SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chiser_client (Back to overview)

ChiserClient

Actor(s): Pirate Panda

There is no description at this point.

References
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack
Yara Rules
[TLP:WHITE] win_chiser_client_auto (20220808 | Detects win.chiser_client.)
rule win_chiser_client_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.chiser_client."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { cc 488d4c2420 e8???????? 488d15bd460200 488d4c2420 }
            // n = 5, score = 100
            //   cc                   | push                edi
            //   488d4c2420           | dec                 eax
            //   e8????????           |                     
            //   488d15bd460200       | sub                 esp, 0x20
            //   488d4c2420           | dec                 eax

        $sequence_1 = { 488bf2 488d0d44190200 ff15???????? 488bc8 488d158c8d0200 ff15???????? }
            // n = 6, score = 100
            //   488bf2               | dec                 eax
            //   488d0d44190200       | mov                 dword ptr [ecx], eax
            //   ff15????????         |                     
            //   488bc8               | dec                 eax
            //   488d158c8d0200       | mov                 ebx, edx
            //   ff15????????         |                     

        $sequence_2 = { 48832300 4883c308 488d0579080400 483bd8 75d8 4883c420 }
            // n = 6, score = 100
            //   48832300             | dec                 eax
            //   4883c308             | mov                 ecx, dword ptr [esi]
            //   488d0579080400       | dec                 eax
            //   483bd8               | lea                 eax, [0x111bf]
            //   75d8                 | dec                 eax
            //   4883c420             | mov                 dword ptr [ebx], eax

        $sequence_3 = { 488d2dcf840100 33db 458bf8 448bf2 488bf1 443b7500 }
            // n = 6, score = 100
            //   488d2dcf840100       | arpl                bx, bx
            //   33db                 | dec                 eax
            //   458bf8               | add                 ebx, ebx
            //   448bf2               | je                  0x7c
            //   488bf1               | dec                 eax
            //   443b7500             | test                eax, eax

        $sequence_4 = { 33c0 48894110 488d055bed0200 48894108 488d0540ed0200 }
            // n = 5, score = 100
            //   33c0                 | mov                 dword ptr [ecx + 0x24c], 0x92b6655d
            //   48894110             | mov                 dword ptr [ecx + 0x250], 0x5048706c
            //   488d055bed0200       | mov                 dword ptr [ecx + 0x254], 0xdab9edfd
            //   48894108             | mov                 dword ptr [ecx + 0x14c], 0x842fe329
            //   488d0540ed0200       | mov                 dword ptr [ecx + 0x150], 0xed00d153

        $sequence_5 = { 488d4de0 e8???????? 488d15a2790200 488d4de0 e8???????? cc e8???????? }
            // n = 7, score = 100
            //   488d4de0             | mov                 dword ptr [ebp + 7], ecx
            //   e8????????           |                     
            //   488d15a2790200       | dec                 esp
            //   488d4de0             | lea                 ecx, [ebp + 0xf]
            //   e8????????           |                     
            //   cc                   | dec                 eax
            //   e8????????           |                     

        $sequence_6 = { 488bf9 49beffffffffffffff1f 4885d2 7504 33db eb45 493bf6 }
            // n = 7, score = 100
            //   488bf9               | shl                 edi, 8
            //   49beffffffffffffff1f     | inc    esp
            //   4885d2               | or                  edi, eax
            //   7504                 | inc                 esp
            //   33db                 | movzx               edx, byte ptr [eax + ecx + 0x100]
            //   eb45                 | movzx               eax, bl
            //   493bf6               | inc                 esp

        $sequence_7 = { 6690 420fb6440c58 49ffc1 420fb60c28 43880c22 49ffc2 }
            // n = 6, score = 100
            //   6690                 | mov                 dword ptr [ecx + 8], eax
            //   420fb6440c58         | dec                 eax
            //   49ffc1               | mov                 dword ptr [ecx + 0x10], eax
            //   420fb60c28           | dec                 eax
            //   43880c22             | lea                 eax, [0x285ab]
            //   49ffc2               | dec                 eax

        $sequence_8 = { 488d5108 e8???????? 488b4e10 e8???????? 488b4e08 e8???????? 488b0e }
            // n = 7, score = 100
            //   488d5108             | inc                 ebp
            //   e8????????           |                     
            //   488b4e10             | pop                 es
            //   e8????????           |                     
            //   488b4e08             | dec                 eax
            //   e8????????           |                     
            //   488b0e               | mov                 dword ptr [eax + 8], ebx

        $sequence_9 = { e8???????? cc 488d4c2420 e8???????? 488d1567370300 488d4c2420 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   cc                   | mov                 dword ptr [ebp - 9], edi
            //   488d4c2420           | test                eax, eax
            //   e8????????           |                     
            //   488d1567370300       | jne                 0x881
            //   488d4c2420           | dec                 esp

    condition:
        7 of them and filesize < 714752
}
Download all Yara Rules