SYMBOLCOMMON_NAMEaka. SYNONYMS
win.clambling (Back to overview)

Clambling

VTCollection    

Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.

References
2021-01-04ProferoProfero, SecurityJoes
APT27 Turns to Ransomware
Clambling
2021-01-04Bleeping ComputerIonut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX
2020-02-18Trend MicroCedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu
Uncovering DRBControl
Clambling
Yara Rules
[TLP:WHITE] win_clambling_auto (20260504 | Detects win.clambling.)
rule win_clambling_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.clambling."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8be0 89742420 ff15???????? 488bf0 }
            // n = 4, score = 300
            //   4c8be0               | jmp                 0x1811
            //   89742420             | xor                 ecx, ecx
            //   ff15????????         |                     
            //   488bf0               | dec                 eax

        $sequence_1 = { 4883ec30 488b4108 458bc8 4533c0 498943e8 }
            // n = 5, score = 300
            //   4883ec30             | mov                 dword ptr [ebx + 0x4100], eax
            //   488b4108             | dec                 eax
            //   458bc8               | add                 esp, 0x20
            //   4533c0               | pop                 ebx
            //   498943e8             | mov                 dword ptr [ebx + 0x408c], 7

        $sequence_2 = { 8b442450 83f801 7419 83f802 7414 83f803 7508 }
            // n = 7, score = 300
            //   8b442450             | mov                 dword ptr [esp + 0x30], esi
            //   83f801               | dec                 esp
            //   7419                 | lea                 edi, [0x24795]
            //   83f802               | dec                 esp
            //   7414                 | mov                 dword ptr [esp + 0x20], edi
            //   83f803               | dec                 esp
            //   7508                 | mov                 ecx, esi

        $sequence_3 = { 4883ec30 33db 488bf9 215c2448 48215c2458 ff15???????? 4c8d442458 }
            // n = 7, score = 300
            //   4883ec30             | mov                 ecx, esp
            //   33db                 | mov                 word ptr [ebp + 4], si
            //   488bf9               | dec                 eax
            //   215c2448             | mov                 ebx, dword ptr [esp + 0x40]
            //   48215c2458           | dec                 eax
            //   ff15????????         |                     
            //   4c8d442458           | mov                 ebp, dword ptr [esp + 0x48]

        $sequence_4 = { ff15???????? 83f8ff 7524 ff15???????? 418bd7 488bcf 8bd8 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   83f8ff               | inc                 sp
            //   7524                 | mov                 dword ptr [esp + 0x60], esp
            //   ff15????????         |                     
            //   418bd7               | xor                 ecx, ecx
            //   488bcf               | dec                 eax
            //   8bd8                 | lea                 edx, [esp + 0x60]

        $sequence_5 = { ff15???????? 488b742478 8bc3 488b5c2470 4883c460 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   488b742478           | dec                 eax
            //   8bc3                 | mov                 dword ptr [edi + 0x14], ecx
            //   488b5c2470           | dec                 eax
            //   4883c460             | mov                 eax, dword ptr [esp + 0x2c]

        $sequence_6 = { 33f6 33d2 4c8bc3 6689b0c8fbffff }
            // n = 4, score = 300
            //   33f6                 | inc                 esp
            //   33d2                 | lea                 ecx, [ecx + 4]
            //   4c8bc3               | inc                 ecx
            //   6689b0c8fbffff       | mov                 eax, 0x1000

        $sequence_7 = { 33d2 c744242038020000 895818 8bf3 e8???????? }
            // n = 5, score = 300
            //   33d2                 | je                  0x1423
            //   c744242038020000     | cmp                 dword ptr [ebx + 0x1c8], 1
            //   895818               | je                  0x1462
            //   8bf3                 | mov                 ecx, dword ptr [ebx + 0x190]
            //   e8????????           |                     

        $sequence_8 = { 83f802 7414 83f803 7508 }
            // n = 4, score = 300
            //   83f802               | dec                 eax
            //   7414                 | lea                 ebx, [edi + 0x20]
            //   83f803               | dec                 eax
            //   7508                 | mov                 ecx, ebx

        $sequence_9 = { 89442428 4533c0 488bd6 48897c2420 ff15???????? 488b4c2450 }
            // n = 6, score = 300
            //   89442428             | mov                 eax, dword ptr [edi]
            //   4533c0               | inc                 esp
            //   488bd6               | mov                 eax, dword ptr [esp + 0xd0]
            //   48897c2420           | dec                 eax
            //   ff15????????         |                     
            //   488b4c2450           | mov                 edx, ebp

    condition:
        7 of them and filesize < 412672
}
Download all Yara Rules