win.qadars (Back to overview)

Qadars


There is no description at this point.

References
https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan
https://www.johannesbader.ch/2016/04/the-dga-of-qadars/
https://securityintelligence.com/an-analysis-of-the-qadars-trojan/
https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/
https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/
https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf
Yara Rules
[TLP:WHITE] win_qadars_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b4908 8bd1 c1e205 895dbc }
            // n = 4, score = 5000
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   8bd1                 | mov                 edx, ecx
            //   c1e205               | shl                 edx, 5
            //   895dbc               | mov                 dword ptr [ebp - 0x44], ebx

        $sequence_1 = { 8a02 8801 8d8d7cffffff 6a2e }
            // n = 4, score = 5000
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8801                 | mov                 byte ptr [ecx], al
            //   8d8d7cffffff         | lea                 ecx, dword ptr [ebp - 0x84]
            //   6a2e                 | push                0x2e

        $sequence_2 = { 740d 90 8b0e 48 }
            // n = 4, score = 5000
            //   740d                 | je                  0x4048bc
            //   90                   | nop                 
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   48                   | dec                 eax

        $sequence_3 = { 894608 85c0 75ee eb32 }
            // n = 4, score = 5000
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c0                 | test                eax, eax
            //   75ee                 | jne                 0x404105
            //   eb32                 | jmp                 0x40414b

        $sequence_4 = { 56 33f6 57 8d4514 }
            // n = 4, score = 5000
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   8d4514               | lea                 eax, dword ptr [ebp + 0x14]

        $sequence_5 = { 83fe01 7618 83e20f 0fb6c8 }
            // n = 4, score = 5000
            //   83fe01               | cmp                 esi, 1
            //   7618                 | jbe                 0x40c265
            //   83e20f               | and                 edx, 0xf
            //   0fb6c8               | movzx               ecx, al

        $sequence_6 = { 3bf8 7207 33d2 8955fc }
            // n = 4, score = 5000
            //   3bf8                 | cmp                 edi, eax
            //   7207                 | jb                  0x403ed3
            //   33d2                 | xor                 edx, edx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_7 = { 4a 75d4 8b45dc 8b7808 }
            // n = 4, score = 5000
            //   4a                   | dec                 edx
            //   75d4                 | jne                 0x4050d7
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]

        $sequence_8 = { 8b4e54 51 8b4b08 51 }
            // n = 4, score = 5000
            //   8b4e54               | mov                 ecx, dword ptr [esi + 0x54]
            //   51                   | push                ecx
            //   8b4b08               | mov                 ecx, dword ptr [ebx + 8]
            //   51                   | push                ecx

        $sequence_9 = { 8b4dfc 897508 c1ea08 0fb6f2 }
            // n = 4, score = 5000
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   897508               | mov                 dword ptr [ebp + 8], esi
            //   c1ea08               | shr                 edx, 8
            //   0fb6f2               | movzx               esi, dl

    condition:
        7 of them
}
Download all Yara Rules