SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sisfader (Back to overview)

Sisfader

Actor(s): Hellsing


There is no description at this point.

References
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2018-08-02Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears
Sisfader
2018-06-12NCC GroupBen Humphrey
@online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT
Sisfader
Yara Rules
[TLP:WHITE] win_sisfader_auto (20211008 | Detects win.sisfader.)
rule win_sisfader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sisfader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_1 = { 85c9 741f 33c0 85c9 }
            // n = 4, score = 300
            //   85c9                 | test                ecx, ecx
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx

        $sequence_2 = { 8be8 8d4840 ff15???????? 0f1005???????? }
            // n = 4, score = 200
            //   8be8                 | mov                 ebp, eax
            //   8d4840               | lea                 ecx, dword ptr [eax + 0x40]
            //   ff15????????         |                     
            //   0f1005????????       |                     

        $sequence_3 = { 3b4a04 72ee 8b4204 8bcf }
            // n = 4, score = 200
            //   3b4a04               | cmp                 ecx, dword ptr [edx + 4]
            //   72ee                 | jb                  0xfffffff0
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8bcf                 | mov                 ecx, edi

        $sequence_4 = { 8b55fc 837a1400 743b 8b45fc 8b08 8b55f4 035128 }
            // n = 7, score = 200
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   837a1400             | cmp                 dword ptr [edx + 0x14], 0
            //   743b                 | je                  0x3d
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   035128               | add                 edx, dword ptr [ecx + 0x28]

        $sequence_5 = { 85c0 753b 8b4704 83c024 2bd8 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   753b                 | jne                 0x3d
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   83c024               | add                 eax, 0x24
            //   2bd8                 | sub                 ebx, eax

        $sequence_6 = { 8d8698010000 50 ff15???????? 8d4514 50 }
            // n = 5, score = 200
            //   8d8698010000         | lea                 eax, dword ptr [esi + 0x198]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4514               | lea                 eax, dword ptr [ebp + 0x14]
            //   50                   | push                eax

        $sequence_7 = { c705????????10000000 8b442430 8905???????? c705????????07000000 8b442438 8905???????? }
            // n = 6, score = 200
            //   c705????????10000000     |     
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   8905????????         |                     
            //   c705????????07000000     |     
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8905????????         |                     

        $sequence_8 = { 56 8b8b68010000 85c9 0f85aa000000 66394b48 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   8b8b68010000         | mov                 ecx, dword ptr [ebx + 0x168]
            //   85c9                 | test                ecx, ecx
            //   0f85aa000000         | jne                 0xb0
            //   66394b48             | cmp                 word ptr [ebx + 0x48], cx

        $sequence_9 = { 8b4038 89442434 837c243400 0f8e9f000000 }
            // n = 4, score = 200
            //   8b4038               | mov                 eax, dword ptr [eax + 0x38]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   837c243400           | cmp                 dword ptr [esp + 0x34], 0
            //   0f8e9f000000         | jle                 0xa5

        $sequence_10 = { 8bec 83ec60 c745fc00000000 c745e000000000 6a40 8b450c }
            // n = 6, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec60               | sub                 esp, 0x60
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   6a40                 | push                0x40
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_11 = { 85c0 7407 33c0 e9???????? ba01000000 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ba01000000           | mov                 edx, 1

        $sequence_12 = { ff9424b0000000 89842480000000 83bc248000000000 750d b95a040000 }
            // n = 5, score = 200
            //   ff9424b0000000       | call                dword ptr [esp + 0xb0]
            //   89842480000000       | mov                 dword ptr [esp + 0x80], eax
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0
            //   750d                 | jne                 0xf
            //   b95a040000           | mov                 ecx, 0x45a

        $sequence_13 = { b842000000 6bc800 8b5510 0fb7440a40 85c0 7422 }
            // n = 6, score = 200
            //   b842000000           | mov                 eax, 0x42
            //   6bc800               | imul                ecx, eax, 0
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   0fb7440a40           | movzx               eax, word ptr [edx + ecx + 0x40]
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24

        $sequence_14 = { 837d0800 751f 8b451c 50 8b4d18 }
            // n = 5, score = 200
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   751f                 | jne                 0x21
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]
            //   50                   | push                eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        $sequence_15 = { 89442450 837c245000 7402 eb12 c744245401000000 33c0 85c0 }
            // n = 7, score = 200
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4
            //   eb12                 | jmp                 0x14
            //   c744245401000000     | mov                 dword ptr [esp + 0x54], 1
            //   33c0                 | xor                 eax, eax
            //   85c0                 | test                eax, eax

        $sequence_16 = { 8d87d0000000 50 ffb7cc000000 8d4f66 ffb7c8000000 e8???????? }
            // n = 6, score = 200
            //   8d87d0000000         | lea                 eax, dword ptr [edi + 0xd0]
            //   50                   | push                eax
            //   ffb7cc000000         | push                dword ptr [edi + 0xcc]
            //   8d4f66               | lea                 ecx, dword ptr [edi + 0x66]
            //   ffb7c8000000         | push                dword ptr [edi + 0xc8]
            //   e8????????           |                     

        $sequence_17 = { 57 0f114614 ff15???????? 85c0 0f84b3000000 8b44240c 85c0 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   0f114614             | movups              xmmword ptr [esi + 0x14], xmm0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84b3000000         | je                  0xb9
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   85c0                 | test                eax, eax

        $sequence_18 = { 894708 817908020f0000 0f8573010000 83790410 c7442470dcff0000 }
            // n = 5, score = 200
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   817908020f0000       | cmp                 dword ptr [ecx + 8], 0xf02
            //   0f8573010000         | jne                 0x179
            //   83790410             | cmp                 dword ptr [ecx + 4], 0x10
            //   c7442470dcff0000     | mov                 dword ptr [esp + 0x70], 0xffdc

        $sequence_19 = { ba08020000 0f114014 c7400856120000 89580c }
            // n = 4, score = 200
            //   ba08020000           | mov                 edx, 0x208
            //   0f114014             | movups              xmmword ptr [eax + 0x14], xmm0
            //   c7400856120000       | mov                 dword ptr [eax + 8], 0x1256
            //   89580c               | mov                 dword ptr [eax + 0xc], ebx

        $sequence_20 = { 746b c744242000000000 eb0a 8b442420 ffc0 }
            // n = 5, score = 200
            //   746b                 | je                  0x6d
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   eb0a                 | jmp                 0xc
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   ffc0                 | inc                 eax

        $sequence_21 = { 8b5108 52 ff15???????? 83c404 8b45fc 83780400 }
            // n = 6, score = 200
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83780400             | cmp                 dword ptr [eax + 4], 0

        $sequence_22 = { 8b442448 89442420 837c242001 7402 eb05 e8???????? b801000000 }
            // n = 7, score = 200
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   837c242001           | cmp                 dword ptr [esp + 0x20], 1
            //   7402                 | je                  4
            //   eb05                 | jmp                 7
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1

        $sequence_23 = { 33d2 b904000000 e8???????? 33c0 83f801 7425 baffffffff }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   b904000000           | mov                 ecx, 4
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   83f801               | cmp                 eax, 1
            //   7425                 | je                  0x27
            //   baffffffff           | mov                 edx, 0xffffffff

        $sequence_24 = { 6804010000 50 6a00 ff15???????? 8d8574fdffff 50 ff15???????? }
            // n = 7, score = 200
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d8574fdffff         | lea                 eax, dword ptr [ebp - 0x28c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_25 = { 51 c745fc60010000 837d0800 7423 }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   c745fc60010000       | mov                 dword ptr [ebp - 4], 0x160
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7423                 | je                  0x25

        $sequence_26 = { 0f8579ffffff 837dfc00 740a 8b4dfc 51 ff15???????? }
            // n = 6, score = 200
            //   0f8579ffffff         | jne                 0xffffff7f
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   740a                 | je                  0xc
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_27 = { 7479 837c242005 0f8480000000 e9???????? }
            // n = 4, score = 200
            //   7479                 | je                  0x7b
            //   837c242005           | cmp                 dword ptr [esp + 0x20], 5
            //   0f8480000000         | je                  0x86
            //   e9????????           |                     

        $sequence_28 = { 83793000 0f85be000000 8b55fc 8b45f0 034220 }
            // n = 5, score = 200
            //   83793000             | cmp                 dword ptr [ecx + 0x30], 0
            //   0f85be000000         | jne                 0xc4
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   034220               | add                 eax, dword ptr [edx + 0x20]

        $sequence_29 = { ff15???????? 85c0 75c7 eb05 c644242001 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75c7                 | jne                 0xffffffc9
            //   eb05                 | jmp                 7
            //   c644242001           | mov                 byte ptr [esp + 0x20], 1

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules