Actor(s): BlackTech
PLEAD is a RAT used by the actor BlackTech. FireEye uses the names GOODTIMES for the RAT module and DRAWDOWN for its associated downloader.
rule win_plead_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.plead."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading notes for maintainers:
     * - Each $sequence_N is a run of n consecutive x86 instruction encodings.
     *   The "????????" wildcards mask operands that carry addresses (call and
     *   jump targets, data references, per the signator_config above), so the
     *   sequences survive relocation and rebasing.
     * - "score" is yara-signator's weight for the sequence; higher values
     *   appear to indicate the sequence was shared by more of the documented
     *   samples -- confirm against the tool's documentation before relying on it.
     * - These are memory-dump / unpacked-code patterns: expect them to match
     *   in-memory or unpacked images rather than packed files on disk.
     */

    strings:
        $sequence_0 = { ff15???????? 85c0 750c c745fcfcffffff e9???????? 395d18 }
            // n = 6, score = 900
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   c745fcfcffffff       | mov                 dword ptr [ebp - 4], 0xfffffffc
            //   e9????????           |
            //   395d18               | cmp                 dword ptr [ebp + 0x18], ebx

        $sequence_1 = { ebda 33f6 c745fcf8ffffff 3bf7 }
            // n = 4, score = 900
            //   ebda                 | jmp                 0xffffffdc
            //   33f6                 | xor                 esi, esi
            //   c745fcf8ffffff       | mov                 dword ptr [ebp - 4], 0xfffffff8
            //   3bf7                 | cmp                 esi, edi

        $sequence_2 = { bf00800000 57 53 56 897d14 }
            // n = 5, score = 900
            //   bf00800000           | mov                 edi, 0x8000
            //   57                   | push                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   897d14               | mov                 dword ptr [ebp + 0x14], edi

        $sequence_3 = { e8???????? 817d14e8030000 53 56 }
            // n = 4, score = 900
            //   e8????????           |
            //   817d14e8030000       | cmp                 dword ptr [ebp + 0x14], 0x3e8
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_4 = { 59 5e c20400 8b4c2404 56 }
            // n = 5, score = 900
            //   59                   | pop                 ecx
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   56                   | push                esi

        $sequence_5 = { 50 ff15???????? 6a3f 33c0 59 }
            // n = 5, score = 900
            //   50                   | push                eax
            //   ff15????????         |
            //   6a3f                 | push                0x3f
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx

        $sequence_6 = { 8d4dfc 51 8d4dd8 51 }
            // n = 4, score = 900
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   51                   | push                ecx

        $sequence_7 = { 8d4514 53 50 56 53 6a05 }
            // n = 6, score = 900
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   56                   | push                esi
            //   53                   | push                ebx
            //   6a05                 | push                5

        $sequence_8 = { ff15???????? 50 ff15???????? 33c0 81c418020000 }
            // n = 5, score = 600
            //   ff15????????         |
            //   50                   | push                eax
            //   ff15????????         |
            //   33c0                 | xor                 eax, eax
            //   81c418020000         | add                 esp, 0x218

        $sequence_9 = { 5e 5b 33c0 81c418020000 c21000 8b84241c020000 }
            // n = 6, score = 600
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
            //   81c418020000         | add                 esp, 0x218
            //   c21000               | ret                 0x10
            //   8b84241c020000       | mov                 eax, dword ptr [esp + 0x21c]

        $sequence_10 = { 7cf1 ffd3 8b35???????? 2bc7 3de8030000 }
            // n = 5, score = 600
            //   7cf1                 | jl                  0xfffffff3
            //   ffd3                 | call                ebx
            //   8b35????????         |
            //   2bc7                 | sub                 eax, edi
            //   3de8030000           | cmp                 eax, 0x3e8

        $sequence_11 = { 8b5508 52 ff15???????? 6aff a1???????? 50 ff15???????? }
            // n = 7, score = 600
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   ff15????????         |
            //   6aff                 | push                -1
            //   a1????????           |
            //   50                   | push                eax
            //   ff15????????         |

        $sequence_12 = { 50 8b1d???????? ffd3 85c0 743b }
            // n = 5, score = 600
            //   50                   | push                eax
            //   8b1d????????         |
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x3d

        $sequence_13 = { 8b8c241c020000 68???????? 51 ff15???????? }
            // n = 4, score = 600
            //   8b8c241c020000       | mov                 ecx, dword ptr [esp + 0x21c]
            //   68????????           |
            //   51                   | push                ecx
            //   ff15????????         |

        // Single-byte XOR loop over a stack buffer (al ^= dl, stored back,
        // esi advanced and compared with ecx) -- a plausible anchor for a
        // simple decoding routine; low-entropy, so do not use it on its own.
        $sequence_14 = { 5d 8a44341c 32c2 8844341c 46 3bf1 }
            // n = 6, score = 600
            //   5d                   | pop                 ebp
            //   8a44341c             | mov                 al, byte ptr [esp + esi + 0x1c]
            //   32c2                 | xor                 al, dl
            //   8844341c             | mov                 byte ptr [esp + esi + 0x1c], al
            //   46                   | inc                 esi
            //   3bf1                 | cmp                 esi, ecx

        $sequence_15 = { c705????????01000000 ff15???????? 8b1d???????? ffd3 8bf8 33f6 8bcf }
            // n = 7, score = 600
            //   c705????????01000000 |
            //   ff15????????         |
            //   8b1d????????         |
            //   ffd3                 | call                ebx
            //   8bf8                 | mov                 edi, eax
            //   33f6                 | xor                 esi, esi
            //   8bcf                 | mov                 ecx, edi

        // Walks fs:[0x30] (the 32-bit PEB) and follows pointer chains from it;
        // this idiom is common to many unrelated loaders and shellcode, which
        // is consistent with its low score here.
        $sequence_16 = { 648b1530000000 8b520c 8b521c 8b5a08 }
            // n = 4, score = 200
            //   648b1530000000       | mov                 edx, dword ptr fs:[0x30]
            //   8b520c               | mov                 edx, dword ptr [edx + 0xc]
            //   8b521c               | mov                 edx, dword ptr [edx + 0x1c]
            //   8b5a08               | mov                 ebx, dword ptr [edx + 8]

        $sequence_17 = { 8b430c 034510 6a04 6800100000 51 50 }
            // n = 6, score = 100
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   034510               | add                 eax, dword ptr [ebp + 0x10]
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_18 = { 8d7a08 e8???????? 52 e8???????? e9???????? 0fb755e0 83fa08 }
            // n = 7, score = 100
            //   8d7a08               | lea                 edi, [edx + 8]
            //   e8????????           |
            //   52                   | push                edx
            //   e8????????           |
            //   e9????????           |
            //   0fb755e0             | movzx               edx, word ptr [ebp - 0x20]
            //   83fa08               | cmp                 edx, 8

        $sequence_19 = { e8???????? b02c aa 8b4510 85c0 }
            // n = 5, score = 100
            //   e8????????           |
            //   b02c                 | mov                 al, 0x2c
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   85c0                 | test                eax, eax

        $sequence_20 = { 33c0 f3aa eb10 e8???????? 8b4314 034508 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   eb10                 | jmp                 0x12
            //   e8????????           |
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   034508               | add                 eax, dword ptr [ebp + 8]

        $sequence_21 = { 8b5324 f7c200000002 7412 6800400000 8b4310 50 }
            // n = 6, score = 100
            //   8b5324               | mov                 edx, dword ptr [ebx + 0x24]
            //   f7c200000002         | test                edx, 0x2000000
            //   7412                 | je                  0x14
            //   6800400000           | push                0x4000
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   50                   | push                eax

        $sequence_22 = { e8???????? 0fb64de2 8b55ec 8b7df0 8b07 }
            // n = 5, score = 100
            //   e8????????           |
            //   0fb64de2             | movzx               ecx, byte ptr [ebp - 0x1e]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_23 = { b940000000 50 e2fd 56 394510 747e }
            // n = 6, score = 100
            //   b940000000           | mov                 ecx, 0x40
            //   50                   | push                eax
            //   e2fd                 | loop                0xffffffff
            //   56                   | push                esi
            //   394510               | cmp                 dword ptr [ebp + 0x10], eax
            //   747e                 | je                  0x80

    condition:
        // Any 7 of the 24 sequences must be present; the size bound
        // (8224768 bytes, a little under 8 MiB) keeps the scan off large
        // files where short opcode runs are more likely to collide.
        7 of them and filesize < 8224768
}