SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars

There is no description at this point.

References
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-02-22PhishLabsRaashid Bhat
@online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceLimor Kessem, Hanan Natan, Denis Laskov
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
@online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
@online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20230125 | Detects win.qadars.)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.qadars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e11f 33ff 8945f4 894d08 397e08 0f86c5000000 8d0c8500000000 }
            // n = 7, score = 700
            //   83e11f               | and                 ecx, 0x1f
            //   33ff                 | xor                 edi, edi
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   397e08               | cmp                 dword ptr [esi + 8], edi
            //   0f86c5000000         | jbe                 0xcb
            //   8d0c8500000000       | lea                 ecx, [eax*4]

        $sequence_1 = { 51 50 e8???????? 83c414 894708 8307ff }
            // n = 6, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   8307ff               | add                 dword ptr [edi], -1

        $sequence_2 = { 51 50 e8???????? 83c408 33f6 894508 }
            // n = 6, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33f6                 | xor                 esi, esi
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_3 = { 33d2 eb05 8b11 8b1482 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   eb05                 | jmp                 7
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b1482               | mov                 edx, dword ptr [edx + eax*4]

        $sequence_4 = { 5f 885e0f 884e0c 88560d 88460e 5e }
            // n = 6, score = 700
            //   5f                   | pop                 edi
            //   885e0f               | mov                 byte ptr [esi + 0xf], bl
            //   884e0c               | mov                 byte ptr [esi + 0xc], cl
            //   88560d               | mov                 byte ptr [esi + 0xd], dl
            //   88460e               | mov                 byte ptr [esi + 0xe], al
            //   5e                   | pop                 esi

        $sequence_5 = { 83e11f ba01000000 d3e2 85d0 740f }
            // n = 5, score = 700
            //   83e11f               | and                 ecx, 0x1f
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl
            //   85d0                 | test                eax, edx
            //   740f                 | je                  0x11

        $sequence_6 = { 83e11f 5f 7410 8b06 ba01000000 d3e2 8d4498fc }
            // n = 7, score = 700
            //   83e11f               | and                 ecx, 0x1f
            //   5f                   | pop                 edi
            //   7410                 | je                  0x12
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl
            //   8d4498fc             | lea                 eax, [eax + ebx*4 - 4]

        $sequence_7 = { 33d2 eb05 8b13 8b1482 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   eb05                 | jmp                 7
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b1482               | mov                 edx, dword ptr [edx + eax*4]

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]

        $sequence_9 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_11 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_12 = { 6a01 8b55fc 52 ff15???????? 83c408 }
            // n = 5, score = 300
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_13 = { 83c408 6a04 6a00 8d8dd8ecffff }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   8d8dd8ecffff         | lea                 ecx, [ebp - 0x1328]

        $sequence_14 = { 83c408 6a04 8d4de0 51 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   6a04                 | push                4
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx

        $sequence_15 = { 83c408 6a01 8b95407effff 52 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   6a01                 | push                1
            //   8b95407effff         | mov                 edx, dword ptr [ebp - 0x81c0]
            //   52                   | push                edx

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules