win.poslurp

PoSlurp

aka: PUNCHTRACK

Actor(s): FIN8


There is no description at this point.

References
2019-12-31 — One Night in Norfolk — Norfolk
Fuel Pumps II – PoSlurp.B
PoSlurp
2019-08-15 — Twitter (@just_windex) — Windex
Tweet on PoSlurp.B
PoSlurp
2019-07-23 — Gigamon — Ed Miles, Justin Warner, Kristina Savelesky
ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling
PoSlurp Powersniff
2017-06-19 — root9b — root9b
SHELLTEA + POSLURP Malware Memory-resident Point-of-Sale Malware Attacks Industry
PoSlurp FIN8
Yara Rules
[TLP:WHITE] win_poslurp_auto (20230808 | Detects win.poslurp.)
rule win_poslurp_auto {
    // Auto-generated code-sequence signature for the PoSlurp (aka PUNCHTRACK)
    // point-of-sale malware family attributed to FIN8. The rule matches on runs
    // of raw x86-64 instruction bytes lifted from disassembly rather than on
    // strings or imports, so it is tied to the specific build(s) the generator
    // saw (see the DISCLAIMER below before assigning it a confidence level).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.poslurp."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of instruction bytes. "??" is a
        // YARA wildcard byte; here it masks the 4-byte operand of call/jmp and
        // memory-reference instructions (e.g. ff15????????, e8????????,
        // 448b05????????) whose displacement is not stable across samples.
        //
        // NOTE(review): the mnemonic column in the generated comments does not
        // line up with the bytes beside it. The hex is x86-64 (leading 0x41,
        // 0x48, 0x49, 0x4c bytes are REX prefixes), whereas the annotations
        // look like a 32-bit decode — REX bytes surface as "dec eax"/"inc ecx"
        // — and appear shifted relative to the byte column (e.g. a single cc
        // byte annotated as a multi-byte mov). Treat the hex as authoritative
        // and re-disassemble in 64-bit mode if you need to read the code.
        $sequence_0 = { 0f87fd000000 668378203d 0f85f2000000 498bce }
            // n = 4, score = 100
            //   0f87fd000000         | je                  0xfa
            //   668378203d           | mov                 ecx, eax
            //   0f85f2000000         | sub                 ecx, ebp
            //   498bce               | add                 ecx, -0x24

        $sequence_1 = { cc 33c9 ff15???????? cc 488bac2440010000 }
            // n = 5, score = 100
            //   cc                   | mov                 dword ptr [esp + 0x38], 1
            //   33c9                 | dec                 eax
            //   ff15????????         |                     
            //   cc                   | mov                 dword ptr [esp + 0x98], esi
            //   488bac2440010000     | dec                 eax

        $sequence_2 = { 488bf5 498bfc f3a4 498bcc e8???????? }
            // n = 5, score = 100
            //   488bf5               | mov                 edi, ebx
            //   498bfc               | jae                 0x1b1
            //   f3a4                 | inc                 ecx
            //   498bcc               | mov                 ecx, 0x30
            //   e8????????           |                     

        $sequence_3 = { ff15???????? 4c8be8 4885c0 0f84c2000000 4863453c }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   4c8be8               | dec                 eax
            //   4885c0               | mov                 ecx, edi
            //   0f84c2000000         | dec                 eax
            //   4863453c             | mov                 ebp, dword ptr [esp + 0x140]

        $sequence_4 = { 488d15a9100000 41b93f000f00 4533c0 48c7c102000080 }
            // n = 4, score = 100
            //   488d15a9100000       | jb                  0x149
            //   41b93f000f00         | dec                 eax
            //   4533c0               | add                 esp, 0x50
            //   48c7c102000080       | pop                 edi

        $sequence_5 = { 418bc1 41ffc0 486bc022 4803c2 48ffc2 }
            // n = 5, score = 100
            //   418bc1               | sub                 ecx, 0x11
            //   41ffc0               | je                  0x19e
            //   486bc022             | nop                 word ptr [eax + eax]
            //   4803c2               | movsx               eax, byte ptr [esi]
            //   48ffc2               | sub                 edx, 1

        $sequence_6 = { 0f8301010000 418bd6 498bcf 8bfb 412bd7 }
            // n = 5, score = 100
            //   0f8301010000         | mov                 ecx, esi
            //   418bd6               | xor                 edx, edx
            //   498bcf               | cmp                 word ptr [ebx + 0x38], 0x18
            //   8bfb                 | je                  0x157
            //   412bd7               | nop                 dword ptr [eax]

        $sequence_7 = { 0f84ae000000 80393d 0f85a5000000 418bd6 }
            // n = 4, score = 100
            //   0f84ae000000         | je                  0xfffffc70
            //   80393d               | dec                 eax
            //   0f85a5000000         | lea                 edi, [esp + 0x20]
            //   418bd6               | dec                 eax

        $sequence_8 = { 418bc8 ffce 488bd5 2bcd 8bfb }
            // n = 5, score = 100
            //   418bc8               | ja                  0x199
            //   ffce                 | dec                 ebp
            //   488bd5               | test                esp, esp
            //   2bcd                 | je                  0x199
            //   8bfb                 | cmp                 eax, 5

        $sequence_9 = { 488bd8 4883f8ff 0f84c8010000 448b05???????? 4889ac24a0020000 4889b424a8020000 4889bc24b0020000 }
            // n = 7, score = 100
            //   488bd8               | lea                 eax, [0xfffff90b]
            //   4883f8ff             | dec                 eax
            //   0f84c8010000         | mov                 dword ptr [esp + 0x40], ecx
            //   448b05????????       |                     
            //   4889ac24a0020000     | dec                 eax
            //   4889b424a8020000     | mov                 dword ptr [esp + 0x38], ebx
            //   4889bc24b0020000     | dec                 eax

    condition:
        // 7 of the 10 sequences must be present, which tolerates a few of them
        // being absent or altered in a given sample. The 50176-byte (49 KiB)
        // cap is presumably sized to the samples the generator saw — confirm
        // before relying on it for larger variants.
        //
        // NOTE(review): `filesize` is only defined when scanning a file; on a
        // process-memory scan it is undefined and the whole condition evaluates
        // false, so this rule will not fire on the memory-resident deployment
        // the referenced reports describe. Use it on dumped/unpacked files, or
        // maintain a separate memory variant without the filesize clause.
        7 of them and filesize < 50176
}