SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sisfader (Back to overview)

Sisfader

Actor(s): Hellsing

There is no description at this point.

References
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2018-08-02Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears
Sisfader
2018-06-12NCC GroupBen Humphrey
@online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT
Sisfader
Yara Rules
[TLP:WHITE] win_sisfader_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_sisfader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_1 = { 741f 33c0 85c9 7419 }
            // n = 4, score = 300
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   7419                 | je                  0x1b

        $sequence_2 = { eb13 8d8d76fdffff 8d0441 50 8d86d4010000 50 }
            // n = 6, score = 200
            //   eb13                 | jmp                 0x15
            //   8d8d76fdffff         | lea                 ecx, [ebp - 0x28a]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   50                   | push                eax
            //   8d86d4010000         | lea                 eax, [esi + 0x1d4]
            //   50                   | push                eax

        $sequence_3 = { 0fb74816 81e100200000 7409 c745d801000000 eb07 c745d800000000 }
            // n = 6, score = 200
            //   0fb74816             | movzx               ecx, word ptr [eax + 0x16]
            //   81e100200000         | and                 ecx, 0x2000
            //   7409                 | je                  0xb
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1
            //   eb07                 | jmp                 9
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0

        $sequence_4 = { 8b55fc 52 ff15???????? 8945f8 837df800 7402 eb0f }
            // n = 7, score = 200
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   7402                 | je                  4
            //   eb0f                 | jmp                 0x11

        $sequence_5 = { e8???????? b90e000000 ff15???????? 33c0 e9???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   b90e000000           | mov                 ecx, 0xe
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_6 = { 8d45f8 c745f804000000 50 8d4608 50 8d45f0 50 }
            // n = 7, score = 200
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   c745f804000000       | mov                 dword ptr [ebp - 8], 4
            //   50                   | push                eax
            //   8d4608               | lea                 eax, [esi + 8]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_7 = { 8b410c 89470c 8b4108 894708 817908020f0000 0f8573010000 83790410 }
            // n = 7, score = 200
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   817908020f0000       | cmp                 dword ptr [ecx + 8], 0xf02
            //   0f8573010000         | jne                 0x179
            //   83790410             | cmp                 dword ptr [ecx + 4], 0x10

        $sequence_8 = { 33d2 b904000000 e8???????? eb21 }
            // n = 4, score = 200
            //   33d2                 | xor                 edx, edx
            //   b904000000           | mov                 ecx, 4
            //   e8????????           |                     
            //   eb21                 | jmp                 0x23

        $sequence_9 = { ff15???????? 8945f0 83f8ff 7509 33c0 5f 5e }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   83f8ff               | cmp                 eax, -1
            //   7509                 | jne                 0xb
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_10 = { 8b4dfc c7411001000000 eb11 8b55fc 8b02 }
            // n = 5, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c7411001000000       | mov                 dword ptr [ecx + 0x10], 1
            //   eb11                 | jmp                 0x13
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b02                 | mov                 eax, dword ptr [edx]

        $sequence_11 = { e9???????? c744243c00000000 eb34 8b44243c }
            // n = 4, score = 200
            //   e9????????           |                     
            //   c744243c00000000     | mov                 dword ptr [esp + 0x3c], 0
            //   eb34                 | jmp                 0x36
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]

        $sequence_12 = { 56 8b35???????? ffd6 57 ffd6 5f b86f000000 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   5f                   | pop                 edi
            //   b86f000000           | mov                 eax, 0x6f

        $sequence_13 = { 7505 e9???????? 8d4dec 51 8d9580feffff }
            // n = 5, score = 200
            //   7505                 | jne                 7
            //   e9????????           |                     
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   51                   | push                ecx
            //   8d9580feffff         | lea                 edx, [ebp - 0x180]

        $sequence_14 = { 83e10f 0fb60c39 300a 3b4304 }
            // n = 4, score = 200
            //   83e10f               | and                 ecx, 0xf
            //   0fb60c39             | movzx               ecx, byte ptr [ecx + edi]
            //   300a                 | xor                 byte ptr [edx], cl
            //   3b4304               | cmp                 eax, dword ptr [ebx + 4]

        $sequence_15 = { 85c0 741d 8bd3 0f1f440000 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   741d                 | je                  0x1f
            //   8bd3                 | mov                 edx, ebx
            //   0f1f440000           | nop                 dword ptr [eax + eax]

        $sequence_16 = { 83c801 8945f0 8b4df0 894de4 }
            // n = 4, score = 200
            //   83c801               | or                  eax, 1
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_17 = { 8905???????? c705????????00000000 8b442440 8905???????? c705????????b80b0000 }
            // n = 5, score = 200
            //   8905????????         |                     
            //   c705????????00000000     |     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   8905????????         |                     
            //   c705????????b80b0000     |     

        $sequence_18 = { 8bec 83ec1c 8b4508 8945e8 8b4d0c 894dec 8b55ec }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_19 = { b904000000 e8???????? 33c0 83f801 7425 baffffffff }
            // n = 6, score = 200
            //   b904000000           | mov                 ecx, 4
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   83f801               | cmp                 eax, 1
            //   7425                 | je                  0x27
            //   baffffffff           | mov                 edx, 0xffffffff

        $sequence_20 = { ff5048 b97f000000 ff15???????? eb05 }
            // n = 4, score = 200
            //   ff5048               | call                dword ptr [eax + 0x48]
            //   b97f000000           | mov                 ecx, 0x7f
            //   ff15????????         |                     
            //   eb05                 | jmp                 7

        $sequence_21 = { 7510 6a00 6a00 6a01 e8???????? 83c40c eb38 }
            // n = 7, score = 200
            //   7510                 | jne                 0x12
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb38                 | jmp                 0x3a

        $sequence_22 = { 8bec 81ec80010000 c745ec60010000 c745fc00001000 }
            // n = 4, score = 200
            //   8bec                 | mov                 ebp, esp
            //   81ec80010000         | sub                 esp, 0x180
            //   c745ec60010000       | mov                 dword ptr [ebp - 0x14], 0x160
            //   c745fc00001000       | mov                 dword ptr [ebp - 4], 0x100000

        $sequence_23 = { 746b c744242000000000 eb0a 8b442420 ffc0 }
            // n = 5, score = 200
            //   746b                 | je                  0x6d
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   eb0a                 | jmp                 0xc
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   ffc0                 | inc                 eax

        $sequence_24 = { c705????????10000000 8b442430 8905???????? c705????????07000000 8b442438 8905???????? }
            // n = 6, score = 200
            //   c705????????10000000     |     
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   8905????????         |                     
            //   c705????????07000000     |     
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8905????????         |                     

        $sequence_25 = { 891e eb35 33c0 eb36 }
            // n = 4, score = 200
            //   891e                 | mov                 dword ptr [esi], ebx
            //   eb35                 | jmp                 0x37
            //   33c0                 | xor                 eax, eax
            //   eb36                 | jmp                 0x38

        $sequence_26 = { 5f 5e 5b c3 8d81afedffff 83f806 }
            // n = 6, score = 200
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8d81afedffff         | lea                 eax, [ecx - 0x1251]
            //   83f806               | cmp                 eax, 6

        $sequence_27 = { 813faaeeddff 757e 8b4704 85c0 7520 }
            // n = 5, score = 200
            //   813faaeeddff         | cmp                 dword ptr [edi], 0xffddeeaa
            //   757e                 | jne                 0x80
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   85c0                 | test                eax, eax
            //   7520                 | jne                 0x22

        $sequence_28 = { 81ec80000000 8b4508 ba10000000 53 56 57 }
            // n = 6, score = 200
            //   81ec80000000         | sub                 esp, 0x80
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ba10000000           | mov                 edx, 0x10
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_29 = { c744240c30020000 c744241800000000 8d44242c ba30020000 0f1f440000 c60000 }
            // n = 6, score = 200
            //   c744240c30020000     | mov                 dword ptr [esp + 0xc], 0x230
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   ba30020000           | mov                 edx, 0x230
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   c60000               | mov                 byte ptr [eax], 0

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules