SYMBOLCOMMON_NAMEaka. SYNONYMS
win.telebot (Back to overview)

TeleBot

Actor(s): TeleBots, Sandworm

VTCollection    

There is no description at this point.

References
2021-07-27BlackberryBlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2020-01-01SecureworksSecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2017-06-30ESET ResearchAnton Cherepanov
TeleBots are back: Supply‑chain attacks against Ukraine
TeleBot Sandworm
2016-12-13ESET ResearchAnton Cherepanov
The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
2016-12-13ESET ResearchAnton Cherepanov
The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk TeleBot Sandworm
Yara Rules
[TLP:WHITE] win_telebot_auto (20230808 | Detects win.telebot.)
rule win_telebot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.telebot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89442408 891c24 e8???????? 891c24 e8???????? 807c03ff5c }
            // n = 6, score = 100
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   807c03ff5c           | cmp                 byte ptr [ebx + eax - 1], 0x5c

        $sequence_1 = { 8d9730050000 89542450 8d97f0020000 89ef 89dd 89f3 89ce }
            // n = 7, score = 100
            //   8d9730050000         | lea                 edx, [edi + 0x530]
            //   89542450             | mov                 dword ptr [esp + 0x50], edx
            //   8d97f0020000         | lea                 edx, [edi + 0x2f0]
            //   89ef                 | mov                 edi, ebp
            //   89dd                 | mov                 ebp, ebx
            //   89f3                 | mov                 ebx, esi
            //   89ce                 | mov                 esi, ecx

        $sequence_2 = { 895638 0f868d010000 83e908 8d442418 c1e903 8d7101 8d0c30 }
            // n = 7, score = 100
            //   895638               | mov                 dword ptr [esi + 0x38], edx
            //   0f868d010000         | jbe                 0x193
            //   83e908               | sub                 ecx, 8
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   c1e903               | shr                 ecx, 3
            //   8d7101               | lea                 esi, [ecx + 1]
            //   8d0c30               | lea                 ecx, [eax + esi]

        $sequence_3 = { a3???????? 0f85f3fcffff c70424???????? e8???????? b8ffffffff ebc9 c7442404???????? }
            // n = 7, score = 100
            //   a3????????           |                     
            //   0f85f3fcffff         | jne                 0xfffffcf9
            //   c70424????????       |                     
            //   e8????????           |                     
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   ebc9                 | jmp                 0xffffffcb
            //   c7442404????????     |                     

        $sequence_4 = { 31c0 c7463000000000 39ca 7796 eb99 }
            // n = 5, score = 100
            //   31c0                 | xor                 eax, eax
            //   c7463000000000       | mov                 dword ptr [esi + 0x30], 0
            //   39ca                 | cmp                 edx, ecx
            //   7796                 | ja                  0xffffff98
            //   eb99                 | jmp                 0xffffff9b

        $sequence_5 = { 83ef01 d3e0 83c108 01c6 8b442440 }
            // n = 5, score = 100
            //   83ef01               | sub                 edi, 1
            //   d3e0                 | shl                 eax, cl
            //   83c108               | add                 ecx, 8
            //   01c6                 | add                 esi, eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]

        $sequence_6 = { 895008 89f2 c1ea08 89500c 8b442424 8b5010 f6c602 }
            // n = 7, score = 100
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   89f2                 | mov                 edx, esi
            //   c1ea08               | shr                 edx, 8
            //   89500c               | mov                 dword ptr [eax + 0xc], edx
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b5010               | mov                 edx, dword ptr [eax + 0x10]
            //   f6c602               | test                dh, 2

        $sequence_7 = { e8???????? 893424 89c3 89442404 ff15???????? 83ec08 89c7 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   893424               | mov                 dword ptr [esp], esi
            //   89c3                 | mov                 ebx, eax
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   ff15????????         |                     
            //   83ec08               | sub                 esp, 8
            //   89c7                 | mov                 edi, eax

        $sequence_8 = { 76e2 eb15 8b442424 8b5010 f6c604 }
            // n = 5, score = 100
            //   76e2                 | jbe                 0xffffffe4
            //   eb15                 | jmp                 0x17
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b5010               | mov                 edx, dword ptr [eax + 0x10]
            //   f6c604               | test                dh, 4

        $sequence_9 = { 89ef 89dd 89f3 89ce 8954244c 83f81e 0f876c160000 }
            // n = 7, score = 100
            //   89ef                 | mov                 edi, ebp
            //   89dd                 | mov                 ebp, ebx
            //   89f3                 | mov                 ebx, esi
            //   89ce                 | mov                 esi, ecx
            //   8954244c             | mov                 dword ptr [esp + 0x4c], edx
            //   83f81e               | cmp                 eax, 0x1e
            //   0f876c160000         | ja                  0x1672

    condition:
        7 of them and filesize < 393216
}
Download all Yara Rules