SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus_action (Back to overview)

ZeusAction

There is no description at this point.

References
2019-06-07Twitter (@benkow_)Benoît Ancel
@online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } Tweet on ZeusAction hashes
ZeusAction
Yara Rules
[TLP:WHITE] win_zeus_action_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b86d8750000 88ac06a8000000 ff86d8750000 8b8ed8750000 8a45d6 88840ea8000000 ff86d8750000 }
            // n = 7, score = 100
            //   8b86d8750000         | mov                 eax, dword ptr [esi + 0x75d8]
            //   88ac06a8000000       | mov                 byte ptr [esi + eax + 0xa8], ch
            //   ff86d8750000         | inc                 dword ptr [esi + 0x75d8]
            //   8b8ed8750000         | mov                 ecx, dword ptr [esi + 0x75d8]
            //   8a45d6               | mov                 al, byte ptr [ebp - 0x2a]
            //   88840ea8000000       | mov                 byte ptr [esi + ecx + 0xa8], al
            //   ff86d8750000         | inc                 dword ptr [esi + 0x75d8]

        $sequence_1 = { 897df4 33db 85c9 0f8ecb010000 8945e4 8b0498 8945e8 }
            // n = 7, score = 100
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   33db                 | xor                 ebx, ebx
            //   85c9                 | test                ecx, ecx
            //   0f8ecb010000         | jle                 0x1d1
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b0498               | mov                 eax, dword ptr [eax + ebx*4]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_2 = { 8986d8750000 895dec 395514 0f8e07020000 8b4d10 8b450c }
            // n = 6, score = 100
            //   8986d8750000         | mov                 dword ptr [esi + 0x75d8], eax
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   395514               | cmp                 dword ptr [ebp + 0x14], edx
            //   0f8e07020000         | jle                 0x20d
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_3 = { 68b0504300 57 8945f4 ffd6 68c0504300 57 8945d0 }
            // n = 7, score = 100
            //   68b0504300           | push                0x4350b0
            //   57                   | push                edi
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   ffd6                 | call                esi
            //   68c0504300           | push                0x4350c0
            //   57                   | push                edi
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_4 = { 6a01 ffb34c070000 ff15???????? 68b0904300 ff15???????? 50 ffb34c070000 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   ffb34c070000         | push                dword ptr [ebx + 0x74c]
            //   ff15????????         |                     
            //   68b0904300           | push                0x4390b0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffb34c070000         | push                dword ptr [ebx + 0x74c]

        $sequence_5 = { 59 8b8ff0000000 85c9 7408 8981f4000000 eb05 a3???????? }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   8b8ff0000000         | mov                 ecx, dword ptr [edi + 0xf0]
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   8981f4000000         | mov                 dword ptr [ecx + 0xf4], eax
            //   eb05                 | jmp                 7
            //   a3????????           |                     

        $sequence_6 = { 037df4 48 897d14 894524 85c0 0f8f6effffff }
            // n = 6, score = 100
            //   037df4               | add                 edi, dword ptr [ebp - 0xc]
            //   48                   | dec                 eax
            //   897d14               | mov                 dword ptr [ebp + 0x14], edi
            //   894524               | mov                 dword ptr [ebp + 0x24], eax
            //   85c0                 | test                eax, eax
            //   0f8f6effffff         | jg                  0xffffff74

        $sequence_7 = { 8b450c 53 8a08 8b5d08 56 }
            // n = 5, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi

        $sequence_8 = { 83c9fc 41 83630400 03c1 89430c 0fafc6 8b7508 }
            // n = 7, score = 100
            //   83c9fc               | or                  ecx, 0xfffffffc
            //   41                   | inc                 ecx
            //   83630400             | and                 dword ptr [ebx + 4], 0
            //   03c1                 | add                 eax, ecx
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   0fafc6               | imul                eax, esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_9 = { 59 59 898688010000 83f8ff 750e 8b4d08 43 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   898688010000         | mov                 dword ptr [esi + 0x188], eax
            //   83f8ff               | cmp                 eax, -1
            //   750e                 | jne                 0x10
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   43                   | inc                 ebx

    condition:
        7 of them
}
Download all Yara Rules