win.unidentified_098

Unidentified 098 (APT29 Slack Downloader)

Actor(s): APT29


There is no description at this point.

References
2022-11-30 — Qianxin Threat Intelligence Center — Red Raindrop Team
@online{team:20221130:analysis:aa1ce2e, author = {Red Raindrop Team}, title = {{Analysis of APT29's attack activities against Italy}}, date = {2022-11-30}, organization = {Qianxin Threat Intelligence Center}, url = {https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/}, language = {Chinese}, urldate = {2022-12-20} } Analysis of APT29's attack activities against Italy
Unidentified 098 (APT29 Slack Downloader)
2022-07-20 — Freebuf — Qi Anxin Threat Intelligence Center
@online{center:20220720:abused:27d014d, author = {Qi Anxin Threat Intelligence Center}, title = {{Abused Slack Service: Analysis of APT29's Attack on Italy}}, date = {2022-07-20}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/paper/339618.html}, language = {English}, urldate = {2022-10-19} } Abused Slack Service: Analysis of APT29's Attack on Italy
Unidentified 098 (APT29 Slack Downloader)
2022-07-19 — R136a1 — Dominik Reichel
@online{reichel:20220719:look:84e1e01, author = {Dominik Reichel}, title = {{A look into APT29's new early-stage Google Drive downloader}}, date = {2022-07-19}, organization = {R136a1}, url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/}, language = {English}, urldate = {2022-10-19} } A look into APT29's new early-stage Google Drive downloader
BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)
2022-07-08 — Cert-AgID — Cert-AgID
@online{certagid:20220708:il:c02e771, author = {Cert-AgID}, title = {{Il malware EnvyScout (APT29) è stato veicolato anche in Italia}}, date = {2022-07-08}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/}, language = {Italian}, urldate = {2022-10-19} } Il malware EnvyScout (APT29) è stato veicolato anche in Italia
EnvyScout Unidentified 098 (APT29 Slack Downloader)
Yara Rules
[TLP:WHITE] win_unidentified_098_auto (20230715 | Detects win.unidentified_098.)
rule win_unidentified_098_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_098."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a run of 7 x86-64 instructions (note the REX
     *   prefixes 40/41/44/48/49/4c/4d). The "??" bytes are YARA wildcards
     *   covering the rel32 target of every E8 call, so the pattern survives
     *   the callee being placed at a different offset.
     * - The mnemonic column that the generator emitted next to each byte
     *   string did not correspond to these bytes (e.g. 4c89c3 was annotated
     *   "dec eax", whereas in 64-bit mode it encodes "mov rbx, r8"); whether
     *   that was a 32-bit decode or a misaligned column cannot be told from
     *   the rule alone. The column below is a 64-bit decoding of the bytes
     *   as written; branch targets are given as displacements from the next
     *   instruction, not as absolute addresses.
     * - Condition: at least 7 of the 10 sequences must be present, and the
     *   scanned object must be smaller than 3345408 bytes (~3.2 MiB). No PE
     *   header check is applied, which keeps the rule usable on memory dumps.
     */


    strings:
        $sequence_0 = { 4c89c3 4989cc 488931 4c8b12 4d8d0442 4c89d2 e8???????? }
            // n = 7, score = 300
            //   4c89c3               | mov                 rbx, r8
            //   4989cc               | mov                 r12, rcx
            //   488931               | mov                 qword ptr [rcx], rsi
            //   4c8b12               | mov                 r10, qword ptr [rdx]
            //   4d8d0442             | lea                 r8, [r10 + rax*2]
            //   4c89d2               | mov                 rdx, r10
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_1 = { 488b8c2488000000 48894c2428 0fbe8c2480000000 894c2420 4c89e1 ff5010 4c89e0 }
            // n = 7, score = 300
            //   488b8c2488000000     | mov                 rcx, qword ptr [rsp + 0x88]
            //   48894c2428           | mov                 qword ptr [rsp + 0x28], rcx
            //   0fbe8c2480000000     | movsx               ecx, byte ptr [rsp + 0x80]
            //   894c2420             | mov                 dword ptr [rsp + 0x20], ecx
            //   4c89e1               | mov                 rcx, r12
            //   ff5010               | call                qword ptr [rax + 0x10]
            //   4c89e0               | mov                 rax, r12

        $sequence_2 = { 488b4500 488d7e10 48c7430800000000 488906 488b40e8 48897c2420 48891406 }
            // n = 7, score = 300
            //   488b4500             | mov                 rax, qword ptr [rbp]
            //   488d7e10             | lea                 rdi, [rsi + 0x10]
            //   48c7430800000000     | mov                 qword ptr [rbx + 8], 0
            //   488906               | mov                 qword ptr [rsi], rax
            //   488b40e8             | mov                 rax, qword ptr [rax - 0x18]
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi
            //   48891406             | mov                 qword ptr [rsi + rax], rdx

        $sequence_3 = { e8???????? 4d85e4 740d 4c89e1 e8???????? e8???????? 488b4f08 }
            // n = 7, score = 300
            //   e8????????           | call                rel32 (wildcarded)
            //   4d85e4               | test                r12, r12
            //   740d                 | je                  short +0xd
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                rel32 (wildcarded)
            //   e8????????           | call                rel32 (wildcarded)
            //   488b4f08             | mov                 rcx, qword ptr [rdi + 8]

        $sequence_4 = { 8903 488b742420 4883c304 483b742428 0f8494000000 4839df 0f84b9000000 }
            // n = 7, score = 300
            //   8903                 | mov                 dword ptr [rbx], eax
            //   488b742420           | mov                 rsi, qword ptr [rsp + 0x20]
            //   4883c304             | add                 rbx, 4
            //   483b742428           | cmp                 rsi, qword ptr [rsp + 0x28]
            //   0f8494000000         | je                  near +0x94
            //   4839df               | cmp                 rdi, rbx
            //   0f84b9000000         | je                  near +0xb9

        $sequence_5 = { 88450a 4c896b10 488b4c2458 48897328 4c897b38 4c897348 c6436f01 }
            // n = 7, score = 300
            //   88450a               | mov                 byte ptr [rbp + 0xa], al
            //   4c896b10             | mov                 qword ptr [rbx + 0x10], r13
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]
            //   48897328             | mov                 qword ptr [rbx + 0x28], rsi
            //   4c897b38             | mov                 qword ptr [rbx + 0x38], r15
            //   4c897348             | mov                 qword ptr [rbx + 0x48], r14
            //   c6436f01             | mov                 byte ptr [rbx + 0x6f], 1

        $sequence_6 = { 4c89d2 e8???????? 488903 4883c430 5b c3 4989c9 }
            // n = 7, score = 300
            //   4c89d2               | mov                 rdx, r10
            //   e8????????           | call                rel32 (wildcarded)
            //   488903               | mov                 qword ptr [rbx], rax
            //   4883c430             | add                 rsp, 0x30
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   4989c9               | mov                 r9, rcx

        $sequence_7 = { 4c89fa 89c1 4429f9 4084ff 0f8549ffffff 41f7c200020000 0f843cffffff }
            // n = 7, score = 300
            //   4c89fa               | mov                 rdx, r15
            //   89c1                 | mov                 ecx, eax
            //   4429f9               | sub                 ecx, r15d
            //   4084ff               | test                dil, dil
            //   0f8549ffffff         | jne                 near -0xb7
            //   41f7c200020000       | test                r10d, 0x200
            //   0f843cffffff         | je                  near -0xc4

        $sequence_8 = { 8944242c 498b0424 488b40e8 4d8bac04e8000000 498b6d18 4d8b7d10 4889e9 }
            // n = 7, score = 300
            //   8944242c             | mov                 dword ptr [rsp + 0x2c], eax
            //   498b0424             | mov                 rax, qword ptr [r12]
            //   488b40e8             | mov                 rax, qword ptr [rax - 0x18]
            //   4d8bac04e8000000     | mov                 r13, qword ptr [r12 + rax + 0xe8]
            //   498b6d18             | mov                 rbp, qword ptr [r13 + 0x18]
            //   4d8b7d10             | mov                 r15, qword ptr [r13 + 0x10]
            //   4889e9               | mov                 rcx, rbp

        $sequence_9 = { e8???????? 418b442414 83f80a 7580 0f1f00 49ff442430 49c744242800000000 }
            // n = 7, score = 300
            //   e8????????           | call                rel32 (wildcarded)
            //   418b442414           | mov                 eax, dword ptr [r12 + 0x14]
            //   83f80a               | cmp                 eax, 0xa
            //   7580                 | jne                 short -0x80
            //   0f1f00               | nop                 dword ptr [rax]
            //   49ff442430           | inc                 qword ptr [r12 + 0x30]
            //   49c744242800000000   | mov                 qword ptr [r12 + 0x28], 0

    condition:
        // "them" is every $sequence_N above (10 strings); 7 hits suffice.
        7 of them and filesize < 3345408
}