Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20211008 | Detects win.sathurbot.)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sathurbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b9a4a49100 0f45c8 894db4 8b7d08 b85965e99b 894db0 eb08 }
            // n = 7, score = 100
            //   b9a4a49100           | mov                 ecx, 0x91a4a4
            //   0f45c8               | cmovne              ecx, eax
            //   894db4               | mov                 dword ptr [ebp - 0x4c], ecx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   b85965e99b           | mov                 eax, 0x9be96559
            //   894db0               | mov                 dword ptr [ebp - 0x50], ecx
            //   eb08                 | jmp                 0xa

        $sequence_1 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8db26e143 b94baae2dc }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8db26e143           | mov                 eax, 0x43e126db
            //   b94baae2dc           | mov                 ecx, 0xdce2aa4b

        $sequence_2 = { e9???????? 81f90190014e bab55dc02c 0f858ef1ffff a1???????? 8d48ff 0fafc8 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81f90190014e         | cmp                 ecx, 0x4e019001
            //   bab55dc02c           | mov                 edx, 0x2cc05db5
            //   0f858ef1ffff         | jne                 0xfffff194
            //   a1????????           |                     
            //   8d48ff               | lea                 ecx, dword ptr [eax - 1]
            //   0fafc8               | imul                ecx, eax

        $sequence_3 = { e9???????? ebfe 8b45f0 83c444 5e 5f 5b }
            // n = 7, score = 100
            //   e9????????           |                     
            //   ebfe                 | jmp                 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c444               | add                 esp, 0x44
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_4 = { ff15???????? b8d0358840 e9???????? 3dfabbd914 7f3d 3d3324f609 0f8588f8ffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b8d0358840           | mov                 eax, 0x408835d0
            //   e9????????           |                     
            //   3dfabbd914           | cmp                 eax, 0x14d9bbfa
            //   7f3d                 | jg                  0x3f
            //   3d3324f609           | cmp                 eax, 0x9f62433
            //   0f8588f8ffff         | jne                 0xfffff88e

        $sequence_5 = { f6c101 b8e3002023 b9f7c13f20 0f45c1 e9???????? a1???????? 8d48ff }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   b8e3002023           | mov                 eax, 0x232000e3
            //   b9f7c13f20           | mov                 ecx, 0x203fc1f7
            //   0f45c1               | cmovne              eax, ecx
            //   e9????????           |                     
            //   a1????????           |                     
            //   8d48ff               | lea                 ecx, dword ptr [eax - 1]

        $sequence_6 = { e9???????? 81ff1e65df69 0f8581faffff bf8325f647 e9???????? 81ff0ae7b863 0f856bfaffff }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81ff1e65df69         | cmp                 edi, 0x69df651e
            //   0f8581faffff         | jne                 0xfffffa87
            //   bf8325f647           | mov                 edi, 0x47f62583
            //   e9????????           |                     
            //   81ff0ae7b863         | cmp                 edi, 0x63b8e70a
            //   0f856bfaffff         | jne                 0xfffffa71

        $sequence_7 = { c7460400000000 e9???????? 8a460a 8a4e0b 08c1 f6c101 b805566ea8 }
            // n = 7, score = 100
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   e9????????           |                     
            //   8a460a               | mov                 al, byte ptr [esi + 0xa]
            //   8a4e0b               | mov                 cl, byte ptr [esi + 0xb]
            //   08c1                 | or                  cl, al
            //   f6c101               | test                cl, 1
            //   b805566ea8           | mov                 eax, 0xa86e5605

        $sequence_8 = { ff15???????? 6afe 50 ff15???????? b9630cb44b e9???????? 81f984c23ef5 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   6afe                 | push                -2
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b9630cb44b           | mov                 ecx, 0x4bb40c63
            //   e9????????           |                     
            //   81f984c23ef5         | cmp                 ecx, 0xf53ec284

        $sequence_9 = { e9???????? 8a55ee 8a75ef 08d6 f6c601 bad2a204a6 bfd0494419 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8a55ee               | mov                 dl, byte ptr [ebp - 0x12]
            //   8a75ef               | mov                 dh, byte ptr [ebp - 0x11]
            //   08d6                 | or                  dh, dl
            //   f6c601               | test                dh, 1
            //   bad2a204a6           | mov                 edx, 0xa604a2d2
            //   bfd0494419           | mov                 edi, 0x194449d0

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
