SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qadars (Back to overview)

Qadars


There is no description at this point.

References
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-02-22PhishLabsRaashid Bhat
@online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } Dissecting the Qadars Banking Trojan
Qadars
2016-09-20SecurityIntelligenceLimor Kessem, Hanan Natan, Denis Laskov
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks
Qadars
2016-04-12Johannes Bader
@online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } The DGA of Qadars v3
Qadars
2015-07-23SecurityIntelligenceIgor Aronov
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } An Analysis of the Qadars Banking Trojan
Qadars
2013-12-18ESET ResearchJean-Ian Boutin
@online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } Qadars – a banking Trojan with the Netherlands in its sights
Qadars
Yara Rules
[TLP:WHITE] win_qadars_auto (20220516 | Detects win.qadars.)
rule win_qadars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.qadars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 51 8d9608010000 57 }
            // n = 4, score = 700
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8d9608010000         | lea                 edx, [esi + 0x108]
            //   57                   | push                edi

        $sequence_1 = { 33d2 eb05 8b11 8b1482 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   eb05                 | jmp                 7
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b1482               | mov                 edx, dword ptr [edx + eax*4]

        $sequence_2 = { 33d2 eb05 8b13 8b1482 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   eb05                 | jmp                 7
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b1482               | mov                 edx, dword ptr [edx + eax*4]

        $sequence_3 = { 51 52 50 57 8945e8 }
            // n = 5, score = 700
            //   51                   | push                ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_4 = { 51 50 e8???????? 83c414 8bd8 85ff }
            // n = 6, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8bd8                 | mov                 ebx, eax
            //   85ff                 | test                edi, edi

        $sequence_5 = { 83cfff 8b75f0 837e0c00 7405 017e0c eb24 8b4604 }
            // n = 7, score = 700
            //   83cfff               | or                  edi, 0xffffffff
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   7405                 | je                  7
            //   017e0c               | add                 dword ptr [esi + 0xc], edi
            //   eb24                 | jmp                 0x26
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_6 = { 51 50 e8???????? 8bc8 33d2 83c410 }
            // n = 6, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   33d2                 | xor                 edx, edx
            //   83c410               | add                 esp, 0x10

        $sequence_7 = { 5f 7410 8b06 ba01000000 d3e2 8d4498fc }
            // n = 6, score = 700
            //   5f                   | pop                 edi
            //   7410                 | je                  0x12
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl
            //   8d4498fc             | lea                 eax, [eax + ebx*4 - 4]

        $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   8d55f8               | lea                 edx, [ebp - 8]

        $sequence_9 = { 6a01 6a08 ff15???????? 83c408 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 83c40c 6805010000 8d8df8feffff 51 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6805010000           | push                0x105
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx

        $sequence_11 = { 51 8b55f0 52 ff15???????? 83c40c }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_12 = { 6a01 8b55fc 52 ff15???????? 83c408 }
            // n = 5, score = 300
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_13 = { 83c404 e8???????? b801000000 8be5 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1
            //   8be5                 | mov                 esp, ebp

        $sequence_14 = { 83c404 e8???????? 8d95e8feffff 52 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   8d95e8feffff         | lea                 edx, [ebp - 0x118]
            //   52                   | push                edx

        $sequence_15 = { 83c404 e8???????? 85c0 7402 eb14 }
            // n = 5, score = 100
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   eb14                 | jmp                 0x16

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules