win.slub

SLUB


There is no description at this point.

References
2020-12-15 — Trend Micro — William Gamazo Sanchez
Who is the Threat Actor Behind Operation Earth Kitsune?
Freenki Loader SLUB Earth Kitsune
2020-10-28 — Trend Micro — Aliakbar Zahravi, Cedric Pernet, Daniel Lunghi, Elliot Cao, Jaromír Hořejší, John Zhang, Joseph C Chen, William Gamazo Sanchez
Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB Earth Kitsune
2020-10-19 — Trend Micro — Aliakbar Zahravi, Cedric Pernet, Daniel Lunghi, Eliot Cao, Jaromír Hořejší, John Zhang, Joseph C. Chen, Nelson William Gamazo Sanchez
Operation Earth Kitsune: Tracking SLUB’s Current Operations
SLUB
2019-10-02 — Virus Bulletin — Daniel Lunghi, Jaromír Hořejší
Abusing third-party cloud services in targeted attacks
BadNews SLUB
2019-03-07 — Trend Micro — Cedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph Chen
New SLUB Backdoor Uses GitHub, Communicates via Slack
SLUB
Yara Rules
[TLP:WHITE] win_slub_auto (20230808 | Detects win.slub.)
rule win_slub_auto {

    // Autogenerated code-sequence signature for the SLUB backdoor (Malpedia
    // family win.slub). Ten short runs of 32-bit x86 machine code were selected
    // by yara-signator from the disassembly of unpacked samples / memory dumps;
    // the rule fires when at least seven of them are present in a file below
    // the size cap given in `condition`.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // `date` is the rule generation date; the malpedia_* fields below pin
        // the Malpedia data snapshot the sequences were derived from, which is
        // why they do not coincide with `date`.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.slub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used when picking and masking bytes:
        // call/jump targets, data references, and binary values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous run of x86 code; the per-byte
        // disassembly under each string is informational only and is not
        // evaluated by YARA. `??` wildcards mask operands that are not stable
        // across samples (relative call targets, absolute data/import
        // references — the `callsandjumps`/`datarefs` classes in
        // signator_config), so those instructions show no mnemonic.
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's selection score (100 for every sequence here).
        $sequence_0 = { ff742420 55 e8???????? 83c414 89442414 85c0 0f8512010000 }
            // n = 7, score = 100
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   85c0                 | test                eax, eax
            //   0f8512010000         | jne                 0x118

        $sequence_1 = { 807c241200 7407 c686e808000000 80beb406000000 740f ffb6b0060000 ff15???????? }
            // n = 7, score = 100
            //   807c241200           | cmp                 byte ptr [esp + 0x12], 0
            //   7407                 | je                  9
            //   c686e808000000       | mov                 byte ptr [esi + 0x8e8], 0
            //   80beb406000000       | cmp                 byte ptr [esi + 0x6b4], 0
            //   740f                 | je                  0x11
            //   ffb6b0060000         | push                dword ptr [esi + 0x6b0]
            //   ff15????????         |                     

        // Immediate values 0x8fe4cc / 0x8435a0 / 0x85e990 / 0x8fe4d8 are taken
        // literally here (not wildcarded), so this sequence is tied to the
        // layout of the sampled build and may not generalize to rebuilds.
        $sequence_2 = { c785bcf8ffffcce48f00 8bc8 c785c0f8ffffa0358400 c785c4f8ffff90e98500 e8???????? 8d95bcf8ffff c785bcf8ffffd8e48f00 }
            // n = 7, score = 100
            //   c785bcf8ffffcce48f00     | mov    dword ptr [ebp - 0x744], 0x8fe4cc
            //   8bc8                 | mov                 ecx, eax
            //   c785c0f8ffffa0358400     | mov    dword ptr [ebp - 0x740], 0x8435a0
            //   c785c4f8ffff90e98500     | mov    dword ptr [ebp - 0x73c], 0x85e990
            //   e8????????           |                     
            //   8d95bcf8ffff         | lea                 edx, [ebp - 0x744]
            //   c785bcf8ffffd8e48f00     | mov    dword ptr [ebp - 0x744], 0x8fe4d8

        $sequence_3 = { 85ff 750e 837d2c10 8d4518 0f43c2 3a08 7c13 }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   750e                 | jne                 0x10
            //   837d2c10             | cmp                 dword ptr [ebp + 0x2c], 0x10
            //   8d4518               | lea                 eax, [ebp + 0x18]
            //   0f43c2               | cmovae              eax, edx
            //   3a08                 | cmp                 cl, byte ptr [eax]
            //   7c13                 | jl                  0x15

        $sequence_4 = { 85c0 0f8443ffffff 8b96f4000000 85d2 0f8435ffffff 8b8df0000000 6690 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8443ffffff         | je                  0xffffff49
            //   8b96f4000000         | mov                 edx, dword ptr [esi + 0xf4]
            //   85d2                 | test                edx, edx
            //   0f8435ffffff         | je                  0xffffff3b
            //   8b8df0000000         | mov                 ecx, dword ptr [ebp + 0xf0]
            //   6690                 | nop                 

        $sequence_5 = { 6800000100 6a00 6801000100 56 ff15???????? 89442414 85c0 }
            // n = 7, score = 100
            //   6800000100           | push                0x10000
            //   6a00                 | push                0
            //   6801000100           | push                0x10001
            //   56                   | push                esi
            //   ff15????????         |                     
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   85c0                 | test                eax, eax

        $sequence_6 = { 898640010000 85c0 0f8416050000 57 e8???????? 83c404 85c0 }
            // n = 7, score = 100
            //   898640010000         | mov                 dword ptr [esi + 0x140], eax
            //   85c0                 | test                eax, eax
            //   0f8416050000         | je                  0x51c
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax

        // Only six instructions, and three of them are wildcarded; this is the
        // least specific sequence in the set.
        $sequence_7 = { e8???????? 50 68???????? ffb50cfdffff e8???????? ffb50cfdffff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   68????????           |                     
            //   ffb50cfdffff         | push                dword ptr [ebp - 0x2f4]
            //   e8????????           |                     
            //   ffb50cfdffff         | push                dword ptr [ebp - 0x2f4]

        $sequence_8 = { 8d8dc8ebffff 50 ffb5c8ebffff e8???????? 8b85c4ebffff c785dcebffff0f000000 c785d8ebffff00000000 }
            // n = 7, score = 100
            //   8d8dc8ebffff         | lea                 ecx, [ebp - 0x1438]
            //   50                   | push                eax
            //   ffb5c8ebffff         | push                dword ptr [ebp - 0x1438]
            //   e8????????           |                     
            //   8b85c4ebffff         | mov                 eax, dword ptr [ebp - 0x143c]
            //   c785dcebffff0f000000     | mov    dword ptr [ebp - 0x1424], 0xf
            //   c785d8ebffff00000000     | mov    dword ptr [ebp - 0x1428], 0

        $sequence_9 = { 8b86dc050000 89863c040000 8b86e0050000 898694040000 8b86e4050000 898640040000 8b86e8050000 }
            // n = 7, score = 100
            //   8b86dc050000         | mov                 eax, dword ptr [esi + 0x5dc]
            //   89863c040000         | mov                 dword ptr [esi + 0x43c], eax
            //   8b86e0050000         | mov                 eax, dword ptr [esi + 0x5e0]
            //   898694040000         | mov                 dword ptr [esi + 0x494], eax
            //   8b86e4050000         | mov                 eax, dword ptr [esi + 0x5e4]
            //   898640040000         | mov                 dword ptr [esi + 0x440], eax
            //   8b86e8050000         | mov                 eax, dword ptr [esi + 0x5e8]

    condition:
        // 7 of the 10 sequences must match, and the scanned object must be
        // smaller than 1785856 bytes (~1.7 MiB).
        // NOTE(review): YARA's `filesize` is undefined when scanning a running
        // process, which makes this condition evaluate false there; the rule is
        // therefore intended for files and unpacked dumps on disk — confirm
        // against the scan mode used in your deployment.
        7 of them and filesize < 1785856
}