
Prometei


According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was publicly documented in July 2020, and the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. Both Linux and Windows versions of this malware exist.

References
2022-02-17Twitter (@Honeymoon_IoC)Gi7w0rm
@online{gi7w0rm:20220217:tweets:a96e458, author = {Gi7w0rm}, title = {{Tweets on win.prometei caught via Cowrie}}, date = {2022-02-17}, organization = {Twitter (@Honeymoon_IoC)}, url = {https://twitter.com/honeymoon_ioc/status/1494311182550904840}, language = {English}, urldate = {2022-02-17} } Tweets on win.prometei caught via Cowrie
Prometei
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-04-22CybereasonLior Rochberger
@online{rochberger:20210422:prometei:c7eb590, author = {Lior Rochberger}, title = {{Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities}}, date = {2021-04-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities}, language = {English}, urldate = {2021-04-28} } Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Prometei Prometei
Yara Rules
[TLP:WHITE] win_prometei_auto (20230125 | Detects win.prometei.)
rule win_prometei_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.prometei."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the sequences below fall into two groups when you read the
     * generator's own disassembly comments. A few decode to plausible compiler
     * output (a function epilogue, arithmetic against a fixed constant, a
     * push/call pattern). The rest decode to instructions that are unlikely to
     * be real code ("add byte ptr [reg + large-disp], reg", "int1", "hlt",
     * "popal", "fbstp", "daa", "in al, dx") and are more likely raw data or
     * packed bytes that happened to be selected from the single documented
     * sample. Those are highly sample-specific: expect them to stop matching
     * on rebuilt, repacked or differently unpacked Prometei binaries, and do
     * not treat a hit on them alone as strong attribution. The rule was built
     * from memory dumps / unpacked files (see DISCLAIMER), so it is intended
     * to be run against unpacked images, not necessarily on-disk packed
     * samples. */

    strings:
        // Arithmetic with the constants 0x2000 and 0x1919191a; the last two
        // instructions are the same bytes as the start of $sequence_6, so both
        // can be satisfied by one code site.
        $sequence_0 = { 2bc7 2bd7 03f0 81c200200000 b81a191919 }
            // n = 5, score = 100
            //   2bc7                 | sub                 eax, edi
            //   2bd7                 | sub                 edx, edi
            //   03f0                 | add                 esi, eax
            //   81c200200000         | add                 edx, 0x2000
            //   b81a191919           | mov                 eax, 0x1919191a

        // Decodes to memory adds with large displacements plus cld/test;
        // likely data bytes rather than code (low confidence on its own).
        $sequence_1 = { 009c003dbe839a 47 fc 84b3e61c0292 }
            // n = 4, score = 100
            //   009c003dbe839a       | add                 byte ptr [eax + eax - 0x657c41c3], bl
            //   47                   | inc                 edi
            //   fc                   | cld                 
            //   84b3e61c0292         | test                byte ptr [ebx - 0x6dfde31a], dh

        // Call followed by a standard callee-saved-register restore and frame
        // teardown. This is ordinary compiler epilogue code and is likely to
        // appear in many unrelated binaries; it discriminates poorly alone.
        $sequence_2 = { e8???????? 5f 5e 5b 8be5 5d 8be3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   8be3                 | mov                 esp, ebx

        // adc/add-to-memory/sub/lea with an odd displacement; likely data.
        // The trailing "2cbb 8d3b" bytes are also the start of $sequence_5.
        $sequence_3 = { 10d0 00bb2d784334 2cbb 8d3b }
            // n = 4, score = 100
            //   10d0                 | adc                 al, dl
            //   00bb2d784334         | add                 byte ptr [ebx + 0x3443782d], bh
            //   2cbb                 | sub                 al, 0xbb
            //   8d3b                 | lea                 edi, [ebx]

        // Two zero bytes, a memory add, "in al, dx" and pop ebp: reads like
        // padding/data around an epilogue rather than a real instruction run.
        $sequence_4 = { 0000 004889 ec 5d }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   004889               | add                 byte ptr [eax - 0x77], cl
            //   ec                   | in                  al, dx
            //   5d                   | pop                 ebp

        // Overlaps $sequence_3 (first two instructions) and $sequence_8
        // (last two instructions); popal is not something compilers emit in
        // normal 32-bit code, so this is likely data.
        $sequence_5 = { 2cbb 8d3b 61 804070a0 }
            // n = 4, score = 100
            //   2cbb                 | sub                 al, 0xbb
            //   8d3b                 | lea                 edi, [ebx]
            //   61                   | popal               
            //   804070a0             | add                 byte ptr [eax + 0x70], 0xa0

        // Continuation of the 0x2000 / 0x1919191a arithmetic in $sequence_0
        // (shares its first two instructions), then a compare against edx.
        $sequence_6 = { 81c200200000 b81a191919 2bc1 3bd0 }
            // n = 4, score = 100
            //   81c200200000         | add                 edx, 0x2000
            //   b81a191919           | mov                 eax, 0x1919191a
            //   2bc1                 | sub                 eax, ecx
            //   3bd0                 | cmp                 edx, eax

        // push imm32; push esi; call [imm32]; mov edi, [imm32]; push esi -
        // a generic import-call pattern with all addresses wildcarded.
        // Plausible real code, but common across many Win32 binaries.
        $sequence_7 = { 68???????? 56 ff15???????? 8b3d???????? 56 }
            // n = 5, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   56                   | push                esi

        // popal / fbstp / int1 / movsd / nop / hlt is not a credible code
        // path; almost certainly data. Shares its first two instructions
        // with the tail of $sequence_5.
        $sequence_8 = { 61 804070a0 dfb734381320 f1 a5 90 f4 }
            // n = 7, score = 100
            //   61                   | popal               
            //   804070a0             | add                 byte ptr [eax + 0x70], 0xa0
            //   dfb734381320         | fbstp               tbyte ptr [edi + 0x20133834]
            //   f1                   | int1                
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   90                   | nop                 
            //   f4                   | hlt                 

        // Memory add / push 0x33 / push ecx / dec esp; likely data.
        $sequence_9 = { 004153 6a33 51 4c }
            // n = 4, score = 100
            //   004153               | add                 byte ptr [ecx + 0x53], al
            //   6a33                 | push                0x33
            //   51                   | push                ecx
            //   4c                   | dec                 esp

        // Zero bytes then "add cx, 0xf9; rep movsb; dec eax". The rep movsb
        // could be a real copy loop, but the surrounding bytes look like data.
        $sequence_10 = { 0000 6681c1f900 f3a4 48 }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   6681c1f900           | add                 cx, 0xf9
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   48                   | dec                 eax

        // add [imm32], eax then byte XORs into memory and "push cs". The XOR
        // stores could be part of a decode loop, but "push cs" suggests the
        // disassembly is misaligned; treat as low confidence.
        $sequence_11 = { 0105???????? 3034a0 0e 300c06 }
            // n = 4, score = 100
            //   0105????????         |                     
            //   3034a0               | xor                 byte ptr [eax], dh
            //   0e                   | push                cs
            //   300c06               | xor                 byte ptr [esi + eax], cl

        // Memory add / cwde / int1 / xor eax, imm32; likely data.
        $sequence_12 = { 0081bb7a3644 98 f1 35ad3298f0 }
            // n = 4, score = 100
            //   0081bb7a3644         | add                 byte ptr [ecx + 0x44367abb], al
            //   98                   | cwde                
            //   f1                   | int1                
            //   35ad3298f0           | xor                 eax, 0xf09832ad

        // Memory add / ror byte by 0xef / inc esp / daa; likely data.
        $sequence_13 = { 0037 c0880b44e15bef 44 27 }
            // n = 4, score = 100
            //   0037                 | add                 byte ptr [edi], dh
            //   c0880b44e15bef       | ror                 byte ptr [eax + 0x5be1440b], 0xef
            //   44                   | inc                 esp
            //   27                   | daa                 

        // Byte XOR of [ecx] with al derived from dl and a stack byte, followed
        // by a test/je: plausible decode-loop body, one of the more code-like
        // sequences in this rule. The 0x0f branch target is relative to the
        // je, so it is fixed by the surrounding layout.
        $sequence_14 = { b9???????? 8ac2 0245f0 3001 85d2 740f }
            // n = 6, score = 100
            //   b9????????           |                     
            //   8ac2                 | mov                 al, dl
            //   0245f0               | add                 al, byte ptr [ebp - 0x10]
            //   3001                 | xor                 byte ptr [ecx], al
            //   85d2                 | test                edx, edx
            //   740f                 | je                  0x11

        // Memory add / shr byte by 0xe0 / sbb eax, imm32 / cmpsb; likely data.
        $sequence_15 = { 009ec024c023 c028e0 1d2a0a41ba a6 }
            // n = 4, score = 100
            //   009ec024c023         | add                 byte ptr [esi + 0x23c024c0], bl
            //   c028e0               | shr                 byte ptr [eax], 0xe0
            //   1d2a0a41ba           | sbb                 eax, 0xba410a2a
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]

    condition:
        // At least 7 of the 16 sequences must be present and the scanned
        // object must be smaller than 51014656 bytes (about 48.65 MiB).
        // Note that several sequences share bytes ($sequence_0/$sequence_6,
        // $sequence_3/$sequence_5, $sequence_5/$sequence_8), so one region of
        // the file can satisfy more than one of them; the "7" therefore does
        // not correspond to 7 independent code sites. The size cap applies to
        // the file or memory region being scanned, so very large dumps will
        // never match regardless of content.
        7 of them and filesize < 51014656
}