Sathurbot (Malware Family)

Sathurbot

There is no description at this point.
References

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2017-04-06 ⋅ ESET Research ⋅ ESET Research
Sathurbot: Distributed WordPress password attack
Sathurbot
Yara Rules

[TLP:WHITE] win_sathurbot_auto (20230125 | Detects win.sathurbot.)
rule win_sathurbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sathurbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f6c701 bf91433cc2 0f45fa 89fe 81fec76b7f0c 89c7 74f4 }
            // n = 7, score = 100
            //   f6c701               | test                bh, 1
            //   bf91433cc2           | mov                 edi, 0xc23c4391
            //   0f45fa               | cmovne              edi, edx
            //   89fe                 | mov                 esi, edi
            //   81fec76b7f0c         | cmp                 esi, 0xc7f6bc7
            //   89c7                 | mov                 edi, eax
            //   74f4                 | je                  0xfffffff6

        $sequence_1 = { e9???????? 81ff45d59804 0f85e0f3ffff a1???????? 8d48ff 0fafc8 f6c101 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81ff45d59804         | cmp                 edi, 0x498d545
            //   0f85e0f3ffff         | jne                 0xfffff3e6
            //   a1????????           |                     
            //   8d48ff               | lea                 ecx, [eax - 1]
            //   0fafc8               | imul                ecx, eax
            //   f6c101               | test                cl, 1

        $sequence_2 = { b8ab6d36f1 0f45f8 e9???????? 81ffaf3a48a0 7f43 81ffd3e2c49f ba197d6665 }
            // n = 7, score = 100
            //   b8ab6d36f1           | mov                 eax, 0xf1366dab
            //   0f45f8               | cmovne              edi, eax
            //   e9????????           |                     
            //   81ffaf3a48a0         | cmp                 edi, 0xa0483aaf
            //   7f43                 | jg                  0x45
            //   81ffd3e2c49f         | cmp                 edi, 0x9fc4e2d3
            //   ba197d6665           | mov                 edx, 0x65667d19

        $sequence_3 = { f6c101 b8d0b94b2f 0f45c6 ebd6 3df990455a 75cf ebc8 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   b8d0b94b2f           | mov                 eax, 0x2f4bb9d0
            //   0f45c6               | cmovne              eax, esi
            //   ebd6                 | jmp                 0xffffffd8
            //   3df990455a           | cmp                 eax, 0x5a4590f9
            //   75cf                 | jne                 0xffffffd1
            //   ebc8                 | jmp                 0xffffffca

        $sequence_4 = { e9???????? 81fb14caa411 7f27 81fb8d013e0f bae82c8662 0f852eccffff 8b466c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81fb14caa411         | cmp                 ebx, 0x11a4ca14
            //   7f27                 | jg                  0x29
            //   81fb8d013e0f         | cmp                 ebx, 0xf3e018d
            //   bae82c8662           | mov                 edx, 0x62862ce8
            //   0f852eccffff         | jne                 0xffffcc34
            //   8b466c               | mov                 eax, dword ptr [esi + 0x6c]

        $sequence_5 = { e9???????? 3ddbbf0f41 7f22 3d7056d738 0f851ff8ffff 8a45ef 84c0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   3ddbbf0f41           | cmp                 eax, 0x410fbfdb
            //   7f22                 | jg                  0x24
            //   3d7056d738           | cmp                 eax, 0x38d75670
            //   0f851ff8ffff         | jne                 0xfffff825
            //   8a45ef               | mov                 al, byte ptr [ebp - 0x11]
            //   84c0                 | test                al, al

        $sequence_6 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b86ca9c193 b9f92c7e83 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b86ca9c193           | mov                 eax, 0x93c1a96c
            //   b9f92c7e83           | mov                 ecx, 0x837e2cf9

        $sequence_7 = { eb17 ebfe 8a542447 8a742448 08d6 f6c601 bf1c540a4e }
            // n = 7, score = 100
            //   eb17                 | jmp                 0x19
            //   ebfe                 | jmp                 0
            //   8a542447             | mov                 dl, byte ptr [esp + 0x47]
            //   8a742448             | mov                 dh, byte ptr [esp + 0x48]
            //   08d6                 | or                  dh, dl
            //   f6c601               | test                dh, 1
            //   bf1c540a4e           | mov                 edi, 0x4e0a541c

        $sequence_8 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8bd94f9d2 0f45c3 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b8bd94f9d2           | mov                 eax, 0xd2f994bd
            //   0f45c3               | cmovne              eax, ebx

        $sequence_9 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b829a143d4 b94789b320 }
            // n = 7, score = 100
            //   f6c101               | test                cl, 1
            //   0f94c0               | sete                al
            //   813d????????0a000000     |     
            //   0f9cc1               | setl                cl
            //   08c1                 | or                  cl, al
            //   b829a143d4           | mov                 eax, 0xd443a129
            //   b94789b320           | mov                 ecx, 0x20b38947

    condition:
        7 of them and filesize < 2727936
}
Download all Yara Rules
Sathurbot Propose Change

References

Yara Rules

Sathurbot
