win.payloadbin

PayloadBIN

Actor(s): Evil Corp


There is no description at this point.

References
2021-06-06 — Bleeping Computer — Lawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker
Yara Rules
[TLP:WHITE] win_payloadbin_auto (20230715 | Detects win.payloadbin.)
rule win_payloadbin_auto {

    /*
     * Auto-generated YARA-Signator rule for the Malpedia family win.payloadbin.
     * It declares ten short x86 byte sequences ($sequence_0 .. $sequence_9)
     * lifted from the disassembly of samples and fires when at least 7 of
     * them are present in a file below the size bound given in the condition.
     * The meta fields record the generator run (author/date/version/tool/
     * signator_config) and the malpedia_* fields appear to pin the rule to
     * the Malpedia data snapshot it was built from - confirm against the
     * yara-signator documentation before relying on them.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.payloadbin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): only the hex bytes inside { } are matched; the
     * "| mnemonic" annotations beside them are generator output and appear
     * not to line up with the bytes they sit next to (e.g. f8 and f9 decode
     * as clc/stc but are annotated otherwise, and the 0x41/0x44/0x48/0x4c/0x4d
     * bytes are REX prefixes in 64-bit code but are rendered as inc/dec, as a
     * 32-bit disassembly would). Treat the annotations as informational only
     * and do not use them to reason about what the pattern detects.
     * "n" is the number of byte groups in the sequence; "score" appears to be
     * the generator's ranking value - verify against yara-signator docs.
     * "??" is a YARA wildcard byte: e9???????? / e8???????? match a jmp/call
     * rel32 with the relocation-dependent displacement masked out.
     */
    strings:
        $sequence_0 = { 448bc2 f8 f9 6683ff20 0f840d000000 4103f1 4122f8 }
            // n = 7, score = 100
            //   448bc2               | inc                 ecx
            //   f8                   | sub                 ecx, 0x7722348a
            //   f9                   | clc                 
            //   6683ff20             | inc                 ecx
            //   0f840d000000         | ror                 ecx, 1
            //   4103f1               | inc                 ecx
            //   4122f8               | ror                 bl, cl

        $sequence_1 = { 0fa4ee8a 4881ec80000000 66450fa3e7 0fb3ff 410f97c4 448b252eb7e4ff 4080d6a3 }
            // n = 7, score = 100
            //   0fa4ee8a             | inc                 ecx
            //   4881ec80000000       | push                edx
            //   66450fa3e7           | dec                 eax
            //   0fb3ff               | mov                 ebx, dword ptr [esp + 0x10]
            //   410f97c4             | dec                 eax
            //   448b252eb7e4ff       | mov                 dword ptr [esp + 0x10], 0xa637d708
            //   4080d6a3             | dec                 ecx

        $sequence_2 = { f8 664181e6c17e 4d0fbdf9 4883ec50 6641d3e5 4898 664181e5df5d }
            // n = 7, score = 100
            //   f8                   | mov                 ebp, dword ptr [esp + 0x58]
            //   664181e6c17e         | mov                 edi, 8
            //   4d0fbdf9             | inc                 sp
            //   4883ec50             | mov                 edi, edi
            //   6641d3e5             | cwde                
            //   4898                 | dec                 esp
            //   664181e5df5d         | lea                 ebx, [esp + 0x50]

        $sequence_3 = { 4112da 4c63f6 4c8d35e1d6e3ff 660fb3db 480fbfd9 8bd8 }
            // n = 6, score = 100
            //   4112da               | dec                 eax
            //   4c63f6               | cmp                 edi, 0x6b947285
            //   4c8d35e1d6e3ff       | dec                 ebp
            //   660fb3db             | cmp                 ecx, ecx
            //   480fbfd9             | dec                 eax
            //   8bd8                 | mov                 dword ptr [esp + 0x28], edi

        $sequence_4 = { 4433d7 4084cc 4181c20c7cff4d 41c1c202 f8 f5 f9 }
            // n = 7, score = 100
            //   4433d7               | shr                 dword ptr [esp + 0x20], cl
            //   4084cc               | and                 byte ptr [esp + ecx*2 - 0x3257ffd8], 0xd
            //   4181c20c7cff4d       | jb                  0x2b2
            //   41c1c202             | inc                 ecx
            //   f8                   | push                ebx
            //   f5                   | inc                 ecx
            //   f9                   | sar                 ah, 8

        $sequence_5 = { f5 81c11f459829 f7d9 663be1 f5 81e9b632c121 }
            // n = 6, score = 100
            //   f5                   | cmc                 
            //   81c11f459829         | je                  0x867
            //   f7d9                 | cmp                 word ptr [ebx], 0x3f
            //   663be1               | je                  0x867
            //   f5                   | dec                 ecx
            //   81e9b632c121         | mov                 edx, ecx

        $sequence_6 = { 66443be1 4181e8b34d2179 f9 f8 41c1c803 f9 f8 }
            // n = 7, score = 100
            //   66443be1             | pop                 edx
            //   4181e8b34d2179       | pop                 esi
            //   f9                   | pop                 ebp
            //   f8                   | mov                 bh, dh
            //   41c1c803             | dec                 eax
            //   f9                   | arpl                bp, bx
            //   f8                   | pop                 ebx

        $sequence_7 = { 41f6c593 483bc7 e9???????? 0f8482020000 488d4330 488d4b08 e9???????? }
            // n = 7, score = 100
            //   41f6c593             | movsx               ebx, cx
            //   483bc7               | inc                 cx
            //   e9????????           |                     
            //   0f8482020000         | not                 ebx
            //   488d4330             | inc                 eax
            //   488d4b08             | mov                 dh, 0x48
            //   e9????????           |                     

        $sequence_8 = { f9 488b842408000000 c1a4240800000005 4410842410000000 f79c2400000000 f7db e8???????? }
            // n = 7, score = 100
            //   f9                   | mov                 eax, dword ptr [esp + 0x40]
            //   488b842408000000     | movzx               ecx, word ptr [ebp + 0x16]
            //   c1a4240800000005     | btr                 edx, 0xaa
            //   4410842410000000     | cmc                 
            //   f79c2400000000       | inc                 esp
            //   f7db                 | cmp                 cl, ah
            //   e8????????           |                     

        $sequence_9 = { e9???????? bb08000000 e9???????? e9???????? 488bce e9???????? e8???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   bb08000000           | mov                 ebp, dword ptr [esp + 0x38]
            //   e9????????           |                     
            //   e9????????           |                     
            //   488bce               | bts                 esi, eax
            //   e9????????           |                     
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, so a few changed or
        // missing fragments between builds do not defeat the rule. The upper
        // bound on filesize (in bytes) is a generator-supplied limit - it
        // presumably keeps the rule from matching large containers or
        // installers; treat it as a tuning knob, not a property of the family.
        7 of them and filesize < 3761152
}