SYMBOLCOMMON_NAMEaka. SYNONYMS
win.whitebird (Back to overview)

WhiteBird

VTCollection    

According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

References
2020-09-25Dr.WebDr.Web
Spear phishing campaigns threaten Russian fuel and energy companies
WhiteBird
2020-07-20Dr.WebDr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Yara Rules
[TLP:WHITE] win_whitebird_auto (20230808 | Detects win.whitebird.)
rule win_whitebird_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.whitebird."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a4302 84c0 7408 3c01 7404 }
            // n = 5, score = 400
            //   8a4302               | push                eax
            //   84c0                 | push                dword ptr [ebp + 8]
            //   7408                 | push                ebx
            //   3c01                 | push                1
            //   7404                 | lea                 eax, [ebp - 0x11]

        $sequence_1 = { 8a4301 3c01 7404 3c02 }
            // n = 4, score = 400
            //   8a4301               | mov                 word ptr [ebp - 0xc2], ax
            //   3c01                 | pop                 eax
            //   7404                 | push                0x32
            //   3c02                 | mov                 word ptr [ebp - 0xc0], ax

        $sequence_2 = { 8a4302 84c0 7408 3c01 7404 3c02 }
            // n = 6, score = 400
            //   8a4302               | mov                 dword ptr [esp + 0x38], 0xfffffffe
            //   84c0                 | dec                 eax
            //   7408                 | mov                 dword ptr [eax + 8], ebx
            //   3c01                 | dec                 eax
            //   7404                 | xor                 eax, esp
            //   3c02                 | push                edi

        $sequence_3 = { eb09 80f92f 0f95c1 80c13f }
            // n = 4, score = 400
            //   eb09                 | jbe                 0xcec
            //   80f92f               | cmp                 byte ptr [edi + ebx - 1], 0
            //   0f95c1               | jne                 0xcec
            //   80c13f               | cmp                 edi, 0xb

        $sequence_4 = { 8a4302 84c0 7408 3c01 }
            // n = 4, score = 400
            //   8a4302               | mov                 word ptr [ebp - 0xc0], ax
            //   84c0                 | pop                 eax
            //   7408                 | push                0x77
            //   3c01                 | mov                 word ptr [ebp - 0xbe], ax

        $sequence_5 = { ffb5c0fbffff 8930 ff15???????? 01b5c4fbffff ff8dbcfbffff 75dd ffb5c0fbffff }
            // n = 7, score = 200
            //   ffb5c0fbffff         | lea                 eax, [ebp - 0x5da]
            //   8930                 | push                ebx
            //   ff15????????         |                     
            //   01b5c4fbffff         | push                eax
            //   ff8dbcfbffff         | push                -0x10
            //   75dd                 | push                edi
            //   ffb5c0fbffff         | mov                 dword ptr [ebp - 0x40c], eax

        $sequence_6 = { ff15???????? 488bcb ff15???????? b801000000 488b8c2480040000 4833cc e8???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488bcb               | mov                 word ptr [ebp - 0xf6], dx
            //   ff15????????         |                     
            //   b801000000           | pop                 edx
            //   488b8c2480040000     | push                0x65
            //   4833cc               | mov                 word ptr [ebp - 0xf4], dx
            //   e8????????           |                     

        $sequence_7 = { 8b4d08 836d0808 d3e3 095d0c 46 3bf7 72ec }
            // n = 7, score = 200
            //   8b4d08               | cmp                 word ptr [ebx + ecx*2 - 4], 0x5c
            //   836d0808             | jne                 0xcc6
            //   d3e3                 | mov                 word ptr [ebx + ecx*2 - 4], si
            //   095d0c               | mov                 edi, 0x104
            //   46                   | dec                 eax
            //   3bf7                 | lea                 ecx, [esp + 0x270]
            //   72ec                 | dec                 esp

        $sequence_8 = { 488d542468 498bcd ffd0 3bc3 8bd0 7c28 8b442478 }
            // n = 7, score = 200
            //   488d542468           | push                esi
            //   498bcd               | lea                 eax, [ebp - 0x2410]
            //   ffd0                 | push                edi
            //   3bc3                 | push                eax
            //   8bd0                 | add                 esp, 0xc
            //   7c28                 | jle                 0x90e
            //   8b442478             | cmp                 eax, 3

        $sequence_9 = { 4833c4 4889842450250000 418bf9 458be0 448bf2 89542454 4c8be9 }
            // n = 7, score = 200
            //   4833c4               | mov                 ecx, dword ptr [ebp - 4]
            //   4889842450250000     | jmp                 0x409
            //   418bf9               | inc                 edi
            //   458be0               | dec                 eax
            //   448bf2               | lea                 ecx, [eax + 2]
            //   89542454             | dec                 eax
            //   4c8be9               | mov                 edx, esi

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules