UnpacMe Weekly: Hunting by Moonlight

Updated Yara Hunting to improve scan coverage and lookback, added support for Yara 4.3, and updated support for bloated files


Highlights

  • [Improved] Updated Yara Hunting to improve scan coverage and lookback.
  • [New] Added support for Yara 4.3.
  • [Fixed] Fixed issue with exports not being displayed correctly in some submissions.
  • [Fixed] Fixed issue with searching for related samples by yara name.
  • [Improved] Updated support for bloated files.
  • [Improved] Updated String search to improve performance.

We've made several updates and bug fixes over the past few weeks to improve the Yara hunt and search experience on UnpacMe. Most of the work was focused on improving the overall speed and coverage for scans, along with fixing some issues to improve the quality of results. We have also added support for Yara 4.3, which includes several improvements such as parsing of .NET user types from the .NET metadata stream, not (~) operator support, and improved PE certificate support.

Weekly Threat Hunting

This week Redline Stealer submissions dropped, with AgentTesla, SmokeLoader, and Stealc taking the top spots. While Redline Stealer remains highly submitted, this is the first week in several that it is not the most submitted family.

Last Week's Top Analyst Submitted Threats

We have observed a rise in submissions of Blackmoon (KRBanker), a legacy information stealer initially targeted at South Korean banks. A recent report from Rapid7 suggests that Blackmoon is being repurposed as a dropper, distributing payloads on compromised systems. We see a large daily volume of legacy Blackmoon samples bundled with old file infectors in our automated collection (excluded from this report), so it came as a surprise to see an increase in user-submitted samples.

Threat Coverage

  • AgentTesla - We've updated our coverage for AgentTesla. Thanks to rony123 for reporting the issues.
  • CobianRat - Added coverage and a malware configuration extractor.
  • LimeRat - Updated coverage for LimeRat and added a malware configuration extractor.
  • PureCrypter - Updated coverage for Stage 1 of the PureCrypter downloader.
  • Stealc - Updated coverage for the Stealc information stealer.
  • XWorm - We've updated our coverage for XWorm. Thanks to embee_research for reporting the issues.

Happy Hunting!