SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pseudo_manuscrypt (Back to overview)

PseudoManuscrypt


There is no description at this point.

References
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-16Kaspersky Lab ICS CERT
@online{cert:20211216:pseudomanuscrypt:808ef18, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, url = {https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2021-12-23} } PseudoManuscrypt: a mass-scale spyware attack campaign
PseudoManuscrypt
Yara Rules
[TLP:WHITE] win_pseudo_manuscrypt_auto (20220411 | Detects win.pseudo_manuscrypt.)
rule win_pseudo_manuscrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.pseudo_manuscrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1ca0b 03d7 0bc2 8995f8feffff 33c7 03850cffffff 03f0 }
            // n = 7, score = 100
            //   c1ca0b               | ror                 edx, 0xb
            //   03d7                 | add                 edx, edi
            //   0bc2                 | or                  eax, edx
            //   8995f8feffff         | mov                 dword ptr [ebp - 0x108], edx
            //   33c7                 | xor                 eax, edi
            //   03850cffffff         | add                 eax, dword ptr [ebp - 0xf4]
            //   03f0                 | add                 esi, eax

        $sequence_1 = { 83ec0c 8d5e68 8bcb e8???????? 6a00 8d864c010000 c7864801000000000000 }
            // n = 7, score = 100
            //   83ec0c               | sub                 esp, 0xc
            //   8d5e68               | lea                 ebx, dword ptr [esi + 0x68]
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d864c010000         | lea                 eax, dword ptr [esi + 0x14c]
            //   c7864801000000000000     | mov    dword ptr [esi + 0x148], 0

        $sequence_2 = { ff750c ff7004 8b4e48 56 8b11 ff5210 5e }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7004               | push                dword ptr [eax + 4]
            //   8b4e48               | mov                 ecx, dword ptr [esi + 0x48]
            //   56                   | push                esi
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   ff5210               | call                dword ptr [edx + 0x10]
            //   5e                   | pop                 esi

        $sequence_3 = { 8945dc be???????? 0f45f1 33c0 8bce 668945e0 }
            // n = 6, score = 100
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   be????????           |                     
            //   0f45f1               | cmovne              esi, ecx
            //   33c0                 | xor                 eax, eax
            //   8bce                 | mov                 ecx, esi
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax

        $sequence_4 = { c745e800000000 8b3e 8b1d???????? ffd3 50 8bce ff97c4000000 }
            // n = 7, score = 100
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   8b1d????????         |                     
            //   ffd3                 | call                ebx
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   ff97c4000000         | call                dword ptr [edi + 0xc4]

        $sequence_5 = { 7409 51 e8???????? 83c404 8b54240c 8b5204 8b0a }
            // n = 7, score = 100
            //   7409                 | je                  0xb
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   8b5204               | mov                 edx, dword ptr [edx + 4]
            //   8b0a                 | mov                 ecx, dword ptr [edx]

        $sequence_6 = { 741d 8bcf 8d4101 8945d8 0f1f00 8a01 41 }
            // n = 7, score = 100
            //   741d                 | je                  0x1f
            //   8bcf                 | mov                 ecx, edi
            //   8d4101               | lea                 eax, dword ptr [ecx + 1]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   0f1f00               | nop                 dword ptr [eax]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx

        $sequence_7 = { 56 50 57 e8???????? 83c414 85c0 7414 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16

        $sequence_8 = { 33c0 8d95a4fdffff 66898435a4fdffff 8bf3 8bc2 2bf0 0fb70a }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8d95a4fdffff         | lea                 edx, dword ptr [ebp - 0x25c]
            //   66898435a4fdffff     | mov                 word ptr [ebp + esi - 0x25c], ax
            //   8bf3                 | mov                 esi, ebx
            //   8bc2                 | mov                 eax, edx
            //   2bf0                 | sub                 esi, eax
            //   0fb70a               | movzx               ecx, word ptr [edx]

        $sequence_9 = { 42 83c12c 8995a0f3ffff 898dc4f3ffff 8d0447 8985a8f3ffff 3b95a4f3ffff }
            // n = 7, score = 100
            //   42                   | inc                 edx
            //   83c12c               | add                 ecx, 0x2c
            //   8995a0f3ffff         | mov                 dword ptr [ebp - 0xc60], edx
            //   898dc4f3ffff         | mov                 dword ptr [ebp - 0xc3c], ecx
            //   8d0447               | lea                 eax, dword ptr [edi + eax*2]
            //   8985a8f3ffff         | mov                 dword ptr [ebp - 0xc58], eax
            //   3b95a4f3ffff         | cmp                 edx, dword ptr [ebp - 0xc5c]

    condition:
        7 of them and filesize < 748544
}
Download all Yara Rules