SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars


There is no description at this point.

References
2017-02-22PhishLabsRaashid Bhat
@online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceLimor Kessem, Hanan Natan, Denis Laskov
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
@online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
@online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b1e c7048300000000 40 3bc7 72f2 8b06 8b5d08 }
            // n = 7, score = 700
            //   8b1e                 | mov                 ebx, dword ptr [esi]
            //   c7048300000000       | mov                 dword ptr [ebx + eax*4], 0
            //   40                   | inc                 eax
            //   3bc7                 | cmp                 eax, edi
            //   72f2                 | jb                  0xfffffff4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

        $sequence_1 = { 884f02 83fe02 760f 0fb6d0 83e23f }
            // n = 5, score = 700
            //   884f02               | mov                 byte ptr [edi + 2], cl
            //   83fe02               | cmp                 esi, 2
            //   760f                 | jbe                 0x11
            //   0fb6d0               | movzx               edx, al
            //   83e23f               | and                 edx, 0x3f

        $sequence_2 = { 33f6 33d2 85db 7410 8b45fc 8d4c150c }
            // n = 6, score = 700
            //   33f6                 | xor                 esi, esi
            //   33d2                 | xor                 edx, edx
            //   85db                 | test                ebx, ebx
            //   7410                 | je                  0x12
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8d4c150c             | lea                 ecx, [ebp + edx + 0xc]

        $sequence_3 = { 8b4514 85c0 7406 c700???????? 8b4518 85c0 }
            // n = 6, score = 700
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   c700????????         |                     
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8906 894808 51 8bc8 e8???????? }
            // n = 5, score = 700
            //   8906                 | mov                 dword ptr [esi], eax
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_5 = { 7540 48 894608 85c0 }
            // n = 4, score = 700
            //   7540                 | jne                 0x42
            //   48                   | dec                 eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c0                 | test                eax, eax

        $sequence_6 = { 3bc7 740d 897804 8938 897808 89780c eb02 }
            // n = 7, score = 700
            //   3bc7                 | cmp                 eax, edi
            //   740d                 | je                  0xf
            //   897804               | mov                 dword ptr [eax + 4], edi
            //   8938                 | mov                 dword ptr [eax], edi
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   89780c               | mov                 dword ptr [eax + 0xc], edi
            //   eb02                 | jmp                 4

        $sequence_7 = { 8b45b4 ff400c 8945e4 8b45b8 8945e8 8b45b4 }
            // n = 6, score = 700
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   ff400c               | inc                 dword ptr [eax + 0xc]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]

        $sequence_9 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_10 = { 52 ff15???????? 83c408 a3???????? }
            // n = 4, score = 300
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   a3????????           |                     

        $sequence_11 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_12 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_13 = { 33c0 e9???????? 6a01 8b45f8 50 8b4d08 51 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   6a01                 | push                1
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx

        $sequence_14 = { 8b45f8 8b0c9500693c02 890c8500613c02 8b55f8 8b0495c0503c02 8b4df8 }
            // n = 6, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b0c9500693c02       | mov                 ecx, dword ptr [edx*4 + 0x23c6900]
            //   890c8500613c02       | mov                 dword ptr [eax*4 + 0x23c6100], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b0495c0503c02       | mov                 eax, dword ptr [edx*4 + 0x23c50c0]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_15 = { 8d4dd0 e8???????? 8b08 894de0 8b5004 8955e4 }
            // n = 6, score = 100
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules