win.sparrow_door

SparrowDoor

aka: FamousSparrow

There is no description at this point.

References
2022-02-28 — NCSC UK — NCSC UK
@techreport{uk:20220228:malware:0cbf8c2, author = {NCSC UK}, title = {{Malware Analysis Report: SparrowDoor}}, date = {2022-02-28}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf}, language = {English}, urldate = {2022-05-17} } Malware Analysis Report: SparrowDoor
SparrowDoor
2021-09-23 — ESET Research — Tahseen Bin Taj, Matthieu Faou
@online{taj:20210923:famoussparrow:5f0d606, author = {Tahseen Bin Taj and Matthieu Faou}, title = {{FamousSparrow: A suspicious hotel guest}}, date = {2021-09-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/}, language = {English}, urldate = {2021-09-24} } FamousSparrow: A suspicious hotel guest
SparrowDoor
Yara Rules
[TLP:WHITE] win_sparrow_door_auto (20220411 | Detects win.sparrow_door.)
rule win_sparrow_door_auto {

    /* Purpose: auto-generated code-sequence signature for the SparrowDoor backdoor
     * (Malpedia family win.sparrow_door, aka FamousSparrow).
     * It carries no string/IoC indicators at all: each $sequence_N below is a short
     * run of x86 instruction bytes lifted from disassembly, and a hit requires
     * 7 of the 10 sequences plus the filesize bound in `condition`.
     * Expect it to fire on unpacked files / memory dumps rather than on packed
     * samples, since the bytes are instruction encodings, not packer stubs.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.sparrow_door."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door"
        // malpedia_rule_date / malpedia_version: dates of the rule set and of the
        // Malpedia data snapshot it was generated from.
        malpedia_rule_date = "20220405"
        // NOTE(review): presumably identifies the Malpedia data snapshot, not a
        // sample hash — do not treat it as an IoC; confirm against Malpedia docs.
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reading the sequences: every `??` masks one byte of an operand whose value
     * depends on where the sample is laid out — the rel32 of `e8` (call),
     * the absolute pointer of `ff15` (call [imm32]) and of `833d ... 00`
     * (cmp dword ptr [imm32], 0). Masking them keeps the sequence stable across
     * builds linked at different addresses; the "n = ..., score = ..." lines are
     * the generator's instruction count and selection score for each sequence.
     */
    strings:
        $sequence_0 = { 51 c644245000 e8???????? 6803010000 8d942459010000 6a00 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   c644245000           | mov                 byte ptr [esp + 0x50], 0
            //   e8????????           |                     
            //   6803010000           | push                0x103
            //   8d942459010000       | lea                 edx, dword ptr [esp + 0x159]
            //   6a00                 | push                0

        $sequence_1 = { 896c2448 c684249000000000 e8???????? 6882050000 8d9424d4000000 6a00 }
            // n = 6, score = 100
            //   896c2448             | mov                 dword ptr [esp + 0x48], ebp
            //   c684249000000000     | mov                 byte ptr [esp + 0x90], 0
            //   e8????????           |                     
            //   6882050000           | push                0x582
            //   8d9424d4000000       | lea                 edx, dword ptr [esp + 0xd4]
            //   6a00                 | push                0

        $sequence_2 = { 53 6a01 52 ffd7 53 8d442418 50 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   8d442418             | lea                 eax, dword ptr [esp + 0x18]
            //   50                   | push                eax

        // NOTE(review): unlike the call operands above, the displacement 0x2ae048 in
        // the cmp is NOT wildcarded, so this sequence is tied to one image layout
        // (a rebased or differently-linked build may miss it). The 7-of-10 threshold
        // absorbs a single such miss, but weigh this when assigning confidence.
        $sequence_3 = { 33c9 3b04cd48e02a00 7413 41 }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   3b04cd48e02a00       | cmp                 eax, dword ptr [ecx*8 + 0x2ae048]
            //   7413                 | je                  0x15
            //   41                   | inc                 ecx

        $sequence_4 = { 8b542418 e8???????? 8b442410 83c408 50 ff15???????? 53 }
            // n = 7, score = 100
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   e8????????           |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   83c408               | add                 esp, 8
            //   50                   | push                eax
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_5 = { 897d00 e8???????? 8b742424 83c410 8d442450 50 }
            // n = 6, score = 100
            //   897d00               | mov                 dword ptr [ebp], edi
            //   e8????????           |                     
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]
            //   83c410               | add                 esp, 0x10
            //   8d442450             | lea                 eax, dword ptr [esp + 0x50]
            //   50                   | push                eax

        $sequence_6 = { 83c408 c3 833d????????00 7505 e8???????? 8d3c1b 57 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   c3                   | ret                 
            //   833d????????00       |                     
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   8d3c1b               | lea                 edi, dword ptr [ebx + ebx]
            //   57                   | push                edi

        $sequence_7 = { 51 ffd6 8d94243e010000 52 8d8302010000 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8d94243e010000       | lea                 edx, dword ptr [esp + 0x13e]
            //   52                   | push                edx
            //   8d8302010000         | lea                 eax, dword ptr [ebx + 0x102]

        $sequence_8 = { 52 8bd8 8d042b 6a00 50 e8???????? 83c414 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8bd8                 | mov                 ebx, eax
            //   8d042b               | lea                 eax, dword ptr [ebx + ebp]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_9 = { 6689942454070000 e8???????? 83c40c 68e8030000 8d8c244c070000 51 }
            // n = 6, score = 100
            //   6689942454070000     | mov                 word ptr [esp + 0x754], dx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68e8030000           | push                0x3e8
            //   8d8c244c070000       | lea                 ecx, dword ptr [esp + 0x74c]
            //   51                   | push                ecx

    /* Match threshold: at least 7 of the 10 sequences, AND the scanned object must
     * be smaller than 155648 bytes (152 KiB). The size cap is a false-positive
     * guard sized to the sample(s) the rule was generated from; a larger build or
     * a full process dump that embeds the payload will fail the bound even if all
     * sequences are present. NOTE(review): `filesize` is defined for file scans —
     * confirm how the YARA version in use evaluates it on process-memory scans
     * before relying on this rule there.
     */
    condition:
        7 of them and filesize < 155648
}