win.pslogger

PSLogger

aka: ECCENTRICBANDWAGON

Actor(s): Lazarus Group


There is no description at this point.

References
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON
PSLogger
2019-08-11 | Twitter (@KevinPerlow) | Kevin Perlow
@online{perlow:20190811:updated:b23bfc9, author = {Kevin Perlow}, title = {{Updated #Lazarus Keylogger (uploaded June)}}, date = {2019-08-11}, organization = {Twitter (@KevinPerlow)}, url = {https://twitter.com/KevinPerlow/status/1160766519615381504}, language = {English}, urldate = {2022-11-21} } Updated #Lazarus Keylogger (uploaded June)
PSLogger
2019-01-22 | One Night in Norfolk | Norfolk
@online{norfolk:20190122:lazarus:74b5983, author = {Norfolk}, title = {{A Lazarus Keylogger- PSLogger}}, date = {2019-01-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/}, language = {English}, urldate = {2020-01-10} } A Lazarus Keylogger- PSLogger
PSLogger
Yara Rules
[TLP:WHITE] win_pslogger_auto (20230715 | Detects win.pslogger.)
rule win_pslogger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pslogger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance: the byte sequences below were picked automatically by
     * YARA-Signator from the disassembly of unpacked samples / memory dumps
     * (code: https://github.com/fxb-cocacoding/yara-signator). Malpedia is
     * the sample source, and for many families only a single sample is
     * documented, so the sequences may generalize poorly to other builds.
     * Weight the rule's confidence with that generation method in mind.
     *
     * Reviewer notes:
     *  - The per-opcode annotations shipped with the generated rule did not
     *    correspond to the bytes on their rows (e.g. 33 d2 is `xor edx, edx`,
     *    not `dec eax`; the `dec eax` rows were 0x48 REX.W prefixes decoded as
     *    32-bit). They have been replaced by a reviewer decode of each byte
     *    sequence; the bytes are authoritative - confirm with a disassembler
     *    before relying on any mnemonic.
     *  - score-400 sequences carry REX prefixes and are decoded as x86-64;
     *    score-100 sequences carry none and are decoded as x86-32 (inferred
     *    from the encodings, so register widths for that group are assumed).
     *  - `7 of them` can be satisfied entirely by one score group, so a hit
     *    does not by itself tell you which sample set matched.
     *  - $sequence_4 (`mov rcx,[rsp+0x88]; xor rcx,rsp`) looks like compiler
     *    stack-cookie epilogue code and may be weakly specific on its own.
     */


    strings:
        // n = 4, score = 400
        $sequence_0 = { e8 ?? ?? ?? ?? 33 d2 41 b8 b8 0b 00 00 49 8b cc }
            //   e8 ?? ?? ?? ??         call  rel32
            //   33 d2                  xor   edx, edx
            //   41 b8 b8 0b 00 00      mov   r8d, 0xbb8
            //   49 8b cc               mov   rcx, r12

        // n = 5, score = 400
        $sequence_1 = { 48 8b 19 48 8b f9 48 3b 59 08 74 18 48 8b 0b }
            //   48 8b 19               mov   rbx, [rcx]
            //   48 8b f9               mov   rdi, rcx
            //   48 3b 59 08            cmp   rbx, [rcx+8]
            //   74 18                  je    short +0x18
            //   48 8b 0b               mov   rcx, [rbx]

        // n = 4, score = 400
        $sequence_2 = { 48 8b 0e 48 3b c8 74 0e 48 85 c9 }
            //   48 8b 0e               mov   rcx, [rsi]
            //   48 3b c8               cmp   rcx, rax
            //   74 0e                  je    short +0x0e
            //   48 85 c9               test  rcx, rcx

        // n = 7, score = 400
        $sequence_3 = { 48 83 ec 28 80 3d ?? ?? ?? ?? 00 75 11 0f 1f 00 e8 ?? ?? ?? ?? 80 3d ?? ?? ?? ?? 00 74 f2 }
            //   48 83 ec 28            sub   rsp, 0x28
            //   80 3d ?? ?? ?? ?? 00   cmp   byte ptr [rip+disp32], 0
            //   75 11                  jne   short +0x11
            //   0f 1f 00               nop   dword ptr [rax]
            //   e8 ?? ?? ?? ??         call  rel32
            //   80 3d ?? ?? ?? ?? 00   cmp   byte ptr [rip+disp32], 0
            //   74 f2                  je    short -0x0e

        // n = 4, score = 400
        $sequence_4 = { ff 15 ?? ?? ?? ?? b8 01 00 00 00 48 8b 8c 24 88 00 00 00 48 33 cc }
            //   ff 15 ?? ?? ?? ??      call  qword ptr [rip+disp32]
            //   b8 01 00 00 00         mov   eax, 1
            //   48 8b 8c 24 88 00 00 00  mov rcx, [rsp+0x88]
            //   48 33 cc               xor   rcx, rsp

        // n = 6, score = 400
        $sequence_5 = { e8 ?? ?? ?? ?? 8b c8 e8 ?? ?? ?? ?? 85 c0 74 3b 48 63 f0 }
            //   e8 ?? ?? ?? ??         call  rel32
            //   8b c8                  mov   ecx, eax
            //   e8 ?? ?? ?? ??         call  rel32
            //   85 c0                  test  eax, eax
            //   74 3b                  je    short +0x3b
            //   48 63 f0               movsxd rsi, eax

        // n = 5, score = 400
        $sequence_6 = { 48 85 c0 74 63 48 8b c8 e8 ?? ?? ?? ?? 8b c8 }
            //   48 85 c0               test  rax, rax
            //   74 63                  je    short +0x63
            //   48 8b c8               mov   rcx, rax
            //   e8 ?? ?? ?? ??         call  rel32
            //   8b c8                  mov   ecx, eax

        // n = 4, score = 400
        $sequence_7 = { ff 15 ?? ?? ?? ?? 66 85 c0 79 10 b9 14 00 00 00 }
            //   ff 15 ?? ?? ?? ??      call  qword ptr [rip+disp32]
            //   66 85 c0               test  ax, ax
            //   79 10                  jns   short +0x10
            //   b9 14 00 00 00         mov   ecx, 0x14

        // n = 5, score = 100
        $sequence_8 = { 2b ca c7 05 ?? ?? ?? ?? 00 00 00 00 89 0d ?? ?? ?? ?? 8b ce 8d 51 01 }
            //   2b ca                  sub   ecx, edx
            //   c7 05 ?? ?? ?? ?? 00 00 00 00  mov dword ptr [disp32], 0
            //   89 0d ?? ?? ?? ??      mov   [disp32], ecx
            //   8b ce                  mov   ecx, esi
            //   8d 51 01               lea   edx, [ecx+1]

        // n = 5, score = 100
        $sequence_9 = { 75 7f 8b 7c 24 38 8b 35 ?? ?? ?? ?? ff 44 24 24 53 }
            //   75 7f                  jne   short +0x7f
            //   8b 7c 24 38            mov   edi, [esp+0x38]
            //   8b 35 ?? ?? ?? ??      mov   esi, [disp32]
            //   ff 44 24 24            inc   dword ptr [esp+0x24]
            //   53                     push  ebx

        // n = 7, score = 100
        $sequence_10 = { 75 1f c7 43 14 00 00 00 02 b8 00 00 00 02 5f 5e 5b 8b 4d fc }
            //   75 1f                  jne   short +0x1f
            //   c7 43 14 00 00 00 02   mov   dword ptr [ebx+0x14], 0x02000000
            //   b8 00 00 00 02         mov   eax, 0x02000000
            //   5f                     pop   edi
            //   5e                     pop   esi
            //   5b                     pop   ebx
            //   8b 4d fc               mov   ecx, [ebp-4]

        // n = 7, score = 100
        $sequence_11 = { c7 45 f8 ff ff ff ff 53 56 33 f6 89 45 fc 0f b7 50 02 57 }
            //   c7 45 f8 ff ff ff ff   mov   dword ptr [ebp-8], 0xffffffff
            //   53                     push  ebx
            //   56                     push  esi
            //   33 f6                  xor   esi, esi
            //   89 45 fc               mov   [ebp-4], eax
            //   0f b7 50 02            movzx edx, word ptr [eax+2]
            //   57                     push  edi

        // n = 4, score = 100
        $sequence_12 = { 8b bd e4 fe ff ff 8b cf e8 ?? ?? ?? ?? 53 }
            //   8b bd e4 fe ff ff      mov   edi, [ebp-0x11c]
            //   8b cf                  mov   ecx, edi
            //   e8 ?? ?? ?? ??         call  rel32
            //   53                     push  ebx

        // n = 6, score = 100
        $sequence_13 = { 8b f1 c7 45 ec 00 00 00 00 c7 45 fc 00 00 00 00 c7 45 f0 00 00 00 00 c6 45 fc 01 8d 4d d4 }
            //   8b f1                  mov   esi, ecx
            //   c7 45 ec 00 00 00 00   mov   dword ptr [ebp-0x14], 0
            //   c7 45 fc 00 00 00 00   mov   dword ptr [ebp-4], 0
            //   c7 45 f0 00 00 00 00   mov   dword ptr [ebp-0x10], 0
            //   c6 45 fc 01            mov   byte ptr [ebp-4], 1
            //   8d 4d d4               lea   ecx, [ebp-0x2c]

        // n = 6, score = 100
        $sequence_14 = { 8b 04 9d 88 b1 42 00 8b 4d e0 f6 44 08 28 01 75 15 e8 ?? ?? ?? ?? c7 00 09 00 00 00 }
            //   8b 04 9d 88 b1 42 00   mov   eax, [ebx*4+0x42b188]
            //   8b 4d e0               mov   ecx, [ebp-0x20]
            //   f6 44 08 28 01         test  byte ptr [eax+ecx+0x28], 1
            //   75 15                  jne   short +0x15
            //   e8 ?? ?? ?? ??         call  rel32
            //   c7 00 09 00 00 00      mov   dword ptr [eax], 9

        // n = 5, score = 100
        $sequence_15 = { 46 89 75 08 83 e8 01 75 97 5f }
            //   46                     inc   esi
            //   89 75 08               mov   [ebp+8], esi
            //   83 e8 01               sub   eax, 1
            //   75 97                  jne   short -0x69
            //   5f                     pop   edi

    condition:
        // any seven of the sixteen sequences, within the size bound
        7 of ($sequence_*) and filesize < 475136
}