Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20230407 | Detects win.sathurbot.)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.sathurbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b88f75023a b99c192f05 0f45c1 e9???????? 3df378fbcf 0f856afaffff a1???????? }
            // n = 7, score = 100
            //   b88f75023a           | mov                 eax, 0x3a02758f
            //   b99c192f05           | mov                 ecx, 0x52f199c
            //   0f45c1               | cmovne              eax, ecx
            //   e9????????           |                     
            //   3df378fbcf           | cmp                 eax, 0xcffb78f3
            //   0f856afaffff         | jne                 0xfffffa70
            //   a1????????           |                     

        $sequence_1 = { ebfe 8b4d08 e8???????? 8b4d10 894c2408 895c2404 890424 }
            // n = 7, score = 100
            //   ebfe                 | jmp                 0
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_2 = { b827208a05 bb07c8ab10 eb44 893c24 e8???????? 89442404 893c24 }
            // n = 7, score = 100
            //   b827208a05           | mov                 eax, 0x58a2027
            //   bb07c8ab10           | mov                 ebx, 0x10abc807
            //   eb44                 | jmp                 0x46
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   893c24               | mov                 dword ptr [esp], edi

        $sequence_3 = { e9???????? 3d0d91a13e 7f15 3d4d7a1b29 0f85cef7ffff b86d53caf5 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   3d0d91a13e           | cmp                 eax, 0x3ea1910d
            //   7f15                 | jg                  0x17
            //   3d4d7a1b29           | cmp                 eax, 0x291b7a4d
            //   0f85cef7ffff         | jne                 0xfffff7d4
            //   b86d53caf5           | mov                 eax, 0xf5ca536d
            //   e9????????           |                     

        $sequence_4 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b86cd106bb 0f45c7 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b86cd106bb           | mov                 eax, 0xbb06d16c
            //   0f45c7               | cmovne              eax, edi

        $sequence_5 = { b97567050d 0f45c1 e9???????? 3d60f249dd 7f56 3d0b2561c2 0f8546fdffff }
            // n = 7, score = 100
            //   b97567050d           | mov                 ecx, 0xd056775
            //   0f45c1               | cmovne              eax, ecx
            //   e9????????           |                     
            //   3d60f249dd           | cmp                 eax, 0xdd49f260
            //   7f56                 | jg                  0x58
            //   3d0b2561c2           | cmp                 eax, 0xc261250b
            //   0f8546fdffff         | jne                 0xfffffd4c

        $sequence_6 = { eb05 be996ba946 89f1 81f96ab77fcd 7f0c 81f9fa8d5796 89ce }
            // n = 7, score = 100
            //   eb05                 | jmp                 7
            //   be996ba946           | mov                 esi, 0x46a96b99
            //   89f1                 | mov                 ecx, esi
            //   81f96ab77fcd         | cmp                 ecx, 0xcd7fb76a
            //   7f0c                 | jg                  0xe
            //   81f9fa8d5796         | cmp                 ecx, 0x96578dfa
            //   89ce                 | mov                 esi, ecx

        $sequence_7 = { bffc8a7b7e e9???????? 81ffc3bca1b1 7f43 81fff6db27b1 ba197d6665 0f85c5f1ffff }
            // n = 7, score = 100
            //   bffc8a7b7e           | mov                 edi, 0x7e7b8afc
            //   e9????????           |                     
            //   81ffc3bca1b1         | cmp                 edi, 0xb1a1bcc3
            //   7f43                 | jg                  0x45
            //   81fff6db27b1         | cmp                 edi, 0xb127dbf6
            //   ba197d6665           | mov                 edx, 0x65667d19
            //   0f85c5f1ffff         | jne                 0xfffff1cb

        $sequence_8 = { eb18 8a4e24 8a5628 08ca f6c201 baf5981666 b914d0e19d }
            // n = 7, score = 100
            //   eb18                 | jmp                 0x1a
            //   8a4e24               | mov                 cl, byte ptr [esi + 0x24]
            //   8a5628               | mov                 dl, byte ptr [esi + 0x28]
            //   08ca                 | or                  dl, cl
            //   f6c201               | test                dl, 1
            //   baf5981666           | mov                 edx, 0x661698f5
            //   b914d0e19d           | mov                 ecx, 0x9de1d014

        $sequence_9 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 bfd15d4a71 b8c6869550 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   bfd15d4a71           | mov                 edi, 0x714a5dd1
            //   b8c6869550           | mov                 eax, 0x509586c6

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
