SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sisfader (Back to overview)

Sisfader

Actor(s): Hellsing


There is no description at this point.

References
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2018-08-02Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears
Sisfader
2018-06-12NCC GroupBen Humphrey
@online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT
Sisfader
Yara Rules
[TLP:WHITE] win_sisfader_auto (20220516 | Detects win.sisfader.)
rule win_sisfader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.sisfader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 741f 33c0 85c9 7419 }
            // n = 4, score = 300
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   7419                 | je                  0x1b

        $sequence_1 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_2 = { 746b c744242000000000 eb0a 8b442420 ffc0 }
            // n = 5, score = 200
            //   746b                 | je                  0x6d
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   eb0a                 | jmp                 0xc
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   ffc0                 | inc                 eax

        $sequence_3 = { 6a40 ff15???????? 8945f8 8d4dfc 51 8b55f8 }
            // n = 6, score = 200
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_4 = { ff15???????? 83c404 8b45fc 83780400 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83780400             | cmp                 dword ptr [eax + 4], 0

        $sequence_5 = { 894de0 ebac 8d55a0 52 ff15???????? }
            // n = 5, score = 200
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   ebac                 | jmp                 0xffffffae
            //   8d55a0               | lea                 edx, [ebp - 0x60]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_6 = { 5e 5b c3 81f9e2f00000 756b c74708e3f00000 }
            // n = 6, score = 200
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   81f9e2f00000         | cmp                 ecx, 0xf0e2
            //   756b                 | jne                 0x6d
            //   c74708e3f00000       | mov                 dword ptr [edi + 8], 0xf0e3

        $sequence_7 = { 8b4508 83ec24 817808e3e00000 7409 b820010000 8be5 5d }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83ec24               | sub                 esp, 0x24
            //   817808e3e00000       | cmp                 dword ptr [eax + 8], 0xe0e3
            //   7409                 | je                  0xb
            //   b820010000           | mov                 eax, 0x120
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_8 = { c745fc60010000 837d0800 7423 8d450c 50 8b4d08 }
            // n = 6, score = 200
            //   c745fc60010000       | mov                 dword ptr [ebp - 4], 0x160
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7423                 | je                  0x25
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_9 = { 7425 837c242002 7441 837c242003 745d 837c242004 7479 }
            // n = 7, score = 200
            //   7425                 | je                  0x27
            //   837c242002           | cmp                 dword ptr [esp + 0x20], 2
            //   7441                 | je                  0x43
            //   837c242003           | cmp                 dword ptr [esp + 0x20], 3
            //   745d                 | je                  0x5f
            //   837c242004           | cmp                 dword ptr [esp + 0x20], 4
            //   7479                 | je                  0x7b

        $sequence_10 = { eb1f 8b4d1c 8b11 52 8b4518 }
            // n = 5, score = 200
            //   eb1f                 | jmp                 0x21
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   52                   | push                edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]

        $sequence_11 = { 7402 eb12 c744245401000000 33c0 }
            // n = 4, score = 200
            //   7402                 | je                  4
            //   eb12                 | jmp                 0x14
            //   c744245401000000     | mov                 dword ptr [esp + 0x54], 1
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { 7407 33c0 e9???????? ba01000000 }
            // n = 4, score = 200
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ba01000000           | mov                 edx, 1

        $sequence_13 = { 8b45a4 50 8b4df8 8b5150 52 e8???????? }
            // n = 6, score = 200
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   50                   | push                eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b5150               | mov                 edx, dword ptr [ecx + 0x50]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_14 = { 0fb74c247e 6685c9 0f84cd010000 6683f92e 750f 6683bc248000000000 0f84b8010000 }
            // n = 7, score = 200
            //   0fb74c247e           | movzx               ecx, word ptr [esp + 0x7e]
            //   6685c9               | test                cx, cx
            //   0f84cd010000         | je                  0x1d3
            //   6683f92e             | cmp                 cx, 0x2e
            //   750f                 | jne                 0x11
            //   6683bc248000000000     | cmp    word ptr [esp + 0x80], 0
            //   0f84b8010000         | je                  0x1be

        $sequence_15 = { 3bf7 7c99 eb06 ff15???????? ff75f4 }
            // n = 5, score = 200
            //   3bf7                 | cmp                 esi, edi
            //   7c99                 | jl                  0xffffff9b
            //   eb06                 | jmp                 8
            //   ff15????????         |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_16 = { 8901 8d4dec 0fb703 668945ec 0fb74302 }
            // n = 5, score = 200
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   0fb703               | movzx               eax, word ptr [ebx]
            //   668945ec             | mov                 word ptr [ebp - 0x14], ax
            //   0fb74302             | movzx               eax, word ptr [ebx + 2]

        $sequence_17 = { 33d2 b907000000 e8???????? eb44 }
            // n = 4, score = 200
            //   33d2                 | xor                 edx, edx
            //   b907000000           | mov                 ecx, 7
            //   e8????????           |                     
            //   eb44                 | jmp                 0x46

        $sequence_18 = { 90 8bc8 83e10f 8a0c11 300c30 40 }
            // n = 6, score = 200
            //   90                   | nop                 
            //   8bc8                 | mov                 ecx, eax
            //   83e10f               | and                 ecx, 0xf
            //   8a0c11               | mov                 cl, byte ptr [ecx + edx]
            //   300c30               | xor                 byte ptr [eax + esi], cl
            //   40                   | inc                 eax

        $sequence_19 = { 89442450 837c245000 7402 eb12 }
            // n = 4, score = 200
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4
            //   eb12                 | jmp                 0x14

        $sequence_20 = { 817908020f0000 0f8573010000 83790410 c7442470dcff0000 }
            // n = 4, score = 200
            //   817908020f0000       | cmp                 dword ptr [ecx + 8], 0xf02
            //   0f8573010000         | jne                 0x179
            //   83790410             | cmp                 dword ptr [ecx + 4], 0x10
            //   c7442470dcff0000     | mov                 dword ptr [esp + 0x70], 0xffdc

        $sequence_21 = { 89442450 837c245000 7405 e9???????? 83bc248000000000 }
            // n = 5, score = 200
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7405                 | je                  7
            //   e9????????           |                     
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0

        $sequence_22 = { ffd3 ff75f4 ff15???????? 8d45ec 50 }
            // n = 5, score = 200
            //   ffd3                 | call                ebx
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax

        $sequence_23 = { 7508 891e eb35 33c0 }
            // n = 4, score = 200
            //   7508                 | jne                 0xa
            //   891e                 | mov                 dword ptr [esi], ebx
            //   eb35                 | jmp                 0x37
            //   33c0                 | xor                 eax, eax

        $sequence_24 = { 8b55f8 8b4134 2b4234 8945d0 7418 8b4dd0 }
            // n = 6, score = 200
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   2b4234               | sub                 eax, dword ptr [edx + 0x34]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   7418                 | je                  0x1a
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]

        $sequence_25 = { 745d 837c242004 7479 837c242005 0f8480000000 e9???????? }
            // n = 6, score = 200
            //   745d                 | je                  0x5f
            //   837c242004           | cmp                 dword ptr [esp + 0x20], 4
            //   7479                 | je                  0x7b
            //   837c242005           | cmp                 dword ptr [esp + 0x20], 5
            //   0f8480000000         | je                  0x86
            //   e9????????           |                     

        $sequence_26 = { 8b4508 a3???????? c705????????07000000 8b4d0c 890d???????? c705????????00000000 8b5510 }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   a3????????           |                     
            //   c705????????07000000     |     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   890d????????         |                     
            //   c705????????00000000     |     
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_27 = { 8b442450 8906 8b442470 89442440 }
            // n = 4, score = 200
            //   8b442450             | mov                 eax, dword ptr [esp + 0x50]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   89442440             | mov                 dword ptr [esp + 0x40], eax

        $sequence_28 = { 0f114624 668b5764 50 ff7720 e8???????? 8b471c 83c410 }
            // n = 7, score = 200
            //   0f114624             | movups              xmmword ptr [esi + 0x24], xmm0
            //   668b5764             | mov                 dx, word ptr [edi + 0x64]
            //   50                   | push                eax
            //   ff7720               | push                dword ptr [edi + 0x20]
            //   e8????????           |                     
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   83c410               | add                 esp, 0x10

        $sequence_29 = { 33d2 b904000000 e8???????? 33c0 83f801 7425 baffffffff }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   b904000000           | mov                 ecx, 4
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   83f801               | cmp                 eax, 1
            //   7425                 | je                  0x27
            //   baffffffff           | mov                 edx, 0xffffffff

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules