malware_bumblebee_packed.yar
// Detects the BumbleBee loader's packer stub by a single x64 code sequence:
// the block that obtains the process heap, allocates a buffer for one of the
// loader's core structures, stores the pointer in a global and zeroes it.
// The rule matches on that instruction sequence alone; the meta block records
// the provenance and the samples the pattern was derived from.
rule malware_bumblebee_packed {
    meta:
        author = "Marc Salinas @ CheckPoint Research"
        malware_family = "BumbleBee"
        // YARAhub registration fields: reference sample MD5, rule UUID,
        // license and the TLP levels for matching / sharing.
        yarahub_reference_md5 = "e2e58c6b4fc6aa36eb5f6b5e6b8743ff"
        yarahub_uuid = "5f1f0757-0b17-4cbc-ab0d-b8a7f6bd9cbd"
        yarahub_license = "CC0 1.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        date = "2022-07-13"
        description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
        // Reference samples, keyed by delivery format and month (64 hex
        // characters each, presumably SHA-256 — confirm against the source
        // sample set). ISO and ZIP containers are listed alongside the bare
        // DLLs, so the byte sequence is seemingly expected to be found in the
        // containers as well as in the extracted payload.
        dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
        dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
        dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
        iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
        iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
        iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
        zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
        zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
    strings:
        // x64 heap-allocation stub: reserve stack, call GetProcessHeap, call
        // HeapAlloc(hHeap, 0, dwBytes), save the returned pointer to a global,
        // memset() the buffer, then reload the pointer into r14.
        // Nibble wildcards (4?, 8?, 0?) and byte jumps absorb the per-build
        // differences in REX prefixes, immediate widths and RIP-relative
        // displacements; the "0? 00" high bytes on the indirect calls keep the
        // displacement small, which presumably ties the match to the image
        // layout seen in the listed samples rather than to arbitrary code.
        $heapalloc = {
            48 8? EC [1-6]          // sub rsp, 80h        (8? + [1-6] cover both the imm8 (83) and imm32 (81) encodings)
            FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap
            33 D2                   // xor edx, edx ; dwFlags
            4? [2-5]                // mov rcx, rax ; hHeap
            4? ?? ??                // mov r8d, ebx ; dwBytes
            FF 15 ?? ?? 0? 00       // call cs:HeapAlloc
            [8 - 11]                // (load params)       memset arguments, not pinned
            48 89 05 ?? ?? ?? 00    // mov cs:HeapBufferPtr, rax
            E8 ?? ?? ?? ??          // call memset         (rel32 target left open)
            4? 8B ?? ?? ?? ?? 00    // mov r14, cs:HeapBufferPtr
        }
    condition:
        // A single occurrence anywhere in the scanned data is a hit. There is
        // no MZ / filesize gate; given the ISO and ZIP samples in meta this
        // looks deliberate — confirm before tightening the condition with a
        // PE-header or size check.
        $heapalloc
}