Wslink (Malware Family)

Wslink

aka: FinickyFrogfish
There is no description at this point.
References

2022-03 ⋅ ESET Research ⋅ Vladislav Hrčka
Under the hood of Wslink’s multilayered virtual machine
Wslink
2021-10-27 ⋅ ESET Research ⋅ Vladislav Hrčka
Wslink: Unique and undocumented malicious loader that runs as a server
Wslink
2021-10-27 ⋅ Twitter (@darienhuss) ⋅ Darien Huss
Tweet on FinickyFrogfish/Wslink malware used by TA444
Wslink
Yara Rules

[TLP:WHITE] win_wslink_auto (20230125 | Detects win.wslink.)
rule win_wslink_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.wslink."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 750c c7430c04000000 e9???????? bab1000000 4c8d0d5eaf0700 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | jg                  0xa79
            //   750c                 | cmp                 eax, 0x3ec
            //   c7430c04000000       | jne                 0xa52
            //   e9????????           |                     
            //   bab1000000           | inc                 esp
            //   4c8d0d5eaf0700       | mov                 ecx, ebx

        $sequence_1 = { 8b542430 448b442470 33c9 4183e520 e8???????? 8bf8 eb03 }
            // n = 7, score = 100
            //   8b542430             | cmp                 esi, eax
            //   448b442470           | jl                  0x10a3
            //   33c9                 | jmp                 0x10e7
            //   4183e520             | or                  edi, 0xffffffff
            //   e8????????           |                     
            //   8bf8                 | jmp                 0x10e7
            //   eb03                 | mov                 edi, 0xfffffffe

        $sequence_2 = { b828000000 e8???????? 482be0 488b4920 4533c0 488d05355e0600 48394210 }
            // n = 7, score = 100
            //   b828000000           | push                edi
            //   e8????????           |                     
            //   482be0               | dec                 esp
            //   488b4920             | mov                 ebx, dword ptr [edx]
            //   4533c0               | dec                 ebp
            //   488d05355e0600       | mov                 edx, dword ptr [eax]
            //   48394210             | dec                 eax

        $sequence_3 = { 7e66 488d1509cd0700 41b801000000 488bcb e8???????? 85c0 7e4d }
            // n = 7, score = 100
            //   7e66                 | dec                 esp
            //   488d1509cd0700       | mov                 eax, edi
            //   41b801000000         | dec                 ecx
            //   488bcb               | mov                 edx, esp
            //   e8????????           |                     
            //   85c0                 | dec                 ecx
            //   7e4d                 | mov                 ecx, esp

        $sequence_4 = { 7e76 488b4b08 ffc6 e8???????? 3bf0 7cd0 488b03 }
            // n = 7, score = 100
            //   7e76                 | mov                 edi, edi
            //   488b4b08             | test                eax, eax
            //   ffc6                 | jne                 0x1c31
            //   e8????????           |                     
            //   3bf0                 | je                  0x1d07
            //   7cd0                 | dec                 eax
            //   488b03               | mov                 edx, dword ptr [esp + 0xb0]

        $sequence_5 = { 8d4aeb e8???????? 85db 742e 33d2 488bcf e8???????? }
            // n = 7, score = 100
            //   8d4aeb               | sub                 edi, esp
            //   e8????????           |                     
            //   85db                 | mov                 dword ptr [ebx + 0x10], eax
            //   742e                 | jne                 0xbae
            //   33d2                 | cmp                 esi, 8
            //   488bcf               | jne                 0xbae
            //   e8????????           |                     

        $sequence_6 = { e8???????? 488bcf e8???????? 4c8b642478 8b9424a0000000 488bcb e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bcf               | movzx               eax, byte ptr [ebp + 0x56]
            //   e8????????           |                     
            //   4c8b642478           | inc                 esp
            //   8b9424a0000000       | or                  eax, eax
            //   488bcb               | movzx               eax, byte ptr [esi + 0xa]
            //   e8????????           |                     

        $sequence_7 = { 8bd7 498bcc 4889442420 e8???????? 85c0 0f8887010000 85ff }
            // n = 7, score = 100
            //   8bd7                 | movzx               ecx, bh
            //   498bcc               | dec                 eax
            //   4889442420           | add                 edx, eax
            //   e8????????           |                     
            //   85c0                 | dec                 ebx
            //   0f8887010000         | lea                 eax, [ecx + eax]
            //   85ff                 | dec                 eax

        $sequence_8 = { 384500 7414 0f1f00 3d00000080 730a 49ffc3 ffc0 }
            // n = 7, score = 100
            //   384500               | dec                 eax
            //   7414                 | sar                 ecx, 0x20
            //   0f1f00               | dec                 eax
            //   3d00000080           | lea                 edx, [ecx + eax*2]
            //   730a                 | inc                 ecx
            //   49ffc3               | mov                 eax, dword ptr [ebp + 0xc]
            //   ffc0                 | dec                 eax

        $sequence_9 = { 8bef e8???????? 85c0 7e33 448d6703 488b0b 8bd5 }
            // n = 7, score = 100
            //   8bef                 | add                 eax, edi
            //   e8????????           |                     
            //   85c0                 | inc                 ecx
            //   7e33                 | movzx               eax, byte ptr [esi + 0x2d]
            //   448d6703             | rol                 edi, 0x1e
            //   488b0b               | shl                 eax, 0x10
            //   8bd5                 | inc                 edx

    condition:
        7 of them and filesize < 2007040
}
Download all Yara Rules
Wslink Propose Change

References

Yara Rules

Wslink
