win.sathurbot

Sathurbot


There is no description at this point.

References
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06ESET ResearchESET Research
@online{research:20170406:sathurbot:53f5afb, author = {ESET Research}, title = {{Sathurbot: Distributed WordPress password attack}}, date = {2017-04-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/}, language = {English}, urldate = {2019-12-20} } Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules
[TLP:WHITE] win_sathurbot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_sathurbot_auto {
    // Detection rule for the Sathurbot family (Malpedia id win.sathurbot).
    // The rule is entirely autogenerated by yara-signator (see the meta block
    // and the disclaimer below): its strings are byte sequences lifted from
    // disassembled samples, not hand-picked indicators. It matches when at
    // least 7 of the 10 code sequences below are present and the scanned
    // file is smaller than 2727936 bytes (see the condition).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex string of raw 32-bit x86 instruction bytes.
    // "??" bytes are YARA wildcards: they mask the operand of a call/jump or
    // an absolute data reference, whose value differs between builds and load
    // addresses, so only the opcode part of those instructions is matched.
    // The indented "//" lines under each string are the disassembly of the
    // pattern, provided for the reader only; they are comments, not part of
    // the match. "n" is the number of instructions in the sequence; "score"
    // is yara-signator's own ranking of the sequence (meaning defined by the
    // tool, not by this rule).
    strings:
        $sequence_0 = { ff15???????? b8d160e63c e9???????? 3d96420199 7f3d 3d08cc5198 0f853aebffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b8d160e63c           | mov                 eax, 0x3ce660d1
            //   e9????????           |                     
            //   3d96420199           | cmp                 eax, 0x99014296
            //   7f3d                 | jg                  0x3f
            //   3d08cc5198           | cmp                 eax, 0x9851cc08
            //   0f853aebffff         | jne                 0xffffeb40

        $sequence_1 = { ba37aa6b4e 0f45da 89da 81fa37aa6b4e 89cb 74f4 81faf770c688 }
            // n = 7, score = 100
            //   ba37aa6b4e           | mov                 edx, 0x4e6baa37
            //   0f45da               | cmovne              ebx, edx
            //   89da                 | mov                 edx, ebx
            //   81fa37aa6b4e         | cmp                 edx, 0x4e6baa37
            //   89cb                 | mov                 ebx, ecx
            //   74f4                 | je                  0xfffffff6
            //   81faf770c688         | cmp                 edx, 0x88c670f7

        $sequence_2 = { b91c0c95fc 0f45c1 e9???????? 3dbef8763d ba3448224a 0f8595f8ffff b86dea3ec7 }
            // n = 7, score = 100
            //   b91c0c95fc           | mov                 ecx, 0xfc950c1c
            //   0f45c1               | cmovne              eax, ecx
            //   e9????????           |                     
            //   3dbef8763d           | cmp                 eax, 0x3d76f8be
            //   ba3448224a           | mov                 edx, 0x4a224834
            //   0f8595f8ffff         | jne                 0xfffff89b
            //   b86dea3ec7           | mov                 eax, 0xc73eea6d

        $sequence_3 = { e9???????? 81ffaa5bf3a9 7f26 81ffb1808fa6 ba96b0469a 0f8532f8ffff bf9b3e9724 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81ffaa5bf3a9         | cmp                 edi, 0xa9f35baa
            //   7f26                 | jg                  0x28
            //   81ffb1808fa6         | cmp                 edi, 0xa68f80b1
            //   ba96b0469a           | mov                 edx, 0x9a46b096
            //   0f8532f8ffff         | jne                 0xfffff838
            //   bf9b3e9724           | mov                 edi, 0x24973e9b

        $sequence_4 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8f218ebf3 b9f1db18a8 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8f218ebf3           | mov                 eax, 0xf3eb18f2
            //   b9f1db18a8           | mov                 ecx, 0xa818dbf1

        $sequence_5 = { ff15???????? b82d58bedc e9???????? 3d6622c7da 7f18 3d85fb08d7 0f8554fbffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b82d58bedc           | mov                 eax, 0xdcbe582d
            //   e9????????           |                     
            //   3d6622c7da           | cmp                 eax, 0xdac72266
            //   7f18                 | jg                  0x1a
            //   3d85fb08d7           | cmp                 eax, 0xd708fb85
            //   0f8554fbffff         | jne                 0xfffffb5a

        $sequence_6 = { e8???????? 83ec0c 8b45f0 8945d8 894610 89f1 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_7 = { ebbd 3d3409e3ab 7f17 3dd1965ca6 75e2 88d8 2401 }
            // n = 7, score = 100
            //   ebbd                 | jmp                 0xffffffbf
            //   3d3409e3ab           | cmp                 eax, 0xabe30934
            //   7f17                 | jg                  0x19
            //   3dd1965ca6           | cmp                 eax, 0xa65c96d1
            //   75e2                 | jne                 0xffffffe4
            //   88d8                 | mov                 al, bl
            //   2401                 | and                 al, 1

        $sequence_8 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8c7cd594e b9777d4fa4 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8c7cd594e           | mov                 eax, 0x4e59cdc7
            //   b9777d4fa4           | mov                 ecx, 0xa44f7d77

        $sequence_9 = { eb39 8b450c 890424 8b4d08 e8???????? 83ec04 a1???????? }
            // n = 7, score = 100
            //   eb39                 | jmp                 0x3b
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   a1????????           |                     

    // Fire when any 7 of the 10 sequences are found; no single sequence is
    // required, which tolerates minor code differences between samples.
    // The filesize bound (2727936 bytes, ~2.6 MiB) was chosen by the
    // generator to cap the size of inputs scanned, not from family knowledge.
    // NOTE(review): per YARA semantics `filesize` is only defined when a file
    // (or dump) is scanned, so this rule is not expected to match on live
    // process-memory scans — confirm against your YARA version.
    condition:
        7 of them and filesize < 2727936
}