SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pseudo_manuscrypt (Back to overview)

PseudoManuscrypt

There is no description at this point.

References
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-16Kaspersky Lab ICS CERT
@online{cert:20211216:pseudomanuscrypt:808ef18, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, url = {https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2021-12-23} } PseudoManuscrypt: a mass-scale spyware attack campaign
PseudoManuscrypt
Yara Rules
[TLP:WHITE] win_pseudo_manuscrypt_auto (20220808 | Detects win.pseudo_manuscrypt.)
rule win_pseudo_manuscrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.pseudo_manuscrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4604 3b781c 72db 8b7dd4 6a64 ff15???????? ffd3 }
            // n = 7, score = 100
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   3b781c               | cmp                 edi, dword ptr [eax + 0x1c]
            //   72db                 | jb                  0xffffffdd
            //   8b7dd4               | mov                 edi, dword ptr [ebp - 0x2c]
            //   6a64                 | push                0x64
            //   ff15????????         |                     
            //   ffd3                 | call                ebx

        $sequence_1 = { 55 8bec 83ec28 a1???????? 33c5 8945fc 837d08ff }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec28               | sub                 esp, 0x28
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1

        $sequence_2 = { c745f000000000 668945e0 663907 7504 33c9 eb14 8bcf }
            // n = 7, score = 100
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax
            //   663907               | cmp                 word ptr [edi], ax
            //   7504                 | jne                 6
            //   33c9                 | xor                 ecx, ecx
            //   eb14                 | jmp                 0x16
            //   8bcf                 | mov                 ecx, edi

        $sequence_3 = { ff15???????? 8bf0 8b45f4 894614 8d4638 897e24 894620 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   8d4638               | lea                 eax, [esi + 0x38]
            //   897e24               | mov                 dword ptr [esi + 0x24], edi
            //   894620               | mov                 dword ptr [esi + 0x20], eax

        $sequence_4 = { 0f84f5fdffff 0fb607 8bce d3e0 4b 03d0 895df4 }
            // n = 7, score = 100
            //   0f84f5fdffff         | je                  0xfffffdfb
            //   0fb607               | movzx               eax, byte ptr [edi]
            //   8bce                 | mov                 ecx, esi
            //   d3e0                 | shl                 eax, cl
            //   4b                   | dec                 ebx
            //   03d0                 | add                 edx, eax
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_5 = { e8???????? 83c404 8d8424a80a0000 8d942498060000 8d8c2488020000 50 8d8424a4080000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d8424a80a0000       | lea                 eax, [esp + 0xaa8]
            //   8d942498060000       | lea                 edx, [esp + 0x698]
            //   8d8c2488020000       | lea                 ecx, [esp + 0x288]
            //   50                   | push                eax
            //   8d8424a4080000       | lea                 eax, [esp + 0x8a4]

        $sequence_6 = { e8???????? ff4f60 83c404 8b55fc 8bc6 3bf3 75b8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff4f60               | dec                 dword ptr [edi + 0x60]
            //   83c404               | add                 esp, 4
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8bc6                 | mov                 eax, esi
            //   3bf3                 | cmp                 esi, ebx
            //   75b8                 | jne                 0xffffffba

        $sequence_7 = { 8b0d???????? 8d47e8 894308 8b83b4000000 897b04 50 85c9 }
            // n = 7, score = 100
            //   8b0d????????         |                     
            //   8d47e8               | lea                 eax, [edi - 0x18]
            //   894308               | mov                 dword ptr [ebx + 8], eax
            //   8b83b4000000         | mov                 eax, dword ptr [ebx + 0xb4]
            //   897b04               | mov                 dword ptr [ebx + 4], edi
            //   50                   | push                eax
            //   85c9                 | test                ecx, ecx

        $sequence_8 = { 83ec08 57 8b7d08 894df8 c745fc00000000 85ff 0f84bf000000 }
            // n = 7, score = 100
            //   83ec08               | sub                 esp, 8
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   85ff                 | test                edi, edi
            //   0f84bf000000         | je                  0xc5

        $sequence_9 = { 8b02 83c204 8945fc 8955e8 8d4de4 e8???????? 8d4de4 }
            // n = 7, score = 100
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   83c204               | add                 edx, 4
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   e8????????           |                     
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

    condition:
        7 of them and filesize < 748544
}
Download all Yara Rules