win.rekoobe (Malware Family)

win.rekoobe

aka: tinyshell.win, tshd.win
Actor(s): FIN7
A Trojan for Winows with the same code structure and functionalities of elf.rekoobe, for Linux environment instead.
References

2021-12-07 ⋅ Mandiant ⋅ Van Ta, Jake Nicastro, Rufus Brown, Nick Richard
FIN13: A Cybercriminal Threat Actor Focused on Mexico
jspRAT win.rekoobe FIN13
2020-11-30 ⋅ Yoroi ⋅ Luigi Martire, Antonio Pirozzi, Luca Mella
Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe
Yara Rules

[TLP:WHITE] win_rekoobew_auto (20220411 | Detects win.rekoobew.)
rule win_rekoobew_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rekoobew."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89c2 83ec04 85d2 b800000000 7413 }
            // n = 5, score = 100
            //   89c2                 | mov                 edx, eax
            //   83ec04               | sub                 esp, 4
            //   85d2                 | test                edx, edx
            //   b800000000           | mov                 eax, 0
            //   7413                 | je                  0x15

        $sequence_1 = { 8b35???????? f3a6 0f97c2 0f92c0 38c2 7415 c7442404???????? }
            // n = 7, score = 100
            //   8b35????????         |                     
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]
            //   0f97c2               | seta                dl
            //   0f92c0               | setb                al
            //   38c2                 | cmp                 dl, al
            //   7415                 | je                  0x17
            //   c7442404????????     |                     

        $sequence_2 = { 837df00c 0f8ee4010000 8d7710 8975e0 0fb6da 8b349de0904000 337710 }
            // n = 7, score = 100
            //   837df00c             | cmp                 dword ptr [ebp - 0x10], 0xc
            //   0f8ee4010000         | jle                 0x1ea
            //   8d7710               | lea                 esi, dword ptr [edi + 0x10]
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   0fb6da               | movzx               ebx, dl
            //   8b349de0904000       | mov                 esi, dword ptr [ebx*4 + 0x4090e0]
            //   337710               | xor                 esi, dword ptr [edi + 0x10]

        $sequence_3 = { 53 83ec20 c645f700 bb00000000 8d75f7 c744240c00000000 c744240801000000 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   83ec20               | sub                 esp, 0x20
            //   c645f700             | mov                 byte ptr [ebp - 9], 0
            //   bb00000000           | mov                 ebx, 0
            //   8d75f7               | lea                 esi, dword ptr [ebp - 9]
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1

        $sequence_4 = { 891c24 e8???????? 3b45d4 7568 8b55bc 8b45c4 855485e0 }
            // n = 7, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   3b45d4               | cmp                 eax, dword ptr [ebp - 0x2c]
            //   7568                 | jne                 0x6a
            //   8b55bc               | mov                 edx, dword ptr [ebp - 0x44]
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   855485e0             | test                dword ptr [ebp + eax*4 - 0x20], edx

        $sequence_5 = { b8ffffffff eb45 b8ffffffff eb3e b8ffffffff eb37 b8ffffffff }
            // n = 7, score = 100
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   eb45                 | jmp                 0x47
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   eb3e                 | jmp                 0x40
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   eb37                 | jmp                 0x39
            //   b8ffffffff           | mov                 eax, 0xffffffff

        $sequence_6 = { 335ddc 335dd4 d1c3 895dc8 8d8c19d6c162ca 894df0 89d1 }
            // n = 7, score = 100
            //   335ddc               | xor                 ebx, dword ptr [ebp - 0x24]
            //   335dd4               | xor                 ebx, dword ptr [ebp - 0x2c]
            //   d1c3                 | rol                 ebx, 1
            //   895dc8               | mov                 dword ptr [ebp - 0x38], ebx
            //   8d8c19d6c162ca       | lea                 ecx, dword ptr [ecx + ebx - 0x359d3e2a]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   89d1                 | mov                 ecx, edx

        $sequence_7 = { 83ec1c a1???????? 890424 e8???????? 8b1d???????? 890424 e8???????? }
            // n = 7, score = 100
            //   83ec1c               | sub                 esp, 0x1c
            //   a1????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_8 = { 33348de0844000 8b4ddc c1e910 0fb6c9 }
            // n = 4, score = 100
            //   33348de0844000       | xor                 esi, dword ptr [ecx*4 + 0x4084e0]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   c1e910               | shr                 ecx, 0x10
            //   0fb6c9               | movzx               ecx, cl

        $sequence_9 = { 89c7 09df 21f7 89c2 21da 09fa 0355f0 }
            // n = 7, score = 100
            //   89c7                 | mov                 edi, eax
            //   09df                 | or                  edi, ebx
            //   21f7                 | and                 edi, esi
            //   89c2                 | mov                 edx, eax
            //   21da                 | and                 edx, ebx
            //   09fa                 | or                  edx, edi
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]

    condition:
        7 of them and filesize < 248832
}
Download all Yara Rules
win.rekoobe Propose Change

References

Yara Rules

win.rekoobe
