ZeusAction (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.zeus_action (Back to overview)
ZeusAction

There is no description at this point.
References

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2019-06-07 ⋅ Twitter (@benkow_) ⋅ Benoît Ancel
Tweet on ZeusAction hashes
ZeusAction
Yara Rules

[TLP:WHITE] win_zeus_action_auto (20230125 | Detects win.zeus_action.)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.zeus_action."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb702 894d08 8b4908 2bc8 0fb707 83c418 3bc1 }
            // n = 7, score = 300
            //   0fb702               | movzx               eax, word ptr [edx]
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   2bc8                 | sub                 ecx, eax
            //   0fb707               | movzx               eax, word ptr [edi]
            //   83c418               | add                 esp, 0x18
            //   3bc1                 | cmp                 eax, ecx

        $sequence_1 = { ff742420 89742428 ff15???????? 85c0 7422 57 e8???????? }
            // n = 7, score = 300
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   89742428             | mov                 dword ptr [esp + 0x28], esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_2 = { 743b ff7310 ff7710 e8???????? 59 59 85c0 }
            // n = 7, score = 300
            //   743b                 | je                  0x3d
            //   ff7310               | push                dword ptr [ebx + 0x10]
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_3 = { 7409 ff7610 e8???????? 59 6a06 8bfe }
            // n = 6, score = 300
            //   7409                 | je                  0xb
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6a06                 | push                6
            //   8bfe                 | mov                 edi, esi

        $sequence_4 = { 33f1 33b388feffff 33d0 33938cfeffff 33b3c8000000 3393cc000000 }
            // n = 6, score = 300
            //   33f1                 | xor                 esi, ecx
            //   33b388feffff         | xor                 esi, dword ptr [ebx - 0x178]
            //   33d0                 | xor                 edx, eax
            //   33938cfeffff         | xor                 edx, dword ptr [ebx - 0x174]
            //   33b3c8000000         | xor                 esi, dword ptr [ebx + 0xc8]
            //   3393cc000000         | xor                 edx, dword ptr [ebx + 0xcc]

        $sequence_5 = { 8981f4000000 eb05 a3???????? 85c0 7406 8988f0000000 57 }
            // n = 7, score = 300
            //   8981f4000000         | mov                 dword ptr [ecx + 0xf4], eax
            //   eb05                 | jmp                 7
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   8988f0000000         | mov                 dword ptr [eax + 0xf0], ecx
            //   57                   | push                edi

        $sequence_6 = { 8b5d24 2bce 89451c 85db 0f8e80000000 8d0409 8b4d14 }
            // n = 7, score = 300
            //   8b5d24               | mov                 ebx, dword ptr [ebp + 0x24]
            //   2bce                 | sub                 ecx, esi
            //   89451c               | mov                 dword ptr [ebp + 0x1c], eax
            //   85db                 | test                ebx, ebx
            //   0f8e80000000         | jle                 0x86
            //   8d0409               | lea                 eax, [ecx + ecx]
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_7 = { 8b431c 8bd0 81e200fc0000 81fa00dc0000 7516 baff030000 23ca }
            // n = 7, score = 300
            //   8b431c               | mov                 eax, dword ptr [ebx + 0x1c]
            //   8bd0                 | mov                 edx, eax
            //   81e200fc0000         | and                 edx, 0xfc00
            //   81fa00dc0000         | cmp                 edx, 0xdc00
            //   7516                 | jne                 0x18
            //   baff030000           | mov                 edx, 0x3ff
            //   23ca                 | and                 ecx, edx

        $sequence_8 = { 32db ff742410 e8???????? 59 397c2434 740a ff742434 }
            // n = 7, score = 300
            //   32db                 | xor                 bl, bl
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   397c2434             | cmp                 dword ptr [esp + 0x34], edi
            //   740a                 | je                  0xc
            //   ff742434             | push                dword ptr [esp + 0x34]

        $sequence_9 = { 40 393481 74f5 48 3bfa 7507 8945f0 }
            // n = 7, score = 300
            //   40                   | inc                 eax
            //   393481               | cmp                 dword ptr [ecx + eax*4], esi
            //   74f5                 | je                  0xfffffff7
            //   48                   | dec                 eax
            //   3bfa                 | cmp                 edi, edx
            //   7507                 | jne                 9
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules
ZeusAction Propose Change

References

Yara Rules

ZeusAction
