SYMBOLCOMMON_NAMEaka. SYNONYMS
win.telebot (Back to overview)

TeleBot

Actor(s): TeleBots, Sandworm


There is no description at this point.

References
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2017-06-30ESET ResearchAnton Cherepanov
@online{cherepanov:20170630:telebots:7991503, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine}, language = {English}, urldate = {2022-08-25} } TeleBots are back: Supply‑chain attacks against Ukraine
TeleBot Sandworm
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:057c5f4, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks}, language = {English}, urldate = {2022-08-25} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk TeleBot Sandworm
Yara Rules
[TLP:WHITE] win_telebot_auto (20221125 | Detects win.telebot.)
rule win_telebot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.telebot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 895c2404 c70424???????? e8???????? b8ffffffff ebe2 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   c70424????????       |                     
            //   e8????????           |                     
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   ebe2                 | jmp                 0xffffffe4

        $sequence_1 = { e8???????? 8b470c 890424 ffd5 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd5                 | call                ebp

        $sequence_2 = { 8d7c245c 893424 89442404 e8???????? c744240401000000 c7042416000000 e8???????? }
            // n = 7, score = 100
            //   8d7c245c             | lea                 edi, [esp + 0x5c]
            //   893424               | mov                 dword ptr [esp], esi
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   c7042416000000       | mov                 dword ptr [esp], 0x16
            //   e8????????           |                     

        $sequence_3 = { e9???????? 8974243c 89de 89eb 89fd 8b7c2424 c7071c000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8974243c             | mov                 dword ptr [esp + 0x3c], esi
            //   89de                 | mov                 esi, ebx
            //   89eb                 | mov                 ebx, ebp
            //   89fd                 | mov                 ebp, edi
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   c7071c000000         | mov                 dword ptr [edi], 0x1c

        $sequence_4 = { c74424043c000000 8d7c241c 8b03 890424 e8???????? 8b03 c744240801000000 }
            // n = 7, score = 100
            //   c74424043c000000     | mov                 dword ptr [esp + 4], 0x3c
            //   8d7c241c             | lea                 edi, [esp + 0x1c]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1

        $sequence_5 = { 85c0 7403 897014 f6c602 0f855d0c0000 31db 31f6 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   897014               | mov                 dword ptr [eax + 0x14], esi
            //   f6c602               | test                dh, 2
            //   0f855d0c0000         | jne                 0xc63
            //   31db                 | xor                 ebx, ebx
            //   31f6                 | xor                 esi, esi

        $sequence_6 = { 8b6e1c 85ed 0f8486010000 8b4620 85c0 0f847b010000 8b5624 }
            // n = 7, score = 100
            //   8b6e1c               | mov                 ebp, dword ptr [esi + 0x1c]
            //   85ed                 | test                ebp, ebp
            //   0f8486010000         | je                  0x18c
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   0f847b010000         | je                  0x181
            //   8b5624               | mov                 edx, dword ptr [esi + 0x24]

        $sequence_7 = { 83fb1f 772c 85ff 0f84fb080000 89d9 eb08 85ff }
            // n = 7, score = 100
            //   83fb1f               | cmp                 ebx, 0x1f
            //   772c                 | ja                  0x2e
            //   85ff                 | test                edi, edi
            //   0f84fb080000         | je                  0x901
            //   89d9                 | mov                 ecx, ebx
            //   eb08                 | jmp                 0xa
            //   85ff                 | test                edi, edi

        $sequence_8 = { 8b442418 890424 ffd7 85c0 8d7d12 }
            // n = 5, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   8d7d12               | lea                 edi, [ebp + 0x12]

        $sequence_9 = { 8b723c 8d1c31 83fb20 773a b801000000 895a3c d3e0 }
            // n = 7, score = 100
            //   8b723c               | mov                 esi, dword ptr [edx + 0x3c]
            //   8d1c31               | lea                 ebx, [ecx + esi]
            //   83fb20               | cmp                 ebx, 0x20
            //   773a                 | ja                  0x3c
            //   b801000000           | mov                 eax, 1
            //   895a3c               | mov                 dword ptr [edx + 0x3c], ebx
            //   d3e0                 | shl                 eax, cl

    condition:
        7 of them and filesize < 393216
}
Download all Yara Rules