SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars

VTCollection    

There is no description at this point.

References
2022-04-27ANSSIANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-02-22PhishLabsRaashid Bhat
Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceDenis Laskov, Hanan Natan, Limor Kessem
Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20230808 | Detects win.qadars.)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.qadars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48 c7048100000000 75f4 8b06 }
            // n = 4, score = 700
            //   48                   | dec                 eax
            //   c7048100000000       | mov                 dword ptr [ecx + eax*4], 0
            //   75f4                 | jne                 0xfffffff6
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_1 = { 8b4d10 8939 5f 8bc6 5e 5b }
            // n = 6, score = 700
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8939                 | mov                 dword ptr [ecx], edi
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_2 = { 747a 8b45fc 3b4604 7650 33c9 }
            // n = 5, score = 700
            //   747a                 | je                  0x7c
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3b4604               | cmp                 eax, dword ptr [esi + 4]
            //   7650                 | jbe                 0x52
            //   33c9                 | xor                 ecx, ecx

        $sequence_3 = { 33c9 8908 894804 53 8b5d0c 8b4308 56 }
            // n = 7, score = 700
            //   33c9                 | xor                 ecx, ecx
            //   8908                 | mov                 dword ptr [eax], ecx
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   56                   | push                esi

        $sequence_4 = { 83e940 0f8589040000 bb???????? 8b701c }
            // n = 4, score = 700
            //   83e940               | sub                 ecx, 0x40
            //   0f8589040000         | jne                 0x48f
            //   bb????????           |                     
            //   8b701c               | mov                 esi, dword ptr [eax + 0x1c]

        $sequence_5 = { 33c0 6808020000 50 8d8de6fdffff 51 668985e4fdffff e8???????? }
            // n = 7, score = 700
            //   33c0                 | xor                 eax, eax
            //   6808020000           | push                0x208
            //   50                   | push                eax
            //   8d8de6fdffff         | lea                 ecx, [ebp - 0x21a]
            //   51                   | push                ecx
            //   668985e4fdffff       | mov                 word ptr [ebp - 0x21c], ax
            //   e8????????           |                     

        $sequence_6 = { 894608 85c0 75ee eb32 85db }
            // n = 5, score = 700
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c0                 | test                eax, eax
            //   75ee                 | jne                 0xfffffff0
            //   eb32                 | jmp                 0x34
            //   85db                 | test                ebx, ebx

        $sequence_7 = { ff470c 8d4dc4 8955d0 e8???????? 8b75f4 }
            // n = 5, score = 700
            //   ff470c               | inc                 dword ptr [edi + 0xc]
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   8955d0               | mov                 dword ptr [ebp - 0x30], edx
            //   e8????????           |                     
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]

        $sequence_9 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 6a01 8b55fc 52 ff15???????? 83c408 }
            // n = 5, score = 300
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_11 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_12 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_13 = { 83c408 6a09 8d4dc4 51 8b5518 }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   6a09                 | push                9
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   51                   | push                ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]

        $sequence_14 = { 83c408 837de000 740c 8b4de0 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   837de000             | cmp                 dword ptr [ebp - 0x20], 0
            //   740c                 | je                  0xe
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_15 = { 83c408 837df800 747f 8b4df8 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   747f                 | je                  0x81
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules