Actor(s): FIN7
A Trojan for Windows with the same code structure and functionality as elf.rekoobe, which targets Linux environments instead.
rule win_rekoobew_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rekoobew."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reviewer notes on what the auto-selected sequences actually pin down:
    //  - $sequence_3, $sequence_6 and $sequence_9 dereference fixed data-table
    //    addresses (0x4094e0, 0x407ce0, 0x4070e0). These are tied to the image
    //    base of the documented sample; a rebased or relocated build will miss
    //    all three, so every one of the remaining seven sequences must then hit
    //    to satisfy "7 of them". The per-byte table reads combined with shr/shl
    //    by 0x18/0x10/8 look like a table-driven byte transform (block-cipher
    //    style) -- not confirmed from this rule alone.
    //  - $sequence_0 and $sequence_8 look like SHA-1 round code: the lea
    //    immediate -0x70e44324 is 0x8f1bbcdc, the SHA-1 K constant for rounds
    //    40..59, and the xor/xor/rol 1 and rol 5 steps match the message
    //    schedule and round function. Such code is shared with any statically
    //    linked SHA-1, so on their own these two are weak evidence of the family.
    //  - $sequence_1 and $sequence_7 are ordinary function prologues
    //    (push callee-saved registers, sub esp) and are likewise generic.
    //  - "e8????????" is a near call whose 4-byte relative displacement is
    //    wildcarded, so the surrounding sequence survives a different call target.
    //  - "filesize < 248832" is an upper bound derived from the reference
    //    sample; larger (padded, appended-to or repacked) files are excluded
    //    regardless of how many sequences match.

    strings:
        $sequence_0 = { 337dec 337dd0 d1c7 897db8 8d8c39dcbc1b8f 894df0 89c1 } // n = 7, score = 100
            //   337dec               | xor                 edi, dword ptr [ebp - 0x14]
            //   337dd0               | xor                 edi, dword ptr [ebp - 0x30]
            //   d1c7                 | rol                 edi, 1
            //   897db8               | mov                 dword ptr [ebp - 0x48], edi
            //   8d8c39dcbc1b8f       | lea                 ecx, [ecx + edi - 0x70e44324]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   89c1                 | mov                 ecx, eax

        $sequence_1 = { 89e5 57 56 53 81ecbc000000 e8???????? 8945e0 } // n = 7, score = 100
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   81ecbc000000         | sub                 esp, 0xbc
            //   e8????????           |                     (call, target wildcarded)
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_2 = { 89df 0fb63482 c1e618 0fb65c8201 } // n = 4, score = 100
            //   89df                 | mov                 edi, ebx
            //   0fb63482             | movzx               esi, byte ptr [edx + eax*4]
            //   c1e618               | shl                 esi, 0x18
            //   0fb65c8201           | movzx               ebx, byte ptr [edx + eax*4 + 1]

        $sequence_3 = { 8b1c9de0944000 c1e310 31df 8b4dd8 0fb6dd 8b1c9de0944000 c1e308 } // n = 7, score = 100
            //   8b1c9de0944000       | mov                 ebx, dword ptr [ebx*4 + 0x4094e0]
            //   c1e310               | shl                 ebx, 0x10
            //   31df                 | xor                 edi, ebx
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   0fb6dd               | movzx               ebx, ch
            //   8b1c9de0944000       | mov                 ebx, dword ptr [ebx*4 + 0x4094e0]
            //   c1e308               | shl                 ebx, 8

        $sequence_4 = { 7409 3b7510 0f8fd3000000 0fb645e8 c1e004 89c7 b8ffffffff } // n = 7, score = 100
            //   7409                 | je                  0xb
            //   3b7510               | cmp                 esi, dword ptr [ebp + 0x10]
            //   0f8fd3000000         | jg                  0xd9
            //   0fb645e8             | movzx               eax, byte ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   89c7                 | mov                 edi, eax
            //   b8ffffffff           | mov                 eax, 0xffffffff

        $sequence_5 = { c744240808000000 89742404 891c24 e8???????? c744240804000000 897c2404 891c24 } // n = 7, score = 100
            //   c744240808000000     | mov                 dword ptr [esp + 8], 8
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     (call, target wildcarded)
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4
            //   897c2404             | mov                 dword ptr [esp + 4], edi
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_6 = { 8b3c95e07c4000 33bb54010000 8b55f0 c1ea18 333c95e0704000 89f2 c1ea10 } // n = 7, score = 100
            //   8b3c95e07c4000       | mov                 edi, dword ptr [edx*4 + 0x407ce0]
            //   33bb54010000         | xor                 edi, dword ptr [ebx + 0x154]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   c1ea18               | shr                 edx, 0x18
            //   333c95e0704000       | xor                 edi, dword ptr [edx*4 + 0x4070e0]
            //   89f2                 | mov                 edx, esi
            //   c1ea10               | shr                 edx, 0x10

        $sequence_7 = { 56 53 83ec5c 8b450c 0fb65003 0fb638 } // n = 6, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec5c               | sub                 esp, 0x5c
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb65003             | movzx               edx, byte ptr [eax + 3]
            //   0fb638               | movzx               edi, byte ptr [eax]

        $sequence_8 = { 89f1 31d1 31d9 8d0c0f 89c7 c1c705 01f9 } // n = 7, score = 100
            //   89f1                 | mov                 ecx, esi
            //   31d1                 | xor                 ecx, edx
            //   31d9                 | xor                 ecx, ebx
            //   8d0c0f               | lea                 ecx, [edi + ecx]
            //   89c7                 | mov                 edi, eax
            //   c1c705               | rol                 edi, 5
            //   01f9                 | add                 ecx, edi

        $sequence_9 = { 895008 8b500c 89d6 c1ee18 8b3cb5e0944000 89d6 } // n = 6, score = 100
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]
            //   89d6                 | mov                 esi, edx
            //   c1ee18               | shr                 esi, 0x18
            //   8b3cb5e0944000       | mov                 edi, dword ptr [esi*4 + 0x4094e0]
            //   89d6                 | mov                 esi, edx

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned file
        // must be smaller than the size bound taken from the reference sample.
        7 of them and filesize < 248832
}