win.spyder

Spyder


There is no description at this point.

References
2024-02-21 — YouTube (SentinelOne) — Kris McConkey
LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor
9002 RAT PlugX ShadowPad Spyder Earth Lusca
2023-08-07 — Recorded Future — Insikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2022-05-04 — Cybereason — Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti
2022-05-04 — Cybereason — Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti
2021-12-16 — TEAMT5 — Aragorn Tseng, Charles Li, Peter Syu, Tom Lai
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-07-08 — Recorded Future — Insikt Group®
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-04-29 — NTT — Threat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-26 — SonicWall — SonicWall CaptureLabs Threats Research Team
China’s “Winnti” Spyder Module
Spyder
2021-03-01 — Dr.Web — Dr.Web
Study of the Spyder modular backdoor for targeted attacks
Spyder
2020-03-01 — Dr.Web — Dr.Web
BackDoor.Spyder.1
Spyder
Yara Rules
[TLP:WHITE] win_spyder_auto (20230808 | Detects win.spyder.)
// Auto-generated (yara-signator) detection rule for the Spyder backdoor family,
// tracked on Malpedia as win.spyder. Each $sequence_N string is a short run of
// instruction bytes lifted from disassembly of unpacked samples / memory dumps;
// "??" bytes mask the positions where call/jump displacements and absolute
// addresses sit (ff15 ????????, e8 ????????, 68 ????????, a3 ????????), so a
// sequence still matches when those operands differ between builds. The
// "score" figure in each sequence comment is the generator's weighting for
// that sequence, not a YARA construct, and has no effect on matching.
rule win_spyder_auto {

    // Provenance and licensing metadata as emitted by the generator.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.spyder."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the disassembly annotations to the right of the "|" do
        // not line up with the hex bytes on their left (e.g. in $sequence_0 the
        // bytes 4053 / 4883ec20 are annotated as "test eax, eax" / "je 0x39");
        // treat the annotation column as a generator artifact and disassemble
        // the hex directly before relying on a reading of any sequence.

        // Sequences 0-7 (score 500): the REX prefixes (48/49/4c/41) indicate
        // 64-bit code.
        $sequence_0 = { 4053 4883ec20 8bd9 488d0da5a40000 ff15???????? 4885c0 7419 }
            // n = 7, score = 500
            //   4053                 | test                eax, eax
            //   4883ec20             | je                  0x39
            //   8bd9                 | dec                 esp
            //   488d0da5a40000       | lea                 eax, [0x3e56]
            //   ff15????????         |                     
            //   4885c0               | inc                 ecx
            //   7419                 | lea                 edx, [edx + 0x16]

        $sequence_1 = { 0f8493010000 488d156a5f0000 488bc8 ff15???????? 4885c0 0f847a010000 }
            // n = 6, score = 500
            //   0f8493010000         | je                  0x199
            //   488d156a5f0000       | dec                 eax
            //   488bc8               | lea                 edx, [0x5f6a]
            //   ff15????????         |                     
            //   4885c0               | dec                 eax
            //   0f847a010000         | mov                 ecx, eax

        $sequence_2 = { 756e 488d4b04 4c8d05563e0000 418d5216 e8???????? 85c0 7437 }
            // n = 7, score = 500
            //   756e                 | dec                 eax
            //   488d4b04             | test                eax, eax
            //   4c8d05563e0000       | je                  0x180
            //   418d5216             | jne                 0x70
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7437                 | lea                 ecx, [ebx + 4]

        $sequence_3 = { eb17 488b5638 498bcc ff5630 b97f000000 ff15???????? }
            // n = 6, score = 500
            //   eb17                 | je                  0x1b
            //   488b5638             | dec                 ecx
            //   498bcc               | arpl                word ptr [esp + 0x3c], si
            //   ff5630               | dec                 ecx
            //   b97f000000           | add                 esi, esp
            //   ff15????????         |                     

        $sequence_4 = { 7422 488d15795e0000 488bce ff15???????? 488bc8 }
            // n = 5, score = 500
            //   7422                 | cmp                 dword ptr [esi], 0x4550
            //   488d15795e0000       | je                  0x16
            //   488bce               | mov                 ecx, 0xc1
            //   ff15????????         |                     
            //   488bc8               | jbe                 0x59

        $sequence_5 = { 496374243c 4903f4 813e50450000 740b b9c1000000 }
            // n = 5, score = 500
            //   496374243c           | test                eax, eax
            //   4903f4               | je                  0x3f
            //   813e50450000         | inc                 eax
            //   740b                 | push                ebx
            //   b9c1000000           | dec                 eax

        $sequence_6 = { 7647 498bcd e8???????? 4c8d05478a0000 41b903000000 488d4c45bc 488bc1 }
            // n = 7, score = 500
            //   7647                 | sub                 esp, 0x20
            //   498bcd               | mov                 ebx, ecx
            //   e8????????           |                     
            //   4c8d05478a0000       | dec                 eax
            //   41b903000000         | lea                 ecx, [0xa4a5]
            //   488d4c45bc           | dec                 eax
            //   488bc1               | test                eax, eax

        $sequence_7 = { 85c0 7408 8bcb ff15???????? e8???????? 488d15faa20000 }
            // n = 6, score = 500
            //   85c0                 | dec                 ecx
            //   7408                 | mov                 ecx, ebp
            //   8bcb                 | dec                 esp
            //   ff15????????         |                     
            //   e8????????           |                     
            //   488d15faa20000       | lea                 eax, [0x8a47]

        // Sequences 8-15 carry a lower generator score (100) and contain 32-bit
        // absolute operands (e.g. 8d0540460910 -> lea eax, [0x10094640]), so they
        // appear to come from an x86 build rather than the x64 code above.
        // With a "7 of them" condition, a pure x86 or pure x64 sample has to hit
        // 7 of the 8 sequences for its architecture — re-check the threshold if
        // you see misses on one architecture.
        $sequence_8 = { 8b7d0c 8d0540460910 83780800 754e b741 b35a }
            // n = 6, score = 100
            //   8b7d0c               | test                eax, eax
            //   8d0540460910         | je                  0xa
            //   83780800             | mov                 ecx, ebx
            //   754e                 | dec                 eax
            //   b741                 | lea                 edx, [0xa2fa]
            //   b35a                 | dec                 eax

        $sequence_9 = { 50 a3???????? e8???????? 8db6843d0910 bf???????? }
            // n = 5, score = 100
            //   50                   | add                 esp, 0x157c
            //   a3????????           |                     
            //   e8????????           |                     
            //   8db6843d0910         | ret                 
            //   bf????????           |                     

        $sequence_10 = { 888800490910 eb1f 83f861 7213 83f87a 770e 8088????????20 }
            // n = 7, score = 100
            //   888800490910         | sub                 esp, 0x20
            //   eb1f                 | dec                 eax
            //   83f861               | lea                 ebx, [0x9367]
            //   7213                 | dec                 eax
            //   83f87a               | lea                 edi, [0x9360]
            //   770e                 | jmp                 0x1e
            //   8088????????20       |                     

        $sequence_11 = { 83c424 aa 8d842484000000 6804010000 50 53 }
            // n = 6, score = 100
            //   83c424               | dec                 eax
            //   aa                   | mov                 eax, ecx
            //   8d842484000000       | jmp                 0x19
            //   6804010000           | dec                 eax
            //   50                   | mov                 edx, dword ptr [esi + 0x38]
            //   53                   | dec                 ecx

        $sequence_12 = { 81e1ffff0000 50 51 68???????? 8d54243c }
            // n = 5, score = 100
            //   81e1ffff0000         | push                eax
            //   50                   | push                ebx
            //   51                   | mov                 eax, 1
            //   68????????           |                     
            //   8d54243c             | pop                 ebx

        $sequence_13 = { 68???????? 8d44242c 8d8c2494050000 50 68???????? }
            // n = 5, score = 100
            //   68????????           |                     
            //   8d44242c             | mov                 ecx, esi
            //   8d8c2494050000       | dec                 eax
            //   50                   | mov                 ecx, eax
            //   68????????           |                     

        $sequence_14 = { b801000000 5b 81c47c150000 c3 5f 5e 33c0 }
            // n = 7, score = 100
            //   b801000000           | mov                 ecx, esp
            //   5b                   | call                dword ptr [esi + 0x30]
            //   81c47c150000         | mov                 ecx, 0x7f
            //   c3                   | je                  0x24
            //   5f                   | dec                 eax
            //   5e                   | lea                 edx, [0x5e79]
            //   33c0                 | dec                 eax

        $sequence_15 = { 0fb6d2 f682014a091004 7403 40 }
            // n = 4, score = 100
            //   0fb6d2               | add                 esp, 0x24
            //   f682014a091004       | stosb               byte ptr es:[edi], al
            //   7403                 | lea                 eax, [esp + 0x84]
            //   40                   | push                0x104

    condition:
        // Any 7 of the 16 sequences suffice. The filesize cap (just under
        // 1.4 MiB) was chosen by the generator, presumably from the size of the
        // documented samples; it limits the rule to small binaries and will
        // skip larger files (e.g. unpacked or padded builds) even if every
        // sequence is present. Both thresholds are generator-chosen, not
        // analyst-tuned — review them before deploying the rule at scale.
        7 of them and filesize < 1458176
}