ZeusAction (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.zeus_action (Back to overview)
ZeusAction

There is no description at this point.
References

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2019-06-07 ⋅ Twitter (@benkow_) ⋅ Benoît Ancel
Tweet on ZeusAction hashes
ZeusAction
Yara Rules

[TLP:WHITE] win_zeus_action_auto (20230407 | Detects win.zeus_action.)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.zeus_action."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bcf 8b048a 3b048e 750b 41 83f903 }
            // n = 6, score = 300
            //   8bcf                 | mov                 ecx, edi
            //   8b048a               | mov                 eax, dword ptr [edx + ecx*4]
            //   3b048e               | cmp                 eax, dword ptr [esi + ecx*4]
            //   750b                 | jne                 0xd
            //   41                   | inc                 ecx
            //   83f903               | cmp                 ecx, 3

        $sequence_1 = { 57 8bfb ab ab ab ab 894dfc }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8bfb                 | mov                 edi, ebx
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_2 = { 68???????? 8d85d4fdffff 50 ff15???????? 85c0 7451 68???????? }
            // n = 7, score = 300
            //   68????????           |                     
            //   8d85d4fdffff         | lea                 eax, [ebp - 0x22c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7451                 | je                  0x53
            //   68????????           |                     

        $sequence_3 = { 8d45e8 50 8d45fc 68???????? 50 e8???????? 83c410 }
            // n = 7, score = 300
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_4 = { 50 e8???????? 59 59 8944240c 85c0 745b }
            // n = 7, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   85c0                 | test                eax, eax
            //   745b                 | je                  0x5d

        $sequence_5 = { 53 e8???????? 8bf8 59 85ff 0f843e010000 }
            // n = 6, score = 300
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi
            //   0f843e010000         | je                  0x144

        $sequence_6 = { 81ecf0010000 53 33db 395d08 7441 803d????????01 7638 }
            // n = 7, score = 300
            //   81ecf0010000         | sub                 esp, 0x1f0
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   7441                 | je                  0x43
            //   803d????????01       |                     
            //   7638                 | jbe                 0x3a

        $sequence_7 = { 7e06 899374010000 ff7510 52 53 e8???????? 83c40c }
            // n = 7, score = 300
            //   7e06                 | jle                 8
            //   899374010000         | mov                 dword ptr [ebx + 0x174], edx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   52                   | push                edx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_8 = { 8b45f0 8b4ddc 03c2 2bf3 8b5dd4 8945cc 3bd0 }
            // n = 7, score = 300
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   03c2                 | add                 eax, edx
            //   2bf3                 | sub                 esi, ebx
            //   8b5dd4               | mov                 ebx, dword ptr [ebp - 0x2c]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   3bd0                 | cmp                 edx, eax

        $sequence_9 = { 42 3bd3 72f0 8b4d24 8b7d20 8b4514 03f0 }
            // n = 7, score = 300
            //   42                   | inc                 edx
            //   3bd3                 | cmp                 edx, ebx
            //   72f0                 | jb                  0xfffffff2
            //   8b4d24               | mov                 ecx, dword ptr [ebp + 0x24]
            //   8b7d20               | mov                 edi, dword ptr [ebp + 0x20]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   03f0                 | add                 esi, eax

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules
ZeusAction Propose Change

References

Yara Rules

ZeusAction
