CrypticConvo (Malware Family)

CrypticConvo

VTCollection

CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to PaloaltoNetworks CrypticConvo and several additional trojans are believed to be included in a meta framework used by the "Scarlet Mimic" threat actor in order to quickly evade AV systems.

References

2016-01-24 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Robert Falcone
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
CrypticConvo Scarlet Mimic

Yara Rules

[TLP:WHITE] win_cryptic_convo_auto (20260504 | Detects win.cryptic_convo.)

rule win_cryptic_convo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cryptic_convo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b8???????? a4 8bf0 8a08 40 84c9 75f9 }
            // n = 7, score = 100
            //   b8????????           |                     
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8bf0                 | mov                 esi, eax
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb

        $sequence_1 = { 8945e0 8d4584 6a00 50 }
            // n = 4, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d4584               | lea                 eax, [ebp - 0x7c]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_2 = { 59 7e2d 8b4d8c 8b5584 49 4a }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   7e2d                 | jle                 0x2f
            //   8b4d8c               | mov                 ecx, dword ptr [ebp - 0x74]
            //   8b5584               | mov                 edx, dword ptr [ebp - 0x7c]
            //   49                   | dec                 ecx
            //   4a                   | dec                 edx

        $sequence_3 = { 8b45a0 2b4598 2bc3 40 99 2bc2 }
            // n = 6, score = 100
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   2b4598               | sub                 eax, dword ptr [ebp - 0x68]
            //   2bc3                 | sub                 eax, ebx
            //   40                   | inc                 eax
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx

        $sequence_4 = { 50 e8???????? 83c410 53 ff15???????? 59 8b4dfc }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_5 = { ff15???????? 53 57 894588 ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   57                   | push                edi
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   ff15????????         |                     

        $sequence_6 = { be???????? 8d7dc8 a5 a4 8d7dc8 }
            // n = 5, score = 100
            //   be????????           |                     
            //   8d7dc8               | lea                 edi, [ebp - 0x38]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8d7dc8               | lea                 edi, [ebp - 0x38]

        $sequence_7 = { 397510 7e36 ff15???????? 6a19 59 99 f7f9 }
            // n = 7, score = 100
            //   397510               | cmp                 dword ptr [ebp + 0x10], esi
            //   7e36                 | jle                 0x38
            //   ff15????????         |                     
            //   6a19                 | push                0x19
            //   59                   | pop                 ecx
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx

        $sequence_8 = { be???????? 8d7dc8 a5 a4 8d7dc8 83c40c }
            // n = 6, score = 100
            //   be????????           |                     
            //   8d7dc8               | lea                 edi, [ebp - 0x38]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8d7dc8               | lea                 edi, [ebp - 0x38]
            //   83c40c               | add                 esp, 0xc

        $sequence_9 = { 83c008 50 ff33 ff15???????? 8b37 }
            // n = 5, score = 100
            //   83c008               | add                 eax, 8
            //   50                   | push                eax
            //   ff33                 | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   8b37                 | mov                 esi, dword ptr [edi]

    condition:
        7 of them and filesize < 97280
}

Download all Yara Rules

CrypticConvo Propose Change

References

Yara Rules

CrypticConvo