win.unidentified_076

Unidentified 076 (Higaisa LNK to Shellcode)

Actor(s): Higaisa


There is no description at this point.

References
2020-11-13 | Youtube (The Standoff) | Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c, author = {Alexey Zakharov and Positive Technologies}, title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}}, date = {2020-11-13}, organization = {Youtube (The Standoff)}, url = {https://www.youtube.com/watch?v=8x-pGlWpIYI}, language = {English}, urldate = {2020-11-23} } FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK, Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-14 | BushidoToken | BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex, Ghost RAT, Ramsay, Retro, Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-11 | Zscaler | Sudeep Singh, Atinderpal Singh
@online{singh:20200611:return:3a58e44, author = {Sudeep Singh and Atinderpal Singh}, title = {{The Return of the Higaisa APT}}, date = {2020-06-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/return-higaisa-apt}, language = {English}, urldate = {2020-06-12} } The Return of the Higaisa APT
Unidentified 076 (Higaisa LNK to Shellcode)
Yara Rules
[TLP:WHITE] win_unidentified_076_auto (20211008 | Detects win.unidentified_076.)
/*
 * Auto-generated YARA rule for win.unidentified_076 ("Higaisa LNK to Shellcode").
 * Produced by yara-signator (see the meta block) from opcode sequences taken
 * from memory dumps / unpacked files. The ten $sequence_* hex strings are the
 * only matching logic; the condition requires at least 7 of them plus a file
 * size cap. Per the DISCLAIMER below, the rule may be derived from a single
 * sample, so treat a hit as a lead for the family rather than a definitive
 * attribution, and assign a confidence level accordingly.
 */
rule win_unidentified_076_auto {

    meta:
        // Provenance only: YARA does not evaluate meta fields when matching.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.unidentified_076."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "n = ..., score = ..." lines and the inline
     * disassembly below are emitted by the generator and appear NOT to line
     * up with the hex bytes printed on the same line (e.g. 85c0 is annotated
     * as an lea, 448bfe as "dec eax"). Many sequences start with 0x48, 0x44,
     * 0x41, 0x49 or 0x4c, which are REX prefixes in 64-bit code; the
     * annotations render those single bytes as "dec eax", "inc esp",
     * "inc ecx", "dec ecx", "dec esp", i.e. their 32-bit decoding. When
     * validating a hit, trust the hex, not the mnemonic column.
     * In $sequence_7, "e9????????" is a jmp rel32 whose 4-byte displacement
     * is wildcarded, so the sequence matches regardless of branch target.
     */

    strings:
        // The two "c7 44 24 xx <imm32>" stores in $sequence_0 carry the ASCII
        // bytes "spec" and "0:%p", followed by a 16-bit store of 0x000a
        // ("\n\0") -- presumably a stack-built format string fragment; the
        // most human-readable anchor in this rule (TODO confirm in a sample).
        $sequence_0 = { 48898424c0000000 448bfe 448be6 c744245073706563 c7442454303a2570 66c74424580a00 48899c24c8000000 }
            // n = 7, score = 100
            //   48898424c0000000     | mov                 eax, dword ptr [ebx + 0xc8]
            //   448bfe               | dec                 eax
            //   448be6               | mov                 ecx, dword ptr [ebp - 0x10]
            //   c744245073706563     | dec                 eax
            //   c7442454303a2570     | mov                 ecx, dword ptr [ebp - 9]
            //   66c74424580a00       | dec                 eax
            //   48899c24c8000000     | test                ecx, ecx

        $sequence_1 = { 85c0 75a2 488b86c8000000 4421758f bf10000000 448bc7 33d2 }
            // n = 7, score = 100
            //   85c0                 | lea                 esi, dword ptr [ecx + 0x268]
            //   75a2                 | dec                 eax
            //   488b86c8000000       | lea                 ebp, dword ptr [ecx + 0x38c]
            //   4421758f             | push                edi
            //   bf10000000           | dec                 eax
            //   448bc7               | sub                 esp, 0x30
            //   33d2                 | dec                 eax

        $sequence_2 = { 488364243800 488b81c8000000 488364243000 8364242800 488364242000 4c8bc2 448bcb }
            // n = 7, score = 100
            //   488364243800         | inc                 esp
            //   488b81c8000000       | add                 dword ptr [ebx + 0x68], edx
            //   488364243000         | inc                 dword ptr [ebx + 0x60]
            //   8364242800           | mov                 eax, dword ptr [ebx]
            //   488364242000         | dec                 eax
            //   4c8bc2               | mov                 dword ptr [ebx + 0xb0], edx
            //   448bcb               | mov                 dword ptr [edx + 0x14], 0x51

        $sequence_3 = { 488bc8 48898390020000 4885c0 488b83c8000000 7530 ff9040040000 488b83c8000000 }
            // n = 7, score = 100
            //   488bc8               | mov                 ecx, dword ptr [esi]
            //   48898390020000       | mov                 dword ptr [ebp + 0x48], ecx
            //   4885c0               | dec                 eax
            //   488b83c8000000       | mov                 ecx, dword ptr [edi + 0x1e0]
            //   7530                 | dec                 esp
            //   ff9040040000         | mov                 ecx, dword ptr [edi + 0xc8]
            //   488b83c8000000       | dec                 esp

        $sequence_4 = { 75d4 488b8be0000000 bf00800000 4885c9 7412 }
            // n = 5, score = 100
            //   75d4                 | inc                 esp
            //   488b8be0000000       | mov                 eax, eax
            //   bf00800000           | dec                 eax
            //   4885c9               | mov                 edx, ebx
            //   7412                 | inc                 ecx

        $sequence_5 = { 488b87c8000000 8b9068050000 ebb6 4c8b06 488b8f68020000 41b900008000 ba0e660000 }
            // n = 7, score = 100
            //   488b87c8000000       | arpl                word ptr [esi + 4], cx
            //   8b9068050000         | mov                 ecx, dword ptr [edi + 0x348]
            //   ebb6                 | dec                 esp
            //   4c8b06               | mov                 eax, ebx
            //   488b8f68020000       | mov                 edx, 0x82
            //   41b900008000         | call                dword ptr [eax + 0x3a0]
            //   ba0e660000           | dec                 eax

        $sequence_6 = { 488b87c8000000 33d2 41b800040000 498bcf ff9020070000 488b87c8000000 33d2 }
            // n = 7, score = 100
            //   488b87c8000000       | dec                 eax
            //   33d2                 | mov                 ecx, ebx
            //   41b800040000         | call                dword ptr [eax + 0x7f0]
            //   498bcf               | dec                 eax
            //   ff9020070000         | mov                 eax, dword ptr [edi + 0xc8]
            //   488b87c8000000       | dec                 eax
            //   33d2                 | mov                 eax, dword ptr [edi + 0xc8]

        $sequence_7 = { 41b916000000 e9???????? 41c6470303 498b86c8000000 ff9080000000 498d4f05 488bd3 }
            // n = 7, score = 100
            //   41b916000000         | add                 esp, dword ptr [edi + 0x2c]
            //   e9????????           |                     
            //   41c6470303           | inc                 ecx
            //   498b86c8000000       | mov                 ebx, dword ptr [edi + 0x18]
            //   ff9080000000         | dec                 eax
            //   498d4f05             | mov                 dword ptr [ecx + 8], eax
            //   488bd3               | dec                 ecx

        $sequence_8 = { 85d2 0f8445ffffff 0fb74b02 0fb6c1 c1e908 c1e008 0bc1 }
            // n = 7, score = 100
            //   85d2                 | imul                ecx, dword ptr [eax + 4], 0x3e8
            //   0f8445ffffff         | call                dword ptr [edx + 0x10]
            //   0fb74b02             | dec                 eax
            //   0fb6c1               | mov                 ebx, dword ptr [esp + 0xc8]
            //   c1e908               | dec                 eax
            //   c1e008               | mov                 eax, dword ptr [edi + 0xc8]
            //   0bc1                 | mov                 ebx, esi

        $sequence_9 = { 488bcd ff9080000000 85c0 0f8eb8000000 488b87c8000000 488bcd ff9080000000 }
            // n = 7, score = 100
            //   488bcd               | lea                 edx, dword ptr [ebp + 0x70]
            //   ff9080000000         | dec                 eax
            //   85c0                 | lea                 ecx, dword ptr [ebx + edi]
            //   0f8eb8000000         | inc                 ecx
            //   488b87c8000000       | mov                 eax, 0x1370
            //   488bcd               | dec                 eax
            //   ff9080000000         | mov                 ecx, eax

    condition:
        // At least 7 of the 10 opcode sequences must be present, and the
        // scanned object must be smaller than 114688 bytes (112 KiB, 0x1C000).
        // Larger inputs are excluded even if every sequence matches, so the
        // rule is meant for the unpacked payload, not large carrier files.
        7 of them and filesize < 114688
}