SYMBOLCOMMON_NAMEaka. SYNONYMS
win.underminer_ek (Back to overview)

UnderminerEK


There is no description at this point.

References
2022-01-12AvastJan Vojtěšek
@online{vojtek:20220112:exploit:479fe11, author = {Jan Vojtěšek}, title = {{Exploit Kits vs. Google Chrome}}, date = {2022-01-12}, organization = {Avast}, url = {https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/}, language = {English}, urldate = {2022-07-01} } Exploit Kits vs. Google Chrome
Magniber UnderminerEK
2021-11-02MinervaNatalie Zargarov
@online{zargarov:20211102:underminer:f03f426, author = {Natalie Zargarov}, title = {{Underminer Exploit Kit: The More You Check The More Evasive You Become}}, date = {2021-11-02}, organization = {Minerva}, url = {https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become}, language = {English}, urldate = {2021-11-03} } Underminer Exploit Kit: The More You Check The More Evasive You Become
Amadey Oski Stealer RedLine Stealer UnderminerEK
Yara Rules
[TLP:WHITE] win_underminer_ek_auto (20230715 | Detects win.underminer_ek.)
rule win_underminer_ek_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.underminer_ek."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5e 8bc6 5e c3 55 8bec 51 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx

        $sequence_1 = { ff4d0c 53 56 85c0 57 }
            // n = 5, score = 100
            //   ff4d0c               | dec                 dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   57                   | push                edi

        $sequence_2 = { 8d55e0 8d4db0 50 e8???????? 83c404 8d4d98 8bd0 }
            // n = 7, score = 100
            //   8d55e0               | lea                 edx, [ebp - 0x20]
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   8bd0                 | mov                 edx, eax

        $sequence_3 = { 2bc1 83c0fc 83f81f 0f8734050000 52 }
            // n = 5, score = 100
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8734050000         | ja                  0x53a
            //   52                   | push                edx

        $sequence_4 = { 83f801 720e 83f803 7309 8b0485a452fa7e }
            // n = 5, score = 100
            //   83f801               | cmp                 eax, 1
            //   720e                 | jb                  0x10
            //   83f803               | cmp                 eax, 3
            //   7309                 | jae                 0xb
            //   8b0485a452fa7e       | mov                 eax, dword ptr [eax*4 + 0x7efa52a4]

        $sequence_5 = { c745f40f000000 c645e000 83f908 0f8250050000 }
            // n = 4, score = 100
            //   c745f40f000000       | mov                 dword ptr [ebp - 0xc], 0xf
            //   c645e000             | mov                 byte ptr [ebp - 0x20], 0
            //   83f908               | cmp                 ecx, 8
            //   0f8250050000         | jb                  0x556

        $sequence_6 = { 2236 3336 3836 42 3653 3658 366236 }
            // n = 7, score = 100
            //   2236                 | and                 dh, byte ptr [esi]
            //   3336                 | xor                 esi, dword ptr [esi]
            //   3836                 | cmp                 byte ptr [esi], dh
            //   42                   | inc                 edx
            //   3653                 | push                ebx
            //   3658                 | pop                 eax
            //   366236               | bound               esi, qword ptr ss:[esi]

        $sequence_7 = { c645c800 0f42c6 837df410 50 0f434de0 }
            // n = 5, score = 100
            //   c645c800             | mov                 byte ptr [ebp - 0x38], 0
            //   0f42c6               | cmovb               eax, esi
            //   837df410             | cmp                 dword ptr [ebp - 0xc], 0x10
            //   50                   | push                eax
            //   0f434de0             | cmovae              ecx, dword ptr [ebp - 0x20]

        $sequence_8 = { 2bda 83c2f8 57 83c008 56 }
            // n = 5, score = 100
            //   2bda                 | sub                 ebx, edx
            //   83c2f8               | add                 edx, -8
            //   57                   | push                edi
            //   83c008               | add                 eax, 8
            //   56                   | push                esi

        $sequence_9 = { 8b08 ff5128 85c0 7c22 397d10 }
            // n = 5, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff5128               | call                dword ptr [ecx + 0x28]
            //   85c0                 | test                eax, eax
            //   7c22                 | jl                  0x24
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi

        $sequence_10 = { 8b0485582c4300 807c012800 7d5d 8d45d8 50 ff75e8 ff15???????? }
            // n = 7, score = 100
            //   8b0485582c4300       | mov                 eax, dword ptr [eax*4 + 0x432c58]
            //   807c012800           | cmp                 byte ptr [ecx + eax + 0x28], 0
            //   7d5d                 | jge                 0x5f
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     

        $sequence_11 = { 7508 8b450c c60015 eb9c 3cd4 }
            // n = 5, score = 100
            //   7508                 | jne                 0xa
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c60015               | mov                 byte ptr [eax], 0x15
            //   eb9c                 | jmp                 0xffffff9e
            //   3cd4                 | cmp                 al, 0xd4

        $sequence_12 = { 33c0 ebf7 83c8ff ebf2 55 8bec 83ec0c }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   ebf7                 | jmp                 0xfffffff9
            //   83c8ff               | or                  eax, 0xffffffff
            //   ebf2                 | jmp                 0xfffffff4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc

        $sequence_13 = { 747f 8b45f8 8b5df0 8b0485582c4300 8a44032b }
            // n = 5, score = 100
            //   747f                 | je                  0x81
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   8b0485582c4300       | mov                 eax, dword ptr [eax*4 + 0x432c58]
            //   8a44032b             | mov                 al, byte ptr [ebx + eax + 0x2b]

        $sequence_14 = { eb21 807d9a01 7511 66837da009 }
            // n = 4, score = 100
            //   eb21                 | jmp                 0x23
            //   807d9a01             | cmp                 byte ptr [ebp - 0x66], 1
            //   7511                 | jne                 0x13
            //   66837da009           | cmp                 word ptr [ebp - 0x60], 9

        $sequence_15 = { 50 e8???????? 83c418 85c0 0f84fa000000 395de4 0f86f1000000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   0f84fa000000         | je                  0x100
            //   395de4               | cmp                 dword ptr [ebp - 0x1c], ebx
            //   0f86f1000000         | jbe                 0xf7

    condition:
        7 of them and filesize < 466944
}
Download all Yara Rules