SYMBOLCOMMON_NAMEaka. SYNONYMS
win.unidentified_042 (Back to overview)

Unidentified 042

Actor(s): Lazarus Group


There is no description at this point.

References
2018-03-28IntezerJay Rosenberg
@online{rosenberg:20180328:lazarus:307e39e, author = {Jay Rosenberg}, title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}}, date = {2018-03-28}, organization = {Intezer}, url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/}, language = {English}, urldate = {2019-11-27} } Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
Unidentified 042
Yara Rules
[TLP:WHITE] win_unidentified_042_auto (20220516 | Detects win.unidentified_042.)
rule win_unidentified_042_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.unidentified_042."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7438 8b8528f9ffff 5f 5e 5b 8b4dfc 33cd }
            // n = 7, score = 100
            //   7438                 | je                  0x3a
            //   8b8528f9ffff         | mov                 eax, dword ptr [ebp - 0x6d8]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp

        $sequence_1 = { 8b78fc 897dfc 8b79fc 8978fc 8b7dfc 8979fc 8b38 }
            // n = 7, score = 100
            //   8b78fc               | mov                 edi, dword ptr [eax - 4]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b79fc               | mov                 edi, dword ptr [ecx - 4]
            //   8978fc               | mov                 dword ptr [eax - 4], edi
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   8979fc               | mov                 dword ptr [ecx - 4], edi
            //   8b38                 | mov                 edi, dword ptr [eax]

        $sequence_2 = { 57 ffd2 8b4f08 894110 8b4708 8b4810 83c410 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ffd2                 | call                edx
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   83c410               | add                 esp, 0x10

        $sequence_3 = { 03b36cf94200 8bdf 0375ec c1cb02 0175dc 899dc8feffff 8bdf }
            // n = 7, score = 100
            //   03b36cf94200         | add                 esi, dword ptr [ebx + 0x42f96c]
            //   8bdf                 | mov                 ebx, edi
            //   0375ec               | add                 esi, dword ptr [ebp - 0x14]
            //   c1cb02               | ror                 ebx, 2
            //   0175dc               | add                 dword ptr [ebp - 0x24], esi
            //   899dc8feffff         | mov                 dword ptr [ebp - 0x138], ebx
            //   8bdf                 | mov                 ebx, edi

        $sequence_4 = { e8???????? 8b4d40 8b553c 8b4538 51 8b4d34 52 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4d40               | mov                 ecx, dword ptr [ebp + 0x40]
            //   8b553c               | mov                 edx, dword ptr [ebp + 0x3c]
            //   8b4538               | mov                 eax, dword ptr [ebp + 0x38]
            //   51                   | push                ecx
            //   8b4d34               | mov                 ecx, dword ptr [ebp + 0x34]
            //   52                   | push                edx

        $sequence_5 = { 81fa00400000 7616 b87cffffff 5f 5e 5b 8b4dfc }
            // n = 7, score = 100
            //   81fa00400000         | cmp                 edx, 0x4000
            //   7616                 | jbe                 0x18
            //   b87cffffff           | mov                 eax, 0xffffff7c
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_6 = { f7e2 c1ea02 8d4415f4 8d1452 03d2 }
            // n = 5, score = 100
            //   f7e2                 | mul                 edx
            //   c1ea02               | shr                 edx, 2
            //   8d4415f4             | lea                 eax, [ebp + edx - 0xc]
            //   8d1452               | lea                 edx, [edx + edx*2]
            //   03d2                 | add                 edx, edx

        $sequence_7 = { 8bc8 2b4508 53 56 2bca 2bc2 57 }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   2bca                 | sub                 ecx, edx
            //   2bc2                 | sub                 eax, edx
            //   57                   | push                edi

        $sequence_8 = { c78568faffff4a705876 c7856cfaffff59517a54 c78570faffff655a4b78 c78574faffff660d0a64 c78578faffff516d6a53 c7857cfaffff38514e38 c78580faffff49467476 }
            // n = 7, score = 100
            //   c78568faffff4a705876     | mov    dword ptr [ebp - 0x598], 0x7658704a
            //   c7856cfaffff59517a54     | mov    dword ptr [ebp - 0x594], 0x547a5159
            //   c78570faffff655a4b78     | mov    dword ptr [ebp - 0x590], 0x784b5a65
            //   c78574faffff660d0a64     | mov    dword ptr [ebp - 0x58c], 0x640a0d66
            //   c78578faffff516d6a53     | mov    dword ptr [ebp - 0x588], 0x536a6d51
            //   c7857cfaffff38514e38     | mov    dword ptr [ebp - 0x584], 0x384e5138
            //   c78580faffff49467476     | mov    dword ptr [ebp - 0x580], 0x76744649

        $sequence_9 = { 3d67ffffff 7405 ba???????? e8???????? 8b4dfc 83c404 5f }
            // n = 7, score = 100
            //   3d67ffffff           | cmp                 eax, 0xffffff67
            //   7405                 | je                  7
            //   ba????????           |                     
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules