win.veiledsignal

VEILEDSIGNAL

Actor(s): Lazarus Group


There is no description at this point.

References
2023-04-21 — Symantec — Threat Hunter Team
@online{team:20230421:xtrader:f5f0e26, author = {Threat Hunter Team}, title = {{X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe}}, date = {2023-04-21}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain}, language = {English}, urldate = {2023-05-26} } X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
VEILEDSIGNAL
Yara Rules
[TLP:WHITE] win_veiledsignal_auto (20230715 | Detects win.veiledsignal.)
// Auto-generated (yara-signator) rule for win.veiledsignal: fires when at least
// 7 of the 10 byte sequences below are present and the scanned object is under
// 667648 bytes. The sequences were lifted from disassembly of Malpedia samples
// (possibly a single one, see DISCLAIMER), so expect limited generalisation.
rule win_veiledsignal_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.veiledsignal."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The mnemonics printed to the right of each byte sequence below do NOT
     * correspond to the bytes on the same line: for example 0f05 is SYSCALL
     * and c3 is RET, yet they are annotated "dec ebx" / "inc eax", and the
     * frequent "dec eax" / "dec esp" entries look like a 32-bit decode of the
     * 0x48 / 0x4c REX prefixes of neighbouring 64-bit code. Only the hex bytes
     * are matched; treat the mnemonic column as unreliable and re-disassemble
     * the bytes before drawing conclusions from a hit.
     * Sequences containing "e8????????" / "ff15????????" wildcard the 4-byte
     * displacement of a call, so only the opcode is fixed; sequences that embed
     * a full rip-relative displacement (e.g. 488d15d9470400) bake in one
     * build's memory layout and are unlikely to survive a recompile.
     */

    strings:
        // Appears to decode as the tail of one Windows x64 system-call stub
        // (mov eax, 0x25 ; syscall ; ret) followed by the start of the next
        // (mov r10, rcx ; mov eax, 0x24 ; syscall). Such stubs are not specific
        // to this family; on its own this string is a weak indicator.
        $sequence_0 = { b825000000 0f05 c3 4c8bd1 b824000000 0f05 }
            // n = 6, score = 100
            //   b825000000           | lea                 eax, [0x4b173]
            //   0f05                 | dec                 ebx
            //   c3                   | inc                 eax
            //   4c8bd1               | push                ebx
            //   b824000000           | dec                 eax
            //   0f05                 | sub                 esp, 0x20

        // Contains a rip-relative lea (488d15d9470400) — layout-specific, see NOTE(review).
        $sequence_1 = { 41b806000000 488d15d9470400 483950f0 740c 488b10 4885d2 }
            // n = 6, score = 100
            //   41b806000000         | dec                 eax
            //   488d15d9470400       | test                ecx, ecx
            //   483950f0             | je                  0x3ca
            //   740c                 | dec                 eax
            //   488b10               | cmp                 ecx, -1
            //   4885d2               | dec                 eax

        // e8???????? : call with wildcarded rel32 target.
        $sequence_2 = { 48894547 8bf9 e8???????? 85c0 }
            // n = 4, score = 100
            //   48894547             | mov                 eax, 8
            //   8bf9                 | dec                 eax
            //   e8????????           |                     
            //   85c0                 | imul                eax, eax, 0

        // Contains a rip-relative lea (488d058a000000) — layout-specific, see NOTE(review).
        $sequence_3 = { c3 83f801 7571 488d058a000000 }
            // n = 4, score = 100
            //   c3                   | syscall             
            //   83f801               | ret                 
            //   7571                 | dec                 esp
            //   488d058a000000       | mov                 edx, ecx

        // ff15???????? : indirect call through a wildcarded rip-relative pointer (typically an import thunk).
        $sequence_4 = { 488975cf 488975e7 4889753f ff15???????? }
            // n = 4, score = 100
            //   488975cf             | dec                 eax
            //   488975e7             | and                 dword ptr [esp + 0x30], 0
            //   4889753f             | dec                 eax
            //   ff15????????         |                     

        // Contains a rip-relative lea (488d0daeb10400) — layout-specific, see NOTE(review).
        $sequence_5 = { 4533c0 488d0daeb10400 baa00f0000 e8???????? }
            // n = 4, score = 100
            //   4533c0               | inc                 eax
            //   488d0daeb10400       | push                ebx
            //   baa00f0000           | dec                 eax
            //   e8????????           |                     

        // Contains a rip-relative lea (488d0517820400) — layout-specific, see NOTE(review).
        $sequence_6 = { 4885c0 7509 488d0517820400 eb04 }
            // n = 4, score = 100
            //   4885c0               | mov                 ecx, dword ptr [esp + 0x140]
            //   7509                 | dec                 eax
            //   488d0517820400       | xor                 ecx, esp
            //   eb04                 | dec                 eax

        // Contains a rip-relative lea (488d052e490400) — layout-specific, see NOTE(review).
        $sequence_7 = { e8???????? 488db328010000 bd06000000 488d7b38 488d052e490400 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488db328010000       | sar                 ecx, 6
            //   bd06000000           | dec                 eax
            //   488d7b38             | mov                 ebx, eax
            //   488d052e490400       | dec                 eax

        // Two rip-relative leas (488d15ad940000, 488d0d86940000) — layout-specific, see NOTE(review).
        $sequence_8 = { 7513 488d15ad940000 488d0d86940000 e8???????? }
            // n = 4, score = 100
            //   7513                 | lea                 edx, [0xac62]
            //   488d15ad940000       | mov                 ecx, ebx
            //   488d0d86940000       | dec                 eax
            //   e8????????           |                     

        // SSE2 scalar-double arithmetic (f20f5c = subsd, f2..0f59 = mulsd) plus a
        // rip-relative lea; the floating-point code is the more distinctive part.
        $sequence_9 = { 4c8d0d44880000 f20f5cca f2410f590cc1 660f28d1 }
            // n = 4, score = 100
            //   4c8d0d44880000       | dec                 eax
            //   f20f5cca             | mov                 ecx, ebx
            //   f2410f590cc1         | dec                 eax
            //   660f28d1             | lea                 eax, [0x9d]

    condition:
        // 10 sequences are defined; at least 7 must be present, which tolerates
        // the loss of a few layout-specific matches. filesize is the size of
        // the scanned object: a matching sample embedded in a larger container
        // (or a large full-process dump) will fail the < 667648 bound, so scan
        // the unpacked/carved module as the DISCLAIMER implies.
        7 of them and filesize < 667648
}