Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ebc8 3d344832b5 7f0c 3d125afaa1 75ba e9???????? 3d7fbc867d }
            // n = 7, score = 100
            //   ebc8                 | jmp                 0xffffffca
            //   3d344832b5           | cmp                 eax, 0xb5324834
            //   7f0c                 | jg                  0xe
            //   3d125afaa1           | cmp                 eax, 0xa1fa5a12
            //   75ba                 | jne                 0xffffffbc
            //   e9????????           |                     
            //   3d7fbc867d           | cmp                 eax, 0x7d86bc7f

        $sequence_1 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b816c8d90b 0f45c3 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b816c8d90b           | mov                 eax, 0xbd9c816
            //   0f45c3               | cmovne              eax, ebx

        $sequence_2 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b856521cc7 b90e2f6aa5 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b856521cc7           | mov                 eax, 0xc71c5256
            //   b90e2f6aa5           | mov                 ecx, 0xa56a2f0e

        $sequence_3 = { e9???????? 81fb00647d02 7f43 81fb33c3bdff bae82c8662 0f852cd1ffff a1???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81fb00647d02         | cmp                 ebx, 0x27d6400
            //   7f43                 | jg                  0x45
            //   81fb33c3bdff         | cmp                 ebx, 0xffbdc333
            //   bae82c8662           | mov                 edx, 0x62862ce8
            //   0f852cd1ffff         | jne                 0xffffd132
            //   a1????????           |                     

        $sequence_4 = { e9???????? 81f9301b73c6 0f852efeffff 8b0d???????? 8d51ff 0fafd1 f6c201 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81f9301b73c6         | cmp                 ecx, 0xc6731b30
            //   0f852efeffff         | jne                 0xfffffe34
            //   8b0d????????         |                     
            //   8d51ff               | lea                 edx, [ecx - 1]
            //   0fafd1               | imul                edx, ecx
            //   f6c201               | test                dl, 1

        $sequence_5 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b879f4f199 b9bd8f5265 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b879f4f199           | mov                 eax, 0x99f1f479
            //   b9bd8f5265           | mov                 ecx, 0x65528fbd

        $sequence_6 = { eb9f 81fb521eac49 7597 89c3 eb93 81fba3ec7840 758b }
            // n = 7, score = 100
            //   eb9f                 | jmp                 0xffffffa1
            //   81fb521eac49         | cmp                 ebx, 0x49ac1e52
            //   7597                 | jne                 0xffffff99
            //   89c3                 | mov                 ebx, eax
            //   eb93                 | jmp                 0xffffff95
            //   81fba3ec7840         | cmp                 ebx, 0x4078eca3
            //   758b                 | jne                 0xffffff8d

        $sequence_7 = { e9???????? 8a4df0 8a55f1 08ca f6c201 bafd7c4908 0f45d6 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8a4df0               | mov                 cl, byte ptr [ebp - 0x10]
            //   8a55f1               | mov                 dl, byte ptr [ebp - 0xf]
            //   08ca                 | or                  dl, cl
            //   f6c201               | test                dl, 1
            //   bafd7c4908           | mov                 edx, 0x8497cfd
            //   0f45d6               | cmovne              edx, esi

        $sequence_8 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8492f1501 b97615a673 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8492f1501           | mov                 eax, 0x1152f49
            //   b97615a673           | mov                 ecx, 0x73a61576

        $sequence_9 = { eb94 3d058f7291 7f22 3d31f40a90 7586 8b463c 50 }
            // n = 7, score = 100
            //   eb94                 | jmp                 0xffffff96
            //   3d058f7291           | cmp                 eax, 0x91728f05
            //   7f22                 | jg                  0x24
            //   3d31f40a90           | cmp                 eax, 0x900af431
            //   7586                 | jne                 0xffffff88
            //   8b463c               | mov                 eax, dword ptr [esi + 0x3c]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
