win.slub

SLUB


There is no description at this point.

References
2020-12-15 — Trend Micro — William Gamazo Sanchez
@online{sanchez:20201215:who:c723930, author = {William Gamazo Sanchez}, title = {{Who is the Threat Actor Behind Operation Earth Kitsune?}}, date = {2020-12-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html}, language = {English}, urldate = {2020-12-16} } Who is the Threat Actor Behind Operation Earth Kitsune?
Freenki Loader SLUB
2020-10-28 — Trend Micro — William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C Chen, John Zhang
@online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB
2020-10-19 — Trend Micro — Nelson William Gamazo Sanchez, Aliakbar Zahravi, John Zhang, Eliot Cao, Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph C. Chen
@techreport{sanchez:20201019:operation:e613dd2, author = {Nelson William Gamazo Sanchez and Aliakbar Zahravi and John Zhang and Eliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C. Chen}, title = {{Operation Earth Kitsune: Tracking SLUB’s Current Operations}}, date = {2020-10-19}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf}, language = {English}, urldate = {2020-10-21} } Operation Earth Kitsune: Tracking SLUB’s Current Operations
SLUB
2019-10-02 — Virus Bulletin — Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20191002:abusing:3c9a1b7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Abusing third-party cloud services in targeted attacks}}, date = {2019-10-02}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf}, language = {English}, urldate = {2020-01-13} } Abusing third-party cloud services in targeted attacks
BadNews SLUB
2019-03-07 — Trend Micro — Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph Chen
@online{pernet:20190307:new:593e5b1, author = {Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph Chen}, title = {{New SLUB Backdoor Uses GitHub, Communicates via Slack}}, date = {2019-03-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/}, language = {English}, urldate = {2019-10-18} } New SLUB Backdoor Uses GitHub, Communicates via Slack
SLUB
Yara Rules
[TLP:WHITE] win_slub_auto (20210616 | Detects win.slub.)
rule win_slub_auto {

    /* Purpose: code-pattern detection for win.slub (the SLUB family as tracked
     * by Malpedia). The ten $sequence_* strings below are short runs of x86
     * machine code selected automatically from Malpedia sample material; the
     * rule fires when at least 7 of the 10 sequences are found in a scanned
     * object that is smaller than the bound given in the condition.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Date the rule itself was generated. malpedia_rule_date and
        // malpedia_version below refer to the Malpedia dataset snapshot the
        // rule was built against / published with, hence the differing dates.
        date = "2021-06-10"
        version = "1"
        description = "Detects win.slub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature classes used to pick the sequences
        // (call/jump sequences, data references, binary values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) - operational caveats for this rule:
     *  - Each $sequence_* is a run of raw opcode bytes; the comment under each
     *    one gives the generator's disassembly (32-bit x86 syntax) instruction by
     *    instruction. "??" bytes are wildcards over immediate/address operands
     *    (68 ?? ?? ?? ?? = push imm32, ff15 ?? ?? ?? ?? = call [abs32],
     *    e8 ?? ?? ?? ?? = call rel32), presumably so that addresses that differ
     *    between builds or load bases do not break the match.
     *  - The sequences look like ordinary compiler-generated prologue/epilogue,
     *    field-access and call code rather than family-unique strings or
     *    constants. That makes the rule robust to string obfuscation, but the
     *    patterns may come from a single sample (see DISCLAIMER above) - validate
     *    against a clean-file corpus before assigning high confidence or taking
     *    blocking action on a hit.
     *  - The bytes were taken from unpacked/memory-dumped code, so a packed
     *    on-disk sample will generally not match; scan unpacked images or
     *    process memory.
     */
    strings:
        $sequence_0 = { c3 80784600 7477 8d4c241c 51 6a23 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   80784600             | cmp                 byte ptr [eax + 0x46], 0
            //   7477                 | je                  0x79
            //   8d4c241c             | lea                 ecx, dword ptr [esp + 0x1c]
            //   51                   | push                ecx
            //   6a23                 | push                0x23

        $sequence_1 = { 8b4c2410 833b00 7526 c785c009000000000000 33c0 c785c409000000000000 c785c809000000000000 }
            // n = 7, score = 100
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   7526                 | jne                 0x28
            //   c785c009000000000000     | mov    dword ptr [ebp + 0x9c0], 0
            //   33c0                 | xor                 eax, eax
            //   c785c409000000000000     | mov    dword ptr [ebp + 0x9c4], 0
            //   c785c809000000000000     | mov    dword ptr [ebp + 0x9c8], 0

        $sequence_2 = { f6404420 7433 80bb8802000000 752a 68???????? ff15???????? 83c404 }
            // n = 7, score = 100
            //   f6404420             | test                byte ptr [eax + 0x44], 0x20
            //   7433                 | je                  0x35
            //   80bb8802000000       | cmp                 byte ptr [ebx + 0x288], 0
            //   752a                 | jne                 0x2c
            //   68????????           |                     
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4

        $sequence_3 = { 80e201 5d 8bc3 88918d040000 5b 83c408 c3 }
            // n = 7, score = 100
            //   80e201               | and                 dl, 1
            //   5d                   | pop                 ebp
            //   8bc3                 | mov                 eax, ebx
            //   88918d040000         | mov                 byte ptr [ecx + 0x48d], dl
            //   5b                   | pop                 ebx
            //   83c408               | add                 esp, 8
            //   c3                   | ret                 

        $sequence_4 = { ff742428 6a02 53 e8???????? 8b542430 83c410 85d2 }
            // n = 7, score = 100
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   83c410               | add                 esp, 0x10
            //   85d2                 | test                edx, edx

        $sequence_5 = { 56 57 8bbc2450010000 8bd8 c1e304 be10020000 03df }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bbc2450010000       | mov                 edi, dword ptr [esp + 0x150]
            //   8bd8                 | mov                 ebx, eax
            //   c1e304               | shl                 ebx, 4
            //   be10020000           | mov                 esi, 0x210
            //   03df                 | add                 ebx, edi

        $sequence_6 = { c3 389eb4090000 7417 33c0 b916000000 388600050000 5f }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   389eb4090000         | cmp                 byte ptr [esi + 0x9b4], bl
            //   7417                 | je                  0x19
            //   33c0                 | xor                 eax, eax
            //   b916000000           | mov                 ecx, 0x16
            //   388600050000         | cmp                 byte ptr [esi + 0x500], al
            //   5f                   | pop                 edi

        $sequence_7 = { 5e 8991b8080000 ff83b4080000 838b3401000010 5d 5b }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   8991b8080000         | mov                 dword ptr [ecx + 0x8b8], edx
            //   ff83b4080000         | inc                 dword ptr [ebx + 0x8b4]
            //   838b3401000010       | or                  dword ptr [ebx + 0x134], 0x10
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

        $sequence_8 = { ff742424 e8???????? 83c410 5d 5f 5e 5b }
            // n = 7, score = 100
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   5d                   | pop                 ebp
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_9 = { c1e803 89442410 85c0 741f 50 ff742424 55 }
            // n = 7, score = 100
            //   c1e803               | shr                 eax, 3
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   50                   | push                eax
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   55                   | push                ebp

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be under 1785856 bytes (~1.7 MiB) - the bound is
        // presumably set relative to the reference sample size. How `filesize`
        // behaves for process/memory scans depends on the YARA version; verify
        // before relying on this bound outside plain file scanning.
        7 of them and filesize < 1785856
}