SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars


There is no description at this point.

References
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-02-22PhishLabsRaashid Bhat
@online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceLimor Kessem, Hanan Natan, Denis Laskov
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
@online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
@online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20230715 | Detects win.qadars.)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.qadars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 56 8b7df0 48 8b75e4 b940000000 8bc1 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   48                   | dec                 eax
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   b940000000           | mov                 ecx, 0x40
            //   8bc1                 | mov                 eax, ecx

        $sequence_1 = { 57 56 6802000080 e8???????? 83c434 8945ec 895df0 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c434               | add                 esp, 0x34
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx

        $sequence_2 = { 57 57 57 8d4de8 51 57 57 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   57                   | push                edi
            //   57                   | push                edi

        $sequence_3 = { 57 56 e8???????? 837e0c00 8bf8 7409 ff4e0c }
            // n = 7, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   8bf8                 | mov                 edi, eax
            //   7409                 | je                  0xb
            //   ff4e0c               | dec                 dword ptr [esi + 0xc]

        $sequence_4 = { 57 56 8b7dd8 48 8b75a4 b916000000 8bc1 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   48                   | dec                 eax
            //   8b75a4               | mov                 esi, dword ptr [ebp - 0x5c]
            //   b916000000           | mov                 ecx, 0x16
            //   8bc1                 | mov                 eax, ecx

        $sequence_5 = { 57 57 57 8d45f8 50 57 57 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi

        $sequence_6 = { 57 57 895dfc 897df8 e8???????? }
            // n = 5, score = 700
            //   57                   | push                edi
            //   57                   | push                edi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   e8????????           |                     

        $sequence_7 = { 57 56 e8???????? 83c404 52 50 e8???????? }
            // n = 7, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 52 }
            // n = 6, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx

        $sequence_9 = { 6a01 8b55fc 52 ff15???????? 83c408 }
            // n = 5, score = 300
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_11 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_12 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_13 = { 83c408 68???????? 6a01 e8???????? 83c408 8b4dfc }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   68????????           |                     
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_14 = { 83c408 6804010000 6a00 8b55fc 81c280180000 }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   81c280180000         | add                 edx, 0x1880

        $sequence_15 = { 83c408 6808020000 6a00 8d8de8fbffff }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   8d8de8fbffff         | lea                 ecx, [ebp - 0x418]

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules