win.unidentified_042

Unidentified 042

Actor(s): Lazarus Group


There is no description at this point.

References
2018-03-28 · Intezer · Jay Rosenberg
@online{rosenberg:20180328:lazarus:307e39e, author = {Jay Rosenberg}, title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}}, date = {2018-03-28}, organization = {Intezer}, url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/}, language = {English}, urldate = {2019-11-27} } Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
Unidentified 042
Yara Rules
[TLP:WHITE] win_unidentified_042_auto (20230125 | Detects win.unidentified_042.)
rule win_unidentified_042_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.unidentified_042."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * Rule shape: ten auto-selected 7-instruction x86 byte sequences; the
     * condition requires any 7 of them plus a filesize cap, so no single
     * sequence decides a match. Per-sequence observations that matter when
     * assigning confidence or triaging a hit:
     *  - $sequence_2 stores the five SHA-1 initial state words
     *    (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0).
     *    Any binary with an inlined/statically linked SHA-1 contains these,
     *    so this sequence is generic on its own, not family-specific.
     *  - $sequence_8 reads a table at the absolute address 0x431618; this
     *    ties the pattern to one image base / build and may not survive
     *    relocation or a recompiled sample.
     *  - $sequence_1, $sequence_6 and $sequence_9 are call/jump skeletons
     *    with wildcarded operands (????????) and carry little specificity
     *    individually.
     * The remaining notes on individual sequences are inferences from the
     * listed disassembly only, not confirmed against the sample.
     */


    strings:
        // Accumulates eax into several stack slots and registers, then loops
        // while esi < 0x31 (backward jl).
        $sequence_0 = { 01857cffffff 014580 03f0 03c8 03f8 83fe31 0f8ca8feffff }
            // n = 7, score = 100
            //   01857cffffff         | add                 dword ptr [ebp - 0x84], eax
            //   014580               | add                 dword ptr [ebp - 0x80], eax
            //   03f0                 | add                 esi, eax
            //   03c8                 | add                 ecx, eax
            //   03f8                 | add                 edi, eax
            //   83fe31               | cmp                 esi, 0x31
            //   0f8ca8feffff         | jl                  0xfffffeae

        // Repeated "mov edi, imm32 / mov [ebp-4], imm32 / jmp" pattern with
        // all immediates wildcarded; looks like a switch-style dispatch but
        // the operands are not part of the match.
        $sequence_1 = { bf???????? eb36 c745fc???????? bf???????? eb28 c745fc???????? bf???????? }
            // n = 7, score = 100
            //   bf????????           |                     
            //   eb36                 | jmp                 0x38
            //   c745fc????????       |                     
            //   bf????????           |                     
            //   eb28                 | jmp                 0x2a
            //   c745fc????????       |                     
            //   bf????????           |                     

        // SHA-1 initial hash values H0..H4 written to the stack frame (see
        // REVIEW NOTES: generic for any SHA-1 implementation).
        $sequence_2 = { 56 c745e401234567 c745e889abcdef c745ecfedcba98 c745f076543210 c745f4f0e1d2c3 894598 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   c745e401234567       | mov                 dword ptr [ebp - 0x1c], 0x67452301
            //   c745e889abcdef       | mov                 dword ptr [ebp - 0x18], 0xefcdab89
            //   c745ecfedcba98       | mov                 dword ptr [ebp - 0x14], 0x98badcfe
            //   c745f076543210       | mov                 dword ptr [ebp - 0x10], 0x10325476
            //   c745f4f0e1d2c3       | mov                 dword ptr [ebp - 0xc], 0xc3d2e1f0
            //   894598               | mov                 dword ptr [ebp - 0x68], eax

        // Run of 32-bit immediates stored into consecutive slots of a large
        // stack buffer (ebp - 0x7d8 ...); presumably an inlined constant
        // table — the meaning of the values is not evident from here.
        $sequence_3 = { c78528f8ffff8444e610 c7852cf8ffff585d2200 c78530f8ffffd1516a05 c78534f8ffff6eb8bfa6 c78538f8ffffe7744df5 c7853cf8ffff5945a7c1 c78540f8ffffa498530c }
            // n = 7, score = 100
            //   c78528f8ffff8444e610     | mov    dword ptr [ebp - 0x7d8], 0x10e64484
            //   c7852cf8ffff585d2200     | mov    dword ptr [ebp - 0x7d4], 0x225d58
            //   c78530f8ffffd1516a05     | mov    dword ptr [ebp - 0x7d0], 0x56a51d1
            //   c78534f8ffff6eb8bfa6     | mov    dword ptr [ebp - 0x7cc], 0xa6bfb86e
            //   c78538f8ffffe7744df5     | mov    dword ptr [ebp - 0x7c8], 0xf54d74e7
            //   c7853cf8ffff5945a7c1     | mov    dword ptr [ebp - 0x7c4], 0xc1a74559
            //   c78540f8ffffa498530c     | mov    dword ptr [ebp - 0x7c0], 0xc5398a4

        // Two copies of eax rotated right by 2 and by 13 and spilled to the
        // frame; resembles a SHA-256 Sigma0 step (rotr 2/13/22) — unconfirmed.
        $sequence_4 = { 8bf8 c1cf02 89bdc8feffff 8bf8 c1cf0d 89bdd4feffff 03ce }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   c1cf02               | ror                 edi, 2
            //   89bdc8feffff         | mov                 dword ptr [ebp - 0x138], edi
            //   8bf8                 | mov                 edi, eax
            //   c1cf0d               | ror                 edi, 0xd
            //   89bdd4feffff         | mov                 dword ptr [ebp - 0x12c], edi
            //   03ce                 | add                 ecx, esi

        // Packs bytes read from [ecx] and [ecx+2] into eax (big-endian order)
        // and compares the result with 0x481e; purpose of the constant is not
        // evident from the fragment.
        $sequence_5 = { 0fb611 0fb64902 c1e208 0bc2 c1e008 0bc1 3d1e480000 }
            // n = 7, score = 100
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   0fb64902             | movzx               ecx, byte ptr [ecx + 2]
            //   c1e208               | shl                 edx, 8
            //   0bc2                 | or                  eax, edx
            //   c1e008               | shl                 eax, 8
            //   0bc1                 | or                  eax, ecx
            //   3d1e480000           | cmp                 eax, 0x481e

        // Call, test the result in ebx, skip on zero; call targets are
        // wildcarded so only the skeleton is matched.
        $sequence_6 = { e8???????? 8bd8 85db 7419 8d75f0 e8???????? 8d75e0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7419                 | je                  0x1b
            //   8d75f0               | lea                 esi, [ebp - 0x10]
            //   e8????????           |                     
            //   8d75e0               | lea                 esi, [ebp - 0x20]

        // Same shape as $sequence_3: consecutive 32-bit immediates written
        // into a large stack buffer (ebp - 0x58c ...); likely part of the
        // same inlined table — not identifiable from here.
        $sequence_7 = { c78574faffff25da3f2e c78578fafffffafe28be c7857cfaffffaff05b42 c78580faffff0973699c c78584faffffb195ef80 c78588faffffdccc6129 c7858cfaffff2b44064a }
            // n = 7, score = 100
            //   c78574faffff25da3f2e     | mov    dword ptr [ebp - 0x58c], 0x2e3fda25
            //   c78578fafffffafe28be     | mov    dword ptr [ebp - 0x588], 0xbe28fefa
            //   c7857cfaffffaff05b42     | mov    dword ptr [ebp - 0x584], 0x425bf0af
            //   c78580faffff0973699c     | mov    dword ptr [ebp - 0x580], 0x9c697309
            //   c78584faffffb195ef80     | mov    dword ptr [ebp - 0x57c], 0x80ef95b1
            //   c78588faffffdccc6129     | mov    dword ptr [ebp - 0x578], 0x2961ccdc
            //   c7858cfaffff2b44064a     | mov    dword ptr [ebp - 0x574], 0x4a06442b

        // Byte-indexed lookup in a 4-byte-stride table at a fixed address
        // combined with 0xff000000 / 0xff0000 masks and xor; looks like a
        // table-driven cipher round — unconfirmed. The absolute address
        // 0x431618 makes this string build-specific.
        $sequence_8 = { 0fb6d9 0fb61c9d18164300 c1e908 81e2000000ff 250000ff00 33c2 0fb6c9 }
            // n = 7, score = 100
            //   0fb6d9               | movzx               ebx, cl
            //   0fb61c9d18164300     | movzx               ebx, byte ptr [ebx*4 + 0x431618]
            //   c1e908               | shr                 ecx, 8
            //   81e2000000ff         | and                 edx, 0xff000000
            //   250000ff00           | and                 eax, 0xff0000
            //   33c2                 | xor                 eax, edx
            //   0fb6c9               | movzx               ecx, cl

        // Call with two stack arguments cleaned up (add esp, 8), branch on a
        // negative result, then push the next arguments; target wildcarded.
        $sequence_9 = { e8???????? 83c408 85c0 0f888c000000 8b550c 52 56 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f888c000000         | js                  0x92
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   52                   | push                edx
            //   56                   | push                esi

    condition:
        // Any 7 of the 10 sequences; 516096 bytes = 504 KiB. The cap is
        // derived from the documented sample and will exclude larger builds
        // or padded/appended variants.
        7 of them and filesize < 516096
}