Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20220808 | Detects win.sathurbot.)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.sathurbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f6c701 bb3b54bf89 0f45de 89df 81ffbe66420b 89c3 74f4 }
            // n = 7, score = 100
            //   f6c701               | test                bh, 1
            //   bb3b54bf89           | mov                 ebx, 0x89bf543b
            //   0f45de               | cmovne              ebx, esi
            //   89df                 | mov                 edi, ebx
            //   81ffbe66420b         | cmp                 edi, 0xb4266be
            //   89c3                 | mov                 ebx, eax
            //   74f4                 | je                  0xfffffff6

        $sequence_1 = { 8d842438010000 890424 c7442408???????? e8???????? 8b8c2454020000 8d842438010000 890424 }
            // n = 7, score = 100
            //   8d842438010000       | lea                 eax, [esp + 0x138]
            //   890424               | mov                 dword ptr [esp], eax
            //   c7442408????????     |                     
            //   e8????????           |                     
            //   8b8c2454020000       | mov                 ecx, dword ptr [esp + 0x254]
            //   8d842438010000       | lea                 eax, [esp + 0x138]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_2 = { ba85e2c756 b8281744f9 e9???????? 3d63fd01d2 7f3d 3db2fb6fc3 0f85a4feffff }
            // n = 7, score = 100
            //   ba85e2c756           | mov                 edx, 0x56c7e285
            //   b8281744f9           | mov                 eax, 0xf9441728
            //   e9????????           |                     
            //   3d63fd01d2           | cmp                 eax, 0xd201fd63
            //   7f3d                 | jg                  0x3f
            //   3db2fb6fc3           | cmp                 eax, 0xc36ffbb2
            //   0f85a4feffff         | jne                 0xfffffeaa

        $sequence_3 = { b9e63c0e83 0f45c1 e9???????? 3ddb2eaf7d 0f8f3d010000 3dcff44a7d 0f8f6e010000 }
            // n = 7, score = 100
            //   b9e63c0e83           | mov                 ecx, 0x830e3ce6
            //   0f45c1               | cmovne              eax, ecx
            //   e9????????           |                     
            //   3ddb2eaf7d           | cmp                 eax, 0x7daf2edb
            //   0f8f3d010000         | jg                  0x143
            //   3dcff44a7d           | cmp                 eax, 0x7d4af4cf
            //   0f8f6e010000         | jg                  0x174

        $sequence_4 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b89708822b 0f45c2 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b89708822b           | mov                 eax, 0x2b820897
            //   0f45c2               | cmovne              eax, edx

        $sequence_5 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b85ce5d43b b95e7def9a }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b85ce5d43b           | mov                 eax, 0x3bd4e55c
            //   b95e7def9a           | mov                 ecx, 0x9aef7d5e

        $sequence_6 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b83533becb b903a97f82 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b83533becb           | mov                 eax, 0xcbbe3335
            //   b903a97f82           | mov                 ecx, 0x827fa903

        $sequence_7 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8dc72fa79 b9bb18adba }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8dc72fa79           | mov                 eax, 0x79fa72dc
            //   b9bb18adba           | mov                 ecx, 0xbaad18bb

        $sequence_8 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8185fd724 b9f21b22e7 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8185fd724           | mov                 eax, 0x24d75f18
            //   b9f21b22e7           | mov                 ecx, 0xe7221bf2

        $sequence_9 = { e9???????? 81fe855f4d39 0f85bffeffff 8b4d08 e8???????? ba57ddd0e7 8945ec }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81fe855f4d39         | cmp                 esi, 0x394d5f85
            //   0f85bffeffff         | jne                 0xfffffec5
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ba57ddd0e7           | mov                 edx, 0xe7d0dd57
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
