win.chiser_client

ChiserClient

Actor(s): Pirate Panda


There is no description at this point.

References
2021-12-14 — Trend Micro — Nick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient, Ghost RAT, Lilith, Quasar RAT, xPack
Yara Rules
[TLP:WHITE] win_chiser_client_auto (20230715 | Detects win.chiser_client.)
// Auto-generated YARA signature for the win.chiser_client family (see meta).
// The rule fires when at least 7 of the 10 hex sequences below are present
// and the scanned object is smaller than 714752 bytes. The hex byte strings
// are the only authoritative part of each $sequence_N; the "| mnemonic"
// annotations next to them are unreliable (see the note in the strings section).
rule win_chiser_client_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.chiser_client."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used to pick sequences: call/jump sites,
        // data references and immediate values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings; "n" in
        // the comment is the number of instructions in the run, "score" is the
        // generator's ranking value (exact meaning not visible here).
        // `??` masks one byte. The 4-byte `????????` runs sit where call (e8) and
        // memory-indirect operands (ff15, 8b05, 0fb705) carry an address or
        // displacement, presumably so the pattern survives rebasing/relinking.
        // NOTE(review): the "| mnemonic" column does NOT describe the bytes on the
        // same line (e.g. f20f58c2 is annotated "jmp"; the 0x48/0x4c REX prefixes
        // of x64 code appear as "dec eax", their 32-bit decoding). Decode the hex
        // yourself rather than trusting these annotations.
        // NOTE(review): the REX prefixes suggest these sequences come from a 64-bit
        // build; a 32-bit build of the family would presumably not match - confirm.
        $sequence_0 = { f20f581d???????? f20f58c2 f20f59dc f20f58c3 81f902fcffff 488d15edcf0000 4c8d1de6d30000 }
            // n = 7, score = 100
            //   f20f581d????????     |                     
            //   f20f58c2             | jmp                 0x92d
            //   f20f59dc             | xor                 ebx, ebx
            //   f20f58c3             | dec                 eax
            //   81f902fcffff         | lea                 eax, [0x231ad]
            //   488d15edcf0000       | dec                 eax
            //   4c8d1de6d30000       | mov                 dword ptr [ebx], eax

        $sequence_1 = { 48894a08 488d4c2420 e8???????? 488d0546840200 488903 488bc3 4883c430 }
            // n = 7, score = 100
            //   48894a08             | mov                 dword ptr [ebp - 0x21], eax
            //   488d4c2420           | dec                 eax
            //   e8????????           |                     
            //   488d0546840200       | lea                 eax, [0x1e0cf]
            //   488903               | dec                 eax
            //   488bc3               | mov                 dword ptr [ebp - 0x29], eax
            //   4883c430             | dec                 eax

        $sequence_2 = { 488d9da0010000 bf0a000000 488bd3 488d4c2430 e8???????? 4883c302 4883ef01 }
            // n = 7, score = 100
            //   488d9da0010000       | lea                 ecx, [ebp + 0x80]
            //   bf0a000000           | int3                
            //   488bd3               | movzx               edx, ax
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     
            //   4883c302             | lea                 ecx, [ebp + 0xa0]
            //   4883ef01             | dec                 eax

        $sequence_3 = { ff15???????? 488d0d189dfeff 483bc8 7433 41b804010000 488d542440 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d0d189dfeff       | dec                 eax
            //   483bc8               | mov                 ecx, ebx
            //   7433                 | dec                 eax
            //   41b804010000         | mov                 ecx, eax
            //   488d542440           | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 7506 4c877608 eb73 8364242800 488d056764feff 4889442430 }
            // n = 6, score = 100
            //   7506                 | jae                 0x1951
            //   4c877608             | dec                 eax
            //   eb73                 | add                 eax, eax
            //   8364242800           | dec                 eax
            //   488d056764feff       | lea                 ecx, [0x27c46]
            //   4889442430           | mov                 eax, dword ptr [ecx + eax*8]

        $sequence_5 = { 81fa00000100 7708 33c0 4883c420 5b c3 }
            // n = 6, score = 100
            //   81fa00000100         | lea                 eax, [0x3ca9c]
            //   7708                 | mov                 dword ptr [ebx + 0x28], 0x4e0020
            //   33c0                 | mov                 edx, 0x50
            //   4883c420             | mov                 dword ptr [ebx + 0x2c], 0x54
            //   5b                   | dec                 eax
            //   c3                   | mov                 ecx, ebx

        $sequence_6 = { 488b09 4885c9 745c 488b4310 48baffffffffffffff1f 482bc1 }
            // n = 6, score = 100
            //   488b09               | mov                 ebx, ecx
            //   4885c9               | dec                 eax
            //   745c                 | mov                 ecx, dword ptr [ebx + 0x30]
            //   488b4310             | dec                 eax
            //   48baffffffffffffff1f     | test    ecx, ecx
            //   482bc1               | dec                 eax

        $sequence_7 = { c70016000000 e8???????? eb13 8b05???????? 8901 0fb705???????? }
            // n = 6, score = 100
            //   c70016000000         | mov                 ecx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   eb13                 | or                  edx, 0xffffffff
            //   8b05????????         |                     
            //   8901                 | inc                 esp
            //   0fb705????????       |                     

        $sequence_8 = { e8???????? cc 488d0436 483d00100000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   cc                   | jne                 0x17a
            //   488d0436             | test                esi, esi
            //   483d00100000         | js                  0x19f

        $sequence_9 = { 4c8d4d0f 4889442420 488bd9 e8???????? 85c0 740a }
            // n = 6, score = 100
            //   4c8d4d0f             | dec                 eax
            //   4889442420           | lea                 edx, [0x2aad2]
            //   488bd9               | dec                 eax
            //   e8???????? Â          |                     
            //   85c0                 | mov                 ebx, eax
            //   740a                 | dec                 eax

    condition:
        // Any 7 of the 10 sequences must match, on an object smaller than
        // 714752 bytes (698 KiB). The size bound is meant to rule out large
        // files that contain these byte runs by chance.
        // NOTE(review): filesize is defined for file scans; confirm how your
        // YARA version evaluates it for process memory or unpacked/padded dumps
        // before relying on this rule there - the bound could suppress a hit.
        7 of them and filesize < 714752
}