win.unidentified_103

Unidentified 103 (FIN8)

aka: Sardonic

A malware family that uses a .NET loader to run unmanaged (shell)code bearing some resemblance to BADHATCH. The IP address found in the analysed sample was referenced in coverage of WHITERABBIT ransomware attacks. Symantec's 2023 reporting describes a revamped Sardonic backdoor used by FIN8 to deliver Noberus ransomware (tagged here under BlackCat).

References
2023-07-18 — Symantec — Threat Hunter Team
@online{team:20230718:fin8:6850531, author = {Threat Hunter Team}, title = {{FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware}}, date = {2023-07-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor}, language = {English}, urldate = {2023-07-20} } FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
BlackCat Unidentified 103 (FIN8)
2022-01-19 — AlienVault OTX — SVThreatIntel
@online{svthreatintel:20220119:white:0e26f48, author = {SVThreatIntel}, title = {{White Rabbit Ransomware: Propagation, Exploitation, and Indicators of Compromise}}, date = {2022-01-19}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e}, language = {English}, urldate = {2023-04-26} } White Rabbit Ransomware: Propagation, Exploitation, and Indicators of Compromise
Unidentified 103 (FIN8)
Yara Rules
[TLP:WHITE] win_unidentified_103_auto (20230715 | Detects win.unidentified_103.)
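rule win_unidentified_103_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_103."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex patterns below are unchanged from the generated rule. The
     *   per-instruction comments shipped with it did not correspond to the
     *   bytes they annotated (e.g. "85c9" was labelled as a mov to [esp+0x5c];
     *   it is "test ecx, ecx"). Every comment has been re-derived by decoding
     *   the bytes as 32-bit x86.
     * - $sequence_0 and $sequence_9 overlap: the last four instructions of
     *   $sequence_0 are the first four of $sequence_9, so a single code
     *   location can satisfy both. Treat "7 of them" as roughly six
     *   independent hits when assigning confidence.
     * - The patterns describe the unmanaged payload (memory dump / unpacked
     *   code, per the DISCLAIMER). The on-disk carrier documented for this
     *   family is a .NET loader, so scan process memory or unpacked payloads;
     *   the loader itself is not expected to match.
     * - The recurring "lea esi, [esi+eiz*1+0]" 7-byte NOP and the
     *   "mov [esp+N], reg / call" argument staging are consistent with
     *   gcc/MinGW-compiled code -- an inference, not confirmed here.
     */

    strings:
        // Entry of a byte-copy loop: zero-length check, jump past the loop,
        // alignment padding, then the first read of the loop body.
        // Overlaps $sequence_9 (see REVIEW NOTES).
        $sequence_0 = { 85c9 0f84da000000 90 8db42600000000 0fb608 83c001 }
            // n = 6, score = 100
            //   85c9                 | test                ecx, ecx
            //   0f84da000000         | je                  rel32 +0xda
            //   90                   | nop
            //   8db42600000000       | lea                 esi, [esi + eiz*1 + 0]   ; 7-byte NOP
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   83c001               | add                 eax, 1

        // Indirect call through a function pointer held in the stack frame.
        // "sub esp, 4" after the call re-reserves the argument slot, which fits
        // a callee-cleans-stack (stdcall) target -- inferred, not confirmed.
        $sequence_1 = { e8???????? e9???????? 890424 8b8424c4000000 ffd0 31d2 83ec04 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32>
            //   e9????????           | jmp                 <rel32>
            //   890424               | mov                 dword ptr [esp], eax
            //   8b8424c4000000       | mov                 eax, dword ptr [esp + 0xc4]
            //   ffd0                 | call                eax
            //   31d2                 | xor                 edx, edx
            //   83ec04               | sub                 esp, 4

        // Stack-string construction: "Virt" at +0x34e, "ualP" at +0x352 and a
        // 16-bit tail from cx at +0x35a. The 4 bytes at +0x356 are not in the
        // pattern, but the 14-byte layout fits "VirtualProtect" exactly;
        // building API names on the stack is a common way to hide imports.
        $sequence_2 = { 89842438010000 8d84244e030000 89442404 66898c245a030000 c784244e03000056697274 c784245203000075616c50 }
            // n = 6, score = 100
            //   89842438010000       | mov                 dword ptr [esp + 0x138], eax
            //   8d84244e030000       | lea                 eax, [esp + 0x34e]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   66898c245a030000     | mov                 word ptr [esp + 0x35a], cx
            //   c784244e03000056697274     | mov    dword ptr [esp + 0x34e], 0x74726956   ; "Virt"
            //   c784245203000075616c50     | mov    dword ptr [esp + 0x352], 0x506c6175   ; "ualP"

        // Byte-wise compare loop (strcmp/memcmp-like): advances two cursors
        // and compares one byte from each.
        $sequence_3 = { 8d4601 83c201 01ce eb14 0fb618 0fb60a 38cb }
            // n = 7, score = 100
            //   8d4601               | lea                 eax, [esi + 1]
            //   83c201               | add                 edx, 1
            //   01ce                 | add                 esi, ecx
            //   eb14                 | jmp                 short +0x14
            //   0fb618               | movzx               ebx, byte ptr [eax]
            //   0fb60a               | movzx               ecx, byte ptr [edx]
            //   38cb                 | cmp                 bl, cl

        // Stack-string construction: "SeTc" at +0x399, "bPri" at +0x39d,
        // "vile" at +0x3a1, a 16-bit tail from cx at +0x3a5 and a NUL at
        // +0x3a7 -- the layout fits "SeTcbPrivilege" exactly. Requesting
        // SeTcbPrivilege points at token/privilege manipulation (inferred).
        $sequence_4 = { 897c2408 66898c24a5030000 8b8c24d0000000 c784249903000053655463 c784249d03000062507269 c78424a103000076696c65 c68424a703000000 }
            // n = 7, score = 100
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   66898c24a5030000     | mov                 word ptr [esp + 0x3a5], cx
            //   8b8c24d0000000       | mov                 ecx, dword ptr [esp + 0xd0]
            //   c784249903000053655463     | mov    dword ptr [esp + 0x399], 0x63546553   ; "SeTc"
            //   c784249d03000062507269     | mov    dword ptr [esp + 0x39d], 0x69725062   ; "bPri"
            //   c78424a103000076696c65     | mov    dword ptr [esp + 0x3a1], 0x656c6976   ; "vile"
            //   c68424a703000000     | mov                 byte ptr [esp + 0x3a7], 0

        // Argument staging followed by an indirect call through a frame-held
        // function pointer; "sub esp, 0x14" re-reserves five argument slots.
        $sequence_5 = { 89442408 8b8424b8030000 890424 8b842448010000 ffd0 83ec14 }
            // n = 6, score = 100
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b8424b8030000       | mov                 eax, dword ptr [esp + 0x3b8]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b842448010000       | mov                 eax, dword ptr [esp + 0x148]
            //   ffd0                 | call                eax
            //   83ec14               | sub                 esp, 0x14

        // Copies consecutive dwords from the frame (+0x138..+0x144) into
        // consecutive fields of the structure at eax (+0xc..+0x14).
        $sequence_6 = { 8bbc2438010000 89780c 8bbc243c010000 897810 8bbc2440010000 897814 8bbc2444010000 }
            // n = 7, score = 100
            //   8bbc2438010000       | mov                 edi, dword ptr [esp + 0x138]
            //   89780c               | mov                 dword ptr [eax + 0xc], edi
            //   8bbc243c010000       | mov                 edi, dword ptr [esp + 0x13c]
            //   897810               | mov                 dword ptr [eax + 0x10], edi
            //   8bbc2440010000       | mov                 edi, dword ptr [esp + 0x140]
            //   897814               | mov                 dword ptr [eax + 0x14], edi
            //   8bbc2444010000       | mov                 edi, dword ptr [esp + 0x144]

        // Three-argument indirect call (second argument is the constant 0),
        // then "sub esp, 0x18" re-reserves six argument slots.
        $sequence_7 = { 89742408 890424 8b442434 c744240400000000 ffd0 83ec18 8b842490000000 }
            // n = 7, score = 100
            //   89742408             | mov                 dword ptr [esp + 8], esi
            //   890424               | mov                 dword ptr [esp], eax
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   ffd0                 | call                eax
            //   83ec18               | sub                 esp, 0x18
            //   8b842490000000       | mov                 eax, dword ptr [esp + 0x90]

        // Register reload / argument staging. Short (4 instructions) and
        // generic -- the weakest pattern in this set.
        $sequence_8 = { 8b7c2464 896c240c 8b6c2468 895c2410 }
            // n = 4, score = 100
            //   8b7c2464             | mov                 edi, dword ptr [esp + 0x64]
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   8b6c2468             | mov                 ebp, dword ptr [esp + 0x68]
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx

        // Body of the byte-copy loop started in $sequence_0: reads a byte from
        // [eax], advances both pointers, stores it to [edx-1].
        // Overlaps $sequence_0 (see REVIEW NOTES).
        $sequence_9 = { 90 8db42600000000 0fb608 83c001 83c201 884aff }
            // n = 6, score = 100
            //   90                   | nop
            //   8db42600000000       | lea                 esi, [esi + eiz*1 + 0]   ; 7-byte NOP
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   83c001               | add                 eax, 1
            //   83c201               | add                 edx, 1
            //   884aff               | mov                 byte ptr [edx - 1], cl

    condition:
        // 188416 = 184 KiB, derived by the generator from the documented
        // sample. Larger memory dumps / unpacked payloads will NOT match even
        // when every sequence is present; drop or raise the bound if you scan
        // whole-process dumps rather than carved payloads.
        7 of them and filesize < 188416
}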