SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wpbrutebot (Back to overview)

WpBruteBot


There is no description at this point.

References
2020-09-16ZscalerAvinash Kumar, Aditya Sharma
@online{kumar:20200916:malware:60f39c3, author = {Avinash Kumar and Aditya Sharma}, title = {{Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites}}, date = {2020-09-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites}, language = {English}, urldate = {2020-09-23} } Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites
WpBruteBot
Yara Rules
[TLP:WHITE] win_wpbrutebot_auto (20230715 | Detects win.wpbrutebot.)
rule win_wpbrutebot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.wpbrutebot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb6c2 89442434 41 03c1 03c6 50 ff15???????? }
            // n = 7, score = 100
            //   0fb6c2               | movzx               eax, dl
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   41                   | inc                 ecx
            //   03c1                 | add                 eax, ecx
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_1 = { e8???????? 68d4010000 68???????? 57 e8???????? 83c424 5f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   68d4010000           | push                0x1d4
            //   68????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   5f                   | pop                 edi

        $sequence_2 = { 8b442418 8b0485382b6200 33048d382b6200 3304b538376200 33442454 33c2 898424ec000000 }
            // n = 7, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b0485382b6200       | mov                 eax, dword ptr [eax*4 + 0x622b38]
            //   33048d382b6200       | xor                 eax, dword ptr [ecx*4 + 0x622b38]
            //   3304b538376200       | xor                 eax, dword ptr [esi*4 + 0x623738]
            //   33442454             | xor                 eax, dword ptr [esp + 0x54]
            //   33c2                 | xor                 eax, edx
            //   898424ec000000       | mov                 dword ptr [esp + 0xec], eax

        $sequence_3 = { 8d8dccebffff e9???????? 8b8d8cf4ffff e9???????? e8???????? c3 8b542408 }
            // n = 7, score = 100
            //   8d8dccebffff         | lea                 ecx, [ebp - 0x1434]
            //   e9????????           |                     
            //   8b8d8cf4ffff         | mov                 ecx, dword ptr [ebp - 0xb74]
            //   e9????????           |                     
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_4 = { ff15???????? ffb794070000 c7879007000000000000 ff15???????? c7879407000000000000 83c408 8b4604 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   ffb794070000         | push                dword ptr [edi + 0x794]
            //   c7879007000000000000     | mov    dword ptr [edi + 0x790], 0
            //   ff15????????         |                     
            //   c7879407000000000000     | mov    dword ptr [edi + 0x794], 0
            //   83c408               | add                 esp, 8
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_5 = { c3 8b442414 898694070000 80bf020b000000 743c 8d44240c c7869007000000000000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   898694070000         | mov                 dword ptr [esi + 0x794], eax
            //   80bf020b000000       | cmp                 byte ptr [edi + 0xb02], 0
            //   743c                 | je                  0x3e
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   c7869007000000000000     | mov    dword ptr [esi + 0x790], 0

        $sequence_6 = { 8d8df4fcffff 40 50 56 e8???????? 8d8df4fcffff c78508fdffff0f000000 }
            // n = 7, score = 100
            //   8d8df4fcffff         | lea                 ecx, [ebp - 0x30c]
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d8df4fcffff         | lea                 ecx, [ebp - 0x30c]
            //   c78508fdffff0f000000     | mov    dword ptr [ebp - 0x2f8], 0xf

        $sequence_7 = { 6a0a 6a00 55 e8???????? 83c410 85c0 746b }
            // n = 7, score = 100
            //   6a0a                 | push                0xa
            //   6a00                 | push                0
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   746b                 | je                  0x6d

        $sequence_8 = { 40 84c9 75f9 2b442414 83c502 8b5204 03e8 }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   2b442414             | sub                 eax, dword ptr [esp + 0x14]
            //   83c502               | add                 ebp, 2
            //   8b5204               | mov                 edx, dword ptr [edx + 4]
            //   03e8                 | add                 ebp, eax

        $sequence_9 = { e8???????? 83c460 c3 8b742414 80bf3e10000000 0f8420010000 83fe01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c460               | add                 esp, 0x60
            //   c3                   | ret                 
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   80bf3e10000000       | cmp                 byte ptr [edi + 0x103e], 0
            //   0f8420010000         | je                  0x126
            //   83fe01               | cmp                 esi, 1

    condition:
        7 of them and filesize < 5134336
}
Download all Yara Rules