win.prometei

Prometei


According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was publicly discovered in July 2020; the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. There are Linux and Windows versions of this malware.

References
2022-02-17Twitter (@Honeymoon_IoC)Gi7w0rm
@online{gi7w0rm:20220217:tweets:a96e458, author = {Gi7w0rm}, title = {{Tweets on win.prometei caught via Cowrie}}, date = {2022-02-17}, organization = {Twitter (@Honeymoon_IoC)}, url = {https://twitter.com/honeymoon_ioc/status/1494311182550904840}, language = {English}, urldate = {2022-02-17} } Tweets on win.prometei caught via Cowrie
Prometei
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-04-22CybereasonLior Rochberger
@online{rochberger:20210422:prometei:c7eb590, author = {Lior Rochberger}, title = {{Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities}}, date = {2021-04-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities}, language = {English}, urldate = {2021-04-28} } Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Prometei Prometei
Yara Rules
[TLP:WHITE] win_prometei_auto (20221125 | Detects win.prometei.)
rule win_prometei_auto {
    // Autogenerated YARA-Signator rule for the Windows build of Prometei.
    // It carries 16 raw x86 byte sequences ($sequence_0 .. $sequence_15) lifted
    // from disassembly of unpacked/memory-dumped samples; a file matches when
    // any 7 of them are present and the file is below the size cap (see condition).
    // No strings from the malware's config, C2 or mutex names are used, so this
    // rule is a code-similarity signature, not an IoC signature.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.prometei."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is a run of consecutive instruction bytes. `??` is the
        // YARA single-byte wildcard, so `????????` masks a 4-byte immediate or
        // displacement (relocated addresses, call targets) that differs between
        // builds and load addresses. The `//` lines under each string are the
        // generator's own disassembly, kept for reference; they are not matched.
        //
        // NOTE(review): only $sequence_0, _6, _7, _8 and _15 read as plausible
        // compiler output (lea/push/call/cmp/je patterns). The remaining sequences
        // decode to byte-level oddities (add byte ptr [eax], al; int1; iretd;
        // in al, dx; pushal/popal; fbstp ...), which usually means the generator
        // sampled bytes from data, padding or an overlay rather than from code.
        // Those are more likely to drift across samples or to collide with
        // unrelated binaries, so a hit carried mostly by them deserves manual
        // confirmation before it is treated as a Prometei detection.

        $sequence_0 = { 8d45d8 2bca 50 51 68???????? 56 }
            // n = 6, score = 100
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   2bca                 | sub                 ecx, edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_1 = { 009c003dbe839a 47 fc 84b3e61c0292 }
            // n = 4, score = 100
            //   009c003dbe839a       | add                 byte ptr [eax + eax - 0x657c41c3], bl
            //   47                   | inc                 edi
            //   fc                   | cld                 
            //   84b3e61c0292         | test                byte ptr [ebx - 0x6dfde31a], dh

        $sequence_2 = { 60 6d b470 2b5194 306090 cf }
            // n = 6, score = 100
            //   60                   | pushal              
            //   6d                   | insd                dword ptr es:[edi], dx
            //   b470                 | mov                 ah, 0x70
            //   2b5194               | sub                 edx, dword ptr [ecx - 0x6c]
            //   306090               | xor                 byte ptr [eax - 0x70], ah
            //   cf                   | iretd               

        $sequence_3 = { 0000 6681c1f900 f3a4 48 }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   6681c1f900           | add                 cx, 0xf9
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   48                   | dec                 eax

        $sequence_4 = { bb8c132400 4a af e8???????? 1401 d000 3060c0 }
            // n = 7, score = 100
            //   bb8c132400           | mov                 ebx, 0x24138c
            //   4a                   | dec                 edx
            //   af                   | scasd               eax, dword ptr es:[edi]
            //   e8????????           |                     
            //   1401                 | adc                 al, 1
            //   d000                 | rol                 byte ptr [eax], 1
            //   3060c0               | xor                 byte ptr [eax - 0x40], ah

        $sequence_5 = { 0000 004889 ec 5d }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   004889               | add                 byte ptr [eax - 0x77], cl
            //   ec                   | in                  al, dx
            //   5d                   | pop                 ebp

        $sequence_6 = { 741f 6a00 8d45d8 50 }
            // n = 4, score = 100
            //   741f                 | je                  0x21
            //   6a00                 | push                0
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax

        $sequence_7 = { 8bfa 85ff 7e1f b9???????? }
            // n = 4, score = 100
            //   8bfa                 | mov                 edi, edx
            //   85ff                 | test                edi, edi
            //   7e1f                 | jle                 0x21
            //   b9????????           |                     

        $sequence_8 = { ff15???????? 56 ffd7 6a01 68???????? 68???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   6a01                 | push                1
            //   68????????           |                     
            //   68????????           |                     

        $sequence_9 = { 004153 6a33 51 4c }
            // n = 4, score = 100
            //   004153               | add                 byte ptr [ecx + 0x53], al
            //   6a33                 | push                0x33
            //   51                   | push                ecx
            //   4c                   | dec                 esp

        $sequence_10 = { 0037 c0880b44e15bef 44 27 }
            // n = 4, score = 100
            //   0037                 | add                 byte ptr [edi], dh
            //   c0880b44e15bef       | ror                 byte ptr [eax + 0x5be1440b], 0xef
            //   44                   | inc                 esp
            //   27                   | daa                 

        $sequence_11 = { 0105???????? 3034a0 0e 300c06 }
            // n = 4, score = 100
            //   0105????????         |                     
            //   3034a0               | xor                 byte ptr [eax], dh
            //   0e                   | push                cs
            //   300c06               | xor                 byte ptr [esi + eax], cl

        $sequence_12 = { 009ec024c023 c028e0 1d2a0a41ba a6 }
            // n = 4, score = 100
            //   009ec024c023         | add                 byte ptr [esi + 0x23c024c0], bl
            //   c028e0               | shr                 byte ptr [eax], 0xe0
            //   1d2a0a41ba           | sbb                 eax, 0xba410a2a
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]

        $sequence_13 = { 61 804070a0 dfb734381320 f1 a5 }
            // n = 5, score = 100
            //   61                   | popal               
            //   804070a0             | add                 byte ptr [eax + 0x70], 0xa0
            //   dfb734381320         | fbstp               tbyte ptr [edi + 0x20133834]
            //   f1                   | int1                
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_14 = { 0081bb7a3644 98 f1 35ad3298f0 }
            // n = 4, score = 100
            //   0081bb7a3644         | add                 byte ptr [ecx + 0x44367abb], al
            //   98                   | cwde                
            //   f1                   | int1                
            //   35ad3298f0           | xor                 eax, 0xf09832ad

        $sequence_15 = { 8bf0 83feff 7427 b9???????? 8d5101 8a01 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7427                 | je                  0x29
            //   b9????????           |                     
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]

    condition:
        // Any 7 of the 16 sequences, in any order and at any offset, plus a size
        // cap of 51014656 bytes (~48.7 MiB) that bounds scan cost and skips large
        // carriers. The threshold does not distinguish the code-like sequences
        // from the data-like ones (see the NOTE above), so 7 data-like hits count
        // the same as 7 code-like hits.
        7 of them and filesize < 51014656
}