win.rekoobew

win.rekoobe

aka: tinyshell.win, tshd.win

Actor(s): FIN7


A Trojan for Windows with the same code structure and functionality as elf.rekoobe, its Linux counterpart.

References
2021-12-07 · Mandiant · Van Ta, Jake Nicastro, Rufus Brown, Nick Richard
@online{ta:20211207:fin13:e5e2255, author = {Van Ta and Jake Nicastro and Rufus Brown and Nick Richard}, title = {{FIN13: A Cybercriminal Threat Actor Focused on Mexico}}, date = {2021-12-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/fin13-cybercriminal-mexico}, language = {English}, urldate = {2021-12-08} } FIN13: A Cybercriminal Threat Actor Focused on Mexico
jspRAT win.rekoobe FIN13
2020-11-30 · Yoroi · Luigi Martire, Antonio Pirozzi, Luca Mella
@online{martire:20201130:shadows:2ef4813, author = {Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Shadows From The Past Threaten Italian Enterprises}}, date = {2020-11-30}, organization = {Yoroi}, url = {https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/}, language = {English}, urldate = {2021-06-16} } Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe
Yara Rules
[TLP:WHITE] win_rekoobew_auto (20221125 | Detects win.rekoobew.)
rule win_rekoobew_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.rekoobew."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (commentary only; the rule logic below is unchanged)
     *
     * What the selected byte sequences actually encode, read from the
     * disassembly comments that accompany each string:
     *
     *  - $sequence_0, $sequence_1, $sequence_7, $sequence_9 are consistent
     *    with a SHA-1 compression function. The lea immediates 0x5a827999,
     *    0x6ed9eba1 and -0x359d3e2a (== 0xca62c1d6 mod 2^32) are three of the
     *    four SHA-1 round constants (K0, K1, K3); "rol eax, 5" is the SHA-1
     *    a-rotation, and the "xor, xor, xor, rol 1" run in $sequence_7 is the
     *    message-schedule step. Any statically linked SHA-1 produced by the
     *    same toolchain will contain near-identical code, so on their own
     *    these sequences are generic crypto, not family-specific.
     *
     *  - $sequence_3, $sequence_4, $sequence_5, $sequence_6, $sequence_8 are
     *    byte-indexed dword table lookups (shr / movzx / and 0xff, then
     *    [reg*4 + 0x40xxe0]) at absolute addresses 0x4070e0..0x4098e0, spaced
     *    in multiples of 0x400 (256 dwords). That layout is consistent with a
     *    table-driven AES implementation -- presumably the AES this family
     *    shares with the TinyShell lineage named in the aka line; confirm
     *    against a sample. More importantly, the operands bake in image base
     *    0x400000 and this build's exact .rdata layout, so these five strings
     *    only match a binary with that same layout (or a dump rebased to it).
     *
     *  - $sequence_2 is a byte-store loop (mov [edi], al; add edi, 1) that
     *    compares against 0x3d ('='), which looks like base64 decoding with
     *    padding handling -- TODO confirm.
     *
     * Consequences for the condition "7 of them":
     *  - Only 5 of the 10 strings are position independent (the SHA-1 and
     *    base64 ones). Reaching 7 therefore requires at least 2 of the 5
     *    address-bearing table-lookup strings, i.e. the rule is effectively
     *    pinned to one build at one image base. Expect high precision for that
     *    build and little coverage of recompiled, relinked or rebased
     *    variants; do not treat a miss as evidence of absence.
     *  - Conversely, the false-positive surface is small for the same reason:
     *    generic SHA-1 code alone cannot satisfy the threshold.
     *  - "filesize < 248832" (243 KiB) is a file-scan bound. Per YARA
     *    semantics, filesize is undefined when scanning process memory, which
     *    makes the whole conjunction fail in process scans even though the
     *    strings were selected from memory dumps. If live-memory use is
     *    intended, consider relaxing that clause (e.g. guarding it with the
     *    "defined" operator on YARA >= 4.1) in a local copy; the upstream
     *    rule is left as generated here.
     *
     * The encodings "mov edx, 0" as ba00000000 and "add edi, 1" instead of
     * inc hint at a GCC/MinGW-style toolchain rather than MSVC -- possibly
     * a cross-build shared with elf.rekoobe; unverified.
     */

    strings:
        // SHA-1: schedule word rotate (rol 1) followed by lea with K1 (0x6ed9eba1).
        $sequence_0 = { 337db8 d1c7 897dc4 8d943aa1ebd96e 8955f0 89ca }
            // n = 6, score = 100
            //   337db8               | xor                 edi, dword ptr [ebp - 0x48]
            //   d1c7                 | rol                 edi, 1
            //   897dc4               | mov                 dword ptr [ebp - 0x3c], edi
            //   8d943aa1ebd96e       | lea                 edx, [edx + edi + 0x6ed9eba1]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   89ca                 | mov                 edx, ecx

        // SHA-1: state load, rol 5 and lea with K0 (0x5a827999).
        $sequence_1 = { 8b5b14 895da0 8b7508 8b7618 89759c c1c005 8d84069979825a }
            // n = 7, score = 100
            //   8b5b14               | mov                 ebx, dword ptr [ebx + 0x14]
            //   895da0               | mov                 dword ptr [ebp - 0x60], ebx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b7618               | mov                 esi, dword ptr [esi + 0x18]
            //   89759c               | mov                 dword ptr [ebp - 0x64], esi
            //   c1c005               | rol                 eax, 5
            //   8d84069979825a       | lea                 eax, [esi + eax + 0x5a827999]

        // Output byte-store loop with a compare against 0x3d ('='); looks like
        // base64 decode padding handling -- confirm before relying on it.
        $sequence_2 = { 09f8 8b7d08 8807 83c701 897d08 80f93d }
            // n = 6, score = 100
            //   09f8                 | or                  eax, edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8807                 | mov                 byte ptr [edi], al
            //   83c701               | add                 edi, 1
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   80f93d               | cmp                 cl, 0x3d

        // Table lookups at absolute 0x4088e0 / 0x408ce0 (image base 0x400000
        // baked in; consistent with AES T-tables).
        $sequence_3 = { c1eb10 0fb6db 33349de0884000 0fb6de 8b1c9de08c4000 31f3 895de4 }
            // n = 7, score = 100
            //   c1eb10               | shr                 ebx, 0x10
            //   0fb6db               | movzx               ebx, bl
            //   33349de0884000       | xor                 esi, dword ptr [ebx*4 + 0x4088e0]
            //   0fb6de               | movzx               ebx, dh
            //   8b1c9de08c4000       | mov                 ebx, dword ptr [ebx*4 + 0x408ce0]
            //   31f3                 | xor                 ebx, esi
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx

        // Table lookup at absolute 0x4080e0 (address-bound, see review notes).
        $sequence_4 = { 31df 8b55d8 0fb6de 8b1c9de0804000 }
            // n = 4, score = 100
            //   31df                 | xor                 edi, ebx
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   0fb6de               | movzx               ebx, dh
            //   8b1c9de0804000       | mov                 ebx, dword ptr [ebx*4 + 0x4080e0]

        // 16-byte-stride loop with lookups at 0x4098e0 / 0x4094e0; possibly
        // the AES key schedule -- TODO confirm. Address-bound.
        $sequence_5 = { ba00000000 83c710 8b47fc 8b3495e0984000 3377f0 0fb6d8 8b1c9de0944000 }
            // n = 7, score = 100
            //   ba00000000           | mov                 edx, 0
            //   83c710               | add                 edi, 0x10
            //   8b47fc               | mov                 eax, dword ptr [edi - 4]
            //   8b3495e0984000       | mov                 esi, dword ptr [edx*4 + 0x4098e0]
            //   3377f0               | xor                 esi, dword ptr [edi - 0x10]
            //   0fb6d8               | movzx               ebx, al
            //   8b1c9de0944000       | mov                 ebx, dword ptr [ebx*4 + 0x4094e0]

        // Byte extraction (shr 0x18 / shr 0x10) feeding lookups at 0x4070e0 /
        // 0x4074e0. Address-bound.
        $sequence_6 = { c1e918 33348de0704000 89d1 c1e910 0fb6c9 33348de0744000 }
            // n = 6, score = 100
            //   c1e918               | shr                 ecx, 0x18
            //   33348de0704000       | xor                 esi, dword ptr [ecx*4 + 0x4070e0]
            //   89d1                 | mov                 ecx, edx
            //   c1e910               | shr                 ecx, 0x10
            //   0fb6c9               | movzx               ecx, cl
            //   33348de0744000       | xor                 esi, dword ptr [ecx*4 + 0x4074e0]

        // SHA-1: message schedule (three xors, rol 1) and lea with K3
        // (-0x359d3e2a == 0xca62c1d6).
        $sequence_7 = { 8b7dc0 337db0 337de4 337dc8 d1c7 897db0 8db43ed6c162ca }
            // n = 7, score = 100
            //   8b7dc0               | mov                 edi, dword ptr [ebp - 0x40]
            //   337db0               | xor                 edi, dword ptr [ebp - 0x50]
            //   337de4               | xor                 edi, dword ptr [ebp - 0x1c]
            //   337dc8               | xor                 edi, dword ptr [ebp - 0x38]
            //   d1c7                 | rol                 edi, 1
            //   897db0               | mov                 dword ptr [ebp - 0x50], edi
            //   8db43ed6c162ca       | lea                 esi, [esi + edi - 0x359d3e2a]

        // Byte extraction (shr 0x10, and 0xff) and lookup at 0x4088e0.
        // Address-bound.
        $sequence_8 = { 89cf c1ef10 81e7ff000000 3334bde0884000 8b55ec }
            // n = 5, score = 100
            //   89cf                 | mov                 edi, ecx
            //   c1ef10               | shr                 edi, 0x10
            //   81e7ff000000         | and                 edi, 0xff
            //   3334bde0884000       | xor                 esi, dword ptr [edi*4 + 0x4088e0]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        // SHA-1: lea with K1 (0x6ed9eba1) followed by the xor-xor parity
        // function used in the K1/K3 rounds.
        $sequence_9 = { 897db4 8d8438a1ebd96e 8945f0 89d0 31d8 31f0 0345f0 }
            // n = 7, score = 100
            //   897db4               | mov                 dword ptr [ebp - 0x4c], edi
            //   8d8438a1ebd96e       | lea                 eax, [eax + edi + 0x6ed9eba1]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   89d0                 | mov                 eax, edx
            //   31d8                 | xor                 eax, ebx
            //   31f0                 | xor                 eax, esi
            //   0345f0               | add                 eax, dword ptr [ebp - 0x10]

    // 7 of 10 forces at least two of the absolute-address table-lookup strings
    // to hit (only five strings are position independent), so a match is tied
    // to this build's image base and data layout. filesize is undefined in
    // process-memory scans, which makes this condition fail there; see notes.
    condition:
        7 of them and filesize < 248832
}