SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars


There is no description at this point.

References
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-02-22PhishLabsRaashid Bhat
@online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceLimor Kessem, Hanan Natan, Denis Laskov
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
@online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
@online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20221125 | Detects win.qadars.)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.qadars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83cfff 8b75f0 837e0c00 7405 017e0c eb24 }
            // n = 6, score = 700
            //   83cfff               | or                  edi, 0xffffffff
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   7405                 | je                  7
            //   017e0c               | add                 dword ptr [esi + 0xc], edi
            //   eb24                 | jmp                 0x26

        $sequence_1 = { 51 50 57 52 6a00 e8???????? }
            // n = 6, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   57                   | push                edi
            //   52                   | push                edx
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_2 = { 51 50 56 e8???????? 83c418 85c0 0f841cffffff }
            // n = 7, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   0f841cffffff         | je                  0xffffff22

        $sequence_3 = { 51 50 57 e8???????? 83c40c 85c0 7504 }
            // n = 7, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6

        $sequence_4 = { 33d2 83c410 894df0 8955f8 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   83c410               | add                 esp, 0x10
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx

        $sequence_5 = { 5e b801000000 5b 5d c3 8d5918 }
            // n = 6, score = 700
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d5918               | lea                 ebx, [ecx + 0x18]

        $sequence_6 = { 33d2 83c410 8945f0 8955f4 3b8614020000 }
            // n = 5, score = 700
            //   33d2                 | xor                 edx, edx
            //   83c410               | add                 esp, 0x10
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   3b8614020000         | cmp                 eax, dword ptr [esi + 0x214]

        $sequence_7 = { 51 13d3 52 50 56 }
            // n = 5, score = 700
            //   51                   | push                ecx
            //   13d3                 | adc                 edx, ebx
            //   52                   | push                edx
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 52 }
            // n = 6, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx

        $sequence_9 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 6a01 8b55fc 52 ff15???????? 83c408 }
            // n = 5, score = 300
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_11 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_12 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_13 = { 83c408 6804010000 6a00 8b45fc 0560250000 50 }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0560250000           | add                 eax, 0x2560
            //   50                   | push                eax

        $sequence_14 = { 83c408 6804010000 6a00 8b55fc 81c280180000 52 }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   81c280180000         | add                 edx, 0x1880
            //   52                   | push                edx

        $sequence_15 = { 83c408 6804010000 6a00 8b4dfc 81c164260000 51 }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   81c164260000         | add                 ecx, 0x2664
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules