win.prometei

Prometei


According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was discovered in July 2020, and the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. There are Linux and Windows versions of this malware.

References
2022-02-17Twitter (@Honeymoon_IoC)Gi7w0rm
@online{gi7w0rm:20220217:tweets:a96e458, author = {Gi7w0rm}, title = {{Tweets on win.prometei caught via Cowrie}}, date = {2022-02-17}, organization = {Twitter (@Honeymoon_IoC)}, url = {https://twitter.com/honeymoon_ioc/status/1494311182550904840}, language = {English}, urldate = {2022-02-17} } Tweets on win.prometei caught via Cowrie
Prometei
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-04-22CybereasonLior Rochberger
@online{rochberger:20210422:prometei:c7eb590, author = {Lior Rochberger}, title = {{Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities}}, date = {2021-04-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities}, language = {English}, urldate = {2021-04-28} } Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Prometei Prometei
Yara Rules
[TLP:WHITE] win_prometei_auto (20220516 | Detects win.prometei.)
// Auto-generated code-sequence signature for win.prometei (32-bit Windows sample).
// The strings below are short instruction byte sequences picked by YARA-Signator
// from disassembly of memory dumps / unpacked files; "??" bytes are wildcards.
// The rule fires when at least 7 of the 16 sequences are present and the scanned
// file is smaller than 51014656 bytes (about 48.7 MiB). Because the sequences were
// selected from disassembly rather than unique data strings, treat a hit as a
// medium-confidence indicator and corroborate it with the references above.
rule win_prometei_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.prometei."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured with; "datarefs" and
        // "callsandjumps" are presumably why address operands below are wildcarded.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is annotated with its instruction count (n) and the
        // generator's score; "????" operands are wildcarded so the pattern
        // survives relocation / address changes between builds.

        // NOTE(review): the decoded instructions here (cmc, sbb al, 0x10) are an
        // unusual mix for compiled code; this window may be data rather than code,
        // which would make it a weaker, sample-specific indicator — confirm.
        $sequence_0 = { 50 47 f5 1c10 40 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   47                   | inc                 edi
            //   f5                   | cmc                 
            //   1c10                 | sbb                 al, 0x10
            //   40                   | inc                 eax

        // push imm32 / push esi / call [imm32] / mov edi, [imm32] / push esi:
        // an import-call prologue with every address wildcarded.
        $sequence_1 = { 68???????? 56 ff15???????? 8b3d???????? 56 }
            // n = 5, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   56                   | push                esi

        $sequence_2 = { 011d???????? 03c8 8b5de4 a1???????? }
            // n = 4, score = 100
            //   011d????????         |                     
            //   03c8                 | add                 ecx, eax
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   a1????????           |                     

        // Contains a fixed absolute address (0x4405c8) in the mov operand, so this
        // sequence is tied to the sample's image base / layout.
        $sequence_3 = { 013d???????? 8b04b5c8054400 0500080000 3bc8 }
            // n = 4, score = 100
            //   013d????????         |                     
            //   8b04b5c8054400       | mov                 eax, dword ptr [esi*4 + 0x4405c8]
            //   0500080000           | add                 eax, 0x800
            //   3bc8                 | cmp                 ecx, eax

        // NOTE(review): xor ecx,ecx / push ebx / cpuid / pop ebx is a generic
        // CPU-feature query idiom and is likely present in many unrelated
        // binaries; it adds little on its own toward the "7 of them" threshold.
        $sequence_4 = { 33c9 53 0fa2 5b }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   53                   | push                ebx
            //   0fa2                 | cpuid               
            //   5b                   | pop                 ebx

        // Sequences 5, 7, 10, 11, 12 and 14 are overlapping windows over one run
        // of "add dword ptr [ebx + 0x54..0x68], eax" instructions, i.e. they come
        // from the same code region and are not independent evidence. Several of
        // the 7 required matches can therefore be satisfied by a single function.
        $sequence_5 = { 014368 81434400020000 c7434000000000 83534800 }
            // n = 4, score = 100
            //   014368               | add                 dword ptr [ebx + 0x68], eax
            //   81434400020000       | add                 dword ptr [ebx + 0x44], 0x200
            //   c7434000000000       | mov                 dword ptr [ebx + 0x40], 0
            //   83534800             | adc                 dword ptr [ebx + 0x48], 0

        // push 0 / call [imm] / push -2 / call [imm] / call rel32 / pop edi / pop esi:
        // looks like an epilogue around two API calls; call targets are wildcarded.
        $sequence_6 = { 6a00 ff15???????? 6afe ff15???????? e8???????? 5f 5e }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6afe                 | push                -2
            //   ff15????????         |                     
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { 014360 8b45f4 014364 8b45e4 }
            // n = 4, score = 100
            //   014360               | add                 dword ptr [ebx + 0x60], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   014364               | add                 dword ptr [ebx + 0x64], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        // NOTE(review): adc al, 0xc3 / sahf / movsb is an implausible instruction
        // mix; like $sequence_0 this window may be data bytes misdecoded as code —
        // confirm before weighting it.
        $sequence_8 = { a3???????? 14c3 9e a4 a3???????? }
            // n = 5, score = 100
            //   a3????????           |                     
            //   14c3                 | adc                 al, 0xc3
            //   9e                   | sahf                
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   a3????????           |                     

        $sequence_9 = { 8bf3 5b 8d7db0 8907 }
            // n = 4, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   5b                   | pop                 ebx
            //   8d7db0               | lea                 edi, [ebp - 0x50]
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_10 = { 014364 8b45e4 014368 5b }
            // n = 4, score = 100
            //   014364               | add                 dword ptr [ebx + 0x64], eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   014368               | add                 dword ptr [ebx + 0x68], eax
            //   5b                   | pop                 ebx

        $sequence_11 = { 01435c 8b45fc 014360 8b45f4 }
            // n = 4, score = 100
            //   01435c               | add                 dword ptr [ebx + 0x5c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   014360               | add                 dword ptr [ebx + 0x60], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_12 = { 014358 8b45f0 01435c 8b45fc }
            // n = 4, score = 100
            //   014358               | add                 dword ptr [ebx + 0x58], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   01435c               | add                 dword ptr [ebx + 0x5c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // Byte-wise scan loop (load, inc, test, jne back) followed by push 0 /
        // lea — a strlen-style loop leading into a call.
        $sequence_13 = { 8a01 41 84c0 75f9 6a00 8d45d8 }
            // n = 6, score = 100
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   6a00                 | push                0
            //   8d45d8               | lea                 eax, [ebp - 0x28]

        $sequence_14 = { 014354 8b45e8 014358 8b45f0 }
            // n = 4, score = 100
            //   014354               | add                 dword ptr [ebx + 0x54], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   014358               | add                 dword ptr [ebx + 0x58], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        // Argument setup with the constant 0x80000000 pushed; the following
        // push imm32 (wildcarded) is presumably a pointer operand.
        $sequence_15 = { 6a03 6a00 6a00 6800000080 68???????? c745d800000000 }
            // n = 6, score = 100
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000080           | push                0x80000000
            //   68????????           |                     
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0

    condition:
        // At least 7 of the 16 sequences must match; the size cap (51014656
        // bytes, ~48.7 MiB) limits scan cost and excludes very large files.
        // Given the overlapping sequences noted above, consider raising the
        // threshold or de-duplicating them if false positives are observed.
        7 of them and filesize < 51014656
}