SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dnespy (Back to overview)

DneSpy

VTCollection    

DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

References
2020-10-28Trend MicroAliakbar Zahravi, Cedric Pernet, Daniel Lunghi, Elliot Cao, Jaromír Hořejší, John Zhang, Joseph C Chen, William Gamazo Sanchez
Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB Earth Kitsune
Yara Rules
[TLP:WHITE] win_dnespy_auto (20260504 | Detects win.dnespy.)
rule win_dnespy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dnespy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 e8???????? 0f108558ddffff 83c408 }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   0f108558ddffff       | movups              xmm0, xmmword ptr [ebp - 0x22a8]
            //   83c408               | add                 esp, 8

        $sequence_1 = { e8???????? 8b956cffffff 8845a7 83fa10 722f 8b8d58ffffff 42 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b956cffffff         | mov                 edx, dword ptr [ebp - 0x94]
            //   8845a7               | mov                 byte ptr [ebp - 0x59], al
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d58ffffff         | mov                 ecx, dword ptr [ebp - 0xa8]
            //   42                   | inc                 edx

        $sequence_2 = { 894108 8bcb 8b4224 c1e908 89480c eb05 8bcb }
            // n = 7, score = 200
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   8bcb                 | mov                 ecx, ebx
            //   8b4224               | mov                 eax, dword ptr [edx + 0x24]
            //   c1e908               | shr                 ecx, 8
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   eb05                 | jmp                 7
            //   8bcb                 | mov                 ecx, ebx

        $sequence_3 = { 8d420c 8b8a60e9ffff 33c8 e8???????? 8b4af8 33c8 e8???????? }
            // n = 7, score = 200
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b8a60e9ffff         | mov                 ecx, dword ptr [edx - 0x16a0]
            //   33c8                 | xor                 ecx, eax
            //   e8????????           |                     
            //   8b4af8               | mov                 ecx, dword ptr [edx - 8]
            //   33c8                 | xor                 ecx, eax
            //   e8????????           |                     

        $sequence_4 = { 8d4590 c645fc0b 50 8bcf e8???????? 8b55a4 83fa10 }
            // n = 7, score = 200
            //   8d4590               | lea                 eax, [ebp - 0x70]
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b55a4               | mov                 edx, dword ptr [ebp - 0x5c]
            //   83fa10               | cmp                 edx, 0x10

        $sequence_5 = { 8b5d08 895dd8 c745d400000000 c7431000000000 c743140f000000 c60300 c745fc00000000 }
            // n = 7, score = 200
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   c743140f000000       | mov                 dword ptr [ebx + 0x14], 0xf
            //   c60300               | mov                 byte ptr [ebx], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_6 = { 8b542414 83faff 0f83a0000000 8810 8bc5 0facc208 89542418 }
            // n = 7, score = 200
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   83faff               | cmp                 edx, -1
            //   0f83a0000000         | jae                 0xa6
            //   8810                 | mov                 byte ptr [eax], dl
            //   8bc5                 | mov                 eax, ebp
            //   0facc208             | shrd                edx, eax, 8
            //   89542418             | mov                 dword ptr [esp + 0x18], edx

        $sequence_7 = { 8d45e0 50 e8???????? 6a00 68???????? 68???????? 6a00 }
            // n = 7, score = 200
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   68????????           |                     
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_8 = { 7711 7207 3dffff0000 7308 89442410 894c2424 6804040000 }
            // n = 7, score = 200
            //   7711                 | ja                  0x13
            //   7207                 | jb                  9
            //   3dffff0000           | cmp                 eax, 0xffff
            //   7308                 | jae                 0xa
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   6804040000           | push                0x404

        $sequence_9 = { 5b 8be5 5d c20800 52 50 51 }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 794624
}
Download all Yara Rules