Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 8b4308 894708 f20f1003 f20f1107 8b45e8 890424 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   f20f1003             | movsd               xmm0, qword ptr [ebx]
            //   f20f1107             | movsd               qword ptr [edi], xmm0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_1 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b894cad4e2 b9293d574a }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b894cad4e2           | mov                 eax, 0xe2d4ca94
            //   b9293d574a           | mov                 ecx, 0x4a573d29

        $sequence_2 = { e9???????? 80e301 0fb6c3 83c438 5e 5f 5b }
            // n = 7, score = 100
            //   e9????????           |                     
            //   80e301               | and                 bl, 1
            //   0fb6c3               | movzx               eax, bl
            //   83c438               | add                 esp, 0x38
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_3 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8e401c701 0f45c7 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8e401c701           | mov                 eax, 0x1c701e4
            //   0f45c7               | cmovne              eax, edi

        $sequence_4 = { eb93 3db145e7a3 750c 89f0 83c408 5e 5f }
            // n = 7, score = 100
            //   eb93                 | jmp                 0xffffff95
            //   3db145e7a3           | cmp                 eax, 0xa3e745b1
            //   750c                 | jne                 0xe
            //   89f0                 | mov                 eax, esi
            //   83c408               | add                 esp, 8
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_5 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b846234722 b93636a8a1 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b846234722           | mov                 eax, 0x22472346
            //   b93636a8a1           | mov                 ecx, 0xa1a83636

        $sequence_6 = { e8???????? 83ec0c 895c2404 8d5e70 891c24 c7442408e9fd0000 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   8d5e70               | lea                 ebx, [esi + 0x70]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   c7442408e9fd0000     | mov                 dword ptr [esp + 8], 0xfde9
            //   e8????????           |                     

        $sequence_7 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8266f60e8 b9144a64ed }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8266f60e8           | mov                 eax, 0xe8606f26
            //   b9144a64ed           | mov                 ecx, 0xed644a14

        $sequence_8 = { ebb1 89f1 e8???????? b8f60c44ed eba3 3d21a56803 750a }
            // n = 7, score = 100
            //   ebb1                 | jmp                 0xffffffb3
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     
            //   b8f60c44ed           | mov                 eax, 0xed440cf6
            //   eba3                 | jmp                 0xffffffa5
            //   3d21a56803           | cmp                 eax, 0x368a521
            //   750a                 | jne                 0xc

        $sequence_9 = { ba3852d007 0f44d1 8955e4 ba66e21fdb eb02 89c2 89d1 }
            // n = 7, score = 100
            //   ba3852d007           | mov                 edx, 0x7d05238
            //   0f44d1               | cmove               edx, ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   ba66e21fdb           | mov                 edx, 0xdb1fe266
            //   eb02                 | jmp                 4
            //   89c2                 | mov                 edx, eax
            //   89d1                 | mov                 ecx, edx

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
