win.slub

SLUB


There is no description at this point.

References
2019-10-02Virus BulletinDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20191002:abusing:3c9a1b7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Abusing third-party cloud services in targeted attacks}}, date = {2019-10-02}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf}, language = {English}, urldate = {2020-01-13} } Abusing third-party cloud services in targeted attacks
BadNews SLUB
2019-03-07Trend MicroCedric Pernet, Daniel Lunghi, Jaromír Hořejší, Joseph Chen
@online{pernet:20190307:new:593e5b1, author = {Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph Chen}, title = {{New SLUB Backdoor Uses GitHub, Communicates via Slack}}, date = {2019-03-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/}, language = {English}, urldate = {2019-10-18} } New SLUB Backdoor Uses GitHub, Communicates via Slack
SLUB
Yara Rules
[TLP:WHITE] win_slub_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia auto-generated detection rule for the SLUB backdoor (win.slub).
 * Ten seven-instruction byte sequences ($sequence_0 .. $sequence_9) were
 * lifted from disassembly by yara-signator. In each hex string the `??`
 * wildcards mask operands that vary between builds: call/jmp displacements
 * (e8 / e9 ....), pushed absolute addresses (68 ....) and indirect-call
 * targets (ff15 ....). The rule fires when at least 7 of the 10 sequences
 * are present and the scanned file is smaller than 1,785,856 bytes.
 */
rule win_slub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` is one day later than malpedia_rule_date and
        // malpedia_version below; presumably publication vs. generation date.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is annotated with the instruction it encodes;
        // `n` is the instruction count, `score` the generator's selection score.
        $sequence_0 = { ff4810 e8???????? 83c404 8b4624 83f811 0f8d34010000 85ff }
            // n = 7, score = 100
            //   ff4810               | dec                 dword ptr [eax + 0x10]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b4624               | mov                 eax, dword ptr [esi + 0x24]
            //   83f811               | cmp                 eax, 0x11
            //   0f8d34010000         | jge                 0x13a
            //   85ff                 | test                edi, edi

        $sequence_1 = { eb05 1bc0 83c801 85c0 7516 5f b802800000 }
            // n = 7, score = 100
            //   eb05                 | jmp                 7
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   5f                   | pop                 edi
            //   b802800000           | mov                 eax, 0x8002

        $sequence_2 = { e9???????? 807c243500 7416 837e2403 0f84440d0000 c7462403000000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   807c243500           | cmp                 byte ptr [esp + 0x35], 0
            //   7416                 | je                  0x18
            //   837e2403             | cmp                 dword ptr [esi + 0x24], 3
            //   0f84440d0000         | je                  0xd4a
            //   c7462403000000       | mov                 dword ptr [esi + 0x24], 3
            //   e9????????           |                     

        $sequence_3 = { c3 56 8b74240c 68???????? ff36 e8???????? 83c408 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   68????????           |                     
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_4 = { e9???????? 83f904 0f84dc0c0000 c7462404000000 e9???????? 8b3b 896c2414 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   83f904               | cmp                 ecx, 4
            //   0f84dc0c0000         | je                  0xce2
            //   c7462404000000       | mov                 dword ptr [esi + 0x24], 4
            //   e9????????           |                     
            //   8b3b                 | mov                 edi, dword ptr [ebx]
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp

        // NOTE(review): the four `c783...` moves below carry a fixed 32-bit
        // immediate (0x8d4820) that is NOT wildcarded. It looks like an
        // absolute in-image address, so this sequence may fail to match a
        // sample built at a different image base — confirm before weighting it.
        $sequence_5 = { c783d800000020488d00 c783d400000020488d00 c70600000000 c783e800000020488d00 c783e400000020488d00 3bfd 7379 }
            // n = 7, score = 100
            //   c783d800000020488d00     | mov    dword ptr [ebx + 0xd8], 0x8d4820
            //   c783d400000020488d00     | mov    dword ptr [ebx + 0xd4], 0x8d4820
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c783e800000020488d00     | mov    dword ptr [ebx + 0xe8], 0x8d4820
            //   c783e400000020488d00     | mov    dword ptr [ebx + 0xe4], 0x8d4820
            //   3bfd                 | cmp                 edi, ebp
            //   7379                 | jae                 0x7b

        $sequence_6 = { ffd0 ff7634 ff15???????? 83c404 894638 85c0 0f84d9010000 }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   ff7634               | push                dword ptr [esi + 0x34]
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   894638               | mov                 dword ptr [esi + 0x38], eax
            //   85c0                 | test                eax, eax
            //   0f84d9010000         | je                  0x1df

        $sequence_7 = { e8???????? 8d8680000000 50 e8???????? 8d4614 6a00 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d8680000000         | lea                 eax, [esi + 0x80]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4614               | lea                 eax, [esi + 0x14]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_8 = { e8???????? 83ec18 c785c4fbffff0f000000 8bcc 89a558fbffff c785c0fbffff00000000 c685b0fbffff00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   c785c4fbffff0f000000     | mov    dword ptr [ebp - 0x43c], 0xf
            //   8bcc                 | mov                 ecx, esp
            //   89a558fbffff         | mov                 dword ptr [ebp - 0x4a8], esp
            //   c785c0fbffff00000000     | mov    dword ptr [ebp - 0x440], 0
            //   c685b0fbffff00       | mov                 byte ptr [ebp - 0x450], 0

        // NOTE(review): `mov dword ptr fs:[0], ecx` looks like a compiler-emitted
        // SEH-frame teardown, an idiom shared by many 32-bit Windows binaries;
        // this sequence is therefore probably less family-specific than the others.
        $sequence_9 = { e8???????? 8a8533faffff 83c404 8b4df4 64890d00000000 59 5f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8a8533faffff         | mov                 al, byte ptr [ebp - 0x5cd]
            //   83c404               | add                 esp, 4
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

    condition:
        // At least 7 of the 10 sequences must be present, which tolerates a few
        // build-to-build differences. `filesize` is undefined when YARA scans a
        // running process, so this rule is meant for files and memory dumps on
        // disk — consistent with the yara-signator data source in the disclaimer.
        7 of them and filesize < 1785856
}