ZeusAction (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.zeus_action (Back to overview)
ZeusAction

There is no description at this point.
References

2019-06-07 ⋅ Twitter (@benkow_) ⋅ Benoît Ancel
Tweet on ZeusAction hashes
ZeusAction
Yara Rules

[TLP:WHITE] win_zeus_action_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_zeus_action_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 56 8b7508 eb35 8b4208 3b460c }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   eb35                 | jmp                 0x37
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   3b460c               | cmp                 eax, dword ptr [esi + 0xc]

        $sequence_1 = { 8b7508 56 e8???????? 59 59 84c0 742d }
            // n = 7, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   742d                 | je                  0x2f

        $sequence_2 = { 8945fc 85c0 747c 56 8bcb e8???????? 8b4d0c }
            // n = 7, score = 200
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax
            //   747c                 | je                  0x7e
            //   56                   | push                esi
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_3 = { a5 8383d87500000c 53 e8???????? 59 f7d8 1bc0 }
            // n = 7, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8383d87500000c       | add                 dword ptr [ebx + 0x75d8], 0xc
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax

        $sequence_4 = { 888c30a8000000 ff86d8750000 884de8 837ddc00 0f85e7000000 808c33a800000008 8b4dc8 }
            // n = 7, score = 200
            //   888c30a8000000       | mov                 byte ptr [eax + esi + 0xa8], cl
            //   ff86d8750000         | inc                 dword ptr [esi + 0x75d8]
            //   884de8               | mov                 byte ptr [ebp - 0x18], cl
            //   837ddc00             | cmp                 dword ptr [ebp - 0x24], 0
            //   0f85e7000000         | jne                 0xed
            //   808c33a800000008     | or                  byte ptr [ebx + esi + 0xa8], 8
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]

        $sequence_5 = { 897dcc 3bc1 7f0b 8b45d0 8945f4 8bc7 8945fc }
            // n = 7, score = 200
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi
            //   3bc1                 | cmp                 eax, ecx
            //   7f0b                 | jg                  0xd
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8bc7                 | mov                 eax, edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_6 = { 7422 57 e8???????? 0fb6c0 59 89442418 85c0 }
            // n = 7, score = 200
            //   7422                 | je                  0x24
            //   57                   | push                edi
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al
            //   59                   | pop                 ecx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   85c0                 | test                eax, eax

        $sequence_7 = { eb50 8b5604 66c745f80400 668b4208 84db 7415 8b4a08 }
            // n = 7, score = 200
            //   eb50                 | jmp                 0x52
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   66c745f80400         | mov                 word ptr [ebp - 8], 4
            //   668b4208             | mov                 ax, word ptr [edx + 8]
            //   84db                 | test                bl, bl
            //   7415                 | je                  0x17
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]

        $sequence_8 = { 894610 56 897e0c e8???????? 59 8b4e10 85c0 }
            // n = 7, score = 200
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   56                   | push                esi
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   85c0                 | test                eax, eax

        $sequence_9 = { 40 393481 74f5 8b75d8 48 3bde 7506 }
            // n = 7, score = 200
            //   40                   | inc                 eax
            //   393481               | cmp                 dword ptr [ecx + eax*4], esi
            //   74f5                 | je                  0xfffffff7
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   48                   | dec                 eax
            //   3bde                 | cmp                 ebx, esi
            //   7506                 | jne                 8

    condition:
        7 of them and filesize < 827392
}
Download all Yara Rules
ZeusAction Propose Change

References

Yara Rules

ZeusAction
