win.calmthorn

CALMTHORN

Actor(s): Tonto Team


There is no description at this point.

References
2021-02-05 — Twitter (@8th_grey_owl) — 8thGreyOwl
@online{8thgreyowl:20210205:calmthorn:8397a05, author = {8thGreyOwl}, title = {{Tweet on CALMTHORN, used by Tonto Team}}, date = {2021-02-05}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1357550261963689985}, language = {English}, urldate = {2021-02-09} } Tweet on CALMTHORN, used by Tonto Team
CALMTHORN
2019-05-09 — Youtube (FireEye Korea) — Ryan Whelan
@online{whelan:20190509:over:e376af5, author = {Ryan Whelan}, title = {{Over the Horizon: Innovating to confront evolving cyber threats}}, date = {2019-05-09}, organization = {Youtube (FireEye Korea)}, url = {https://www.youtube.com/watch?v=3cUWjojQXWE}, language = {English}, urldate = {2021-02-09} } Over the Horizon: Innovating to confront evolving cyber threats
CALMTHORN
2019-04-25 — DATANET — Kim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
Yara Rules
[TLP:WHITE] win_calmthorn_auto (20220411 | Detects win.calmthorn.)
/*
 * Auto-generated YARA-Signator rule for win.calmthorn (Malpedia).
 * Each $sequence_N is a run of seven raw x86 instruction encodings taken
 * from one disassembled sample (32-bit code: ebp-relative stack addressing,
 * eax/ecx/edx operands). The disassembly listed under each string is
 * informational only; YARA matches the hex bytes, not the mnemonics.
 * "??" bytes are wildcards: in the e8???????? entries the 4-byte operand
 * following the e8 opcode is masked, presumably because that displacement
 * differs between builds/link addresses while the surrounding code does not.
 */
rule win_calmthorn_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.calmthorn."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn"
        // Note: date, malpedia_rule_date and malpedia_version carry three
        // different generator timestamps (2022-04-08 / 20220405 / 20220411);
        // none of them describes the sample itself.
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0, _1, _2 and _8 are the same seven-instruction shape
        // (movzx/cmp edx-or-ecx,1/jne/xorps/movlpd) differing only in the
        // ebp-relative offsets, i.e. four instances of one compiled pattern.
        $sequence_0 = { ebba 0fb69573fdffff 83fa01 7556 0f57c0 660f13850c81ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69573fdffff       | movzx               edx, byte ptr [ebp - 0x28d]
            //   83fa01               | cmp                 edx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13850c81ffff     | movlpd              qword ptr [ebp - 0x7ef4], xmm0
            //   eb1e                 | jmp                 0x20

        $sequence_1 = { ebba 0fb69509fdffff 83fa01 7553 0f57c0 660f1385b408ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69509fdffff       | movzx               edx, byte ptr [ebp - 0x2f7]
            //   83fa01               | cmp                 edx, 1
            //   7553                 | jne                 0x55
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1385b408ffff     | movlpd              qword ptr [ebp - 0xf74c], xmm0
            //   eb1e                 | jmp                 0x20

        $sequence_2 = { ebba 0fb6957afdffff 83fa01 7553 0f57c0 660f1385f484ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb6957afdffff       | movzx               edx, byte ptr [ebp - 0x286]
            //   83fa01               | cmp                 edx, 1
            //   7553                 | jne                 0x55
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1385f484ffff     | movlpd              qword ptr [ebp - 0x7b0c], xmm0
            //   eb1e                 | jmp                 0x20

        // $sequence_3 and $sequence_9 are counter-increment stretches
        // (load, add 1, store; _9 carries into a second dword with adc).
        $sequence_3 = { eb0f 8b854ce1ffff 83c001 89854ce1ffff 8b8deceeffff 51 e8???????? }
            // n = 7, score = 100
            //   eb0f                 | jmp                 0x11
            //   8b854ce1ffff         | mov                 eax, dword ptr [ebp - 0x1eb4]
            //   83c001               | add                 eax, 1
            //   89854ce1ffff         | mov                 dword ptr [ebp - 0x1eb4], eax
            //   8b8deceeffff         | mov                 ecx, dword ptr [ebp - 0x1114]
            //   51                   | push                ecx
            //   e8????????           |                     

        // $sequence_4 through $sequence_7 share one shape: a masked call,
        // "add esp, 4" (one pushed argument popped), a cmp against a stack
        // dword, jge, then a load/add 1/store of another stack dword —
        // looks like the tail of a counted loop; offsets differ per instance.
        $sequence_4 = { e8???????? 83c404 3985ecb7ffff 7d20 8b85e4d5ffff 83c001 8985e4d5ffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   3985ecb7ffff         | cmp                 dword ptr [ebp - 0x4814], eax
            //   7d20                 | jge                 0x22
            //   8b85e4d5ffff         | mov                 eax, dword ptr [ebp - 0x2a1c]
            //   83c001               | add                 eax, 1
            //   8985e4d5ffff         | mov                 dword ptr [ebp - 0x2a1c], eax

        $sequence_5 = { e8???????? 83c404 398570dbffff 7d20 8b95d8dfffff 83c201 8995d8dfffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   398570dbffff         | cmp                 dword ptr [ebp - 0x2490], eax
            //   7d20                 | jge                 0x22
            //   8b95d8dfffff         | mov                 edx, dword ptr [ebp - 0x2028]
            //   83c201               | add                 edx, 1
            //   8995d8dfffff         | mov                 dword ptr [ebp - 0x2028], edx

        $sequence_6 = { 83c404 398580ddffff 7d20 8b9504f4ffff 83c201 899504f4ffff 8b8504f4ffff }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   398580ddffff         | cmp                 dword ptr [ebp - 0x2280], eax
            //   7d20                 | jge                 0x22
            //   8b9504f4ffff         | mov                 edx, dword ptr [ebp - 0xbfc]
            //   83c201               | add                 edx, 1
            //   899504f4ffff         | mov                 dword ptr [ebp - 0xbfc], edx
            //   8b8504f4ffff         | mov                 eax, dword ptr [ebp - 0xbfc]

        $sequence_7 = { 8b8560faffff 50 e8???????? 83c404 398560b5ffff 7d20 8b8d60faffff }
            // n = 7, score = 100
            //   8b8560faffff         | mov                 eax, dword ptr [ebp - 0x5a0]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   398560b5ffff         | cmp                 dword ptr [ebp - 0x4aa0], eax
            //   7d20                 | jge                 0x22
            //   8b8d60faffff         | mov                 ecx, dword ptr [ebp - 0x5a0]

        $sequence_8 = { eb02 ebba 0fb68d68fdffff 83f901 7553 0f57c0 660f13858c75ffff }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d68fdffff       | movzx               ecx, byte ptr [ebp - 0x298]
            //   83f901               | cmp                 ecx, 1
            //   7553                 | jne                 0x55
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13858c75ffff     | movlpd              qword ptr [ebp - 0x8a74], xmm0

        $sequence_9 = { eb1e 8b8d4414ffff 83c101 8b954814ffff 83d200 898d4414ffff 89954814ffff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b8d4414ffff         | mov                 ecx, dword ptr [ebp - 0xebbc]
            //   83c101               | add                 ecx, 1
            //   8b954814ffff         | mov                 edx, dword ptr [ebp - 0xebb8]
            //   83d200               | adc                 edx, 0
            //   898d4414ffff         | mov                 dword ptr [ebp - 0xebbc], ecx
            //   89954814ffff         | mov                 dword ptr [ebp - 0xebb8], edx

    condition:
        // Fires when at least 7 of the 10 byte sequences are present AND the
        // scanned object is smaller than 2322432 bytes (~2.2 MiB). Because
        // several sequences are near-duplicates of one another (see notes
        // above), "7 of them" is less independent evidence than the count
        // suggests — weigh the confidence accordingly. The filesize bound is
        // only meaningful for file scans, not for process-memory scans.
        7 of them and filesize < 2322432
}