win.stegoloader (Back to overview)

StegoLoader


There is no description at this point.

References
2015-06-15 — Secureworks — CTU Research Team
@online{team:20150615:stegoloader:9a04145, author = {CTU Research Team}, title = {{Stegoloader: A Stealthy Information Stealer}}, date = {2015-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer}, language = {English}, urldate = {2020-01-10} } Stegoloader: A Stealthy Information Stealer
StegoLoader
Yara Rules
[TLP:WHITE] win_stegoloader_auto (20220411 | Detects win.stegoloader.)
rule win_stegoloader_auto {
    // Auto-generated code-sequence signature for the win.stegoloader family
    // (produced by yara-signator; see the DISCLAIMER below). Each $sequence_N
    // is a short run of x86 instruction bytes taken from disassembly, and the
    // comment under each string lists the matching disassembly, one
    // instruction per hex group. "??" marks wildcarded bytes: here the 4-byte
    // operand of each "e8" (call) opcode, whose value depends on where the
    // call target lands and is therefore deliberately not matched.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.stegoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader"
        malpedia_rule_date = "20220405"
        // NOTE(review): malpedia_hash presumably identifies the Malpedia data
        // snapshot this rule was generated from, not a sample hash — do not
        // treat it as an indicator of compromise without confirming.
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the number of instructions in the sequence; "score" is the
        // weight yara-signator assigned to it during selection.
        $sequence_0 = { 43 3b5e14 76e2 ff45fc 837dfc02 }
            // n = 5, score = 200
            //   43                   | inc                 ebx
            //   3b5e14               | cmp                 ebx, dword ptr [esi + 0x14]
            //   76e2                 | jbe                 0xffffffe4
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   837dfc02             | cmp                 dword ptr [ebp - 4], 2

        $sequence_1 = { 0fb70438 eb07 662b5e10 0fb7c3 8b4e1c 0fb7c0 }
            // n = 6, score = 200
            //   0fb70438             | movzx               eax, word ptr [eax + edi]
            //   eb07                 | jmp                 9
            //   662b5e10             | sub                 bx, word ptr [esi + 0x10]
            //   0fb7c3               | movzx               eax, bx
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   0fb7c0               | movzx               eax, ax

        $sequence_2 = { 394df8 7612 8b55fc 8d043e }
            // n = 4, score = 200
            //   394df8               | cmp                 dword ptr [ebp - 8], ecx
            //   7612                 | jbe                 0x14
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d043e               | lea                 eax, dword ptr [esi + edi]

        $sequence_3 = { 50 ff7604 8bcf e8???????? 84c0 750b 8b07 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff7604               | push                dword ptr [esi + 4]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   750b                 | jne                 0xd
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_4 = { 8801 33f6 837c240c00 0f84b4feffff 8b442414 5f 2bc3 }
            // n = 7, score = 200
            //   8801                 | mov                 byte ptr [ecx], al
            //   33f6                 | xor                 esi, esi
            //   837c240c00           | cmp                 dword ptr [esp + 0xc], 0
            //   0f84b4feffff         | je                  0xfffffeba
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   5f                   | pop                 edi
            //   2bc3                 | sub                 eax, ebx

        $sequence_5 = { 0f841a010000 e8???????? 85c0 747d e8???????? 85c0 }
            // n = 6, score = 200
            //   0f841a010000         | je                  0x120
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   747d                 | je                  0x7f
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 6a02 50 e8???????? 3b4508 59 59 }
            // n = 6, score = 200
            //   6a02                 | push                2
            //   50                   | push                eax
            //   e8????????           |                     
            //   3b4508               | cmp                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_7 = { 7432 8b06 53 ff742410 8bce }
            // n = 5, score = 200
            //   7432                 | je                  0x34
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   53                   | push                ebx
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8bce                 | mov                 ecx, esi

        $sequence_8 = { 037d14 83c410 3bfe 72c1 837b0808 }
            // n = 5, score = 200
            //   037d14               | add                 edi, dword ptr [ebp + 0x14]
            //   83c410               | add                 esp, 0x10
            //   3bfe                 | cmp                 edi, esi
            //   72c1                 | jb                  0xffffffc3
            //   837b0808             | cmp                 dword ptr [ebx + 8], 8

        $sequence_9 = { 75f9 56 8d740201 33ff 803e00 7407 47 }
            // n = 7, score = 200
            //   75f9                 | jne                 0xfffffffb
            //   56                   | push                esi
            //   8d740201             | lea                 esi, dword ptr [edx + eax + 1]
            //   33ff                 | xor                 edi, edi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7407                 | je                  9
            //   47                   | inc                 edi

        $sequence_10 = { ff7604 e8???????? 57 53 e8???????? 83c414 eb18 }
            // n = 7, score = 200
            //   ff7604               | push                dword ptr [esi + 4]
            //   e8????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   eb18                 | jmp                 0x1a

        $sequence_11 = { 8a07 83c40c 46 3c43 7511 }
            // n = 5, score = 200
            //   8a07                 | mov                 al, byte ptr [edi]
            //   83c40c               | add                 esp, 0xc
            //   46                   | inc                 esi
            //   3c43                 | cmp                 al, 0x43
            //   7511                 | jne                 0x13

        $sequence_12 = { 59 744a 8b4508 8b4008 56 57 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   744a                 | je                  0x4c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   56                   | push                esi
            //   57                   | push                edi

        // Four consecutive 32-bit immediate stores to adjacent stack slots;
        // the constants are matched verbatim, so this sequence is sensitive to
        // any rebuild that changes those values.
        $sequence_13 = { c78518ffffff72a60c1f c7851cffffff0eb40e9b c78520ffffffd2311e07 c78524ffffffc12e5976 }
            // n = 4, score = 200
            //   c78518ffffff72a60c1f     | mov    dword ptr [ebp - 0xe8], 0x1f0ca672
            //   c7851cffffff0eb40e9b     | mov    dword ptr [ebp - 0xe4], 0x9b0eb40e
            //   c78520ffffffd2311e07     | mov    dword ptr [ebp - 0xe0], 0x71e31d2
            //   c78524ffffffc12e5976     | mov    dword ptr [ebp - 0xdc], 0x76592ec1

        $sequence_14 = { c3 55 8bec 8d45a0 81ec78020000 50 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8d45a0               | lea                 eax, dword ptr [ebp - 0x60]
            //   81ec78020000         | sub                 esp, 0x278
            //   50                   | push                eax

        // Byte-wise stack writes of 0x26 0x26 0x20 0x53; likely a string being
        // assembled on the stack, but the meaning of the bytes is not shown here.
        $sequence_15 = { c645c426 c645c526 c645c620 c645c753 }
            // n = 4, score = 200
            //   c645c426             | mov                 byte ptr [ebp - 0x3c], 0x26
            //   c645c526             | mov                 byte ptr [ebp - 0x3b], 0x26
            //   c645c620             | mov                 byte ptr [ebp - 0x3a], 0x20
            //   c645c753             | mov                 byte ptr [ebp - 0x39], 0x53

    condition:
        // Fires when at least 7 of the 16 $sequence_* strings are present and
        // the scanned object is smaller than 802816 bytes (784 KiB). The size
        // cap limits scan cost and false positives on large binaries, but it
        // also means a padded or bundled sample above that size is missed.
        // NOTE(review): filesize is only defined for file scans, not
        // process-memory scans — confirm how this condition evaluates in the
        // memory-scanning setup before relying on it there. Per the DISCLAIMER
        // the sequences come from single samples, so treat a hit as a
        // family-level indicator and assign confidence accordingly.
        7 of them and filesize < 802816
}