SYMBOLCOMMON_NAMEaka. SYNONYMS
win.reedbed (Back to overview)

ReedBed

There is no description at this point.

References
2025-01-25SophosAnthony Bradshaw, Colin Cowie, Daniel Souter, Hunter Neal, Mark Parsons, Sean Baird, Sean Gallagher
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
ReedBed
2025-01-23Github (PaloAltoNetworks)Brad Duncan
Cluster of Infrastructure likely used by Affiliate of Dark Scorpius (Black Basta)
ReedBed
2025-01-21Twitter (@MsftSecIntel)Microsoft Threat Intelligence
Twitter Thread describing spotting of ReedBed in a Storm-1811 campaign
ReedBed
2025-01-20Medium walmartglobaltechJason Reaves, Jonathan Mccay, Joshua Platt
Qbot is Back.Connect
ReedBed
Yara Rules
[TLP:WHITE] win_reedbed_w0 (20250218 | detects the loader for reedbed)
rule win_reedbed_w0 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.B!ldr"
        threat_id = "2147927915"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the loader for reedbed"
        severity = "Critical"
        info = "ldr: loader component of a malware"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = {4c 8b 71 30 41 bf 01 00 00 ?? 4c 23 f0 48 03 d9 45 2b e7 44 8b 5b 20 41 f7 d4 4c 8d 43 18 4d 0b de 48 8b f2}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
[TLP:WHITE] win_reedbed_w1 (20250218 | detects the reedbed payload)
rule win_reedbed_w1 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.A"
        threat_id = "2147927914"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the reedbed payload"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = "HookNtCreateUserProcess(): ok!" ascii //weight: 1
        $x_1_2 = "HookRtlExitUserProcess(): RtlExitUserProcess not found hNtdll=%#p" ascii //weight: 1
        $x_1_3 = "\\bc_ssl_client." ascii //weight: 1
        $x_1_4 = "send_pipe_ssl(): SSL_write(): SSL_ERROR_WANT_WRITE" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}
Download all Yara Rules