win.calmthorn

CALMTHORN

Actor(s): Tonto Team


No description is available yet. What the page does record is the attribution to Tonto Team and three references (a 2021 tweet, a 2019 FireEye Korea talk, and a 2019 Korean-language DATANET article on Chinese-based attacks against domestic energy institutions); the DATANET article appears to be listed under both CALMTHORN and Ghost RAT.

References
2021-02-05Twitter (@8th_grey_owl)8thGreyOwl
@online{8thgreyowl:20210205:calmthorn:8397a05, author = {8thGreyOwl}, title = {{Tweet on CALMTHORN, used by Tonto Team}}, date = {2021-02-05}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1357550261963689985}, language = {English}, urldate = {2021-02-09} } Tweet on CALMTHORN, used by Tonto Team
CALMTHORN
2019-05-09Youtube (FireEye Korea)Ryan Whelan
@online{whelan:20190509:over:e376af5, author = {Ryan Whelan}, title = {{Over the Horizon: Innovating to confront evolving cyber threats}}, date = {2019-05-09}, organization = {Youtube (FireEye Korea)}, url = {https://www.youtube.com/watch?v=3cUWjojQXWE}, language = {English}, urldate = {2021-02-09} } Over the Horizon: Innovating to confront evolving cyber threats
CALMTHORN
2019-04-25DATANETKim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
Yara Rules
[TLP:WHITE] win_calmthorn_auto (20230125 | Detects win.calmthorn.)
rule win_calmthorn_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.calmthorn."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (not part of the generated rule)
     * - Scope: every sequence below is 32-bit x86 (eax/ecx/edx/esi, ebp-relative
     *   frame offsets). The rule will not fire on an x64 build of the same code.
     * - There is deliberately no PE header test (no uint16(0) == 0x5A4D) in the
     *   condition: the strings were taken from memory dumps and unpacked files,
     *   so the rule is meant to run on dumps that may lack an MZ header. Do not
     *   bolt a header check on without re-validating against such dumps.
     * - Independence of the ten strings is lower than the count suggests:
     *   $sequence_0 / $sequence_2 / $sequence_8 are one idiom (add 1 / adc 0 on
     *   a 64-bit counter split over two stack dwords) that differ only in
     *   register choice and frame offset; $sequence_3 / $sequence_7 / $sequence_9
     *   are offset variants of one pattern, as are $sequence_4 / $sequence_5.
     *   "7 of them" therefore amounts to roughly four distinct code constructs.
     * - call targets are wildcarded (e8????????), but $sequence_1 hard-codes what
     *   appears to be an absolute jump-table address (0x4fe46e). That disp32 is
     *   presumably subject to base relocation, so a dump of a relocated image
     *   would likely not match that string.
     * - The frame offsets (e.g. [ebp - 0xe5d4]) are tied to one build's stack
     *   layout; a recompiled variant will likely shift them. Treat hits as a
     *   sample-cluster indicator rather than a family-wide signature.
     * - filesize < 2322432 (~2.2 MiB) is presumably derived from the documented
     *   sample; padded, packed or appended variants above that bound are excluded
     *   even if every sequence is present.
     */

    strings:
        // 64-bit counter increment (add/adc across two adjacent stack dwords);
        // same idiom as $sequence_2 and $sequence_8 with different offsets.
        $sequence_0 = { eb1e 8b852c1affff 83c001 8b8d301affff 83d100 89852c1affff 898d301affff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b852c1affff         | mov                 eax, dword ptr [ebp - 0xe5d4]
            //   83c001               | add                 eax, 1
            //   8b8d301affff         | mov                 ecx, dword ptr [ebp - 0xe5d0]
            //   83d100               | adc                 ecx, 0
            //   89852c1affff         | mov                 dword ptr [ebp - 0xe5d4], eax
            //   898d301affff         | mov                 dword ptr [ebp - 0xe5d0], ecx

        // Indirect jump through a table at a fixed address (0x4fe46e); the only
        // string in this rule that embeds an absolute, relocation-sensitive VA.
        $sequence_1 = { ff24856ee44f00 8bce e8???????? eb45 834e28ff 895e24 885e30 }
            // n = 7, score = 100
            //   ff24856ee44f00       | jmp                 dword ptr [eax*4 + 0x4fe46e]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb45                 | jmp                 0x47
            //   834e28ff             | or                  dword ptr [esi + 0x28], 0xffffffff
            //   895e24               | mov                 dword ptr [esi + 0x24], ebx
            //   885e30               | mov                 byte ptr [esi + 0x30], bl

        // Offset variant of $sequence_0 (ecx/edx instead of eax/ecx).
        $sequence_2 = { eb1e 8b8d641cffff 83c101 8b95681cffff 83d200 898d641cffff 8995681cffff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b8d641cffff         | mov                 ecx, dword ptr [ebp - 0xe39c]
            //   83c101               | add                 ecx, 1
            //   8b95681cffff         | mov                 edx, dword ptr [ebp - 0xe398]
            //   83d200               | adc                 edx, 0
            //   898d641cffff         | mov                 dword ptr [ebp - 0xe39c], ecx
            //   8995681cffff         | mov                 dword ptr [ebp - 0xe398], edx

        // Byte-flag test followed by zeroing a qword local via xmm0;
        // same pattern as $sequence_7 and $sequence_9 with different offsets.
        $sequence_3 = { ebba 0fb69591fdffff 83fa01 7556 0f57c0 660f13853c8effff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69591fdffff       | movzx               edx, byte ptr [ebp - 0x26f]
            //   83fa01               | cmp                 edx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13853c8effff     | movlpd              qword ptr [ebp - 0x71c4], xmm0
            //   eb1e                 | jmp                 0x20

        // Byte-flag test followed by zeroing a dword local;
        // same pattern as $sequence_5 with different offsets.
        $sequence_4 = { ebba 0fb6952cfdffff 83fa01 7552 c78500c2ffff00000000 eb0f 8b8500c2ffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb6952cfdffff       | movzx               edx, byte ptr [ebp - 0x2d4]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c78500c2ffff00000000     | mov    dword ptr [ebp - 0x3e00], 0
            //   eb0f                 | jmp                 0x11
            //   8b8500c2ffff         | mov                 eax, dword ptr [ebp - 0x3e00]

        // Offset variant of $sequence_4.
        $sequence_5 = { ebba 0fb69546fdffff 83fa01 7552 c785c8d1ffff00000000 eb0f 8b85c8d1ffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69546fdffff       | movzx               edx, byte ptr [ebp - 0x2ba]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c785c8d1ffff00000000     | mov    dword ptr [ebp - 0x2e38], 0
            //   eb0f                 | jmp                 0x11
            //   8b85c8d1ffff         | mov                 eax, dword ptr [ebp - 0x2e38]

        // Loop tail: wildcarded call with one-dword cleanup, bound check, then
        // increment of a stack loop counter.
        $sequence_6 = { e8???????? 83c404 398514f6ffff 7d20 8b85f89dffff 83c001 8985f89dffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   398514f6ffff         | cmp                 dword ptr [ebp - 0x9ec], eax
            //   7d20                 | jge                 0x22
            //   8b85f89dffff         | mov                 eax, dword ptr [ebp - 0x6208]
            //   83c001               | add                 eax, 1
            //   8985f89dffff         | mov                 dword ptr [ebp - 0x6208], eax

        // Offset variant of $sequence_3 (ecx instead of edx).
        $sequence_7 = { ebba 0fb68d7afdffff 83f901 7556 0f57c0 660f13852487ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d7afdffff       | movzx               ecx, byte ptr [ebp - 0x286]
            //   83f901               | cmp                 ecx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13852487ffff     | movlpd              qword ptr [ebp - 0x78dc], xmm0
            //   eb1e                 | jmp                 0x20

        // Offset variant of $sequence_0 (edx/eax).
        $sequence_8 = { eb1e 8b95d47effff 83c201 8b85d87effff 83d000 8995d47effff 8985d87effff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b95d47effff         | mov                 edx, dword ptr [ebp - 0x812c]
            //   83c201               | add                 edx, 1
            //   8b85d87effff         | mov                 eax, dword ptr [ebp - 0x8128]
            //   83d000               | adc                 eax, 0
            //   8995d47effff         | mov                 dword ptr [ebp - 0x812c], edx
            //   8985d87effff         | mov                 dword ptr [ebp - 0x8128], eax

        // Offset variant of $sequence_3 / $sequence_7.
        $sequence_9 = { ebba 0fb68d9efdffff 83f901 7556 0f57c0 660f13858c94ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d9efdffff       | movzx               ecx, byte ptr [ebp - 0x262]
            //   83f901               | cmp                 ecx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13858c94ffff     | movlpd              qword ptr [ebp - 0x6b74], xmm0
            //   eb1e                 | jmp                 0x20

    condition:
        // 7 of 10 strings, no header check (dumps are in scope), and a size cap
        // presumably taken from the documented sample. See REVIEW NOTES above
        // before tuning the threshold: the near-duplicate sequences mean fewer
        // independent constructs are actually required than "7" suggests.
        7 of them and filesize < 2322432
}