win.derusbi

Derusbi

aka: PHOTO

Actor(s): APT41, APT17, Leviathan, Stone Panda


A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes; returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References
2021-07-07Trend MicroGloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi
2020-10-30YouTube (Kaspersky Tech)Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-01-29nao_sec blognao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-01SecureworksSecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2020-01-01SecureworksSecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020-01-01SecureworksSecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2017-05-31MITREMITRE ATT&CK
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2016-03-02RSA ConferenceVanja Svajcer
Dissecting Derusbi
Derusbi
2015-12-15Airbus Defence & SpaceFabien Perigaud
Newcomers in the Derusbi family
Derusbi
2015-10-08Virus BulletinEric Leung, Micky Pun, Neo Tan
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-02-27ThreatConnectThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06CrowdStrikeCrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28NovettaNovetta
Derusbi (Server Variant) Analysis
Derusbi
2014-10-28NovettaNovetta
Operation SMN: Axiom Threat Actor Group Report
BLACKCOFFEE Derusbi HiKit
2014-01-01RSARSA Research
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20260504 | Detects win.derusbi.)
rule win_derusbi_auto {

    /* Purpose: auto-generated code-sequence signature for win.derusbi (Malpedia).
     *
     * How it matches: every $sequence_N below is a short run of 32-bit x86
     * instruction encodings (register names and "dword ptr" operands in the
     * disassembly column), and the rule fires when at least 7 of the 10
     * sequences are present in a scanned object smaller than 360448 bytes
     * (352 KiB) -- see the condition at the bottom.
     *
     * Reading the annotations: the tool appends "n = <count>, score = <value>"
     * under each sequence; n is the number of instructions listed for that
     * sequence. The meaning of "score" is not documented on this page --
     * treat it as an internal yara-signator ranking, not a confidence figure.
     *
     * Applying the rule: the sequences were extracted from memory dumps and
     * unpacked files (see DISCLAIMER), so expect it to match unpacked code and
     * memory images rather than a packed or otherwise wrapped on-disk carrier.
     * The filesize bound means larger objects never match, even if all ten
     * sequences are present.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.derusbi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is one contiguous instruction run. A "??" byte is a
        // YARA wildcard; here the wildcards cover the 4-byte operand of
        // instructions whose disassembly column is left blank (absolute
        // call/jump targets, global data references, pushed immediates), so
        // the sequence does not depend on one image base or one build's
        // data layout.

        // Bounds check on three fields of a structure at esi+0x444/0x448/0x44c
        $sequence_0 = { 751a 398644040000 7512 3b864c040000 7722 7208 3b8e48040000 }
            // n = 7, score = 200
            //   751a                 | jne                 0x1c
            //   398644040000         | cmp                 dword ptr [esi + 0x444], eax
            //   7512                 | jne                 0x14
            //   3b864c040000         | cmp                 eax, dword ptr [esi + 0x44c]
            //   7722                 | ja                  0x24
            //   7208                 | jb                  0xa
            //   3b8e48040000         | cmp                 ecx, dword ptr [esi + 0x448]

        // Function prologue: "a1 ????????" is mov eax, [abs32] (the stack
        // cookie load is wildcarded), then xor eax, ebp / mov [ebp-4], eax.
        $sequence_1 = { a1???????? 33c5 8945fc 8b4508 53 56 8985d0fdffff }
            // n = 7, score = 200
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8985d0fdffff         | mov                 dword ptr [ebp - 0x230], eax

        // Two imported calls ("ff15 ????????" = call dword ptr [abs32]) with a
        // stack buffer at esp+0xf8 passed to the second; the wildcards hide
        // the IAT slot addresses.
        $sequence_2 = { 50 ff15???????? 50 8d8424f8000000 50 ff15???????? 83c40c }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d8424f8000000       | lea                 eax, [esp + 0xf8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        // Handle check (cmp edi, -1 / je) followed by a call setup that pushes
        // a global ("ff35 ????????" = push dword ptr [abs32]).
        $sequence_3 = { 8bf8 83ffff 7432 6a00 8d85d4fdffff 50 ff35???????? }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7432                 | je                  0x34
            //   6a00                 | push                0
            //   8d85d4fdffff         | lea                 eax, [ebp - 0x22c]
            //   50                   | push                eax
            //   ff35????????         |                     

        // "68 ????????" = push imm32 (a wildcarded pointer/constant), a 0x404-byte
        // stack buffer, an imported call, then "8b3d ????????" = mov edi, [abs32].
        $sequence_4 = { 56 68???????? 8d85fcfbffff 53 50 ff15???????? 8b3d???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   68????????           |                     
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b3d????????         |                     

        // Loop tail: backward jne (0xffffffdf), "e9 ????????" = jmp rel32 with
        // the displacement wildcarded, then an imported call whose result is
        // stored at esi+4.
        $sequence_5 = { 740b 2bd8 75dd 33c0 e9???????? ff15???????? 894604 }
            // n = 7, score = 200
            //   740b                 | je                  0xd
            //   2bd8                 | sub                 ebx, eax
            //   75dd                 | jne                 0xffffffdf
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ff15????????         |                     
            //   894604               | mov                 dword ptr [esi + 4], eax

        // Call / test eax / jne error-path pattern; "8b35 ????????" = mov esi, [abs32].
        $sequence_6 = { ff15???????? 85c0 752c ff15???????? ff75f8 8b35???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   752c                 | jne                 0x2e
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8b35????????         |                     

        // Length clamp: eax = [esp+0x14] + 0x14, capped at 0x1c (push 0x1c / pop eax).
        // No wildcards in this sequence, so it pins exact immediates.
        $sequence_7 = { 0f84e0000000 8b442414 83c014 83f81c 7303 6a1c 58 }
            // n = 7, score = 200
            //   0f84e0000000         | je                  0xe6
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   83c014               | add                 eax, 0x14
            //   83f81c               | cmp                 eax, 0x1c
            //   7303                 | jae                 5
            //   6a1c                 | push                0x1c
            //   58                   | pop                 eax

        // Counter test (jle on ebx) and copy between two large stack slots
        // (ebp-0x854 -> ebp-0x84c) before pushing 0x2c and edi.
        $sequence_8 = { 85db 0f8ead000000 8b85acf7ffff 8985b4f7ffff 6a2c 57 }
            // n = 6, score = 200
            //   85db                 | test                ebx, ebx
            //   0f8ead000000         | jle                 0xb3
            //   8b85acf7ffff         | mov                 eax, dword ptr [ebp - 0x854]
            //   8985b4f7ffff         | mov                 dword ptr [ebp - 0x84c], eax
            //   6a2c                 | push                0x2c
            //   57                   | push                edi

        // Initialises a stack structure: stores 0x18 at ebp-0xa0 and pushes it
        // after a 0 -- consistent with a size-prefixed struct argument, but the
        // callee is outside the sequence so that is not confirmed here.
        $sequence_9 = { 8b3d???????? 8bf1 898558ffffff 8d9d64ffffff c78560ffffff18000000 6a00 ffb560ffffff }
            // n = 7, score = 200
            //   8b3d????????         |                     
            //   8bf1                 | mov                 esi, ecx
            //   898558ffffff         | mov                 dword ptr [ebp - 0xa8], eax
            //   8d9d64ffffff         | lea                 ebx, [ebp - 0x9c]
            //   c78560ffffff18000000     | mov    dword ptr [ebp - 0xa0], 0x18
            //   6a00                 | push                0
            //   ffb560ffffff         | push                dword ptr [ebp - 0xa0]

    condition:
        // "them" = all $sequence_* strings (10); any three may be absent, which
        // gives some tolerance for recompiled variants. The size bound is
        // 0x58000 = 352 KiB and is evaluated per scanned object.
        // NOTE(review): filesize is defined for file scans; confirm how your
        // YARA version treats it for process-memory scans before relying on
        // this rule there.
        7 of them and filesize < 360448
}