According to Deep Instinct, this information stealer is written in Rust and was observed in Operation Rusty Flag.
rule win_unidentified_110_auto {
    // Auto-generated (yara-signator) code-sequence rule for win.unidentified_110.
    // Matches on raw x86-64 opcode byte sequences, not on strings or imports, so it
    // is most useful on unpacked files and memory dumps (see DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_110."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a run of 7 consecutive instructions (n = 7) taken from
        // the sample's code. `??` bytes wildcard the rel32 displacement of call/jmp
        // (e8/e9) so the sequence still matches when code is relocated or re-linked.
        //
        // NOTE(review): the per-instruction mnemonics in the comments below do not
        // appear to correspond to the bytes they annotate (e.g. `ff5638` is labelled
        // as a movsd, `c3` as a jne); they look shifted or taken from a different
        // decoding. Treat them as informational only — the hex bytes are what the
        // rule actually matches.

        $sequence_0 = { ff5638 4839d8 756f 488b37 ba08000000 4889f9 e8???????? }
            // n = 7, score = 100
            //   ff5638               | movsd dword ptr es:[edi], dword ptr [esi]
            //   4839d8               | inc ecx
            //   756f                 | mov eax, 0x260
            //   488b37               | dec eax
            //   ba08000000           | lea edi, [esp + 0x1a80]
            //   4889f9               | dec eax
            //   e8????????           |

        $sequence_1 = { 7809 488d1542850a00 59 c3 b907000000 cd29 0f0b }
            // n = 7, score = 100
            //   7809                 | jne 0xb6
            //   488d1542850a00       | dec eax
            //   59                   | cmp dword ptr [esp + 0x30], 0
            //   c3                   | jne 0xb6
            //   b907000000           | dec esp
            //   cd29                 | mov ecx, ebp
            //   0f0b                 | mov ecx, 0x5f0

        $sequence_2 = { 8b842440010000 898424f0000000 0f28842420010000 0f288c2430010000 0f298c24e0000000 0f298424d0000000 8b8424c8000000 }
            // n = 7, score = 100
            //   8b842440010000       | mov dword ptr [esp + 0x138], ecx
            //   898424f0000000       | dec eax
            //   0f28842420010000     | mov ecx, dword ptr [esp + 0x1c8]
            //   0f288c2430010000     | mov ecx, dword ptr [esp + 0x40]
            //   0f298c24e0000000     | mov dword ptr [esi + 0xa4], ecx
            //   0f298424d0000000     | dec eax
            //   8b8424c8000000       | mov ecx, dword ptr [esp + 0x150]

        $sequence_3 = { 884710 4883670800 c6471100 488d542428 48891a 4c8d052abf0e00 eb3e }
            // n = 7, score = 100
            //   884710               | dec eax
            //   4883670800           | shl eax, cl
            //   c6471100             | dec ecx
            //   488d542428           | xor dword ptr [esi + 8], eax
            //   48891a               | dec eax
            //   4c8d052abf0e00       | add esp, 0x28
            //   eb3e                 | test al, al

        $sequence_4 = { 488d95100a0000 48c70208000000 488d8d70120000 e8???????? e9???????? 4c8bb568130000 6a0c }
            // n = 7, score = 100
            //   488d95100a0000       | dec esp
            //   48c70208000000       | mov ecx, ebp
            //   488d8d70120000       | dec eax
            //   e8????????           |
            //   e9????????           |
            //   4c8bb568130000       | lea edx, [0xe59e8]
            //   6a0c                 | dec eax

        $sequence_5 = { 488d8c24f0010000 e8???????? 41bf01000000 e9???????? 488dac2460010000 488b4530 4889842400010000 }
            // n = 7, score = 100
            //   488d8c24f0010000     | dec eax
            //   e8????????           |
            //   41bf01000000         | lea esi, [esp + 0xc0]
            //   e9????????           |
            //   488dac2460010000     | dec eax
            //   488b4530             | lea eax, [esp + 0x1a8]
            //   4889842400010000     | dec eax

        $sequence_6 = { 4c89fa 4989c0 e8???????? 488b8698000000 4801d8 483b8690000000 7763 }
            // n = 7, score = 100
            //   4c89fa               | lea eax, [0x7421f]
            //   4989c0               | dec eax
            //   e8????????           |
            //   488b8698000000       | mov ebp, dword ptr [eax]
            //   4801d8               | dec eax
            //   483b8690000000       | mov edi, dword ptr [eax + 8]
            //   7763                 | dec esp

        $sequence_7 = { 89ca b101 e9???????? b103 e9???????? 4c8b01 410fb64810 }
            // n = 7, score = 100
            //   89ca                 | mov eax, dword ptr [esp + 0x328]
            //   b101                 | mov dword ptr [esp + 0xefc], eax
            //   e9????????           |
            //   b103                 | dec eax
            //   e9????????           |
            //   4c8b01               | mov eax, dword ptr [esp + 0x708]
            //   410fb64810           | dec eax

        $sequence_8 = { ffe1 31c9 4883bc241801000004 0f84f8620000 488b942448030000 488b32 4883fe02 }
            // n = 7, score = 100
            //   ffe1                 | mov eax, dword ptr [ecx + 0x40]
            //   31c9                 | dec eax
            //   4883bc241801000004   | movsd dword ptr es:[edi], dword ptr [esi]
            //   0f84f8620000         | cmp byte ptr [eax + 0x98], 0
            //   488b942448030000     | je 0x300
            //   488b32               | dec eax
            //   4883fe02             | add eax, 0x78

        $sequence_9 = { eb02 31c0 4883c428 c3 4c8d0df4bf0900 4889c1 4c89c2 }
            // n = 7, score = 100
            //   eb02                 | dec eax
            //   31c0                 | lea ecx, [ebx + 8]
            //   4883c428             | dec eax
            //   c3                   | mov dword ptr [esp + 0x78], ecx
            //   4c8d0df4bf0900       | dec eax
            //   4889c1               | lea ecx, [0xfff72850]
            //   4c89c2               | dec eax

    condition:
        // Require 7 of the 10 sequences (tolerates a few sequences being missing,
        // e.g. due to recompilation) and cap the scan at files under 3217408 bytes
        // (~3.07 MiB) to limit cost on large inputs. Since the sequences were taken
        // from memory dumps / unpacked files, a packed on-disk sample may not match.
        7 of them and filesize < 3217408
}