Loup ATM Malware Download

Loup is a small cli-tool to cash out NCR devices. The Loup malware injects code into the application for kernel32 operations, thus it seems to use the debugger with a pdb file and a section of the portable executable (PE) to obtain the code to inject.

Loup ATM Malware Signatures

Family: Trojan:Win32/Ymacco.AA6C
MD5: 4f0a81fcdf3a2cb354b3d17c5039a910
SHA256: 6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196

Loup ATM Malware Download

Loup ATM Malware YARA Rule

rule ATM_Malware_Loup {
meta:
	description = "Detects ATM Malware Loup"
	author = "Frank Boldewin (@r3c0nst)"
	reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
	date = "2020-08-17"
	hash = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196"

strings:
	$String1 = "C:∖∖Users∖∖muham∖∖source∖∖repos∖∖loup∖∖Debug∖∖loup.pdb" ascii nocase
	$String2 = "CurrencyDispenser1" ascii nocase
	$Code = {50 68 C0 D4 01 00 8D 4D E8 51 68 2E 01 00 00 0F B7 55 08 52 E8} // Dispense

condition:
	uint16(0) == 0x5A4D and filesize < 100KB and all of ($String*) and $Code
}