win.prometei (Back to overview)

Prometei


According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was discovered in July 2020; the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. There are Linux and Windows versions of this malware.

References
2023-03-09 — Talos Intelligence — Andrew Windsor, Vanja Svajcer
@online{windsor:20230309:prometei:37546c2, author = {Andrew Windsor and Vanja Svajcer}, title = {{Prometei botnet improves modules and exhibits new capabilities in recent updates}}, date = {2023-03-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/prometei-botnet-improves/}, language = {English}, urldate = {2023-04-08} } Prometei botnet improves modules and exhibits new capabilities in recent updates
Prometei
2022-02-17 — Twitter (@Honeymoon_IoC) — Gi7w0rm
@online{gi7w0rm:20220217:tweets:a96e458, author = {Gi7w0rm}, title = {{Tweets on win.prometei caught via Cowrie}}, date = {2022-02-17}, organization = {Twitter (@Honeymoon_IoC)}, url = {https://twitter.com/honeymoon_ioc/status/1494311182550904840}, language = {English}, urldate = {2022-02-17} } Tweets on win.prometei caught via Cowrie
Prometei
2021-05-06 — Trend Micro — Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-04-22 — Cybereason — Lior Rochberger
@online{rochberger:20210422:prometei:c7eb590, author = {Lior Rochberger}, title = {{Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities}}, date = {2021-04-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities}, language = {English}, urldate = {2021-04-28} } Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Prometei Prometei
Yara Rules
[TLP:WHITE] win_prometei_auto (20230715 | Detects win.prometei.)
rule win_prometei_auto {
    /* Reviewer notes (comments only; the rule logic below is unchanged):
     * - Purpose: byte-sequence detection for win.prometei, autogenerated by
     *   yara-signator from the disassembly of unpacked files and memory dumps.
     * - Matching: 7 of the 16 $sequence_* patterns must be present and the
     *   scanned object must be smaller than 51014656 bytes (~48.6 MiB).
     * - "????????" wildcards mask 4-byte operands (the listing leaves their
     *   disassembly blank); they appear to be absolute addresses or
     *   displacements, so masking keeps the pattern robust to relocation.
     * - $sequence_1, _5, _6, _7 and _9 are overlapping windows over the same
     *   run of "add dword ptr [ebx + N], eax" instructions, so they are not
     *   independent evidence: that one code region alone can supply 5 of the
     *   7 required hits. Weigh this when assigning confidence to the rule.
     * - $sequence_10 and $sequence_13 decode to implausible instruction mixes
     *   (les / sahf / push ss, odd immediates), which suggests the bytes are
     *   data or misaligned code; they still match as raw bytes but carry
     *   little semantic meaning on their own.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.prometei."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-local zeroing followed by cpuid and an xmm zero/store; typical
        // of CPU-feature probing in prologue code (common in compiler runtimes too).
        $sequence_0 = { c745c000000000 53 0fa2 0f57c0 8bf3 660f7f45b0 }
            // n = 6, score = 100
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   53                   | push                ebx
            //   0fa2                 | cpuid               
            //   0f57c0               | xorps               xmm0, xmm0
            //   8bf3                 | mov                 esi, ebx
            //   660f7f45b0           | movdqa              xmmword ptr [ebp - 0x50], xmm0

        // Window over the "add [ebx + 0x54..0x68], eax" accumulation run
        // (overlaps $sequence_5/_6/_7/_9).
        $sequence_1 = { 014360 8b45f4 014364 8b45e4 }
            // n = 4, score = 100
            //   014360               | add                 dword ptr [ebx + 0x60], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   014364               | add                 dword ptr [ebx + 0x64], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        // Two masked absolute operands (add [abs32], ebx ; mov eax, [abs32]).
        $sequence_2 = { 011d???????? 03c8 8b5de4 a1???????? }
            // n = 4, score = 100
            //   011d????????         |                     
            //   03c8                 | add                 ecx, eax
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   a1????????           |                     

        // "xor byte ptr [ecx], al" inside a counted loop; looks like a byte-wise
        // XOR transform (decoding/encoding) — inferred from the opcode only.
        $sequence_3 = { 3001 85d2 740f 0175f0 }
            // n = 4, score = 100
            //   3001                 | xor                 byte ptr [ecx], al
            //   85d2                 | test                edx, edx
            //   740f                 | je                  0x11
            //   0175f0               | add                 dword ptr [ebp - 0x10], esi

        // Table lookup at a fixed image address (0x4405c8) — the unmasked
        // address ties this pattern to one image base; masked operand precedes it.
        $sequence_4 = { 013d???????? 8b04b5c8054400 0500080000 3bc8 }
            // n = 4, score = 100
            //   013d????????         |                     
            //   8b04b5c8054400       | mov                 eax, dword ptr [esi*4 + 0x4405c8]
            //   0500080000           | add                 eax, 0x800
            //   3bc8                 | cmp                 ecx, eax

        // Tail of the accumulation run (overlaps $sequence_1).
        $sequence_5 = { 014364 8b45e4 014368 5b }
            // n = 4, score = 100
            //   014364               | add                 dword ptr [ebx + 0x64], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   014368               | add                 dword ptr [ebx + 0x68], eax
            //   5b                   | pop                 ebx

        // Head of the accumulation run (overlaps $sequence_7).
        $sequence_6 = { 014354 8b45e8 014358 8b45f0 }
            // n = 4, score = 100
            //   014354               | add                 dword ptr [ebx + 0x54], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   014358               | add                 dword ptr [ebx + 0x58], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        // Accumulation run, shifted one instruction pair (overlaps _6 and _9).
        $sequence_7 = { 014358 8b45f0 01435c 8b45fc }
            // n = 4, score = 100
            //   014358               | add                 dword ptr [ebx + 0x58], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   01435c               | add                 dword ptr [ebx + 0x5c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // Branchless select (cmove) followed by two subtractions; short and
        // generic, so it contributes little specificity on its own.
        $sequence_8 = { 8bd1 0f44f8 8bc1 2bc7 2bd7 }
            // n = 5, score = 100
            //   8bd1                 | mov                 edx, ecx
            //   0f44f8               | cmove               edi, eax
            //   8bc1                 | mov                 eax, ecx
            //   2bc7                 | sub                 eax, edi
            //   2bd7                 | sub                 edx, edi

        // Accumulation run, shifted again (overlaps _7 and _1).
        $sequence_9 = { 01435c 8b45fc 014360 8b45f4 }
            // n = 4, score = 100
            //   01435c               | add                 dword ptr [ebx + 0x5c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   014360               | add                 dword ptr [ebx + 0x60], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        // Decodes to implausible instructions (les/ror/sahf): probably data or
        // misaligned code; matches only as a raw byte pattern.
        $sequence_10 = { c4b093ae74d2 c18b315b92b5e0 a3???????? 14c3 9e }
            // n = 5, score = 100
            //   c4b093ae74d2         | les                 esi, ptr [eax - 0x2d8b516d]
            //   c18b315b92b5e0       | ror                 dword ptr [ebx - 0x4a6da4cf], 0xe0
            //   a3????????           |                     
            //   14c3                 | adc                 al, 0xc3
            //   9e                   | sahf                

        // Inline string construction on the stack: the immediates are the ASCII
        // bytes "shlp" (73 68 6c 70) and "da32" (64 61 33 32); only these
        // fragments of the full string are visible here.
        $sequence_11 = { 6a00 c745e073686c70 8b45e0 a3???????? 660fd605???????? c745e464613332 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   c745e073686c70       | mov                 dword ptr [ebp - 0x20], 0x706c6873
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   a3????????           |                     
            //   660fd605????????     |                     
            //   c745e464613332       | mov                 dword ptr [ebp - 0x1c], 0x32336164

        // Byte-by-byte comparison of a stack buffer against [esi] (string-compare loop).
        $sequence_12 = { 0fbe5405b8 0fb60e 3bca 7513 40 }
            // n = 5, score = 100
            //   0fbe5405b8           | movsx               edx, byte ptr [ebp + eax - 0x48]
            //   0fb60e               | movzx               ecx, byte ptr [esi]
            //   3bca                 | cmp                 ecx, edx
            //   7513                 | jne                 0x15
            //   40                   | inc                 eax

        // Decodes to implausible instructions (push ss, odd shift): probably
        // data or misaligned code; matches only as a raw byte pattern.
        $sequence_13 = { 3460 90 c0f0e6 16 88b027564c70 }
            // n = 5, score = 100
            //   3460                 | xor                 al, 0x60
            //   90                   | nop                 
            //   c0f0e6               | sal                 al, 0xe6
            //   16                   | push                ss
            //   88b027564c70         | mov                 byte ptr [eax + 0x704c5627], dh

        // Structure update at [ebx + 0x40..0x68]: shares the "add [ebx + 0x68], eax"
        // opcode with $sequence_5 but continues differently (adc of a carry).
        $sequence_14 = { 014368 81434400020000 c7434000000000 83534800 }
            // n = 4, score = 100
            //   014368               | add                 dword ptr [ebx + 0x68], eax
            //   81434400020000       | add                 dword ptr [ebx + 0x44], 0x200
            //   c7434000000000       | mov                 dword ptr [ebx + 0x40], 0
            //   83534800             | adc                 dword ptr [ebx + 0x48], 0

        // Counted loop with a null-check and "add [ebp - 0xc], esi" — same
        // shape as $sequence_3's loop body, so the two may come from the same region.
        $sequence_15 = { 8b75fc 8b45f8 85c0 7410 0175f4 42 }
            // n = 6, score = 100
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   0175f4               | add                 dword ptr [ebp - 0xc], esi
            //   42                   | inc                 edx

    condition:
        // 7 of 16 sequences; the size bound (~48.6 MiB) skips very large files.
        7 of them and filesize < 51014656
}