win.rover (Back to overview)

Rover


There is no description at this point.

References
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2016-02-29Palo Alto Networks Unit 42Vicky Ray, Kaoru Hayashi
@online{ray:20160229:new:3df3c12, author = {Vicky Ray and Kaoru Hayashi}, title = {{New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan}}, date = {2016-02-29}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/}, language = {English}, urldate = {2019-12-20} } New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan
Rover
Yara Rules
[TLP:WHITE] win_rover_auto (20210616 | Detects win.rover.)
/*
 * Autogenerated detection rule for the Rover family (Malpedia id win.rover).
 *
 * Each $sequence_N below is a short run of x86 (32-bit, per the eax/ebp/esp
 * register names in the annotations) instruction bytes lifted from disassembly
 * of unpacked samples / memory dumps. The "n" in each annotation is the number
 * of instructions in the sequence; "score" is the value the generator
 * attached to it (its scale is not documented on this page — treat it as an
 * opaque generator metric, not a match confidence you can act on directly).
 *
 * The "??" wildcards stand in for operand bytes that vary between builds
 * (the disassembly column is intentionally left blank for those entries,
 * which are call / push / load instructions carrying absolute or relative
 * addresses).
 */
rule win_rover_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): three different dates appear in this meta block
        // (date 2021-06-10, malpedia_rule_date 20210604, malpedia_version
        // 20210616). Which one is the generation date vs. the data-snapshot
        // date is not stated here — confirm against the generator's docs
        // before using any of them for rule-versioning decisions.
        date = "2021-06-10"
        version = "1"
        description = "Detects win.rover."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover"
        malpedia_rule_date = "20210604"
        // malpedia_hash is the Malpedia data-snapshot identifier the rule was
        // built from, not a hash of a sample.
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences are raw code bytes, so they only match once the sample is
        // unpacked (or scanned in memory); a packed on-disk binary will
        // typically not trigger this rule.
        $sequence_0 = { 895704 8b4500 c78088010000e0684300 8b4d00 8b9140010000 895708 }
            // n = 6, score = 100
            //   895704               | mov                 dword ptr [edi + 4], edx
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   c78088010000e0684300     | mov    dword ptr [eax + 0x188], 0x4368e0
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8b9140010000         | mov                 edx, dword ptr [ecx + 0x140]
            //   895708               | mov                 dword ptr [edi + 8], edx

        $sequence_1 = { 8b4610 2b460c 83c40c d1fb d1f8 7502 ffd5 }
            // n = 7, score = 100
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   2b460c               | sub                 eax, dword ptr [esi + 0xc]
            //   83c40c               | add                 esp, 0xc
            //   d1fb                 | sar                 ebx, 1
            //   d1f8                 | sar                 eax, 1
            //   7502                 | jne                 4
            //   ffd5                 | call                ebp

        $sequence_2 = { 83c40c 8bc8 ff15???????? 8b15???????? 52 51 8b0d???????? }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8bc8                 | mov                 ecx, eax
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   52                   | push                edx
            //   51                   | push                ecx
            //   8b0d????????         |                     

        $sequence_3 = { 68???????? e8???????? 83c408 8906 85c0 752d ff15???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8906                 | mov                 dword ptr [esi], eax
            //   85c0                 | test                eax, eax
            //   752d                 | jne                 0x2f
            //   ff15????????         |                     

        // NOTE(review): $sequence_0 and $sequence_4 embed absolute addresses
        // (0x4368e0, 0x425248) without wildcards, so they are tied to one
        // build's image layout; expect them to be the first sequences to stop
        // matching on a recompiled or rebased sample.
        $sequence_4 = { 3c27 7737 0fb6c0 8d48e8 83f90f 771d 0fb68948524200 }
            // n = 7, score = 100
            //   3c27                 | cmp                 al, 0x27
            //   7737                 | ja                  0x39
            //   0fb6c0               | movzx               eax, al
            //   8d48e8               | lea                 ecx, dword ptr [eax - 0x18]
            //   83f90f               | cmp                 ecx, 0xf
            //   771d                 | ja                  0x1f
            //   0fb68948524200       | movzx               ecx, byte ptr [ecx + 0x425248]

        $sequence_5 = { 8902 85c0 743a c7442418ffffffff 83f851 7510 }
            // n = 6, score = 100
            //   8902                 | mov                 dword ptr [edx], eax
            //   85c0                 | test                eax, eax
            //   743a                 | je                  0x3c
            //   c7442418ffffffff     | mov                 dword ptr [esp + 0x18], 0xffffffff
            //   83f851               | cmp                 eax, 0x51
            //   7510                 | jne                 0x12

        $sequence_6 = { 7307 b841000000 eb14 8bc6 8d5001 8d9b00000000 }
            // n = 6, score = 100
            //   7307                 | jae                 9
            //   b841000000           | mov                 eax, 0x41
            //   eb14                 | jmp                 0x16
            //   8bc6                 | mov                 eax, esi
            //   8d5001               | lea                 edx, dword ptr [eax + 1]
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]

        $sequence_7 = { 896e28 e8???????? 8b6c2428 83c40c 8b5628 8b4630 52 }
            // n = 7, score = 100
            //   896e28               | mov                 dword ptr [esi + 0x28], ebp
            //   e8????????           |                     
            //   8b6c2428             | mov                 ebp, dword ptr [esp + 0x28]
            //   83c40c               | add                 esp, 0xc
            //   8b5628               | mov                 edx, dword ptr [esi + 0x28]
            //   8b4630               | mov                 eax, dword ptr [esi + 0x30]
            //   52                   | push                edx

        $sequence_8 = { 5b 8b4c2430 33cc e8???????? 83c434 c3 8b83a8040000 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   83c434               | add                 esp, 0x34
            //   c3                   | ret                 
            //   8b83a8040000         | mov                 eax, dword ptr [ebx + 0x4a8]

        $sequence_9 = { 682b4e0000 56 c744241801000000 e8???????? 83c40c 57 6811270000 }
            // n = 7, score = 100
            //   682b4e0000           | push                0x4e2b
            //   56                   | push                esi
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   57                   | push                edi
            //   6811270000           | push                0x2711

    condition:
        // Fires when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 704512 bytes (~688 KiB). The size bound keeps
        // the rule cheap on large files but also means a sample padded or
        // bundled past that size is missed.
        // NOTE(review): filesize is only meaningful for on-disk files — confirm
        // how your scanner evaluates it for process-memory scans before
        // relying on this rule in that mode.
        7 of them and filesize < 704512
}