SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spedear (Back to overview)

Spedear

Actor(s): Thrip


There is no description at this point.

References
2018-06-19SymantecSecurity Response Attack Investigation Team
@online{team:20180619:thrip:4662184, author = {Security Response Attack Investigation Team}, title = {{Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies}}, date = {2018-06-19}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets}, language = {English}, urldate = {2020-01-09} } Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
Catchamas Rikamanu Spedear WMI Ghost Thrip
Yara Rules
[TLP:WHITE] win_spedear_auto (20220411 | Detects win.spedear.)
rule win_spedear_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.spedear."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 99 83e207 03c2 c1f803 83c40c }
            // n = 5, score = 600
            //   99                   | cdq                 
            //   83e207               | and                 edx, 7
            //   03c2                 | add                 eax, edx
            //   c1f803               | sar                 eax, 3
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { 8a5f06 50 894608 e8???????? }
            // n = 4, score = 500
            //   8a5f06               | mov                 bl, byte ptr [edi + 6]
            //   50                   | push                eax
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   e8????????           |                     

        $sequence_2 = { 53 50 e8???????? 8b7e0c 895e10 }
            // n = 5, score = 500
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7e0c               | mov                 edi, dword ptr [esi + 0xc]
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx

        $sequence_3 = { 40 0bd1 3bc3 7c02 33c0 8b4c2410 8b0c39 }
            // n = 7, score = 400
            //   40                   | push                eax
            //   0bd1                 | mov                 edi, dword ptr [esi + 0xc]
            //   3bc3                 | mov                 dword ptr [esi + 0x10], ebx
            //   7c02                 | push                eax
            //   33c0                 | mov                 edi, dword ptr [esi + 0xc]
            //   8b4c2410             | mov                 dword ptr [esi + 0x10], ebx
            //   8b0c39               | push                0

        $sequence_4 = { 0fb7c3 038c82480c0000 33ce 836c241001 8b742414 75af 8b4204 }
            // n = 7, score = 400
            //   0fb7c3               | push                eax
            //   038c82480c0000       | mov                 dword ptr [esi + 8], eax
            //   33ce                 | mov                 eax, dword ptr [edi + 0x18]
            //   836c241001           | mov                 bl, byte ptr [edi + 6]
            //   8b742414             | push                eax
            //   75af                 | mov                 dword ptr [esi + 8], eax
            //   8b4204               | push                ebx

        $sequence_5 = { 894618 ffd7 89461c 5f }
            // n = 4, score = 400
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   ffd7                 | call                edi
            //   89461c               | mov                 dword ptr [esi + 0x1c], eax
            //   5f                   | pop                 edi

        $sequence_6 = { 57 b8???????? 8d4d48 ba00010000 8d9b00000000 }
            // n = 5, score = 400
            //   57                   | sar                 eax, 3
            //   b8????????           |                     
            //   8d4d48               | add                 esp, 0xc
            //   ba00010000           | cdq                 
            //   8d9b00000000         | and                 edx, 7

        $sequence_7 = { 8b4204 33c1 8b0a 8b54241c 5f }
            // n = 5, score = 400
            //   8b4204               | mov                 eax, dword ptr [edi + 0x18]
            //   33c1                 | mov                 bl, byte ptr [edi + 6]
            //   8b0a                 | push                eax
            //   8b54241c             | mov                 dword ptr [esi + 8], eax
            //   5f                   | mov                 bl, byte ptr [edi + 6]

        $sequence_8 = { 6a00 68???????? e8???????? 83c40c 68d0070000 }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68d0070000           | push                0x7d0

        $sequence_9 = { 6a00 6a00 ffd0 85f6 7405 e8???????? }
            // n = 6, score = 400
            //   6a00                 | add                 eax, edx
            //   6a00                 | sar                 eax, 3
            //   ffd0                 | add                 esp, 0xc
            //   85f6                 | push                eax
            //   7405                 | mov                 edi, dword ptr [esi + 0xc]
            //   e8????????           |                     

        $sequence_10 = { 394878 7456 39487c 7451 }
            // n = 4, score = 300
            //   394878               | cmp                 dword ptr [eax + 0x78], ecx
            //   7456                 | je                  0x58
            //   39487c               | cmp                 dword ptr [eax + 0x7c], ecx
            //   7451                 | je                  0x53

        $sequence_11 = { 833e00 741a 6a00 6a00 }
            // n = 4, score = 300
            //   833e00               | cmp                 dword ptr [esi], 0
            //   741a                 | je                  0x1c
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_12 = { 6a00 ff7608 ff5604 6800800000 6a00 ff7608 ff15???????? }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff5604               | call                dword ptr [esi + 4]
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff15????????         |                     

        $sequence_13 = { 8bc7 5e 5f 5b 5d c3 6a08 }
            // n = 7, score = 300
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a08                 | push                8

        $sequence_14 = { c20c00 55 8bec ff750c 8d4104 ff7508 }
            // n = 6, score = 200
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d4104               | lea                 eax, dword ptr [ecx + 4]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_15 = { 33c9 4c8d6108 4d8b2c24 eb1f 4c8d25189f0000 488b0d???????? bf01000000 }
            // n = 7, score = 100
            //   33c9                 | ret                 
            //   4c8d6108             | dec                 eax
            //   4d8b2c24             | sub                 esp, 0x28
            //   eb1f                 | cmp                 dword ptr [ecx + 0x10], 0
            //   4c8d25189f0000       | dec                 eax
            //   488b0d????????       |                     
            //   bf01000000           | lea                 eax, dword ptr [0x6985]

        $sequence_16 = { 68???????? e8???????? 59 59 6a01 33ff 8d75e0 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 edi
            //   59                   | pop                 ebx
            //   6a01                 | pop                 ebp
            //   33ff                 | ret                 
            //   8d75e0               | push                8

        $sequence_17 = { 4883ec20 488d05fe690000 488bfa 488bd9 488901 8b4210 }
            // n = 6, score = 100
            //   4883ec20             | dec                 eax
            //   488d05fe690000       | mov                 dword ptr [ecx], eax
            //   488bfa               | xor                 ecx, ecx
            //   488bd9               | dec                 esp
            //   488901               | lea                 esp, dword ptr [ecx + 8]
            //   8b4210               | dec                 ebp

        $sequence_18 = { ff15???????? 6a00 ff15???????? cc 33c0 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   6a00                 | je                  0x1c
            //   ff15????????         |                     
            //   cc                   | push                0
            //   33c0                 | push                0

        $sequence_19 = { 4983c228 4883eb01 75cf 488b1c24 418bc0 }
            // n = 5, score = 100
            //   4983c228             | mov                 edx, dword ptr [eax + 0x8c]
            //   4883eb01             | dec                 ecx
            //   75cf                 | add                 edx, 0x28
            //   488b1c24             | dec                 eax
            //   418bc0               | sub                 ebx, 1

        $sequence_20 = { 8b7dd8 8b45dc 885c07ff 8bc7 8d4de0 }
            // n = 5, score = 100
            //   8b7dd8               | push                dword ptr [esi + 8]
            //   8b45dc               | call                dword ptr [esi + 4]
            //   885c07ff             | push                0x8000
            //   8bc7                 | mov                 eax, edi
            //   8d4de0               | pop                 esi

        $sequence_21 = { 4883c420 5f c3 8b908c000000 }
            // n = 4, score = 100
            //   4883c420             | dec                 eax
            //   5f                   | add                 esp, 0x20
            //   c3                   | pop                 edi
            //   8b908c000000         | ret                 

        $sequence_22 = { 443bd7 754f 4c8d053d360000 458bcd ba00010000 }
            // n = 5, score = 100
            //   443bd7               | dec                 eax
            //   754f                 | sub                 esp, 0x20
            //   4c8d053d360000       | dec                 eax
            //   458bcd               | lea                 eax, dword ptr [0x69fe]
            //   ba00010000           | dec                 eax

        $sequence_23 = { c3 4883ec28 83791000 488d0585690000 488901 }
            // n = 5, score = 100
            //   c3                   | jne                 0xffffffd1
            //   4883ec28             | dec                 eax
            //   83791000             | mov                 ebx, dword ptr [esp]
            //   488d0585690000       | inc                 ecx
            //   488901               | mov                 eax, eax

        $sequence_24 = { 33d2 41b803010000 4088bc2450010000 e8???????? }
            // n = 4, score = 100
            //   33d2                 | mov                 edi, edx
            //   41b803010000         | dec                 eax
            //   4088bc2450010000     | mov                 ebx, ecx
            //   e8????????           |                     

        $sequence_25 = { 817de494d12300 7311 8b45e4 8b00 85c0 7402 }
            // n = 6, score = 100
            //   817de494d12300       | push                dword ptr [esi + 8]
            //   7311                 | call                dword ptr [esi + 4]
            //   8b45e4               | push                0x8000
            //   8b00                 | push                0
            //   85c0                 | push                dword ptr [esi + 8]
            //   7402                 | call                dword ptr [esi + 4]

        $sequence_26 = { 741e 488b4910 4533c0 33d2 ff5308 }
            // n = 5, score = 100
            //   741e                 | mov                 ebp, dword ptr [esp]
            //   488b4910             | jmp                 0x29
            //   4533c0               | dec                 esp
            //   33d2                 | lea                 esp, dword ptr [0x9f18]
            //   ff5308               | mov                 edi, 1

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules