SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sisfader (Back to overview)

Sisfader

Actor(s): Hellsing

There is no description at this point.

References
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2018-08-02Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears
Sisfader
2018-06-12NCC GroupBen Humphrey
@online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT
Sisfader
Yara Rules
[TLP:WHITE] win_sisfader_auto (20230125 | Detects win.sisfader.)
rule win_sisfader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sisfader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 741f 33c0 85c9 7419 }
            // n = 4, score = 300
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   7419                 | je                  0x1b

        $sequence_1 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_2 = { 8905???????? c705????????00000000 8b442440 8905???????? }
            // n = 4, score = 200
            //   8905????????         |                     
            //   c705????????00000000     |     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   8905????????         |                     

        $sequence_3 = { f3a5 6a00 ff15???????? a3???????? 85c0 7409 5f }
            // n = 7, score = 200
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   5f                   | pop                 edi

        $sequence_4 = { 837c242002 7441 837c242003 745d }
            // n = 4, score = 200
            //   837c242002           | cmp                 dword ptr [esp + 0x20], 2
            //   7441                 | je                  0x43
            //   837c242003           | cmp                 dword ptr [esp + 0x20], 3
            //   745d                 | je                  0x5f

        $sequence_5 = { ff15???????? 89442450 837c245000 7402 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4

        $sequence_6 = { 89842480000000 83bc248000000000 750d b95a040000 ff15???????? eb43 }
            // n = 6, score = 200
            //   89842480000000       | mov                 dword ptr [esp + 0x80], eax
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0
            //   750d                 | jne                 0xf
            //   b95a040000           | mov                 ecx, 0x45a
            //   ff15????????         |                     
            //   eb43                 | jmp                 0x45

        $sequence_7 = { 0fb74c246e 6685c9 7415 6683f92e 7508 }
            // n = 5, score = 200
            //   0fb74c246e           | movzx               ecx, word ptr [esp + 0x6e]
            //   6685c9               | test                cx, cx
            //   7415                 | je                  0x17
            //   6683f92e             | cmp                 cx, 0x2e
            //   7508                 | jne                 0xa

        $sequence_8 = { 8b442448 89442420 837c242001 7402 eb05 }
            // n = 5, score = 200
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   837c242001           | cmp                 dword ptr [esp + 0x20], 1
            //   7402                 | je                  4
            //   eb05                 | jmp                 7

        $sequence_9 = { c744244854120000 0f11442454 c744245061090000 e8???????? 85c0 7554 }
            // n = 6, score = 200
            //   c744244854120000     | mov                 dword ptr [esp + 0x48], 0x1254
            //   0f11442454           | movups              xmmword ptr [esp + 0x54], xmm0
            //   c744245061090000     | mov                 dword ptr [esp + 0x50], 0x961
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7554                 | jne                 0x56

        $sequence_10 = { c70665632985 663939 8b3d???????? 7407 51 }
            // n = 5, score = 200
            //   c70665632985         | mov                 dword ptr [esi], 0x85296365
            //   663939               | cmp                 word ptr [ecx], di
            //   8b3d????????         |                     
            //   7407                 | je                  9
            //   51                   | push                ecx

        $sequence_11 = { 837c245000 7402 eb12 c744245401000000 33c0 85c0 0f850fffffff }
            // n = 7, score = 200
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4
            //   eb12                 | jmp                 0x14
            //   c744245401000000     | mov                 dword ptr [esp + 0x54], 1
            //   33c0                 | xor                 eax, eax
            //   85c0                 | test                eax, eax
            //   0f850fffffff         | jne                 0xffffff15

        $sequence_12 = { 8b442440 89442420 837c242001 7425 837c242002 7441 }
            // n = 6, score = 200
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   837c242001           | cmp                 dword ptr [esp + 0x20], 1
            //   7425                 | je                  0x27
            //   837c242002           | cmp                 dword ptr [esp + 0x20], 2
            //   7441                 | je                  0x43

        $sequence_13 = { a1???????? 50 6a01 e8???????? 83c418 }
            // n = 5, score = 200
            //   a1????????           |                     
            //   50                   | push                eax
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_14 = { 83c404 85c0 7502 eb71 8b45fc 8b08 83792800 }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   eb71                 | jmp                 0x73
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83792800             | cmp                 dword ptr [ecx + 0x28], 0

        $sequence_15 = { 1bc0 83c801 8945f0 8b4df0 894de4 }
            // n = 5, score = 200
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_16 = { 89442450 837c245000 7405 e9???????? 83bc248000000000 7539 }
            // n = 6, score = 200
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7405                 | je                  7
            //   e9????????           |                     
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0
            //   7539                 | jne                 0x3b

        $sequence_17 = { 7421 6aff 8b0d???????? 51 ff15???????? 6a00 }
            // n = 6, score = 200
            //   7421                 | je                  0x23
            //   6aff                 | push                -1
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_18 = { ff15???????? c1e802 33db 898754010000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   c1e802               | shr                 eax, 2
            //   33db                 | xor                 ebx, ebx
            //   898754010000         | mov                 dword ptr [edi + 0x154], eax

        $sequence_19 = { 7502 eb67 8b4dfc 51 8b55f8 52 e8???????? }
            // n = 7, score = 200
            //   7502                 | jne                 4
            //   eb67                 | jmp                 0x69
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_20 = { 33db 8bd3 395904 761b }
            // n = 4, score = 200
            //   33db                 | xor                 ebx, ebx
            //   8bd3                 | mov                 edx, ebx
            //   395904               | cmp                 dword ptr [ecx + 4], ebx
            //   761b                 | jbe                 0x1d

        $sequence_21 = { c7460855120000 0f1005???????? 51 57 0f114614 ff15???????? }
            // n = 6, score = 200
            //   c7460855120000       | mov                 dword ptr [esi + 8], 0x1255
            //   0f1005????????       |                     
            //   51                   | push                ecx
            //   57                   | push                edi
            //   0f114614             | movups              xmmword ptr [esi + 0x14], xmm0
            //   ff15????????         |                     

        $sequence_22 = { 8b450c 8986cc010000 8d4580 50 ff15???????? 668b4594 6689460c }
            // n = 7, score = 200
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8986cc010000         | mov                 dword ptr [esi + 0x1cc], eax
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   668b4594             | mov                 ax, word ptr [ebp - 0x6c]
            //   6689460c             | mov                 word ptr [esi + 0xc], ax

        $sequence_23 = { 7411 6683f92e 7509 66399db0010000 7402 }
            // n = 5, score = 200
            //   7411                 | je                  0x13
            //   6683f92e             | cmp                 cx, 0x2e
            //   7509                 | jne                 0xb
            //   66399db0010000       | cmp                 word ptr [ebp + 0x1b0], bx
            //   7402                 | je                  4

        $sequence_24 = { c745d800000000 8b55fc 8b45d8 894214 8b4dfc }
            // n = 5, score = 200
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   894214               | mov                 dword ptr [edx + 0x14], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_25 = { ff15???????? 56 ff15???????? a810 746a 8b570c }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   a810                 | test                al, 0x10
            //   746a                 | je                  0x6c
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]

        $sequence_26 = { c700aaeeddff c74008010f0000 0f1086f0000000 c7400410000000 }
            // n = 4, score = 200
            //   c700aaeeddff         | mov                 dword ptr [eax], 0xffddeeaa
            //   c74008010f0000       | mov                 dword ptr [eax + 8], 0xf01
            //   0f1086f0000000       | movups              xmm0, xmmword ptr [esi + 0xf0]
            //   c7400410000000       | mov                 dword ptr [eax + 4], 0x10

        $sequence_27 = { 6a00 6a01 e8???????? 83c40c eb38 6a00 6a00 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb38                 | jmp                 0x3a
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_28 = { 0f8579ffffff 837dfc00 740a 8b4dfc 51 ff15???????? }
            // n = 6, score = 200
            //   0f8579ffffff         | jne                 0xffffff7f
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   740a                 | je                  0xc
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_29 = { 83e20f 8a8c0a00010000 300c18 40 3b4704 72e8 }
            // n = 6, score = 200
            //   83e20f               | and                 edx, 0xf
            //   8a8c0a00010000       | mov                 cl, byte ptr [edx + ecx + 0x100]
            //   300c18               | xor                 byte ptr [eax + ebx], cl
            //   40                   | inc                 eax
            //   3b4704               | cmp                 eax, dword ptr [edi + 4]
            //   72e8                 | jb                  0xffffffea

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules