win.payloadbin

PayloadBIN

Actor(s): Evil Corp


There is no description at this point.

References
2021-06-06 · Bleeping Computer · Lawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Families covered by this reference: Babuk, FriedEx, PayloadBIN, WastedLocker
Yara Rules
[TLP:WHITE] win_payloadbin_auto (20221125 | Detects win.payloadbin.)
rule win_payloadbin_auto {

    /*
     * Purpose: auto-generated code-pattern signature for the PayloadBIN
     * family (Malpedia id win.payloadbin), listed on the source page with
     * Evil Corp as the associated actor.
     *
     * How it matches: ten hex byte sequences ($sequence_0 .. $sequence_9)
     * were selected from disassembled samples; the condition requires at
     * least 7 of them to be present in a file smaller than 3761152 bytes
     * (~3.6 MiB).  "????????" inside a sequence are YARA single-byte
     * wildcards, used where the generator blanked out operands that change
     * between builds (e9 = jmp rel32, ff15 = call [disp32]).
     *
     * NOTE(review): the "// n = N, score = S" lines are yara-signator
     * bookkeeping; n equals the number of instructions listed under each
     * sequence, while the meaning of score is not defined on this page.
     * The mnemonic column printed next to each opcode does not appear to
     * correspond to the bytes it annotates (e.g. c6842410000000f4 encodes
     * "mov byte ptr [rsp+0x10], 0xf4" — [esp+0x10] in 32-bit decoding —
     * not "movzx edi, si"), so treat the mnemonics as unreliable generator
     * output and rely on the hex bytes when reviewing or tuning the rule.
     */

    meta:
        // Provenance metadata emitted by yara-signator (see DISCLAIMER below).
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.payloadbin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings; the
        // hex is the authoritative part, the comment block beneath it is
        // generator output (see the NOTE at the top of the rule).
        $sequence_0 = { c6842410000000f4 68e024f219 6821328c06 488d642408 4150 9c 81ac24100000000914be68 }
            // n = 7, score = 100
            //   c6842410000000f4     | movzx               edi, si
            //   68e024f219           | inc                 eax
            //   6821328c06           | xchg                bh, bh
            //   488d642408           | dec                 eax
            //   4150                 | mov                 edi, ecx
            //   9c                   | dec                 eax
            //   81ac24100000000914be68     | lea    edx, [eax - 0x18]

        // NOTE(review): four of the seven instructions here are a single
        // opcode (e9 / ff15) followed by wildcards, so this sequence carries
        // less specificity than the others; keep that in mind if the
        // "7 of them" threshold is ever lowered.
        $sequence_1 = { 0fcb 418bdb e9???????? e9???????? 8bc8 e9???????? ff15???????? }
            // n = 7, score = 100
            //   0fcb                 | push                0x281d592f
            //   418bdb               | pushfd              
            //   e9????????           |                     
            //   e9????????           |                     
            //   8bc8                 | dec                 eax
            //   e9????????           |                     
            //   ff15????????         |                     

        $sequence_2 = { 4157 660facd813 41c0ce0b 6625a075 4883ec58 664587f6 41c0ee7e }
            // n = 7, score = 100
            //   4157                 | dec                 eax
            //   660facd813           | neg                 eax
            //   41c0ce0b             | rol                 dl, cl
            //   6625a075             | push                ebx
            //   4883ec58             | dec                 ebp
            //   664587f6             | cmp                 esi, eax
            //   41c0ee7e             | dec                 eax

        $sequence_3 = { f8 66410fc9 4c8bc9 85ff 0f848b000000 4885d2 e9???????? }
            // n = 7, score = 100
            //   f8                   | btc                 bx, ax
            //   66410fc9             | dec                 eax
            //   4c8bc9               | arpl                cx, di
            //   85ff                 | not                 ebp
            //   0f848b000000         | nop                 
            //   4885d2               | sub                 ebp, 0x78f95279
            //   e9????????           |                     

        $sequence_4 = { 6699 4112d0 488d542430 4881c993371b39 f8 664133c8 4533c9 }
            // n = 7, score = 100
            //   6699                 | sub                 esp, 0x30
            //   4112d0               | xchg                bp, di
            //   488d542430           | dec                 eax
            //   4881c993371b39       | mov                 ebp, dword ptr [0xffe4abba]
            //   f8                   | dec                 ebp
            //   664133c8             | movzx               esp, bx
            //   4533c9               | inc                 bp

        // NOTE(review): three of seven instructions are wildcarded jumps;
        // same specificity caveat as $sequence_1.
        $sequence_5 = { e9???????? 0f84b0fcffff e9???????? 4983ccff f6d2 488d9424b0000000 4863c8 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   0f84b0fcffff         | pushfd              
            //   e9????????           |                     
            //   4983ccff             | dec                 ecx
            //   f6d2                 | mov                 esi, 0x4a5e79cf
            //   488d9424b0000000     | and                 byte ptr fs:[esi], dh
            //   4863c8               | dec                 ebp

        $sequence_6 = { d3c9 458bc4 66453bf4 480fbcc9 660fbbd1 33d2 }
            // n = 6, score = 100
            //   d3c9                 | add                 dh, byte ptr [edi + 0x75]
            //   458bc4               | jns                 0x204
            //   66453bf4             | aaa                 
            //   480fbcc9             | inc                 esi
            //   660fbbd1             | and                 al, byte ptr [ecx + 0x50]
            //   33d2                 | push                0x31384026

        $sequence_7 = { 488d542430 660fbae194 0f94c5 02ce 4533c9 660fa3e1 66410fbecc }
            // n = 7, score = 100
            //   488d542430           | or                  bh, byte ptr [edi - 0xb79ad8b]
            //   660fbae194           | mov                 edi, 0xf68f0b79
            //   0f94c5               | mov                 esi, 0xf3218646
            //   02ce                 | inc                 eax
            //   4533c9               | xchg                eax, edi
            //   660fa3e1             | lodsb               al, byte ptr [esi]
            //   66410fbecc           | in                  eax, 0xe

        $sequence_8 = { 33c0 440fb7f7 4c8bea 4863d1 418af7 4c8bf9 }
            // n = 6, score = 100
            //   33c0                 | dec                 eax
            //   440fb7f7             | add                 edi, 2
            //   4c8bea               | inc                 cx
            //   4863d1               | cmp                 ebp, ebx
            //   418af7               | cmc                 
            //   4c8bf9               | stc                 

        $sequence_9 = { 66450fbbe0 4c8b842490000000 66400fb6c4 0be8 410fc8 6641bb757f }
            // n = 6, score = 100
            //   66450fbbe0           | inc                 ecx
            //   4c8b842490000000     | mov                 ch, 0xdb
            //   66400fb6c4           | inc                 ecx
            //   0be8                 | bswap               esi
            //   410fc8               | dec                 eax
            //   6641bb757f           | sub                 esp, 0x30

    condition:
        // At least 7 of the 10 sequences must be found; filesize is in bytes.
        // NOTE(review): YARA leaves filesize undefined when scanning live
        // process memory, so expect this rule to match only on files and
        // on-disk memory dumps — confirm against the YARA version in use.
        7 of them and filesize < 3761152
}