win.xpan

Xpan

Actor(s): TeamXRat


There is no description at this point.

References
2017-04-24Kaspersky LabsAnton Ivanov, Fabio Assolini, Fedor Sinitsyn, Santiago Pontiroli
XPan, I am your father
Xpan
2016-09-29Kaspersky LabsAnton Ivanov, Fedor Sinitsyn, GReAT
TeamXRat: Brazilian cybercrime meets ransomware
Xpan TeamXRat
Yara Rules
[TLP:WHITE] win_xpan_auto (20260504 | Detects win.xpan.)
rule win_xpan_auto {
    // Auto-generated code-pattern rule for the Xpan family (win.xpan; the page
    // attributes the family to the TeamXRat actor). Each $sequence_N below is a
    // short run of x86 instruction bytes selected by yara-signator from unpacked
    // or memory-dumped code (see DISCLAIMER). The rule fires when at least 7 of
    // the 10 sequences occur in a file smaller than 3232768 bytes.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.xpan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each hex string is one contiguous x86 instruction run; the "n = N"
    // annotation is the number of instructions in the run and the lines that
    // follow give their disassembly in order. "??" bytes wildcard the 4-byte
    // operand of a call/jmp (e8 / e9 / ff 15), presumably because those
    // displacements change between builds and load addresses. "score" is a
    // yara-signator ranking value for the sequence; its scale is not described
    // on this page.
    strings:
        $sequence_0 = { 0f861f010000 8b79f4 85ff 0f8514010000 8b4520 31d2 668910 }
            // n = 7, score = 300
            //   0f861f010000         | jbe                 0x125
            //   8b79f4               | mov                 edi, dword ptr [ecx - 0xc]
            //   85ff                 | test                edi, edi
            //   0f8514010000         | jne                 0x11a
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   31d2                 | xor                 edx, edx
            //   668910               | mov                 word ptr [eax], dx

        $sequence_1 = { e8???????? 85c0 0f84d5010000 29f0 8b75c0 8d50fa 83f810 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84d5010000         | je                  0x1db
            //   29f0                 | sub                 eax, esi
            //   8b75c0               | mov                 esi, dword ptr [ebp - 0x40]
            //   8d50fa               | lea                 edx, [eax - 6]
            //   83f810               | cmp                 eax, 0x10

        $sequence_2 = { 8b0b be16000000 85c9 740d 83f9ff 742b 8139edf0b1ba }
            // n = 7, score = 300
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   be16000000           | mov                 esi, 0x16
            //   85c9                 | test                ecx, ecx
            //   740d                 | je                  0xf
            //   83f9ff               | cmp                 ecx, -1
            //   742b                 | je                  0x2d
            //   8139edf0b1ba         | cmp                 dword ptr [ecx], 0xbab1f0ed

        $sequence_3 = { 8b5d84 89c7 8b458c 8d743030 8945a0 897594 }
            // n = 6, score = 300
            //   8b5d84               | mov                 ebx, dword ptr [ebp - 0x7c]
            //   89c7                 | mov                 edi, eax
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   8d743030             | lea                 esi, [eax + esi + 0x30]
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   897594               | mov                 dword ptr [ebp - 0x6c], esi

        $sequence_4 = { 31ff 8d4203 89d3 83f803 7742 89f0 e8???????? }
            // n = 7, score = 300
            //   31ff                 | xor                 edi, edi
            //   8d4203               | lea                 eax, [edx + 3]
            //   89d3                 | mov                 ebx, edx
            //   83f803               | cmp                 eax, 3
            //   7742                 | ja                  0x44
            //   89f0                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_5 = { 8b45c0 0fb65010 84d2 0f85c3020000 8b45c0 0fb77024 6639de }
            // n = 7, score = 300
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   0fb65010             | movzx               edx, byte ptr [eax + 0x10]
            //   84d2                 | test                dl, dl
            //   0f85c3020000         | jne                 0x2c9
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   0fb77024             | movzx               esi, word ptr [eax + 0x24]
            //   6639de               | cmp                 si, bx

        $sequence_6 = { 0f84ba020000 807db200 0f84b0050000 8b55c0 385a4c 7409 385a4d }
            // n = 7, score = 300
            //   0f84ba020000         | je                  0x2c0
            //   807db200             | cmp                 byte ptr [ebp - 0x4e], 0
            //   0f84b0050000         | je                  0x5b6
            //   8b55c0               | mov                 edx, dword ptr [ebp - 0x40]
            //   385a4c               | cmp                 byte ptr [edx + 0x4c], bl
            //   7409                 | je                  0xb
            //   385a4d               | cmp                 byte ptr [edx + 0x4d], bl

        $sequence_7 = { f7db f00118 892c24 ff15???????? 83ec04 b816000000 }
            // n = 6, score = 300
            //   f7db                 | neg                 ebx
            //   f00118               | lock add            dword ptr [eax], ebx
            //   892c24               | mov                 dword ptr [esp], ebp
            //   ff15????????         |                     
            //   83ec04               | sub                 esp, 4
            //   b816000000           | mov                 eax, 0x16

        $sequence_8 = { 85c0 751a c7459000000000 c7459418000000 c745a000000000 e9???????? }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   751a                 | jne                 0x1c
            //   c7459000000000       | mov                 dword ptr [ebp - 0x70], 0
            //   c7459418000000       | mov                 dword ptr [ebp - 0x6c], 0x18
            //   c745a000000000       | mov                 dword ptr [ebp - 0x60], 0
            //   e9????????           |                     

        $sequence_9 = { c645bf01 85c9 0f85fbfdffff 90 8b4d10 85c9 0f843dfeffff }
            // n = 7, score = 300
            //   c645bf01             | mov                 byte ptr [ebp - 0x41], 1
            //   85c9                 | test                ecx, ecx
            //   0f85fbfdffff         | jne                 0xfffffe01
            //   90                   | nop                 
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   85c9                 | test                ecx, ecx
            //   0f843dfeffff         | je                  0xfffffe43

    // Requires 7 of the 10 sequences, so a sample may drop or vary up to three
    // of them and still match. The filesize cap (3232768 bytes, just under
    // 3.1 MiB) presumably limits scan cost and excludes oversized files. Because
    // the sequences come from unpacked/dumped code (see DISCLAIMER), a packed
    // sample on disk may only match once unpacked or when scanning memory.
    condition:
        7 of them and filesize < 3232768
}