win.sisfader

Sisfader

Actor(s): Hellsing


There is no description at this point.

References
2020-01-29 — nao_sec blog — nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2018-08-02 — Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears
Sisfader
2018-06-12 — NCC Group — Ben Humphrey
@online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT
Sisfader
Yara Rules
[TLP:WHITE] win_sisfader_auto (20210616 | Detects win.sisfader.)
rule win_sisfader_auto {

    /*
     * Purpose: code-pattern signature for the Sisfader RAT (Malpedia id win.sisfader),
     * autogenerated by yara-signator from the disassembly of unpacked samples and
     * memory dumps (see the DISCLAIMER below).
     *
     * How it matches: each $sequence_N is a short run of x86 opcode bytes. The `??`
     * wildcards mask operand bytes that differ between builds or after relocation
     * (e.g. the rel32 target of `e8` call, the absolute address in `ff15` call /
     * `a3` mov / `c705` mov-imm / `8905` mov). The condition requires 7 of the 30
     * sequences plus a size cap, so a single coincidental sequence in an unrelated
     * binary is not enough for a hit.
     *
     * Per-sequence annotations: `n` is the number of instructions in the sequence
     * (visible in the listing); `score` is yara-signator's ranking value for the
     * sequence — NOTE(review): the exact scoring semantics are not documented on
     * this page, treat higher as "more distinctive", and confirm against the tool.
     *
     * Deployment notes for defenders:
     *  - The patterns come from unpacked code, so a packed on-disk sample will
     *    likely not match until unpacked or dumped from memory.
     *  - `filesize` is only meaningful for file scans; for process-memory scans it
     *    is undefined, which can make the condition fail there — NOTE(review):
     *    confirm the behaviour for the YARA version in use.
     *  - Per the disclaimer, the rule may be derived from a single sample; assign
     *    a confidence level accordingly and pair hits with other telemetry.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.sisfader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Highest-scored sequences first ($sequence_0, $sequence_1 at score 300).
        $sequence_0 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_1 = { 741f 33c0 85c9 7419 }
            // n = 4, score = 300
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   7419                 | je                  0x1b

        $sequence_2 = { 6a0c 8d45ec c745ec01000000 50 0f57c0 }
            // n = 5, score = 200
            //   6a0c                 | push                0xc
            //   8d45ec               | lea                 eax, dword ptr [ebp - 0x14]
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1
            //   50                   | push                eax
            //   0f57c0               | xorps               xmm0, xmm0

        $sequence_3 = { 0f84cd010000 6683f92e 750f 6683bc248000000000 0f84b8010000 }
            // n = 5, score = 200
            // Compares a 16-bit value against 0x2e ('.'), consistent with wide-char
            // string handling; what is being parsed is not visible here.
            //   0f84cd010000         | je                  0x1d3
            //   6683f92e             | cmp                 cx, 0x2e
            //   750f                 | jne                 0x11
            //   6683bc248000000000     | cmp    word ptr [esp + 0x80], 0
            //   0f84b8010000         | je                  0x1be

        $sequence_4 = { ff9424b0000000 89842480000000 83bc248000000000 750d b95a040000 }
            // n = 5, score = 200
            //   ff9424b0000000       | call                dword ptr [esp + 0xb0]
            //   89842480000000       | mov                 dword ptr [esp + 0x80], eax
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0
            //   750d                 | jne                 0xf
            //   b95a040000           | mov                 ecx, 0x45a

        $sequence_5 = { a3???????? 833d????????00 7510 6a00 6a00 }
            // n = 5, score = 200
            // `a3` = mov [abs32], eax and `833d ... 00` = cmp dword ptr [abs32], 0;
            // the global addresses are wildcarded.
            //   a3????????           |                     
            //   833d????????00       |                     
            //   7510                 | jne                 0x12
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { 50 ff15???????? 83c404 8b4dfc 83790800 }
            // n = 5, score = 200
            // `ff15` = call dword ptr [abs32] (import call), target wildcarded;
            // `add esp, 4` afterwards is a cdecl cleanup of the one pushed argument.
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83790800             | cmp                 dword ptr [ecx + 8], 0

        $sequence_7 = { 746b c744242000000000 eb0a 8b442420 ffc0 }
            // n = 5, score = 200
            //   746b                 | je                  0x6d
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   eb0a                 | jmp                 0xc
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   ffc0                 | inc                 eax

        $sequence_8 = { 8a8c0a00010000 300c18 40 3b4704 72e8 }
            // n = 5, score = 200
            // Byte-wise XOR loop: reads a key byte from a 0x100-byte table, xors it
            // into the buffer at [eax + ebx], increments and loops while below the
            // length at [edi + 4]. Looks like a decoding routine — the key and the
            // buffer's role are not determinable from this fragment.
            //   8a8c0a00010000       | mov                 cl, byte ptr [edx + ecx + 0x100]
            //   300c18               | xor                 byte ptr [eax + ebx], cl
            //   40                   | inc                 eax
            //   3b4704               | cmp                 eax, dword ptr [edi + 4]
            //   72e8                 | jb                  0xffffffea

        $sequence_9 = { e9???????? c744243c00000000 eb34 8b44243c ffc0 8944243c }
            // n = 6, score = 200
            //   e9????????           |                     
            //   c744243c00000000     | mov                 dword ptr [esp + 0x3c], 0
            //   eb34                 | jmp                 0x36
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   ffc0                 | inc                 eax
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_10 = { 89442438 8b442448 89442434 837c243403 }
            // n = 4, score = 200
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   837c243403           | cmp                 dword ptr [esp + 0x34], 3

        $sequence_11 = { 89442450 837c245000 7402 eb12 c744245401000000 33c0 }
            // n = 6, score = 200
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4
            //   eb12                 | jmp                 0x14
            //   c744245401000000     | mov                 dword ptr [esp + 0x54], 1
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { ffd6 8b4df8 8945ec 85c9 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   85c9                 | test                ecx, ecx

        $sequence_13 = { 83793000 0f85be000000 8b55fc 8b45f0 034220 }
            // n = 5, score = 200
            //   83793000             | cmp                 dword ptr [ecx + 0x30], 0
            //   0f85be000000         | jne                 0xc4
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   034220               | add                 eax, dword ptr [edx + 0x20]

        $sequence_14 = { 33d2 b901000000 e8???????? eb3b }
            // n = 4, score = 200
            //   33d2                 | xor                 edx, edx
            //   b901000000           | mov                 ecx, 1
            //   e8????????           |                     
            //   eb3b                 | jmp                 0x3d

        $sequence_15 = { 53 8b5d10 66833b00 0f8594000000 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   66833b00             | cmp                 word ptr [ebx], 0
            //   0f8594000000         | jne                 0x9a

        $sequence_16 = { 7423 6666660f1f840000000000 8bc2 ffc2 }
            // n = 4, score = 200
            // The 11-byte `nop word ptr [eax + eax]` is compiler loop-alignment
            // padding; its exact encoding is compiler-specific, which makes this
            // sequence somewhat build-dependent.
            //   7423                 | je                  0x25
            //   6666660f1f840000000000     | nop    word ptr [eax + eax]
            //   8bc2                 | mov                 eax, edx
            //   ffc2                 | inc                 edx

        $sequence_17 = { 33c0 0f8579ffffff 837dfc00 740a 8b4dfc 51 ff15???????? }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   0f8579ffffff         | jne                 0xffffff7f
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   740a                 | je                  0xc
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_18 = { 8bec c705????????10000000 8b4508 a3???????? c705????????07000000 8b4d0c }
            // n = 6, score = 200
            // Function prologue followed by stores of constants (0x10, 7) and the
            // first argument into global variables; `c705` = mov dword ptr [abs32], imm32
            // with the address wildcarded. Same pattern as $sequence_28.
            //   8bec                 | mov                 ebp, esp
            //   c705????????10000000     |     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   a3????????           |                     
            //   c705????????07000000     |     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_19 = { 3b1e 743d 85db 7508 891e eb35 }
            // n = 6, score = 200
            //   3b1e                 | cmp                 ebx, dword ptr [esi]
            //   743d                 | je                  0x3f
            //   85db                 | test                ebx, ebx
            //   7508                 | jne                 0xa
            //   891e                 | mov                 dword ptr [esi], ebx
            //   eb35                 | jmp                 0x37

        $sequence_20 = { ff15???????? 85c0 7e2c 03d8 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7e2c                 | jle                 0x2e
            //   03d8                 | add                 ebx, eax

        $sequence_21 = { ff5048 b97f000000 ff15???????? eb05 }
            // n = 4, score = 200
            //   ff5048               | call                dword ptr [eax + 0x48]
            //   b97f000000           | mov                 ecx, 0x7f
            //   ff15????????         |                     
            //   eb05                 | jmp                 7

        $sequence_22 = { e9???????? 8b45fc 8b08 8b55f8 8b4134 2b4234 8945d0 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   2b4234               | sub                 eax, dword ptr [edx + 0x34]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_23 = { 41 3b4a04 72ee 8b4204 8bcf 83c024 }
            // n = 6, score = 200
            // Tail of a counted loop (inc / cmp against [edx + 4] / jb back),
            // followed by the loop exit computing [edx + 4] + 0x24.
            //   41                   | inc                 ecx
            //   3b4a04               | cmp                 ecx, dword ptr [edx + 4]
            //   72ee                 | jb                  0xfffffff0
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8bcf                 | mov                 ecx, edi
            //   83c024               | add                 eax, 0x24

        $sequence_24 = { 8905???????? c705????????00000000 8b442440 8905???????? }
            // n = 4, score = 200
            // `8905` = mov dword ptr [abs32], eax; global addresses wildcarded.
            //   8905????????         |                     
            //   c705????????00000000     |     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   8905????????         |                     

        $sequence_25 = { e8???????? 83c404 c744240c30020000 c744241800000000 8d44242c ba30020000 }
            // n = 6, score = 200
            // The immediate 0x230 (560) appears twice (a stack slot and edx);
            // its meaning is not visible in this fragment.
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c744240c30020000     | mov                 dword ptr [esp + 0xc], 0x230
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   8d44242c             | lea                 eax, dword ptr [esp + 0x2c]
            //   ba30020000           | mov                 edx, 0x230

        $sequence_26 = { 83e00f 0fb60410 304124 3b5f04 72e9 }
            // n = 5, score = 200
            // Second byte-wise XOR loop (compare with $sequence_8): the key index is
            // masked with 0xf, i.e. a 16-byte key table appears to be cycled over
            // the target at [ecx + 0x24]; loop bound again at [edi + 4].
            //   83e00f               | and                 eax, 0xf
            //   0fb60410             | movzx               eax, byte ptr [eax + edx]
            //   304124               | xor                 byte ptr [ecx + 0x24], al
            //   3b5f04               | cmp                 ebx, dword ptr [edi + 4]
            //   72e9                 | jb                  0xffffffeb

        $sequence_27 = { 837de000 740a 8d8580feffff 50 ff55e0 33c9 0f8543ffffff }
            // n = 7, score = 200
            // Indirect call through a stack-held function pointer ([ebp - 0x20]),
            // guarded by a NULL check, with a 0x180-byte stack buffer as argument.
            //   837de000             | cmp                 dword ptr [ebp - 0x20], 0
            //   740a                 | je                  0xc
            //   8d8580feffff         | lea                 eax, dword ptr [ebp - 0x180]
            //   50                   | push                eax
            //   ff55e0               | call                dword ptr [ebp - 0x20]
            //   33c9                 | xor                 ecx, ecx
            //   0f8543ffffff         | jne                 0xffffff49

        $sequence_28 = { 8b4d0c 890d???????? c705????????00000000 8b5510 8915???????? c705????????b80b0000 }
            // n = 6, score = 200
            // Continuation of the global-initialisation pattern in $sequence_18:
            // arguments 2 and 3 and the constants 0 and 0xbb8 (3000) are stored to
            // wildcarded global addresses (`890d`/`8915` = mov [abs32], ecx/edx).
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   890d????????         |                     
            //   c705????????00000000     |     
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8915????????         |                     
            //   c705????????b80b0000     |     

        $sequence_29 = { c744244854120000 0f11442454 c744245061090000 e8???????? }
            // n = 4, score = 200
            // Stack-structure initialisation with the constants 0x1254 and 0x961 and
            // a 16-byte store from xmm0; their meaning is not visible here.
            //   c744244854120000     | mov                 dword ptr [esp + 0x48], 0x1254
            //   0f11442454           | movups              xmmword ptr [esp + 0x54], xmm0
            //   c744245061090000     | mov                 dword ptr [esp + 0x50], 0x961
            //   e8????????           |                     

    condition:
        // Require 7 of the 30 sequences to reduce false positives from shared
        // compiler idioms (prologues, counted loops), and cap the scanned object at
        // 417792 bytes (408 KiB) to skip large files cheaply. Raise the threshold if
        // hits on unrelated software are observed; lower it only with corroboration.
        7 of them and filesize < 417792
}