win.unidentified_103

Unidentified 103 (FIN8)

aka: Sardonic

A malware family that uses a .NET component to load unmanaged (shell)code bearing some resemblance to BADHATCH. The IP address found in the analysed sample had previously been referenced in coverage of WHITERABBIT ransomware attacks.

References
2023-07-18SymantecThreat Hunter Team
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
BlackCat Unidentified 103 (FIN8)
2022-01-19AlienVault OTXSVThreatIntel
White Rabbit Ransomware: Propagation, Exploitation, and Indicators of Compromise
Unidentified 103 (FIN8)
Yara Rules
[TLP:WHITE] win_unidentified_103_auto (20230808 | Detects win.unidentified_103.)
// Auto-generated YARA rule (yara-signator) for win.unidentified_103
// (FIN8 "Sardonic").  Every $sequence_N below is a literal run of 32-bit
// x86 opcodes taken from unpacked / memory-dumped samples, so the rule is
// intended for unpacked code or memory scans rather than for packed
// droppers on disk.  Because the family is described as a .NET loader for
// unmanaged (shell)code, these native sequences presumably hit the
// unmanaged payload stage, not the .NET loader itself - confirm on a sample.
//
// The disassembly comments next to each string were re-derived from the
// hex bytes (the originally published auto-generated comments did not line
// up with the bytes).  Jump targets are written relative to the start of
// the jump instruction itself ($+N).
rule win_unidentified_103_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // disagree (2023-12-06 / 20231130 / 20230808); values left as published.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_103."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Practitioner notes
     * - All sequences are plain hex with no wildcards and embed the full
     *   rel8/rel32 jump displacements and stack-frame offsets.  Any rebuild
     *   that shifts code layout (different compiler, options or frame size)
     *   breaks individual sequences; the "7 of them" threshold gives some
     *   slack, but not much.
     * - Arguments are passed with `mov [esp+N], ...` after a `sub esp, N`
     *   instead of `push`, and calls go through registers loaded from stack
     *   slots (`call eax` / `call esi`).  This looks like GCC/MinGW-style
     *   codegen calling API pointers resolved at runtime - an assumption,
     *   confirm on a sample before relying on it for attribution.
     * - The filesize bound (188416 bytes = 184 KiB) applies to whatever
     *   object is scanned; for whole-process memory scans or large dumps
     *   rather than an extracted module it may need to be raised or dropped.
     */


    strings:
        // Null-check of ebx, then an indirect call through a function pointer
        // held in a stack slot, followed by a large (0x71c-byte) frame teardown.
        $sequence_0 = { 85db 0f8506030000 8b442470 ffd0 8b542478 81c41c070000 }
            // n = 6, score = 100
            //   85db                 | test                ebx, ebx
            //   0f8506030000         | jne                 $+0x30c
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   ffd0                 | call                eax
            //   8b542478             | mov                 edx, dword ptr [esp + 0x78]
            //   81c41c070000         | add                 esp, 0x71c

        // Argument setup via [esp+N] stores; the indexed load at [esp+eax+0xbcc]
        // followed by a dereference looks like a pointer-table lookup - confirm.
        $sequence_1 = { 8954240c 8b9424e4000000 89742404 83ea04 89542408 8b8404cc0b0000 8b00 }
            // n = 7, score = 100
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   8b9424e4000000       | mov                 edx, dword ptr [esp + 0xe4]
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   83ea04               | sub                 edx, 4
            //   89542408             | mov                 dword ptr [esp + 8], edx
            //   8b8404cc0b0000       | mov                 eax, dword ptr [esp + eax + 0xbcc]
            //   8b00                 | mov                 eax, dword ptr [eax]

        // Result check, then a single-argument indirect call through a
        // function pointer in a stack slot.
        $sequence_2 = { 83ec08 85c0 7439 8b8424bc010000 890424 8b44246c ffd0 }
            // n = 7, score = 100
            //   83ec08               | sub                 esp, 8
            //   85c0                 | test                eax, eax
            //   7439                 | je                  $+0x3b
            //   8b8424bc010000       | mov                 eax, dword ptr [esp + 0x1bc]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b44246c             | mov                 eax, dword ptr [esp + 0x6c]
            //   ffd0                 | call                eax

        // Byte load and pointer arithmetic with a -0x20 bias; presumably one
        // step of a byte-wise parse/decode loop - confirm from context.
        $sequence_3 = { 0fb613 89c3 8d6c11e0 01d1 }
            // n = 4, score = 100
            //   0fb613               | movzx               edx, byte ptr [ebx]
            //   89c3                 | mov                 ebx, eax
            //   8d6c11e0             | lea                 ebp, [ecx + edx - 0x20]
            //   01d1                 | add                 ecx, edx

        // Two back-to-back indirect calls, each with one stack-passed argument.
        $sequence_4 = { 890424 8b842488000000 ffd0 83ec08 8b842484010000 890424 8b8424a4000000 }
            // n = 7, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   8b842488000000       | mov                 eax, dword ptr [esp + 0x88]
            //   ffd0                 | call                eax
            //   83ec08               | sub                 esp, 8
            //   8b842484010000       | mov                 eax, dword ptr [esp + 0x184]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b8424a4000000       | mov                 eax, dword ptr [esp + 0xa4]

        // The immediates are ASCII (0x6578 = "xe", 0x65 = "e") written into a
        // stack buffer word/byte at a time, i.e. a stack-string being assembled
        // (plausibly ".exe"; the surrounding bytes are not in the sequence, so
        // treat the full string as unconfirmed).
        $sequence_5 = { 31db ffd6 c684249803000000 898424bc000000 b878650000 6689842496030000 b865000000 }
            // n = 7, score = 100
            //   31db                 | xor                 ebx, ebx
            //   ffd6                 | call                esi
            //   c684249803000000     | mov                 byte ptr [esp + 0x398], 0
            //   898424bc000000       | mov                 dword ptr [esp + 0xbc], eax
            //   b878650000           | mov                 eax, 0x6578
            //   6689842496030000     | mov                 word ptr [esp + 0x396], ax
            //   b865000000           | mov                 eax, 0x65

        // Three-argument indirect call; the constant 4 as the third argument is
        // not identified here (no symbol information in the sequence).
        $sequence_6 = { c744240804000000 89442404 8b842484010000 890424 8b8424ac000000 ffd0 }
            // n = 6, score = 100
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b842484010000       | mov                 eax, dword ptr [esp + 0x184]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b8424ac000000       | mov                 eax, dword ptr [esp + 0xac]
            //   ffd0                 | call                eax

        // Compare of ebp against 0x303 with long-range branches; the meaning
        // of 0x303 (status/opcode/length?) cannot be determined from the bytes.
        $sequence_7 = { 0f84d3070000 81fd03030000 0f85d5060000 8b842484010000 c744240402000000 89fb be01000000 }
            // n = 7, score = 100
            //   0f84d3070000         | je                  $+0x7d9
            //   81fd03030000         | cmp                 ebp, 0x303
            //   0f85d5060000         | jne                 $+0x6db
            //   8b842484010000       | mov                 eax, dword ptr [esp + 0x184]
            //   c744240402000000     | mov                 dword ptr [esp + 4], 2
            //   89fb                 | mov                 ebx, edi
            //   be01000000           | mov                 esi, 1

        // Byte-wise copy from a stack buffer into an output buffer at fixed
        // offsets (+0xa, +0xb); looks like serialisation of a header or
        // message - confirm from context.
        $sequence_8 = { 8bb4244c010000 01ca 880431 0fb68424a5010000 8844290a 0fb68424a6010000 8844290b }
            // n = 7, score = 100
            //   8bb4244c010000       | mov                 esi, dword ptr [esp + 0x14c]
            //   01ca                 | add                 edx, ecx
            //   880431               | mov                 byte ptr [ecx + esi], al
            //   0fb68424a5010000     | movzx               eax, byte ptr [esp + 0x1a5]
            //   8844290a             | mov                 byte ptr [ecx + ebp + 0xa], al
            //   0fb68424a6010000     | movzx               eax, byte ptr [esp + 0x1a6]
            //   8844290b             | mov                 byte ptr [ecx + ebp + 0xb], al

        // Byte flag check on a deep stack slot, then a counter initialised to 0
        // and incremented - presumably the head of a loop.
        $sequence_9 = { 83ec08 0fb68c2450040000 84c9 741f 31d2 83c201 }
            // n = 6, score = 100
            //   83ec08               | sub                 esp, 8
            //   0fb68c2450040000     | movzx               ecx, byte ptr [esp + 0x450]
            //   84c9                 | test                cl, cl
            //   741f                 | je                  $+0x21
            //   31d2                 | xor                 edx, edx
            //   83c201               | add                 edx, 1

    condition:
        // At least 7 of the 10 opcode sequences must be present, and the
        // scanned object must be smaller than 188416 bytes (184 KiB).
        7 of them and filesize < 188416
}