SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poldat (Back to overview)

Poldat

aka: Zlib, KABOB

Actor(s): Samurai Panda, Stone Panda

There is no description at this point.

References
2016-04-15FireEyeGrady Summers
@techreport{summers:20160415:2016:3d22a6f, author = {Grady Summers}, title = {{2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH}}, date = {2016-04-15}, institution = {FireEye}, url = {http://fireeyeday.com/1604/pdf/KeyNote_2.pdf}, language = {English}, urldate = {2020-01-15} } 2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH
Poldat
2016-02-23CylanceJon Gross, Cylance SPEAR Team
@techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } Operation Dust Storm
Misdat Poldat Dust Storm
Yara Rules
[TLP:WHITE] win_poldat_auto (20230125 | Detects win.poldat.)
rule win_poldat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.poldat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d859cf9ffff 68???????? 50 e8???????? 83c40c 8d85acfdffff }
            // n = 6, score = 100
            //   8d859cf9ffff         | lea                 eax, [ebp - 0x664]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85acfdffff         | lea                 eax, [ebp - 0x254]

        $sequence_1 = { 81e1ff000000 33d2 8a91d09a4100 66ff849690040000 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   33d2                 | xor                 edx, edx
            //   8a91d09a4100         | mov                 dl, byte ptr [ecx + 0x419ad0]
            //   66ff849690040000     | inc                 word ptr [esi + edx*4 + 0x490]

        $sequence_2 = { 8d8598fbffff 50 e8???????? 83c414 8d8598fbffff 6a00 50 }
            // n = 7, score = 100
            //   8d8598fbffff         | lea                 eax, [ebp - 0x468]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8d8598fbffff         | lea                 eax, [ebp - 0x468]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 85c0 0f8483000000 8b5608 8b0e }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f8483000000         | je                  0x89
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_4 = { c645d62d c645d76e c645d820 c645d931 c645da26 c645db72 c645dc75 }
            // n = 7, score = 100
            //   c645d62d             | mov                 byte ptr [ebp - 0x2a], 0x2d
            //   c645d76e             | mov                 byte ptr [ebp - 0x29], 0x6e
            //   c645d820             | mov                 byte ptr [ebp - 0x28], 0x20
            //   c645d931             | mov                 byte ptr [ebp - 0x27], 0x31
            //   c645da26             | mov                 byte ptr [ebp - 0x26], 0x26
            //   c645db72             | mov                 byte ptr [ebp - 0x25], 0x72
            //   c645dc75             | mov                 byte ptr [ebp - 0x24], 0x75

        $sequence_5 = { c645e578 c645e665 c645e720 c645e822 c645e925 c645ea73 }
            // n = 6, score = 100
            //   c645e578             | mov                 byte ptr [ebp - 0x1b], 0x78
            //   c645e665             | mov                 byte ptr [ebp - 0x1a], 0x65
            //   c645e720             | mov                 byte ptr [ebp - 0x19], 0x20
            //   c645e822             | mov                 byte ptr [ebp - 0x18], 0x22
            //   c645e925             | mov                 byte ptr [ebp - 0x17], 0x25
            //   c645ea73             | mov                 byte ptr [ebp - 0x16], 0x73

        $sequence_6 = { a3???????? 50 f3a5 53 e8???????? }
            // n = 5, score = 100
            //   a3????????           |                     
            //   50                   | push                eax
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_7 = { c3 8b4720 895718 3bc2 750a c74720a0324000 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   8b4720               | mov                 eax, dword ptr [edi + 0x20]
            //   895718               | mov                 dword ptr [edi + 0x18], edx
            //   3bc2                 | cmp                 eax, edx
            //   750a                 | jne                 0xc
            //   c74720a0324000       | mov                 dword ptr [edi + 0x20], 0x4032a0

        $sequence_8 = { 8b06 40 8906 8b461c c70005000000 8b4604 }
            // n = 6, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   40                   | inc                 eax
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c70005000000         | mov                 dword ptr [eax], 5
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_9 = { 8b461c 85c0 0f8485030000 833e00 0f847c030000 8b542418 }
            // n = 6, score = 100
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f8485030000         | je                  0x38b
            //   833e00               | cmp                 dword ptr [esi], 0
            //   0f847c030000         | je                  0x382
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

    condition:
        7 of them and filesize < 247808
}
Download all Yara Rules