SYMBOLCOMMON_NAMEaka. SYNONYMS
win.whitebird (Back to overview)

WhiteBird

VTCollection    

According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

References
2020-09-25Dr.WebDr.Web
Spear phishing campaigns threaten Russian fuel and energy companies
WhiteBird
2020-07-20Dr.WebDr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Yara Rules
[TLP:WHITE] win_whitebird_auto (20260504 | Detects win.whitebird.)
rule win_whitebird_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.whitebird."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb09 80f92f 0f95c1 80c13f }
            // n = 4, score = 400
            //   eb09                 | jmp                 0xb
            //   80f92f               | cmp                 cl, 0x2f
            //   0f95c1               | setne               cl
            //   80c13f               | add                 cl, 0x3f

        $sequence_1 = { 83ff0b 0f8e2d010000 488d842460030000 488d8c2470030000 488b10 }
            // n = 5, score = 200
            //   83ff0b               | dec                 eax
            //   0f8e2d010000         | mov                 dword ptr [ecx + 0x210], edi
            //   488d842460030000     | dec                 eax
            //   488d8c2470030000     | mov                 esi, edx
            //   488b10               | lea                 ebp, [ebx + 5]

        $sequence_2 = { 51 e8???????? 59 8985a8fdffff }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8985a8fdffff         | mov                 dword ptr [ebp - 0x258], eax

        $sequence_3 = { 418d5003 8d7aff 8bcf ff15???????? 33c9 }
            // n = 5, score = 200
            //   418d5003             | inc                 ecx
            //   8d7aff               | lea                 edx, [eax + 3]
            //   8bcf                 | lea                 edi, [edx - 1]
            //   ff15????????         |                     
            //   33c9                 | mov                 ecx, edi

        $sequence_4 = { 834dfcff 8bc8 a3???????? e8???????? bf???????? 57 ff15???????? }
            // n = 7, score = 200
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8bc8                 | mov                 ecx, eax
            //   a3????????           |                     
            //   e8????????           |                     
            //   bf????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_5 = { a1???????? 83c410 85c0 7405 8b4004 eb02 }
            // n = 6, score = 200
            //   a1????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   eb02                 | jmp                 4

        $sequence_6 = { 56 43 53 e8???????? 53 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   43                   | inc                 ebx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_7 = { 48895c2428 4c895c2420 ff5718 3bc3 0f8c3a010000 }
            // n = 5, score = 200
            //   48895c2428           | dec                 esp
            //   4c895c2420           | mov                 esp, eax
            //   ff5718               | dec                 eax
            //   3bc3                 | test                eax, eax
            //   0f8c3a010000         | dec                 eax

        $sequence_8 = { e9???????? ba20000000 488bcf ff15???????? 4c8be0 4885c0 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   ba20000000           | xor                 ecx, ecx
            //   488bcf               | mov                 edx, 0x20
            //   ff15????????         |                     
            //   4c8be0               | dec                 eax
            //   4885c0               | mov                 ecx, edi

        $sequence_9 = { 488bf2 8d6b05 4863cd e8???????? 488bf8 }
            // n = 5, score = 200
            //   488bf2               | jl                  0x145
            //   8d6b05               | dec                 eax
            //   4863cd               | lea                 eax, [0xffffbdd4]
            //   e8????????           |                     
            //   488bf8               | xor                 edi, edi

        $sequence_10 = { be05000000 403833 7551 8a4301 }
            // n = 4, score = 200
            //   be05000000           | dec                 esp
            //   403833               | mov                 ebp, ecx
            //   7551                 | dec                 eax
            //   8a4301               | mov                 dword ptr [ecx], eax

        $sequence_11 = { 488d05d4bdffff 33ff 4c8be9 488901 4889b910020000 }
            // n = 5, score = 200
            //   488d05d4bdffff       | mov                 dword ptr [esp + 0x28], ebx
            //   33ff                 | dec                 esp
            //   4c8be9               | mov                 dword ptr [esp + 0x20], ebx
            //   488901               | call                dword ptr [edi + 0x18]
            //   4889b910020000       | cmp                 eax, ebx

        $sequence_12 = { 68???????? 57 ff15???????? 8bf0 59 33c0 59 }
            // n = 7, score = 200
            //   68????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx

        $sequence_13 = { 899da0f5ffff c78594f5ffff64000000 e8???????? 53 6a01 8d85d7f5ffff 50 }
            // n = 7, score = 200
            //   899da0f5ffff         | mov                 dword ptr [ebp - 0xa60], ebx
            //   c78594f5ffff64000000     | mov    dword ptr [ebp - 0xa6c], 0x64
            //   e8????????           |                     
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   8d85d7f5ffff         | lea                 eax, [ebp - 0xa29]
            //   50                   | push                eax

        $sequence_14 = { eb3f 6a54 ebd2 83e864 742a 48 }
            // n = 6, score = 200
            //   eb3f                 | jmp                 0x41
            //   6a54                 | push                0x54
            //   ebd2                 | jmp                 0xffffffd4
            //   83e864               | sub                 eax, 0x64
            //   742a                 | je                  0x2c
            //   48                   | dec                 eax

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules