SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus_action (Back to overview)

ZeusAction

There is no description at this point.

References
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2019-06-07Twitter (@benkow_)Benoît Ancel
@online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } Tweet on ZeusAction hashes
ZeusAction
Yara Rules
[TLP:WHITE] win_zeus_action_auto (20220808 | Detects win.zeus_action.)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.zeus_action."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 895df4 3333 335304 3375f8 3355fc 8bc6 8bca }
            // n = 7, score = 300
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   3333                 | xor                 esi, dword ptr [ebx]
            //   335304               | xor                 edx, dword ptr [ebx + 4]
            //   3375f8               | xor                 esi, dword ptr [ebp - 8]
            //   3355fc               | xor                 edx, dword ptr [ebp - 4]
            //   8bc6                 | mov                 eax, esi
            //   8bca                 | mov                 ecx, edx

        $sequence_1 = { 8908 895ddc 894dd4 c7867c78000004000000 8955e8 395514 }
            // n = 6, score = 300
            //   8908                 | mov                 dword ptr [eax], ecx
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   c7867c78000004000000     | mov    dword ptr [esi + 0x787c], 4
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   395514               | cmp                 dword ptr [ebp + 0x14], edx

        $sequence_2 = { 51 ff10 8b4df0 85c9 0f84dd010000 8b01 51 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   ff10                 | call                dword ptr [eax]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   85c9                 | test                ecx, ecx
            //   0f84dd010000         | je                  0x1e3
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   51                   | push                ecx

        $sequence_3 = { ffb774070000 ffd3 3d02010000 0f85ad000000 f7473000200000 7524 ff15???????? }
            // n = 7, score = 300
            //   ffb774070000         | push                dword ptr [edi + 0x774]
            //   ffd3                 | call                ebx
            //   3d02010000           | cmp                 eax, 0x102
            //   0f85ad000000         | jne                 0xb3
            //   f7473000200000       | test                dword ptr [edi + 0x30], 0x2000
            //   7524                 | jne                 0x26
            //   ff15????????         |                     

        $sequence_4 = { 8b87d8750000 c1ea08 889438a8000000 ff87d8750000 c745fc01000000 894de0 eb0d }
            // n = 7, score = 300
            //   8b87d8750000         | mov                 eax, dword ptr [edi + 0x75d8]
            //   c1ea08               | shr                 edx, 8
            //   889438a8000000       | mov                 byte ptr [eax + edi + 0xa8], dl
            //   ff87d8750000         | inc                 dword ptr [edi + 0x75d8]
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   eb0d                 | jmp                 0xf

        $sequence_5 = { 7413 51 ff15???????? 8b5510 0fb7c0 8945fc 8b450c }
            // n = 7, score = 300
            //   7413                 | je                  0x15
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   0fb7c0               | movzx               eax, ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_6 = { 740c ff766c e8???????? 59 895e6c 395e70 740c }
            // n = 7, score = 300
            //   740c                 | je                  0xe
            //   ff766c               | push                dword ptr [esi + 0x6c]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   895e6c               | mov                 dword ptr [esi + 0x6c], ebx
            //   395e70               | cmp                 dword ptr [esi + 0x70], ebx
            //   740c                 | je                  0xe

        $sequence_7 = { 6bc003 53 8b5d1c 56 8b7514 57 8b7d24 }
            // n = 7, score = 300
            //   6bc003               | imul                eax, eax, 3
            //   53                   | push                ebx
            //   8b5d1c               | mov                 ebx, dword ptr [ebp + 0x1c]
            //   56                   | push                esi
            //   8b7514               | mov                 esi, dword ptr [ebp + 0x14]
            //   57                   | push                edi
            //   8b7d24               | mov                 edi, dword ptr [ebp + 0x24]

        $sequence_8 = { 807d0c00 59 59 8b4df4 8945c8 7510 3901 }
            // n = 7, score = 300
            //   807d0c00             | cmp                 byte ptr [ebp + 0xc], 0
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   7510                 | jne                 0x12
            //   3901                 | cmp                 dword ptr [ecx], eax

        $sequence_9 = { 0fb645ec 83e804 745d 48 740c 56 e8???????? }
            // n = 7, score = 300
            //   0fb645ec             | movzx               eax, byte ptr [ebp - 0x14]
            //   83e804               | sub                 eax, 4
            //   745d                 | je                  0x5f
            //   48                   | dec                 eax
            //   740c                 | je                  0xe
            //   56                   | push                esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules