SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sparrow_door (Back to overview)

SparrowDoor

aka: FamousSparrow

There is no description at this point.

References
2021-09-23ESET ResearchTahseen Bin Taj, Matthieu Faou
@online{taj:20210923:famoussparrow:5f0d606, author = {Tahseen Bin Taj and Matthieu Faou}, title = {{FamousSparrow: A suspicious hotel guest}}, date = {2021-09-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/}, language = {English}, urldate = {2021-09-24} } FamousSparrow: A suspicious hotel guest
SparrowDoor
Yara Rules
[TLP:WHITE] win_sparrow_door_auto (20211008 | Detects win.sparrow_door.)
rule win_sparrow_door_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.sparrow_door."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 6a4a 55 ffd6 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   6a4a                 | push                0x4a
            //   55                   | push                ebp
            //   ffd6                 | call                esi

        $sequence_1 = { 8d4c242c 51 8d54242c 52 0fb79300010000 57 89442438 }
            // n = 7, score = 100
            //   8d4c242c             | lea                 ecx, dword ptr [esp + 0x2c]
            //   51                   | push                ecx
            //   8d54242c             | lea                 edx, dword ptr [esp + 0x2c]
            //   52                   | push                edx
            //   0fb79300010000       | movzx               edx, word ptr [ebx + 0x100]
            //   57                   | push                edi
            //   89442438             | mov                 dword ptr [esp + 0x38], eax

        $sequence_2 = { 6802020000 ff15???????? 8b3d???????? 68???????? }
            // n = 4, score = 100
            //   6802020000           | push                0x202
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   68????????           |                     

        $sequence_3 = { c644244800 e8???????? 8b1d???????? 83c40c 8d542410 }
            // n = 5, score = 100
            //   c644244800           | mov                 byte ptr [esp + 0x48], 0
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d542410             | lea                 edx, dword ptr [esp + 0x10]

        $sequence_4 = { 8a11 3a16 7564 83f801 7615 8a5101 3a5601 }
            // n = 7, score = 100
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   3a16                 | cmp                 dl, byte ptr [esi]
            //   7564                 | jne                 0x66
            //   83f801               | cmp                 eax, 1
            //   7615                 | jbe                 0x17
            //   8a5101               | mov                 dl, byte ptr [ecx + 1]
            //   3a5601               | cmp                 dl, byte ptr [esi + 1]

        $sequence_5 = { 6803010000 8d9424e5050000 53 52 }
            // n = 4, score = 100
            //   6803010000           | push                0x103
            //   8d9424e5050000       | lea                 edx, dword ptr [esp + 0x5e5]
            //   53                   | push                ebx
            //   52                   | push                edx

        $sequence_6 = { 3bfb 7436 683f000f00 8d842416010000 50 57 ff15???????? }
            // n = 7, score = 100
            //   3bfb                 | cmp                 edi, ebx
            //   7436                 | je                  0x38
            //   683f000f00           | push                0xf003f
            //   8d842416010000       | lea                 eax, dword ptr [esp + 0x116]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_7 = { 8d84243c010000 47 50 8d0c3e 51 e8???????? }
            // n = 6, score = 100
            //   8d84243c010000       | lea                 eax, dword ptr [esp + 0x13c]
            //   47                   | inc                 edi
            //   50                   | push                eax
            //   8d0c3e               | lea                 ecx, dword ptr [esi + edi]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_8 = { c705????????01000000 57 e8???????? 83c404 5f 5d 8bc3 }
            // n = 7, score = 100
            //   c705????????01000000     |     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   8bc3                 | mov                 eax, ebx

        $sequence_9 = { b84d5a0000 66398424f8000000 7599 8b842434010000 81bc04f800000050450000 8d8404f8000000 }
            // n = 6, score = 100
            //   b84d5a0000           | mov                 eax, 0x5a4d
            //   66398424f8000000     | cmp                 word ptr [esp + 0xf8], ax
            //   7599                 | jne                 0xffffff9b
            //   8b842434010000       | mov                 eax, dword ptr [esp + 0x134]
            //   81bc04f800000050450000     | cmp    dword ptr [esp + eax + 0xf8], 0x4550
            //   8d8404f8000000       | lea                 eax, dword ptr [esp + eax + 0xf8]

    condition:
        7 of them and filesize < 155648
}
Download all Yara Rules