Actor(s): Lunar Spider
There is no description at this point.
https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/ |
http://thehackernews.com/2017/01/neverquest-fbi-hacker.html |
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ |
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ |
rule win_vawtrak_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2018-11-23"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator 0.1a"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
malpedia_version = "20180607"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using yara-signator.
* The code and documentation / approach will be published in the near future here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { c3 6a33 e800000000 83042405 cb 49 }
// n = 6, score = 14000
// c3 | ret
// 6a33 | push 0x33
// e800000000 | call 0x1f1c15e
// 83042405 | add dword ptr [esp], 5
// cb | retf
// 49 | dec ecx
$sequence_1 = { c3 6a33 e800000000 83042405 cb 49 8b442460 }
// n = 7, score = 14000
// c3 | ret
// 6a33 | push 0x33
// e800000000 | call 0x1f1c15e
// 83042405 | add dword ptr [esp], 5
// cb | retf
// 49 | dec ecx
// 8b442460 | mov eax, dword ptr [esp + 0x60]
$sequence_2 = { 33c9 870b 5f 8bc6 }
// n = 4, score = 13000
// 33c9 | xor ecx, ecx
// 870b | xchg dword ptr [ebx], ecx
// 5f | pop edi
// 8bc6 | mov eax, esi
$sequence_3 = { 81e900100000 75f6 c20400 55 }
// n = 4, score = 13000
// 81e900100000 | sub ecx, 0x1000
// 75f6 | jne 0x1f1721f
// c20400 | ret 4
// 55 | push ebp
$sequence_4 = { 42 85c0 75f0 c3 }
// n = 4, score = 13000
// 42 | inc edx
// 85c0 | test eax, eax
// 75f0 | jne 0x1f11a36
// c3 | ret
$sequence_5 = { 8be5 5d c3 6a33 }
// n = 4, score = 13000
// 8be5 | mov esp, ebp
// 5d | pop ebp
// c3 | ret
// 6a33 | push 0x33
$sequence_6 = { c3 33c0 b900000080 40 }
// n = 4, score = 13000
// c3 | ret
// 33c0 | xor eax, eax
// b900000080 | mov ecx, 0x80000000
// 40 | inc eax
$sequence_7 = { 33c9 870e 5e c3 }
// n = 4, score = 13000
// 33c9 | xor ecx, ecx
// 870e | xchg dword ptr [esi], ecx
// 5e | pop esi
// c3 | ret
$sequence_8 = { 50 8d45fc 50 8d45d8 }
// n = 4, score = 13000
// 50 | push eax
// 8d45fc | lea eax, dword ptr [ebp - 4]
// 50 | push eax
// 8d45d8 | lea eax, dword ptr [ebp - 0x28]
$sequence_9 = { f7d8 eb02 33c0 8be5 }
// n = 4, score = 13000
// f7d8 | neg eax
// eb02 | jmp 0x1f11aaf
// 33c0 | xor eax, eax
// 8be5 | mov esp, ebp
condition:
7 of them
}