Actor(s): Evil Corp
There is no description at this point.
// Autogenerated YARA-Signator rule for win.payloadbin (Malpedia).
// Matches on 7 of 10 opcode byte sequences taken from unpacked/memory-dumped
// samples, bounded by file size; every value below is reproduced verbatim.
rule win_payloadbin_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.payloadbin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the "<bytes> | <mnemonic>" annotations below are generator
    // output and appear to be offset from the bytes they sit beside (e.g. `eb05`
    // encodes a short `jmp`, `9d` a `popf`, yet they are annotated as `neg` and
    // `cmp`). Rely on the hex patterns, not the mnemonics, when assessing a hit.
    // `??` bytes are wildcards for relocated displacements/targets of calls and jumps.
    strings:
        $sequence_0 = { eb05 bb08000000 488b0d???????? 4c8bc7 33d2 ff15???????? 413bdf }
            // n = 7, score = 100
            //   eb05                 | neg byte ptr [esp + 0x50]
            //   bb08000000           | dec eax
            //   488b0d????????       |
            //   4c8bc7               | add dword ptr [esp + 0x10], 0xffe5be8d
            //   33d2                 | inc ecx
            //   ff15????????         |
            //   413bdf               | pop esi

        $sequence_1 = { 668930 41c0f1c1 0fb70f 488bd7 450ad1 4c8bce 66410fabca }
            // n = 7, score = 100
            //   668930               | inc ecx
            //   41c0f1c1             | push esp
            //   0fb70f               | inc eax
            //   488bd7               | neg dh
            //   450ad1               | setl bl
            //   4c8bce               | inc cx
            //   66410fabca           | bsr esi, edx

        $sequence_2 = { e9???????? 6644893c4f 660fc9 488bcf e9???????? ff15???????? e9???????? }
            // n = 7, score = 100
            //   e9????????           |
            //   6644893c4f           | movzx ecx, sp
            //   660fc9               | dec esp
            //   488bcf               | mov ecx, esi
            //   e9????????           |
            //   ff15????????         |
            //   e9????????           |

        $sequence_3 = { f5 4803d5 e9???????? e8???????? 83c340 66413bf2 8d433f }
            // n = 7, score = 100
            //   f5                   | cmp ecx, edx
            //   4803d5               | jne 0x788
            //   e9????????           |
            //   e8????????           |
            //   83c340               | cmp word ptr [edi + 0x42], 0x2e
            //   66413bf2             | je 0x8a6
            //   8d433f               | dec eax

        $sequence_4 = { c18c2400000000bb 48f79c2400000000 0f87deb91400 488d642418 9d }
            // n = 5, score = 100
            //   c18c2400000000bb     | pushfd
            //   48f79c2400000000     | or dword ptr [esp + 0x10], 0x6e750cd0
            //   0f87deb91400         | dec eax
            //   488d642418           | add dword ptr [esp], 0x74a50385
            //   9d                   | cmp word ptr [esp + 0x10], 0x87

        $sequence_5 = { 4433c1 664133ce 418b0c84 d2e8 23cd 66410fbcc1 660bc4 }
            // n = 7, score = 100
            //   4433c1               | inc ecx
            //   664133ce             | pop ecx
            //   418b0c84             | inc ecx
            //   d2e8                 | pop ecx
            //   23cd                 | inc ecx
            //   66410fbcc1           | pop ecx
            //   660bc4               | inc ecx

        $sequence_6 = { e8???????? c0a4241000000074 6873173773 48818424080000009c149337 49b90d1dba73583cde39 e8???????? 0f8867890000 }
            // n = 7, score = 100
            //   e8????????                | 
            //   c0a4241000000074          | mov eax, edx
            //   6873173773                | dec eax
            //   48818424080000009c149337  | cdq
            //   49b90d1dba73583cde39      | ret
            //   e8????????                |
            //   0f8867890000              | dec eax

        $sequence_7 = { 41f6c593 483bc7 e9???????? 0f8482020000 488d4330 488d4b08 e9???????? }
            // n = 7, score = 100
            //   41f6c593             | inc cx
            //   483bc7               | add eax, 0xf45760d
            //   e9????????           |
            //   0f8482020000         | mov bh, 0xc7
            //   488d4330             | inc ecx
            //   488d4b08             | pop eax
            //   e9????????           |

        $sequence_8 = { 8505bfcdef86 fb beae9070fe 40ad 6f }
            // n = 5, score = 100
            //   8505bfcdef86         | mov esi, dword ptr [esp + 0x50]
            //   fb                   | dec eax
            //   beae9070fe           | add esp, 0x20
            //   40ad                 | inc ecx
            //   6f                   | pop esi

        $sequence_9 = { 6681ac2418000000ff28 4881842408000000b8559f29 e8???????? 9c 4881842408000000157db449 66818424100000001054 50 }
            // n = 7, score = 100
            //   6681ac2418000000ff28      | dec esp
            //   4881842408000000b8559f29  | lea ebx, [esp + 0x48]
            //   e8????????                |
            //   9c                        | dec eax
            //   4881842408000000157db449  | lea edx, [esp + 0x60]
            //   66818424100000001054      | inc cx
            //   50                        | movzx ecx, ch

    condition:
        // Require a majority of the sequences so that a single coincidental
        // opcode run (several above are mostly call/jmp wildcards) cannot
        // trigger on its own; the size cap keeps the rule off large unrelated
        // binaries.
        7 of them and filesize < 3761152
}