SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus_action (Back to overview)

ZeusAction

There is no description at this point.

References
2019-06-07Twitter (@benkow_)Benoît Ancel
@online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } Tweet on ZeusAction hashes
ZeusAction
Yara Rules
[TLP:WHITE] win_zeus_action_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 8b3d???????? 6a38 6a01 ffd7 8bf0 59 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   6a38                 | push                0x38
            //   6a01                 | push                1
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_1 = { bf???????? eb0d bf???????? 57 ff15???????? 59 50 }
            // n = 7, score = 300
            //   bf????????           |                     
            //   eb0d                 | jmp                 0xf
            //   bf????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   50                   | push                eax

        $sequence_2 = { 84c0 668b8318780000 b90000feff bafffe0000 0f45ca 894dfc 741c }
            // n = 7, score = 300
            //   84c0                 | test                al, al
            //   668b8318780000       | mov                 ax, word ptr [ebx + 0x7818]
            //   b90000feff           | mov                 ecx, 0xfffe0000
            //   bafffe0000           | mov                 edx, 0xfeff
            //   0f45ca               | cmovne              ecx, edx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   741c                 | je                  0x1e

        $sequence_3 = { c1e008 33f0 0fa4fb08 b8ff00ff00 c1ea08 23f0 c1e708 }
            // n = 7, score = 300
            //   c1e008               | shl                 eax, 8
            //   33f0                 | xor                 esi, eax
            //   0fa4fb08             | shld                ebx, edi, 8
            //   b8ff00ff00           | mov                 eax, 0xff00ff
            //   c1ea08               | shr                 edx, 8
            //   23f0                 | and                 esi, eax
            //   c1e708               | shl                 edi, 8

        $sequence_4 = { 8b550c 03c8 038b08030000 8b420c 894dfc 0fafc6 8b4df0 }
            // n = 7, score = 300
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   03c8                 | add                 ecx, eax
            //   038b08030000         | add                 ecx, dword ptr [ebx + 0x308]
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   0fafc6               | imul                eax, esi
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_5 = { eb4c 53 56 e8???????? 8b37 8bd8 8d4714 }
            // n = 7, score = 300
            //   eb4c                 | jmp                 0x4e
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8bd8                 | mov                 ebx, eax
            //   8d4714               | lea                 eax, [edi + 0x14]

        $sequence_6 = { a1???????? 33c9 41 85c0 0f44c1 a3???????? a1???????? }
            // n = 7, score = 300
            //   a1????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   85c0                 | test                eax, eax
            //   0f44c1               | cmove               eax, ecx
            //   a3????????           |                     
            //   a1????????           |                     

        $sequence_7 = { 8b83a8020000 39848dc8feffff 741c 41 3bca 72f2 eb23 }
            // n = 7, score = 300
            //   8b83a8020000         | mov                 eax, dword ptr [ebx + 0x2a8]
            //   39848dc8feffff       | cmp                 dword ptr [ebp + ecx*4 - 0x138], eax
            //   741c                 | je                  0x1e
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   72f2                 | jb                  0xfffffff4
            //   eb23                 | jmp                 0x25

        $sequence_8 = { 0fb7d3 8b5dec 8955cc 3bc2 8b55f8 7514 8b5510 }
            // n = 7, score = 300
            //   0fb7d3               | movzx               edx, bx
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx
            //   3bc2                 | cmp                 eax, edx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   7514                 | jne                 0x16
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_9 = { 33db 837e10ff 7567 6a10 ff36 e8???????? 59 }
            // n = 7, score = 300
            //   33db                 | xor                 ebx, ebx
            //   837e10ff             | cmp                 dword ptr [esi + 0x10], -1
            //   7567                 | jne                 0x69
            //   6a10                 | push                0x10
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules