SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus_action (Back to overview)

ZeusAction

VTCollection    

There is no description at this point.

References
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2019-06-07Twitter (@benkow_)Benoît Ancel
Tweet on ZeusAction hashes
ZeusAction
Yara Rules
[TLP:WHITE] win_zeus_action_auto (20260504 | Detects win.zeus_action.)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.zeus_action."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 56 57 8bf0 e8???????? 8bf8 85ff }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_1 = { 0f84d1000000 53 6800040000 e8???????? 8bd8 59 85db }
            // n = 7, score = 300
            //   0f84d1000000         | je                  0xd7
            //   53                   | push                ebx
            //   6800040000           | push                0x400
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   59                   | pop                 ecx
            //   85db                 | test                ebx, ebx

        $sequence_2 = { ebdd 8b45ec 25ff000000 8b4dfc 8801 8b45fc 40 }
            // n = 7, score = 300
            //   ebdd                 | jmp                 0xffffffdf
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   25ff000000           | and                 eax, 0xff
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8801                 | mov                 byte ptr [ecx], al
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   40                   | inc                 eax

        $sequence_3 = { ffb3c4020000 8d45e0 6a05 50 ffb360010000 e8???????? 83c410 }
            // n = 7, score = 300
            //   ffb3c4020000         | push                dword ptr [ebx + 0x2c4]
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   6a05                 | push                5
            //   50                   | push                eax
            //   ffb360010000         | push                dword ptr [ebx + 0x160]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_4 = { f7fe 8945bc 8b4508 0fafc1 99 f7fe }
            // n = 6, score = 300
            //   f7fe                 | idiv                esi
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fafc1               | imul                eax, ecx
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi

        $sequence_5 = { 3b45bc 0f85a4000000 33c0 40 6bc005 8b4df0 0fb60401 }
            // n = 7, score = 300
            //   3b45bc               | cmp                 eax, dword ptr [ebp - 0x44]
            //   0f85a4000000         | jne                 0xaa
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   6bc005               | imul                eax, eax, 5
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   0fb60401             | movzx               eax, byte ptr [ecx + eax]

        $sequence_6 = { 8b7df0 49 3bdf 7507 894dec 8bc1 eb03 }
            // n = 7, score = 300
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   49                   | dec                 ecx
            //   3bdf                 | cmp                 ebx, edi
            //   7507                 | jne                 9
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8bc1                 | mov                 eax, ecx
            //   eb03                 | jmp                 5

        $sequence_7 = { 6a01 ff750c ff75f4 ff15???????? 8365e000 6a02 8d45e0 }
            // n = 7, score = 300
            //   6a01                 | push                1
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   8365e000             | and                 dword ptr [ebp - 0x20], 0
            //   6a02                 | push                2
            //   8d45e0               | lea                 eax, [ebp - 0x20]

        $sequence_8 = { 57 8d45f4 50 68???????? 33ff 6a01 57 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   68????????           |                     
            //   33ff                 | xor                 edi, edi
            //   6a01                 | push                1
            //   57                   | push                edi

        $sequence_9 = { 51 50 0fb74304 50 52 56 e8???????? }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   50                   | push                eax
            //   0fb74304             | movzx               eax, word ptr [ebx + 4]
            //   50                   | push                eax
            //   52                   | push                edx
            //   56                   | push                esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules