win.pitou

Pitou


According to TG Soft, Pitou was released in April 2014. It may be an evolution of the rootkit "Srizbi" developed in 2008. Pitou is a spambot; its main goal is to send spam from the victim's computer.

References
2019-07-08 — Johannes Bader
The DGA of Pitou
Pitou
2019-06-25 — SANS — Brad Duncan
Rig Exploit Kit sends Pitou.B Trojan
Pitou
2018-01-15 — VirIT — Gianfranco Tonello
Bootkits are not dead. Pitou is back!
Pitou
2014-09-04 — F-Secure — F-Secure Labs
PITOU: The "silent" resurrection of the notorious Srizbi kernel spambot
Pitou
Yara Rules
[TLP:WHITE] win_pitou_auto (20230808 | Detects win.pitou.)
// Auto-generated code-signature rule for win.pitou: it matches short runs of
// x86 opcode bytes selected by yara-signator (see the DISCLAIMER below), not
// behavioural or string artefacts of the spambot. Assign confidence with the
// generation method in mind.
rule win_pitou_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pitou."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the patterns were taken from memory dumps and unpacked
    // files (see DISCLAIMER), so the rule is expected to fire on unpacked code
    // or process memory rather than on packed samples as they sit on disk.

    strings:
        // NOTE(review): the disassembly printed beside each pattern does not
        // correspond to the bytes of that pattern (e.g. 8bda decodes to
        // `mov ebx, edx`, c1e305 to `shl ebx, 5`, 03c3 to `add eax, ebx`,
        // c1eb02 to `shr ebx, 2`). Treat the hex strings as authoritative and
        // the annotations as a generator artefact.
        // Most patterns are sub-runs of one another: $sequence_4 contains
        // $sequence_0, $sequence_2 and $sequence_6; $sequence_1 contains
        // $sequence_9, $sequence_0 and $sequence_2; $sequence_3 and
        // $sequence_8 share three of their four bytes-groups. They are
        // therefore not independent pieces of evidence.
        $sequence_0 = { 8bda c1e305 03c3 8bda }
            // n = 4, score = 700
            //   8bda                 | lea                 ecx, [edi + 0x17]
            //   c1e305               | and                 ecx, 0xfffffffc
            //   03c3                 | mov                 dword ptr [edi + 4], ecx
            //   8bda                 | mov                 eax, dword ptr [ebp + 8]

        $sequence_1 = { ac 8bda c1e305 03c3 8bda c1eb02 03c3 }
            // n = 7, score = 700
            //   ac                   | mov                 ebx, ecx
            //   8bda                 | mov                 ecx, dword ptr [ebx + 0x38]
            //   c1e305               | cmp                 edi, ecx
            //   03c3                 | js                  0xffffe245
            //   8bda                 | inc                 esp
            //   c1eb02               | mov                 ecx, dword ptr [ebx + 0x3c]
            //   03c3                 | mov                 eax, edi

        $sequence_2 = { c1e305 03c3 8bda c1eb02 }
            // n = 4, score = 700
            //   c1e305               | lea                 eax, [esi + 0x3fc4]
            //   03c3                 | push                esi
            //   8bda                 | mov                 ebx, 0x28
            //   c1eb02               | lea                 eax, [esi + 0x80ec]

        $sequence_3 = { 8a6201 80f457 8acc 80e103 }
            // n = 4, score = 700
            //   8a6201               | test                ecx, ecx
            //   80f457               | je                  0xffffa8cf
            //   8acc                 | test                byte ptr [edi + 0x29], 2
            //   80e103               | je                  0xfffef506

        $sequence_4 = { 8bda c1e305 03c3 8bda c1eb02 03c3 33d0 }
            // n = 7, score = 700
            //   8bda                 | jns                 0xffff94b1
            //   c1e305               | dec                 esi
            //   03c3                 | mov                 byte ptr [ebp + esi - 8], dl
            //   8bda                 | inc                 esi
            //   c1eb02               | inc                 edi
            //   03c3                 | inc                 ecx
            //   33d0                 | and                 esi, 0x80000003

        $sequence_5 = { 8a12 80f257 8ada c0eb02 }
            // n = 4, score = 700
            //   8a12                 | mov                 dword ptr [esp + 0x48], edi
            //   80f257               | test                eax, eax
            //   8ada                 | js                  0xfffee173
            //   c0eb02               | mov                 ecx, dword ptr [esp + 0xc]

        $sequence_6 = { c1e305 03c3 8bda c1eb02 03c3 33d0 }
            // n = 6, score = 700
            //   c1e305               | mov                 eax, dword ptr [ebp + 0xc]
            //   03c3                 | test                eax, eax
            //   8bda                 | mov                 ebp, esp
            //   c1eb02               | sub                 esp, 0x1c
            //   03c3                 | push                ebx
            //   33d0                 | xor                 ebx, ebx

        $sequence_7 = { 53 80ef18 80ff10 5b }
            // n = 4, score = 700
            //   53                   | dec                 eax
            //   80ef18               | mov                 esi, edx
            //   80ff10               | inc                 esp
            //   5b                   | movzx               ebp, cl

        $sequence_8 = { 80f457 8acc 80e103 8aec }
            // n = 4, score = 700
            //   80f457               | push                edi
            //   8acc                 | movzx               edi, ax
            //   80e103               | mov                 dword ptr [ebp - 0xc], edi
            //   8aec                 | add                 ax, ax

        $sequence_9 = { ac 8bda c1e305 03c3 8bda }
            // n = 5, score = 700
            //   ac                   | push                ecx
            //   8bda                 | jne                 0x79a0
            //   c1e305               | push                ebx
            //   03c3                 | mov                 ebp, esp
            //   8bda                 | push                ecx

    condition:
        // At least 7 of the 10 patterns must be present. Because of the
        // overlaps noted above, two distinct byte runs can in principle
        // satisfy this threshold, so the effective evidence is lower than
        // "7 independent hits" suggests.
        // NOTE(review): the filesize bound is in bytes (~1.06 MiB) and is
        // meaningful for file scans; confirm the intended behaviour before
        // relying on it when scanning process memory.
        7 of them and filesize < 1106944
}