win.smominru

Smominru

aka: Ismo

There is no description at this point.

References
2018-01-31 — Proofpoint — Kafeine
@online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } Smominru Monero mining botnet making millions for operators
MyKings Spreader Smominru
2018-01-24 — JiaYu
@online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } MyKings: A massively multiple botnet
MyKings Spreader Smominru
Yara Rules
[TLP:WHITE] win_smominru_auto (20230125 | Detects win.smominru.)
rule win_smominru_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.smominru."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): every $sequence_N below is a raw x86 (32-bit) byte pattern
     * lifted from one sample's disassembly. "??" bytes are wildcards that stand
     * in for call targets and data references that differ between builds.
     * Several patterns ($sequence_0, $sequence_8, $sequence_13, $sequence_14)
     * embed the literal rel32 displacement of a je/jne (e.g. 0f8439b3ab7b), so
     * they are tied to that sample's exact code layout; a rebuilt or
     * differently linked variant will likely not reproduce those bytes, which
     * is why the condition only asks for a subset of the sequences.
     */

    strings:
        $sequence_0 = { 832100 8b4508 83f8f4 0f8439b3ab7b 83f8f5 0f841cb3ab7b }
            // n = 6, score = 100
            //   832100               | and                 dword ptr [ecx], 0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83f8f4               | cmp                 eax, -0xc
            //   0f8439b3ab7b         | je                  0x7babb33f
            //   83f8f5               | cmp                 eax, -0xb
            //   0f841cb3ab7b         | je                  0x7babb322

        $sequence_1 = { 8a00 2c01 0f8367240000 bf04000000 c602d5 c70105000000 83c602 }
            // n = 7, score = 100
            //   8a00                 | mov                 al, byte ptr [eax]
            //   2c01                 | sub                 al, 1
            //   0f8367240000         | jae                 0x246d
            //   bf04000000           | mov                 edi, 4
            //   c602d5               | mov                 byte ptr [edx], 0xd5
            //   c70105000000         | mov                 dword ptr [ecx], 5
            //   83c602               | add                 esi, 2

        $sequence_2 = { 8b15???????? 8b12 8b92b4000000 8d14fa e8???????? 8b45f8 e8???????? }
            // n = 7, score = 100
            //   8b15????????         |                     
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   8b92b4000000         | mov                 edx, dword ptr [edx + 0xb4]
            //   8d14fa               | lea                 edx, [edx + edi*8]
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     

        $sequence_3 = { 5b c9 c20400 57 5f 55 }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   57                   | push                edi
            //   5f                   | pop                 edi
            //   55                   | push                ebp

        // NOTE(review): these 20 bytes are printable ASCII ("ol size while the po"),
        // i.e. a fragment of an embedded text string, not executable code. The
        // instruction listing below is only the disassembler's reading of that
        // text; treat this sequence as a string-content match.
        $sequence_4 = { 6f 6c 207369 7a65 207768 696c652074686520 706f }
            // n = 7, score = 100
            //   6f                   | outsd               dx, dword ptr [esi]
            //   6c                   | insb                byte ptr es:[edi], dx
            //   207369               | and                 byte ptr [ebx + 0x69], dh
            //   7a65                 | jp                  0x67
            //   207768               | and                 byte ptr [edi + 0x68], dh
            //   696c652074686520     | imul                ebp, dword ptr [ebp + 0x20], 0x20656874
            //   706f                 | jo                  0x71

        $sequence_5 = { 89460c 8b85e0fdffff 894610 8b85e4fdffff 894614 }
            // n = 5, score = 100
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8b85e0fdffff         | mov                 eax, dword ptr [ebp - 0x220]
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8b85e4fdffff         | mov                 eax, dword ptr [ebp - 0x21c]
            //   894614               | mov                 dword ptr [esi + 0x14], eax

        $sequence_6 = { 8b4e24 894824 8b4e28 894828 8b4e2c 89482c f7402c00070000 }
            // n = 7, score = 100
            //   8b4e24               | mov                 ecx, dword ptr [esi + 0x24]
            //   894824               | mov                 dword ptr [eax + 0x24], ecx
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]
            //   894828               | mov                 dword ptr [eax + 0x28], ecx
            //   8b4e2c               | mov                 ecx, dword ptr [esi + 0x2c]
            //   89482c               | mov                 dword ptr [eax + 0x2c], ecx
            //   f7402c00070000       | test                dword ptr [eax + 0x2c], 0x700

        $sequence_7 = { 5d c20400 8bd0 c1ea0c 03d0 c1e80e 03d0 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8bd0                 | mov                 edx, eax
            //   c1ea0c               | shr                 edx, 0xc
            //   03d0                 | add                 edx, eax
            //   c1e80e               | shr                 eax, 0xe
            //   03d0                 | add                 edx, eax

        $sequence_8 = { 8b7810 85f6 0f852dcca87b e8???????? }
            // n = 4, score = 100
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   85f6                 | test                esi, esi
            //   0f852dcca87b         | jne                 0x7ba8cc33
            //   e8????????           |                     

        $sequence_9 = { 57 8bd8 55 51 8b732c 8b7b3c 2b7b74 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8bd8                 | mov                 ebx, eax
            //   55                   | push                ebp
            //   51                   | push                ecx
            //   8b732c               | mov                 esi, dword ptr [ebx + 0x2c]
            //   8b7b3c               | mov                 edi, dword ptr [ebx + 0x3c]
            //   2b7b74               | sub                 edi, dword ptr [ebx + 0x74]

        $sequence_10 = { 8bd0 51 ff7510 81e203000010 ff750c 50 83fa03 }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   51                   | push                ecx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   81e203000010         | and                 edx, 0x10000003
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   83fa03               | cmp                 edx, 3

        $sequence_11 = { 4e 75c1 8b45ec e8???????? 8bf7 8bc6 8b583c }
            // n = 7, score = 100
            //   4e                   | dec                 esi
            //   75c1                 | jne                 0xffffffc3
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   8b583c               | mov                 ebx, dword ptr [eax + 0x3c]

        $sequence_12 = { 8b4318 e8???????? 50 8d4318 e8???????? 8b530c 33c9 }
            // n = 7, score = 100
            //   8b4318               | mov                 eax, dword ptr [ebx + 0x18]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4318               | lea                 eax, [ebx + 0x18]
            //   e8????????           |                     
            //   8b530c               | mov                 edx, dword ptr [ebx + 0xc]
            //   33c9                 | xor                 ecx, ecx

        $sequence_13 = { f7430800000401 5f 0f841b3ea97b 837b1000 0f84113ea97b }
            // n = 5, score = 100
            //   f7430800000401       | test                dword ptr [ebx + 8], 0x1040000
            //   5f                   | pop                 edi
            //   0f841b3ea97b         | je                  0x7ba93e21
            //   837b1000             | cmp                 dword ptr [ebx + 0x10], 0
            //   0f84113ea97b         | je                  0x7ba93e17

        $sequence_14 = { 8b37 8975e0 85f6 0f842bfebb7b }
            // n = 4, score = 100
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   85f6                 | test                esi, esi
            //   0f842bfebb7b         | je                  0x7bbbfe31

        $sequence_15 = { 897e1c 8b4604 8b4004 80b84402000000 7574 68000f0000 8b461c }
            // n = 7, score = 100
            //   897e1c               | mov                 dword ptr [esi + 0x1c], edi
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   80b84402000000       | cmp                 byte ptr [eax + 0x244], 0
            //   7574                 | jne                 0x76
            //   68000f0000           | push                0xf00
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]

    condition:
        // At least 7 of the 16 $sequence_* strings must be present, and the
        // scanned object must be smaller than 8167424 bytes (about 7.8 MiB);
        // larger files are not matched regardless of their content.
        7 of them and filesize < 8167424
}