = 100
            //   c705????????01000000     |     
            //   a1????????           |                     
            //   83f801               | cmp                 eax, 1
            //   0f8411020000         | je                  0x217
            //   85db                 | test                ebx, ebx

        $sequence_6 = { 51 81ecfc060000 89cb e8???????? c745e400000000 c745e000000000 c745dc00000000 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   81ecfc060000         | sub                 esp, 0x6fc
            //   89cb                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745dc00000000       | mov                 dword ptr [ebp - 0x24], 0

        $sequence_7 = { 890424 e8???????? 83ec08 8945bc 8b45bc }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

        $sequence_8 = { 890424 ff15???????? 83ec10 85c0 75c0 ff15???????? c70424???????? }
            // n = 7, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   ff15????????         |                     
            //   83ec10               | sub                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   75c0                 | jne                 0xffffffc2
            //   ff15????????         |                     
            //   c70424????????       |                     

        $sequence_9 = { c70000000000 e8???????? 03470c 8b15???????? 89441a04 8d542414 c74424081c000000 }
            // n = 7, score = 100
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   e8????????           |                     
            //   03470c               | add                 eax, dword ptr [edi + 0xc]
            //   8b15????????         |                     
            //   89441a04             | mov                 dword ptr [edx + ebx + 4], eax
            //   8d542414             | lea                 edx, dword ptr [esp + 0x14]
            //   c74424081c000000     | mov                 dword ptr [esp + 8], 0x1c

    condition:
        7 of them and filesize < 66560
}
Download all Yara Rules