This artifact enables running Yara over processes in memory. Targeting detection of IDAT Loader and final payloads observed in field.
Note: may see some false positives on security tools, add to whitelist appropriately.
name: Windows.Detection.IdatLoader
author: Matt Green - @mgreen27
description: |
This artifact enables running Yara over processes in memory.
Targeting detection of IDAT Loader and final payloads
observed in field.
Note: may see some false positives on security tools,
add to whitelist appropriately.
type: CLIENT
reference:
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/
parameters:
- name: ProcessRegex
default: .
type: regex
- name: PidRegex
default: .
type: regex
- name: UploadHits
type: bool
- name: YaraRule
type: yara
description: Final Yara option and the default if no other options provided.
default: |
rule MAL_Loader_IDAT_August_2023
{
meta:
description = "IDAT Loader August 2023"
author = "Natalie Zargarov"
strings:
$trait_0 = {C6 A5 79 EA F4 B4 07 9A}
$trait_1 = {3D ED C0 D3}
$trait_2 = {C6 45 FC 4D C6 45 FD 5A}
$trait_3 = {68 77 94 91 2C 8B 45 ?? 50 E8}
condition:
2 of ($trait_*)
}
rule MAL_Loader_IDAT_Shellcode_Dec_2023
{
meta:
author = "Thomas Elkins - Rapid7"
description = "Yara detects in memory IDAT Loader shellcode"
date = "20-12-2023"
strings:
$stage1_32_1 = { 8B D1 8D 04 09 D1 EA 33 D0 8D 04 09 56 81 E2 55 55 55 55 33 D0 8B F2 8B C2 C1 E0 02 C1 EE 02 33 } // function from IDAT API Hashing Routine
$stage1_32_2 = { 8A 44 0D 08 30 04 32 8D 41 01 83 E9 03 42 F7 D9 1B C9 23 C8 3B D7 72 E8 } // XOR encrpytion routine for creation of encrypted temp file
$stage1_64_1 = { 8B 44 24 08 25 55 55 55 55 D1 E0 8B 4C 24 08 D1 E9 81 E1 55 55 55 55 0B C1 89 44 24 08 } // function from IDAT API Hashing Routine
$stage1_64_2 = { 8B 04 24 8B 4C 24 04 0F B6 4C 0C 08 48 8B 54 24 20 0F B6 04 02 33 C1 8B 0C 24 48 8B 54 24 20 88 } // XOR encryption for creation of encrypted temp file
$stage2_1 = { FF 57 0C 33 D2 6A 1A 59 F7 F1 66 0F BE 44 15 DC 66 89 04 73 46 3B 75 FC 72 E6 } // Function turns computer name into UpperCase only characters using srand function
$stage2_2 = { 8B 00 33 04 8A 8B 4D E8 89 01 8B 55 E4 83 EA 01 39 55 F4 75 } // decryption loop for final payload
condition:
2 of ($stage1_32_*) or 2 of ($stage1_64_*) or 2 of ($stage2_*)
}
rule win_stealc_w0 {
meta:
malware = "Stealc"
description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
author = "crep1x"
notes = "removed MZ header condition"
strings:
$dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function
$str01 = "------" ascii
$str02 = "Network Info:" ascii
$str03 = "- IP: IP?" ascii
$str04 = "- Country: ISO?" ascii
$str05 = "- Display Resolution:" ascii
$str06 = "User Agents:" ascii
$str07 = "%s\\%s\\%s" ascii
condition:
($dec or 5 of ($str*))
}
rule win_lumma_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
description = "Detects win.lumma."
strings:
$sequence_0 = { 57 53 ff767c ff7678 }
$sequence_1 = { 53 49 83fc00 75e8 8b4508 49 89ca }
$sequence_2 = { e8???????? ff7614 e8???????? ff7608 e8???????? 83c414 83c8ff }
$sequence_3 = { 4d 6be404 49 83ec04 }
$sequence_4 = { 41 5b 41 5c }
$sequence_5 = { c1e002 50 e8???????? 894614 8b461c c1e002 }
$sequence_6 = { 0fb64203 83c204 33c1 c1e908 }
$sequence_7 = { 41 5a cb 55 89e5 8b550c }
$sequence_8 = { 4d 6bdb08 4c 01dc }
$sequence_9 = { 50 e8???????? 894604 8b461c }
$sequence_10 = { 41 8b0a 41 8b5204 }
$sequence_11 = { 4d 89f3 49 83eb04 }
$sequence_12 = { 57 8bf2 8bd9 6a2e 56 }
$sequence_13 = { 03c0 3bc2 0f47d0 e8???????? 85c0 }
$sequence_14 = { c1e002 50 e8???????? 89460c 8b461c c1e002 }
condition:
7 of them
}
rule win_amadey_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
description = "Detects win.amadey."
strings:
$sequence_0 = { 8945f4 837df408 744f 8d85e8fdffff 890424 e8???????? c70424???????? }
$sequence_1 = { c745fc00000000 e8???????? 84c0 750c c7042401000000 e8???????? e8???????? }
$sequence_2 = { 89442404 891424 e8???????? 85c0 7510 8b45fc 40 }
$sequence_3 = { 890424 e8???????? c7042400000000 e8???????? 81c424040000 }
$sequence_4 = { e8???????? 8945f4 837df40a 0f842e010000 }
$sequence_5 = { e8???????? c7442404???????? 8b4508 890424 e8???????? 85c0 7e75 }
$sequence_6 = { 890424 e8???????? c7042401000000 e8???????? 89442404 8d85e8fbffff 890424 }
$sequence_7 = { e8???????? 8b4508 c60000 c9 }
$sequence_8 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
$sequence_9 = { 83fa10 722f 8b8d78feffff 42 8bc1 81fa00100000 7214 }
$sequence_10 = { 52 51 e8???????? 83c408 8b955cfeffff }
$sequence_11 = { 50 68???????? 83ec18 8bcc 68???????? }
$sequence_12 = { 8b7dfc 8d4201 3bcb 7ccb 837e1410 }
$sequence_13 = { 83c408 8b554c c7453000000000 c745340f000000 c6452000 83fa10 0f8204ffffff }
$sequence_14 = { 68e8030000 ff15???????? 8b551c 83fa10 7228 8b4d08 }
$sequence_15 = { 83fa10 722f 8b8d60feffff 42 }
$sequence_16 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 }
$sequence_17 = { c78514feffff0f000000 c68500feffff00 83fa10 722f 8b8de8fdffff 42 }
$sequence_18 = { 83c408 8b95fcfdffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 83fa10 }
condition:
7 of them
}
rule MALWARE_Win_RedLine {
meta:
author = "ditekSHen"
description = "Detects RedLine infostealer"
clamav_sig = "MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2"
strings:
$s1 = { 23 00 2b 00 33 00 3b 00 43 00 53 00 63 00 73 00 }
$s2 = { 68 10 84 2d 2c 71 ea 7e 2c 71 ea 7e 2c 71 ea 7e
32 23 7f 7e 3f 71 ea 7e 0b b7 91 7e 2b 71 ea 7e
2c 71 eb 7e 5c 71 ea 7e 32 23 6e 7e 1c 71 ea 7e
32 23 69 7e a2 71 ea 7e 32 23 7b 7e 2d 71 ea 7e }
$s3 = { 83 ec 38 53 b0 ?? 88 44 24 2b 88 44 24 2f b0 ??
88 44 24 30 88 44 24 31 88 44 24 33 55 56 8b f1
b8 0c 00 fe ff 2b c6 89 44 24 14 b8 0d 00 fe ff
2b c6 89 44 24 1c b8 02 00 fe ff 2b c6 89 44 24
18 b3 32 b8 0e 00 fe ff 2b c6 88 5c 24 32 88 5c
24 41 89 44 24 28 57 b1 ?? bb 0b 00 fe ff b8 03
00 fe ff 2b de 2b c6 bf 00 00 fe ff b2 ?? 2b fe
88 4c 24 38 88 4c 24 42 88 4c 24 47 c6 44 24 34
78 c6 44 24 35 61 88 54 24 3a c6 44 24 3e 66 c6
44 24 41 33 c6 44 24 43 ?? c6 44 24 44 74 88 54
24 46 c6 44 24 40 ?? c6 44 24 39 62 c7 44 24 10 }
$s4 = "B|BxBtBpBlBhBdB`B\\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B" fullword wide
$s5 = " delete[]" fullword ascii
$s6 = "constructor or from DllMain." ascii
$x1 = "RedLine.Reburn" ascii
$x2 = "RedLine.Client." ascii
$x3 = "hostIRemotePanel, CommandLine: " fullword wide
$u1 = "<ParseCoinomi>" ascii
$u2 = "<ParseBrowsers>" ascii
$u3 = "<GrabScreenshot>" ascii
$u4 = "UserLog" ascii nocase
$u5 = "FingerPrintT" fullword ascii
$u6 = "InstalledBrowserInfoT" fullword ascii
$u7 = "RunPE" fullword ascii
$u8 = "DownloadAndEx" fullword ascii
$u9 = ".Data.Applications.Wallets" ascii
$u10 = ".Data.Browsers" ascii
$u11 = ".Models.WMI" ascii
$u12 = "DefenderSucks" wide
$pat1 = "(((([0-9.])\\d)+){1})" fullword wide
$pat2 = "^(?:2131|1800|35\\\\d{3})\\\\d{11}$" fullword wide
$pat3 = "6(?:011|5[0-9]{2})[0-9]{12}$/C" fullword wide
$pat4 = "Telegramprofiles^(6304|6706|6709|6771)[0-9]{12,15}$" fullword wide
$pat5 = "host_key^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$" fullword wide
$pat6 = "^3(?:0[0-5]|[68][0-9])[0-9]{11}$" wide
$pat7 = "settingsprotocol^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$" wide
$pat8 = "Opera GX4[0-9]{12}(?:[0-9]{3})?$cookies" wide
$pat9 = "^9[0-9]{15}$Coinomi" wide
$pat10 = "wallets^(62[0-9]{14,17})$" wide
$pat11 = "hostpasswordUsername_value" wide
$pat12 = "credit_cards^389[0-9]{11}$" wide
$pat13 = "NWinordVWinpn.eWinxe*WinhostUsername_value" wide
$pat14 = /(\/|,\s)CommandLine:/ wide
// another variant
$v2_1 = "ListOfProcesses" fullword ascii
$v2_2 = /get_Scan(ned)?(Browsers|ChromeBrowsersPaths|Discord|FTP|GeckoBrowsersPaths|Screen|Steam|Telegram|VPN|Wallets)/ fullword ascii
$v2_3 = "GetArguments" fullword ascii
$v2_4 = "VerifyUpdate" fullword ascii
$v2_5 = "VerifyScanRequest" fullword ascii
$v2_6 = "GetUpdates" fullword ascii
// yet another variant
$v3_1 = "localhost.IUserServiceu" fullword ascii
$v3_2 = "ParseNetworkInterfaces" fullword ascii
$v3_3 = "ReplyAction0http://tempuri.org/IUserService/GetUsersResponse" fullword ascii
$v3_4 = "Action(http://tempuri.org/IUserService/GetUsersT" fullword ascii
$v3_5 = "basicCfg" fullword wide
// more variants
$vx4_1 = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\AddInProcess32.exe" fullword wide
$v4_2 = "isWow64" fullword ascii
$v4_3 = "base64str" fullword ascii
$v4_4 = "stringKey" fullword ascii
$v4_5 = "BytesToStringConverted" fullword ascii
$v4_6 = "FromBase64" fullword ascii
$v4_7 = "xoredString" fullword ascii
$v4_8 = "procName" fullword ascii
$v4_9 = "base64EncodedData" fullword ascii
// another variant 2021-10-23
$v5_1 = "DownloadAndExecuteUpdate" fullword ascii
$v5_2 = "ITaskProcessor" fullword ascii
$v5_3 = "CommandLineUpdate" fullword ascii
$v5_4 = "DownloadUpdate" fullword ascii
$v5_5 = "FileScanning" fullword ascii
$v5_6 = "GetLenToPosState" fullword ascii
$v5_7 = "RecordHeaderField" fullword ascii
$v5_8 = "EndpointConnection" fullword ascii
$v5_9 = "BCRYPT_KEY_LENGTHS_STRUCT" fullword ascii
// another variant (v11?)
$v6_1 = "%localappdata%\\" fullword wide
$v6_2 = "GetDecoded" fullword ascii
$v6_3 = "//settinString.Removeg[@name=\\PasswString.Removeord\\]/valuString.RemoveeROOT\\SecurityCenter" fullword wide
$v6_4 = "AppData\\Roaming\\ //settString.Replaceing[@name=\\UString.Replacesername\\]/vaString.Replaceluemoz_cookies" wide
$v6_5 = "<GetWindowsVersion>g__HKLM_GetString|11_0" fullword ascii
$v6_6 = "net.tcp://" fullword wide
condition:
(all of ($s*) or 2 of ($x*) or 7 of ($u*) or 7 of ($pat*) or (1 of ($x*) and (5 of ($u*) or 2 of ($pat*))) or 5 of ($v2*) or 4 of ($v3*) or (3 of ($v2*) and (2 of ($pat*) or 2 of ($u*)) or (1 of ($vx4*) and 5 of ($v4*)) or 5 of ($v4*) or 6 of ($v5*)) or 5 of ($v6*) or (4 of ($v6*) and 3 of them )) or ((all of ($x*) and 4 of ($s*)) or (4 of ($v6*) and 4 of them))
}
- name: NumberOfHits
description: THis artifact will stop by default at one hit. This setting allows additional hits
default: 1
type: int
- name: ContextBytes
description: Include this amount of bytes around hit as context.
default: 0
type: int64
- name: ExePathWhitelist
description: Regex of ProcessPaths to exclude
type: regex
default: "C:\\Program Files\\Sophos\\"
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT Pid,ProcessName,ExePath,CommandLine,
Rule,Meta,YaraString,HitOffset, HitContext,
process_tracker_callchain(id=Pid).data as ProcessChain
FROM Artifact.Windows.Detection.Yara.Process(
PidRegex=PidRegex,
ProcessRegex=ProcessRegex,
YaraRule=YaraRule,
YaraRule=YaraRule,
NumberOfHits=str(str=NumberOfHits),
ContextBytes=ContextBytes,
ExePathWhitelist=ExePathWhitelist )
column_types:
- name: HitContext
type: preview_upload