SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wslink (Back to overview)

Wslink

aka: FinickyFrogfish

There is no description at this point.

References
2022-03ESET ResearchVladislav Hrčka
@techreport{hrka:202203:under:04f52d9, author = {Vladislav Hrčka}, title = {{Under the hood of Wslink’s multilayered virtual machine}}, date = {2022-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf}, language = {English}, urldate = {2022-03-30} } Under the hood of Wslink’s multilayered virtual machine
Wslink
2021-10-27ESET ResearchVladislav Hrčka
@online{hrka:20211027:wslink:39610dc, author = {Vladislav Hrčka}, title = {{Wslink: Unique and undocumented malicious loader that runs as a server}}, date = {2021-10-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/}, language = {English}, urldate = {2021-12-06} } Wslink: Unique and undocumented malicious loader that runs as a server
Wslink
2021-10-27Twitter (@darienhuss)Darien Huss
@online{huss:20211027:finickyfrogfishwslink:ad743d9, author = {Darien Huss}, title = {{Tweet on FinickyFrogfish/Wslink malware used by TA444}}, date = {2021-10-27}, organization = {Twitter (@darienhuss)}, url = {https://twitter.com/darienhuss/status/1453342652682981378}, language = {English}, urldate = {2021-12-06} } Tweet on FinickyFrogfish/Wslink malware used by TA444
Wslink
Yara Rules
[TLP:WHITE] win_wslink_auto (20220808 | Detects win.wslink.)
rule win_wslink_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.wslink."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7507 48ffc0 85c9 75ed 85d2 757a 488b4d00 }
            // n = 7, score = 100
            //   7507                 | mov                 edx, esi
            //   48ffc0               | dec                 eax
            //   85c9                 | mov                 ecx, edi
            //   75ed                 | dec                 ecx
            //   85d2                 | arpl                cx, ax
            //   757a                 | dec                 eax
            //   488b4d00             | add                 eax, eax

        $sequence_1 = { 8845f1 418bc0 c1e808 8845f4 418bc0 41c1e818 c1e810 }
            // n = 7, score = 100
            //   8845f1               | mov                 ebx, eax
            //   418bc0               | dec                 eax
            //   c1e808               | mov                 esi, ecx
            //   8845f4               | inc                 ecx
            //   418bc0               | push                esp
            //   41c1e818             | mov                 eax, 0x30
            //   c1e810               | dec                 eax

        $sequence_2 = { e8???????? 488be8 4885c0 750a 4883c430 415d 415c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488be8               | dec                 eax
            //   4885c0               | add                 ebx, edi
            //   750a                 | dec                 esp
            //   4883c430             | add                 eax, eax
            //   415d                 | dec                 eax
            //   415c                 | cmp                 ebx, edi

        $sequence_3 = { 498b5008 49ffc1 4a8b0cca 4a894ccaf8 4d3bca 7ceb 41ff08 }
            // n = 7, score = 100
            //   498b5008             | dec                 eax
            //   49ffc1               | cmovb               esi, ecx
            //   4a8b0cca             | lea                 ecx, [esi + 0xa]
            //   4a894ccaf8           | dec                 eax
            //   4d3bca               | lea                 edx, [0x8eace]
            //   7ceb                 | sar                 eax, 3
            //   41ff08               | dec                 eax

        $sequence_4 = { e8???????? 4c8bf8 4889442440 4885c0 7525 498bcc e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8bf8               | dec                 esp
            //   4889442440           | mov                 esp, eax
            //   4885c0               | dec                 eax
            //   7525                 | sub                 esp, eax
            //   498bcc               | xor                 ebx, ebx
            //   e8????????           |                     

        $sequence_5 = { 85c0 7424 ffcf 75be b801000000 488b7c2440 488b5c2448 }
            // n = 7, score = 100
            //   85c0                 | lea                 ecx, [ebx + 5]
            //   7424                 | inc                 esp
            //   ffcf                 | lea                 eax, [ebx + 0x70]
            //   75be                 | mov                 dword ptr [esp + 0x20], 0x2df
            //   b801000000           | cmp                 eax, 0x7ffffffe
            //   488b7c2440           | ja                  0xe80
            //   488b5c2448           | dec                 eax

        $sequence_6 = { 83fd02 7531 488bce e8???????? 4c8be0 4885c0 }
            // n = 6, score = 100
            //   83fd02               | inc                 esp
            //   7531                 | mov                 eax, dword ptr [edi + 0x50]
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   4c8be0               | add                 edx, dword ptr [edi + 0x48]
            //   4885c0               | dec                 eax

        $sequence_7 = { e8???????? 488b4d08 e8???????? 488d153fbe0700 488d0d6f620800 83f801 4c8d0d66620800 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b4d08             | sub                 dword ptr [eax + ecx], edx
            //   e8????????           |                     
            //   488d153fbe0700       | dec                 eax
            //   488d0d6f620800       | mov                 eax, dword ptr [ebx]
            //   83f801               | inc                 ebp
            //   4c8d0d66620800       | mov                 ecx, eax

        $sequence_8 = { e8???????? 482be0 488bf9 e8???????? 488b05???????? 33c9 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   482be0               | jne                 0x10ca
            //   488bf9               | dec                 eax
            //   e8????????           |                     
            //   488b05????????       |                     
            //   33c9                 | mov                 esi, dword ptr [eax + 8]

        $sequence_9 = { 7f4c 0f8529030000 488b8424a0000000 41ffc7 c1e002 443bf8 0f8cf6fdffff }
            // n = 7, score = 100
            //   7f4c                 | mov                 eax, dword ptr [esi + ebx*8]
            //   0f8529030000         | xor                 eax, eax
            //   488b8424a0000000     | jmp                 0x1cdb
            //   41ffc7               | inc                 esp
            //   c1e002               | mov                 eax, ebp
            //   443bf8               | mov                 edx, eax
            //   0f8cf6fdffff         | inc                 ecx

    condition:
        7 of them and filesize < 2007040
}
Download all Yara Rules