win.wslink

Wslink

aka: FinickyFrogfish

There is no description at this point.

References
2022-03-01 — ESET Research — Vladislav Hrčka
Under the hood of Wslink’s multilayered virtual machine
Wslink
2021-10-27 — ESET Research — Vladislav Hrčka
Wslink: Unique and undocumented malicious loader that runs as a server
Wslink
2021-10-27 — Twitter (@darienhuss) — Darien Huss
Tweet on FinickyFrogfish/Wslink malware used by TA444
Wslink
Yara Rules
[TLP:WHITE] win_wslink_auto (20230808 | Detects win.wslink.)
// Autogenerated detection rule for the Wslink (aka FinickyFrogfish) loader.
// The rule is a code-sequence signature: it matches when at least 7 of the 10
// byte sequences below are present and the scanned file is below the size cap.
// Because it was generated from a small number of Malpedia samples (see the
// DISCLAIMER in the rule body), treat hits as a strong indicator to triage,
// not as a guarantee that every Wslink build is covered.
rule win_wslink_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation date and Malpedia rule/version stamps differ from each
        // other; they are reproduced as published and should not be edited.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.wslink."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes yara-signator used when selecting sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink"
        malpedia_rule_date = "20231130"
        // Hash as published by Malpedia for this rule; keep verbatim for traceability.
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of x86-64 instruction bytes. The "????????"
        // wildcards mask the 4-byte relative operand that follows e8 (call rel32)
        // and e9 (jmp rel32), so the sequences match regardless of where the
        // call/jump targets ended up at link time. The "score = 100" annotations
        // are yara-signator's selection score, not a match weight.
        //
        // NOTE(review): the per-byte-group mnemonics in the comments below do not
        // line up one-to-one with the hex groups (e.g. the 0x48 REX prefix shows
        // up as "dec eax"), which suggests a 32-bit decode of 64-bit code and a
        // shifted annotation column. The hex bytes are the authoritative content;
        // do not rely on the mnemonic column when reviewing the rule.
        $sequence_0 = { e8???????? 488bf0 4885c0 0f85ab000000 c7442420ec000000 4c8d0dcfbc0600 ba94000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bf0               | dec                 eax
            //   4885c0               | add                 ecx, edx
            //   0f85ab000000         | jmp                 ecx
            //   c7442420ec000000     | inc                 ebp
            //   4c8d0dcfbc0600       | test                eax, eax
            //   ba94000000           | jne                 0x11d8

        $sequence_1 = { e9???????? 488d15beaf0700 41b804000000 488bce e8???????? 85c0 750c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d15beaf0700       | lea                 ecx, [0xa78f0]
            //   41b804000000         | dec                 eax
            //   488bce               | mov                 eax, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   750c                 | mov                 ecx, esi

        $sequence_2 = { eb2a 8b4718 85c0 750b 488b4f08 e8???????? ffc8 }
            // n = 7, score = 100
            //   eb2a                 | mov                 dword ptr [esp + 0x20], esi
            //   8b4718               | inc                 ecx
            //   85c0                 | push                esp
            //   750b                 | mov                 eax, 0x20
            //   488b4f08             | dec                 eax
            //   e8????????           |                     
            //   ffc8                 | test                ecx, ecx

        $sequence_3 = { 48894710 4885c0 7514 c744242085010000 4c8d0d88440a00 e9???????? 8b542460 }
            // n = 7, score = 100
            //   48894710             | lea                 ecx, [0x9cc12]
            //   4885c0               | lea                 ecx, [eax + 0xd]
            //   7514                 | je                  0x16c
            //   c744242085010000     | dec                 eax
            //   4c8d0d88440a00       | mov                 ecx, dword ptr [esi + 8]
            //   e9????????           |                     
            //   8b542460             | dec                 eax

        $sequence_4 = { e8???????? 85c0 0f848a000000 ffcf ffc3 85ff 7fd3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | ret                 
            //   0f848a000000         | mov                 dword ptr [esi], eax
            //   ffcf                 | dec                 eax
            //   ffc3                 | add                 esp, 0x28
            //   85ff                 | dec                 eax
            //   7fd3                 | jmp                 eax

        $sequence_5 = { 830f04 be01000000 488bcd e8???????? 488bcd e8???????? 488b5c2450 }
            // n = 7, score = 100
            //   830f04               | mov                 ecx, esi
            //   be01000000           | cmp                 eax, edi
            //   488bcd               | jle                 0x901
            //   e8????????           |                     
            //   488bcd               | dec                 esp
            //   e8????????           |                     
            //   488b5c2450           | lea                 eax, [0x68211]

        $sequence_6 = { e8???????? 85c0 0f84c9fdffff 8b8c2400010000 418bc4 85c9 0f94c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | pop                 edi
            //   0f84c9fdffff         | pop                 esi
            //   8b8c2400010000       | pop                 ebp
            //   418bc4               | ret                 
            //   85c9                 | mov                 eax, 1
            //   0f94c0               | dec                 esp

        $sequence_7 = { ba70000000 4c8d0d82120a00 c744242067000000 8d4a94 448d42fa e8???????? 83c8ff }
            // n = 7, score = 100
            //   ba70000000           | mov                 eax, dword ptr [esi + 8]
            //   4c8d0d82120a00       | dec                 eax
            //   c744242067000000     | lea                 edx, [ebp - 0x30]
            //   8d4a94               | inc                 ecx
            //   448d42fa             | mov                 eax, 0xfe
            //   e8????????           |                     
            //   83c8ff               | dec                 ecx

        $sequence_8 = { e8???????? 85c0 0f8424feffff 488b03 4d8bcc 4d8bc7 498bd7 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f8424feffff         | add                 ebx, 0x28
            //   488b03               | inc                 ecx
            //   4d8bcc               | movzx               eax, word ptr [eax + 6]
            //   4d8bc7               | inc                 esp
            //   498bd7               | cmp                 esi, eax

        $sequence_9 = { f70300010000 7407 e8???????? eb05 e8???????? 8b5718 33c9 }
            // n = 7, score = 100
            //   f70300010000         | dec                 eax
            //   7407                 | test                esi, esi
            //   e8????????           |                     
            //   eb05                 | je                  0xba9
            //   e8????????           |                     
            //   8b5718               | dec                 eax
            //   33c9                 | mov                 ebx, dword ptr [esi]

    condition:
        // At least 7 of the 10 sequences must be present (not all of them), which
        // tolerates a few sequences being absent or rewritten in a variant.
        // The size cap (2007040 bytes, ~1.9 MiB) limits matches to files
        // comparable in size to the reference samples; a larger repackaged or
        // padded build would be missed by this clause alone. NOTE(review):
        // `filesize` is defined for file scans — check how your YARA version
        // evaluates it for process-memory scans before relying on this rule there.
        7 of them and filesize < 2007040
}