win.calmthorn

CALMTHORN

Actor(s): Tonto Team


There is no description at this point; the references below are the only context recorded here (attribution to Tonto Team, and one 2019 report that is also tagged Ghost RAT).

References
2021-02-05 · Twitter (@8th_grey_owl) · 8thGreyOwl
@online{8thgreyowl:20210205:calmthorn:8397a05, author = {8thGreyOwl}, title = {{Tweet on CALMTHORN, used by Tonto Team}}, date = {2021-02-05}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1357550261963689985}, language = {English}, urldate = {2021-02-09} } Tweet on CALMTHORN, used by Tonto Team
Families referenced: CALMTHORN
2019-05-09 · Youtube (FireEye Korea) · Ryan Whelan
@online{whelan:20190509:over:e376af5, author = {Ryan Whelan}, title = {{Over the Horizon: Innovating to confront evolving cyber threats}}, date = {2019-05-09}, organization = {Youtube (FireEye Korea)}, url = {https://www.youtube.com/watch?v=3cUWjojQXWE}, language = {English}, urldate = {2021-02-09} } Over the Horizon: Innovating to confront evolving cyber threats
Families referenced: CALMTHORN
2019-04-25 · DATANET · Kim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
Families referenced: CALMTHORN, Ghost RAT
Yara Rules
[TLP:WHITE] win_calmthorn_auto (20230715 | Detects win.calmthorn.)
// Auto-generated YARA-Signator rule for win.calmthorn (Malpedia, TLP:WHITE).
//
// Match logic (see `condition` at the bottom): at least 7 of the 10 x86
// opcode sequences below must be present AND the scanned object must be
// smaller than 2322432 bytes (~2.2 MiB).
//
// NOTE(review): per the DISCLAIMER the sequences were taken from memory
// dumps and unpacked files, so a still-packed on-disk sample may not hit
// until it is unpacked or scanned in memory. `filesize` is only meaningful
// for file scans; confirm how your YARA version evaluates it for process /
// memory scans before relying on the size cap in that setting.
//
// NOTE(review): sequences 1 and 4-9 are variants of one code shape
// (short backward jmp, movzx of a byte at [ebp - 0x2xx], cmp with 1, jne)
// that differ only in frame offsets. They likely stem from the same
// repeated construct in a single build, so several of the 7 required hits
// may come from one pattern -- treat the rule as sample-specific rather
// than family-generic and assign confidence accordingly.
rule win_calmthorn_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.calmthorn."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Indirect call through a wildcarded absolute address (ff15 = call
        // dword ptr [imm32]; the imm32 is left as ???????? because it changes
        // per build/load address), then the return value is compared with -1.
        // NOTE(review): the -1 check looks like an INVALID_HANDLE_VALUE-style
        // error test on the call's result -- confirm against the sample.
        $sequence_0 = { ff15???????? 8bf0 83feff 74c2 6a02 6a00 6a00 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   74c2                 | je                  0xffffffc4
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Byte-flag test followed by zeroing a dword local; same shape as
        // $sequence_7 and $sequence_9 with different frame offsets.
        $sequence_1 = { ebba 0fb68d2cfdffff 83f901 7552 c785a0c2ffff00000000 eb0f 8b95a0c2ffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d2cfdffff       | movzx               ecx, byte ptr [ebp - 0x2d4]
            //   83f901               | cmp                 ecx, 1
            //   7552                 | jne                 0x54
            //   c785a0c2ffff00000000     | mov    dword ptr [ebp - 0x3d60], 0
            //   eb0f                 | jmp                 0x11
            //   8b95a0c2ffff         | mov                 edx, dword ptr [ebp - 0x3d60]

        // Function epilogue after an indirect call: eax = 1 (return value),
        // restore callee-saved edi/esi/ebx, then load the saved value at
        // [ebp - 4] (typically the security cookie or saved ecx -- unverified).
        $sequence_2 = { ff7590 ff15???????? b801000000 5f 5e 5b 8b4dfc }
            // n = 7, score = 100
            //   ff7590               | push                dword ptr [ebp - 0x70]
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // 64-bit increment of a counter held in two dword locals
        // (add low, adc high), consistent with a compiler-lowered
        // `uint64_t counter++`.
        $sequence_3 = { eb1e 8b850452ffff 83c001 8b8d0852ffff 83d100 89850452ffff 898d0852ffff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b850452ffff         | mov                 eax, dword ptr [ebp - 0xadfc]
            //   83c001               | add                 eax, 1
            //   8b8d0852ffff         | mov                 ecx, dword ptr [ebp - 0xadf8]
            //   83d100               | adc                 ecx, 0
            //   89850452ffff         | mov                 dword ptr [ebp - 0xadfc], eax
            //   898d0852ffff         | mov                 dword ptr [ebp - 0xadf8], ecx

        // Byte-flag test followed by zeroing a qword local via xorps/movlpd;
        // $sequence_4, _5, _6 and _8 share this shape and differ only in
        // register choice and frame offsets.
        $sequence_4 = { ebba 0fb68d21fdffff 83f901 7553 0f57c0 660f13850c2fffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d21fdffff       | movzx               ecx, byte ptr [ebp - 0x2df]
            //   83f901               | cmp                 ecx, 1
            //   7553                 | jne                 0x55
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13850c2fffff     | movlpd              qword ptr [ebp - 0xd0f4], xmm0
            //   eb1e                 | jmp                 0x20

        $sequence_5 = { ebba 0fb6953ffdffff 83fa01 7556 0f57c0 660f1385d451ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb6953ffdffff       | movzx               edx, byte ptr [ebp - 0x2c1]
            //   83fa01               | cmp                 edx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1385d451ffff     | movlpd              qword ptr [ebp - 0xae2c], xmm0
            //   eb1e                 | jmp                 0x20

        $sequence_6 = { ebba 0fb69509fdffff 83fa01 7556 0f57c0 660f138574fdfeff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69509fdffff       | movzx               edx, byte ptr [ebp - 0x2f7]
            //   83fa01               | cmp                 edx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f138574fdfeff     | movlpd              qword ptr [ebp - 0x1028c], xmm0
            //   eb1e                 | jmp                 0x20

        $sequence_7 = { ebba 0fb6952cfdffff 83fa01 7552 c7850cbfffff00000000 eb0f 8b850cbfffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb6952cfdffff       | movzx               edx, byte ptr [ebp - 0x2d4]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c7850cbfffff00000000     | mov    dword ptr [ebp - 0x40f4], 0
            //   eb0f                 | jmp                 0x11
            //   8b850cbfffff         | mov                 eax, dword ptr [ebp - 0x40f4]

        $sequence_8 = { eb02 ebba 0fb68d73fdffff 83f901 7553 0f57c0 660f1385947cffff }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d73fdffff       | movzx               ecx, byte ptr [ebp - 0x28d]
            //   83f901               | cmp                 ecx, 1
            //   7553                 | jne                 0x55
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1385947cffff     | movlpd              qword ptr [ebp - 0x836c], xmm0

        $sequence_9 = { ebb7 0fb69521fdffff 83fa01 7552 c785c8b8ffff00000000 eb0f 8b85c8b8ffff }
            // n = 7, score = 100
            //   ebb7                 | jmp                 0xffffffb9
            //   0fb69521fdffff       | movzx               edx, byte ptr [ebp - 0x2df]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c785c8b8ffff00000000     | mov    dword ptr [ebp - 0x4738], 0
            //   eb0f                 | jmp                 0x11
            //   8b85c8b8ffff         | mov                 eax, dword ptr [ebp - 0x4738]

    condition:
        // 7 of the 10 sequences must match; the size cap (2322432 bytes)
        // is a cheap false-positive filter for large files and is only
        // meaningful when scanning files on disk.
        7 of them and filesize < 2322432
}