win.clambling

Clambling


Clambling was discovered by Trend Micro and TalentJump. It is custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as its C&C channel to hide its communication.

References
2021-01-04 — Profero — Profero, SecurityJoes
APT27 Turns to Ransomware
Clambling
2021-01-04 — Bleeping Computer — Ionut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX
2020-02-18 — Trend Micro — Cedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu
Uncovering DRBControl
Clambling
Yara Rules
[TLP:WHITE] win_clambling_auto (20230808 | Detects win.clambling.)
rule win_clambling_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): the three dates below (generator date, malpedia_rule_date,
        // malpedia_version) differ; presumably rule-generation time vs. dataset
        // snapshot — check the Malpedia changelog before treating one as canonical.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.clambling."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to emit: call/jump sites,
        // data references and immediate values (see the wildcards below).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Purpose: flag unpacked win.clambling code by matching a subset of the ten
     * opcode sequences below.
     *
     * Most sequences carry REX prefixes (0x48, 0x49, 0x41, 0x4c), so they appear
     * to be taken from a 64-bit build — TODO confirm coverage of any 32-bit
     * variant before relying on this rule for it.
     *
     * The "????????" wildcards mask the 4-byte operand that follows a call/jmp
     * opcode (ff15, e8, e9) or a RIP-relative memory reference (66893d, 488b0d),
     * i.e. the bytes that change with load address and link layout, so the
     * pattern survives relinking and relocation.
     *
     * NOTE(review): the disassembly text printed beside several sequences does
     * not correspond to the bytes it annotates (e.g. 3bc7 is `cmp eax, edi` and
     * 7508 is a `jne`, not `dec eax` / `mov edx, ebp`). The hex bytes are the
     * authoritative part of each string; treat the annotations as illustrative.
     */

    strings:
        $sequence_0 = { 6689bc24b0000000 ff15???????? 3bc7 7508 }
            // n = 4, score = 300
            //   6689bc24b0000000     | lea                 edx, [esp + 0x30]
            //   ff15????????         |                     
            //   3bc7                 | dec                 eax
            //   7508                 | mov                 edx, ebp

        $sequence_1 = { 488bd9 498d53e8 418d4802 498943f0 ff15???????? }
            // n = 5, score = 300
            //   488bd9               | dec                 esp
            //   498d53e8             | mov                 dword ptr [esp + 0x80], esp
            //   418d4802             | dec                 esp
            //   498943f0             | mov                 esp, dword ptr [esp + 0x98]
            //   ff15????????         |                     

        $sequence_2 = { 751b e9???????? bb46270000 eb0f ff15???????? 8bd8 eb05 }
            // n = 7, score = 300
            //   751b                 | lea                 edx, [0x1807d]
            //   e9????????           |                     
            //   bb46270000           | dec                 ecx
            //   eb0f                 | cmp                 eax, ebp
            //   ff15????????         |                     
            //   8bd8                 | jne                 0x49c
            //   eb05                 | dec                 eax

        $sequence_3 = { 3bc3 751f 8b4c2428 488d942490020000 ff15???????? }
            // n = 5, score = 300
            //   3bc3                 | je                  0x1adb
            //   751f                 | je                  0x1ada
            //   8b4c2428             | mov                 eax, ebx
            //   488d942490020000     | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { eb0f ff15???????? 8bd8 eb05 bbc7040000 }
            // n = 5, score = 300
            //   eb0f                 | repne scasd         eax, dword ptr es:[edi]
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax
            //   eb05                 | not                 ecx
            //   bbc7040000           | dec                 eax

        $sequence_5 = { 7507 66893d???????? 488b0d???????? 488d542430 ff15???????? 448b442430 }
            // n = 6, score = 300
            //   7507                 | dec                 eax
            //   66893d????????       |                     
            //   488b0d????????       |                     
            //   488d542430           | or                  dword ptr [ebx + 0x80], 0xffffffff
            //   ff15????????         |                     
            //   448b442430           | and                 dword ptr [ebx + 0x10], 0

        $sequence_6 = { 7408 488bcb e8???????? 488b5c2458 }
            // n = 4, score = 300
            //   7408                 | cmp                 eax, edi
            //   488bcb               | je                  0x174e
            //   e8????????           |                     
            //   488b5c2458           | dec                 eax

        $sequence_7 = { 4c8d442430 33d2 c744243001000000 c744243c02000000 ff15???????? 85c0 }
            // n = 6, score = 300
            //   4c8d442430           | mov                 byte ptr [esp + 0x79], 0x6f
            //   33d2                 | mov                 byte ptr [esp + 0x7a], 0x61
            //   c744243001000000     | mov                 byte ptr [esp + 0x76], 0x4e
            //   c744243c02000000     | mov                 byte ptr [esp + 0x77], 0x35
            //   ff15????????         |                     
            //   85c0                 | mov                 byte ptr [esp + 0x78], 0x71

        $sequence_8 = { b8b4050000 eb13 488b03 488bd7 488bcb }
            // n = 5, score = 300
            //   b8b4050000           | mov                 ecx, dword ptr [ecx + 0x10]
            //   eb13                 | test                eax, eax
            //   488b03               | dec                 eax
            //   488bd7               | test                ecx, ecx
            //   488bcb               | je                  0xfd7

        $sequence_9 = { 41b805000000 48894c2420 33c9 8bd5 }
            // n = 4, score = 300
            //   41b805000000         | mov                 esi, edx
            //   48894c2420           | dec                 esp
            //   33c9                 | mov                 dword ptr [esp + 0x80], esp
            //   8bd5                 | sub                 esi, dword ptr [ebx + 0x192ec]

    condition:
        // Match when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 412672 bytes (403 KiB). Because the strings come
        // from unpacked code and memory dumps (see DISCLAIMER), run the rule on
        // unpacked samples or dumped memory; a packed on-disk sample will
        // generally not match, and a sample padded past the size bound is missed.
        // NOTE(review): `filesize` is undefined when YARA scans a live process,
        // which would make this whole condition evaluate false on process scans —
        // TODO confirm against the YARA version in use and, if process scanning
        // is the intended deployment, scan dumped regions instead.
        7 of them and filesize < 412672
}