SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spedear (Back to overview)

Spedear

Actor(s): Thrip


There is no description at this point.

References
2018-06-19SymantecSecurity Response Attack Investigation Team
@online{team:20180619:thrip:4662184, author = {Security Response Attack Investigation Team}, title = {{Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies}}, date = {2018-06-19}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets}, language = {English}, urldate = {2020-01-09} } Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
Catchamas Rikamanu Spedear WMI Ghost Thrip
Yara Rules
[TLP:WHITE] win_spedear_auto (20211008 | Detects win.spedear.)
rule win_spedear_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.spedear."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 99 83e207 03c2 c1f803 83c40c 85c0 }
            // n = 6, score = 600
            //   99                   | cdq                 
            //   83e207               | and                 edx, 7
            //   03c2                 | add                 eax, edx
            //   c1f803               | sar                 eax, 3
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_1 = { 8a5f06 50 894608 e8???????? }
            // n = 4, score = 500
            //   8a5f06               | mov                 bl, byte ptr [edi + 6]
            //   50                   | push                eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   e8????????           |                     

        $sequence_2 = { 53 50 e8???????? 8b7e0c 895e10 }
            // n = 5, score = 500
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7e0c               | mov                 edi, dword ptr [esi + 0xc]
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx

        $sequence_3 = { 53 55 56 8b30 57 8d7a44 }
            // n = 6, score = 400
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   57                   | push                edi
            //   8d7a44               | lea                 edi, dword ptr [edx + 0x44]

        $sequence_4 = { 8b442430 57 6a00 6880000000 }
            // n = 4, score = 400
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6880000000           | push                0x80

        $sequence_5 = { 8944241c 8b44244c 6800000080 50 ff15???????? }
            // n = 5, score = 400
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b44244c             | mov                 eax, dword ptr [esp + 0x4c]
            //   6800000080           | push                0x80000000
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 894618 ffd7 89461c 5f }
            // n = 4, score = 400
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   ffd7                 | call                edi
            //   89461c               | mov                 dword ptr [esi + 0x1c], eax
            //   5f                   | pop                 edi

        $sequence_7 = { 52 56 8bd3 e8???????? 83c608 }
            // n = 5, score = 400
            //   52                   | push                edx
            //   56                   | push                esi
            //   8bd3                 | mov                 edx, ebx
            //   e8????????           |                     
            //   83c608               | add                 esi, 8

        $sequence_8 = { 6a00 68???????? e8???????? 83c40c 68d0070000 }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68d0070000           | push                0x7d0

        $sequence_9 = { 83c404 896e0c 896e10 53 e8???????? 83c404 89460c }
            // n = 7, score = 400
            //   83c404               | add                 esp, 4
            //   896e0c               | mov                 dword ptr [esi + 0xc], ebp
            //   896e10               | mov                 dword ptr [esi + 0x10], ebp
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_10 = { 833e00 741a 6a00 6a00 ff7608 }
            // n = 5, score = 300
            //   833e00               | nop                 word ptr [eax + eax]
            //   741a                 | dec                 eax
            //   6a00                 | cwde                
            //   6a00                 | inc                 ecx
            //   ff7608               | mov                 ecx, dword ptr [esi + eax*4]

        $sequence_11 = { 6a00 ff7608 ff5604 6800800000 }
            // n = 4, score = 300
            //   6a00                 | push                0
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff5604               | call                dword ptr [esi + 4]
            //   6800800000           | push                0x8000

        $sequence_12 = { 8bc7 5e 5f 5b 5d c3 6a08 }
            // n = 7, score = 300
            //   8bc7                 | push                dword ptr [esi + 8]
            //   5e                   | call                dword ptr [esi + 4]
            //   5f                   | push                0x8000
            //   5b                   | push                0
            //   5d                   | push                dword ptr [esi + 8]
            //   c3                   | push                dword ptr [esi + 8]
            //   6a08                 | call                dword ptr [esi + 4]

        $sequence_13 = { ff5604 6800800000 6a00 ff7608 ff15???????? }
            // n = 5, score = 300
            //   ff5604               | call                dword ptr [esi + 4]
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff15????????         |                     

        $sequence_14 = { 394878 7456 39487c 7451 }
            // n = 4, score = 300
            //   394878               | cmp                 dword ptr [eax + 0x78], ecx
            //   7456                 | je                  0x58
            //   39487c               | cmp                 dword ptr [eax + 0x7c], ecx
            //   7451                 | je                  0x53

        $sequence_15 = { 4883c210 8b4204 0302 413bc2 778e 498b4120 }
            // n = 6, score = 100
            //   4883c210             | dec                 eax
            //   8b4204               | lea                 edx, dword ptr [eax + 0x108]
            //   0302                 | dec                 ecx
            //   413bc2               | lea                 eax, dword ptr [eax + edx]
            //   778e                 | dec                 ecx
            //   498b4120             | mov                 dword ptr [ecx + 0x20], eax

        $sequence_16 = { 488b7718 8b461c 4883c020 483be8 7312 488bce e8???????? }
            // n = 7, score = 100
            //   488b7718             | arpl                cx, ax
            //   8b461c               | dec                 eax
            //   4883c020             | mov                 eax, dword ptr [esi + 0x20]
            //   483be8               | xor                 edi, edi
            //   7312                 | dec                 eax
            //   488bce               | mov                 esi, dword ptr [edi + 0x18]
            //   e8????????           |                     

        $sequence_17 = { 4985cf 740e 0fb7d1 488bce ff15???????? }
            // n = 5, score = 100
            //   4985cf               | dec                 ecx
            //   740e                 | test                edi, ecx
            //   0fb7d1               | je                  0x10
            //   488bce               | movzx               edx, cx
            //   ff15????????         |                     

        $sequence_18 = { 498d0410 49894120 813850450000 75cf 0fb74816 ba00200000 6685ca }
            // n = 7, score = 100
            //   498d0410             | dec                 eax
            //   49894120             | mov                 ecx, esi
            //   813850450000         | test                cl, 2
            //   75cf                 | je                  0xffffffbe
            //   0fb74816             | mov                 ecx, 0xf0
            //   ba00200000           | cmp                 word ptr [eax + 0x14], cx
            //   6685ca               | jne                 0xffffffbe

        $sequence_19 = { f6c102 74bc b9f0000000 66394814 75b1 488d9008010000 }
            // n = 6, score = 100
            //   f6c102               | mov                 eax, dword ptr [esi + 0x1c]
            //   74bc                 | dec                 eax
            //   b9f0000000           | add                 eax, 0x20
            //   66394814             | dec                 eax
            //   75b1                 | cmp                 ebp, eax
            //   488d9008010000       | jae                 0x1e

        $sequence_20 = { 7407 33c0 e9???????? ff750c 8b4508 }
            // n = 5, score = 100
            //   7407                 | call                dword ptr [esi + 4]
            //   33c0                 | push                0x8000
            //   e9????????           |                     
            //   ff750c               | push                0
            //   8b4508               | push                0

        $sequence_21 = { 8bc2 c1f805 8b0485a02c2400 8bfa }
            // n = 4, score = 100
            //   8bc2                 | push                dword ptr [esi + 8]
            //   c1f805               | je                  0x1c
            //   8b0485a02c2400       | push                0
            //   8bfa                 | push                0

        $sequence_22 = { 4898 418b0c86 413bcc 7608 428d0422 3bc8 72a8 }
            // n = 7, score = 100
            //   4898                 | add                 edx, 0x10
            //   418b0c86             | mov                 eax, dword ptr [edx + 4]
            //   413bcc               | add                 eax, dword ptr [edx]
            //   7608                 | inc                 ecx
            //   428d0422             | cmp                 eax, edx
            //   3bc8                 | ja                  0xffffff98
            //   72a8                 | dec                 ecx

        $sequence_23 = { 4883ed01 75c2 448bd2 488bda 41bfff000000 660f1f440000 }
            // n = 6, score = 100
            //   4883ed01             | cmp                 dword ptr [eax], 0x4550
            //   75c2                 | jne                 0xffffffdb
            //   448bd2               | movzx               ecx, word ptr [eax + 0x16]
            //   488bda               | mov                 edx, 0x2000
            //   41bfff000000         | test                dx, cx
            //   660f1f440000         | dec                 eax

        $sequence_24 = { 4d63c1 e8???????? 488b4620 33ff }
            // n = 4, score = 100
            //   4d63c1               | dec                 eax
            //   e8????????           |                     
            //   488b4620             | mov                 ecx, esi
            //   33ff                 | dec                 ebp

        $sequence_25 = { 6801040000 50 e8???????? 83c40c 8d85d8f7ffff 50 8d4de0 }
            // n = 7, score = 100
            //   6801040000           | push                dword ptr [esi + 8]
            //   50                   | call                dword ptr [esi + 4]
            //   e8????????           |                     
            //   83c40c               | push                0x8000
            //   8d85d8f7ffff         | push                0
            //   50                   | push                0
            //   8d4de0               | push                dword ptr [esi + 8]

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules