Spectre v4.0: the speed of malware threats after the pandemics - Yoroi
Tags
cmtmf-attack-pattern: | Code Injection |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Models Botnet - T1583.005 Botnet - T1584.005 Code Injection - T1540 Keylogging - T1056.001 Keylogging - T1417.001 Malware - T1587.001 Malware - T1588.001 Native Api - T1575 Python - T1059.006 Server - T1583.004 Server - T1584.004 Software - T1592.002 Execution Through Api - T1106 |
Common Information
Type | Value |
---|---|
UUID | d98d30a0-da4e-426a-b56d-20eba4159b71 |
Fingerprint | a41529f9c9f60feb |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Oct. 22, 2021, 8:31 a.m. |
Added to db | Sept. 26, 2022, 9:34 a.m. |
Last updated | Nov. 17, 2024, 5:58 p.m. |
Headline | Spectre v4.0: the speed of malware threats after the pandemics |
Title | Spectre v4.0: the speed of malware threats after the pandemics - Yoroi |
Detected Hints/Tags/Attributes | 53/3/19 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Yara rule | 1 | spectre_stealer (rule body below) |

```yara
rule spectre_stealer {
    meta:
        description = "Yara Rule for Spectre RAT, versions 2,3,4"
        author = "Yoroi Malware Zlab"
        last_updated = "2021_10_08"
        tlp = "white"
        category = "informational"
    strings:
        $main = { FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 3D B7 00 00 00 75 06 57 E8 ?? 7? 00 00 E8 }
        $c2_send_request = { FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4F 04 C7 07 01 00 00 00 E8 ?? ?? ?? ?? 8B [0-6] 00 10 00 00 83 F8 08 72 ?? 8B 4? [0-2] 8D 04 45 02 00 00 00 89 4? }
    condition:
        all of them and uint16(0) == 0x5A4D
}
```