SYMBOLCOMMON_NAMEaka. SYNONYMS
win.derusbi (Back to overview)

Derusbi

aka: PHOTO

Actor(s): APT41, APT17, Leviathan, Stone Panda

VTCollection    

A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References
2021-07-07Trend MicroGloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi
2020-01-29nao_sec blognao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-01SecureworksSecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2020-01-01SecureworksSecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020-01-01SecureworksSecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2017-05-31MITREMITRE ATT&CK
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2016-03-02RSA ConferenceVanja Svajcer
Dissecting Derusbi
Derusbi
2015-12-15Airbus Defence & SpaceFabien Perigaud
Newcomers in the Derusbi family
Derusbi
2015-10-08Virus BulletinEric Leung, Micky Pun, Neo Tan
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-02-27ThreatConnectThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06CrowdStrikeCrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28NovettaNovetta
Derusbi (Server Variant) Analysis
Derusbi
2014-01-01RSARSA Research
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20230808 | Detects win.derusbi.)
rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.derusbi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b819c000000 8d4de8 51 8d4dec 51 ffb00c010000 c745e810000000 }
            // n = 7, score = 200
            //   8b819c000000         | mov                 eax, dword ptr [ecx + 0x9c]
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   51                   | push                ecx
            //   ffb00c010000         | push                dword ptr [eax + 0x10c]
            //   c745e810000000       | mov                 dword ptr [ebp - 0x18], 0x10

        $sequence_1 = { 8d55ec e8???????? 8d4f08 56 8d55f3 e8???????? 59 }
            // n = 7, score = 200
            //   8d55ec               | lea                 edx, [ebp - 0x14]
            //   e8????????           |                     
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   56                   | push                esi
            //   8d55f3               | lea                 edx, [ebp - 0xd]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_2 = { 8913 ff15???????? 83c40c e8???????? b301 57 ff15???????? }
            // n = 7, score = 200
            //   8913                 | mov                 dword ptr [ebx], edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |                     
            //   b301                 | mov                 bl, 1
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_3 = { 33c5 8945f8 8b4508 66833800 53 56 57 }
            // n = 7, score = 200
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66833800             | cmp                 word ptr [eax], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_4 = { 8945f8 8b4508 56 57 50 8d8de4fbffff 899590f9ffff }
            // n = 7, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d8de4fbffff         | lea                 ecx, [ebp - 0x41c]
            //   899590f9ffff         | mov                 dword ptr [ebp - 0x670], edx

        $sequence_5 = { 64a300000000 8b5d0c 8b4508 894c2414 89442418 85db 0f8457050000 }
            // n = 7, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   85db                 | test                ebx, ebx
            //   0f8457050000         | je                  0x55d

        $sequence_6 = { 50 ffd6 b903010000 2bc8 51 8d85ecfdffff 68???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   b903010000           | mov                 ecx, 0x103
            //   2bc8                 | sub                 ecx, eax
            //   51                   | push                ecx
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   68????????           |                     

        $sequence_7 = { 56 56 56 6a03 56 68???????? 6800040000 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a03                 | push                3
            //   56                   | push                esi
            //   68????????           |                     
            //   6800040000           | push                0x400

        $sequence_8 = { ffd3 50 57 ffb5f8fbffff ff15???????? 83c410 85c0 }
            // n = 7, score = 200
            //   ffd3                 | call                ebx
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffb5f8fbffff         | push                dword ptr [ebp - 0x408]
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax

        $sequence_9 = { ffb5d4fdffff 898db8fdffff ffb5ecfdffff ffb5f0fdffff ff15???????? 3bc7 }
            // n = 6, score = 200
            //   ffb5d4fdffff         | push                dword ptr [ebp - 0x22c]
            //   898db8fdffff         | mov                 dword ptr [ebp - 0x248], ecx
            //   ffb5ecfdffff         | push                dword ptr [ebp - 0x214]
            //   ffb5f0fdffff         | push                dword ptr [ebp - 0x210]
            //   ff15????????         |                     
            //   3bc7                 | cmp                 eax, edi

    condition:
        7 of them and filesize < 360448
}
Download all Yara Rules