SYMBOLCOMMON_NAMEaka. SYNONYMS
win.donot (Back to overview)

DONOT

Actor(s): VICEROY TIGER

VTCollection    

Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.

References
2024-05-14Check Point ResearchAntonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm
2023-02-23K7 SecurityVigneshwaran P
The DoNot APT
DONOT
2022-08-11MorphisecArnold Osipov, Hido Cohen
APT-C-35 GETS A NEW UPGRADE
DONOT
Yara Rules
[TLP:WHITE] win_donot_auto (20260504 | Detects win.donot.)
rule win_donot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.donot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f438528ffffff 03f0 56 e8???????? 8b85c8fcffff 83c40c c6043000 }
            // n = 7, score = 100
            //   0f438528ffffff       | cmovae              eax, dword ptr [ebp - 0xd8]
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b85c8fcffff         | mov                 eax, dword ptr [ebp - 0x338]
            //   83c40c               | add                 esp, 0xc
            //   c6043000             | mov                 byte ptr [eax + esi], 0

        $sequence_1 = { 52 51 e8???????? 83c408 8b4f10 b8ffffff7f 2bc1 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b4f10               | mov                 ecx, dword ptr [edi + 0x10]
            //   b8ffffff7f           | mov                 eax, 0x7fffffff
            //   2bc1                 | sub                 eax, ecx

        $sequence_2 = { 8d8dd8fcffff c645fc04 e8???????? 8885d4fcffff c645fc05 8b85d8fcffff 8b4804 }
            // n = 7, score = 100
            //   8d8dd8fcffff         | lea                 ecx, [ebp - 0x328]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   e8????????           |                     
            //   8885d4fcffff         | mov                 byte ptr [ebp - 0x32c], al
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   8b85d8fcffff         | mov                 eax, dword ptr [ebp - 0x328]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]

        $sequence_3 = { 7409 8b34bd20b80310 eb07 8b34bdecb70310 53 46 e8???????? }
            // n = 7, score = 100
            //   7409                 | je                  0xb
            //   8b34bd20b80310       | mov                 esi, dword ptr [edi*4 + 0x1003b820]
            //   eb07                 | jmp                 9
            //   8b34bdecb70310       | mov                 esi, dword ptr [edi*4 + 0x1003b7ec]
            //   53                   | push                ebx
            //   46                   | inc                 esi
            //   e8????????           |                     

        $sequence_4 = { 51 e8???????? 83c408 0f108db8fcffff 83bdccfcffff10 8db5f8feffff f30f7e85c8fcffff }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   0f108db8fcffff       | movups              xmm1, xmmword ptr [ebp - 0x348]
            //   83bdccfcffff10       | cmp                 dword ptr [ebp - 0x334], 0x10
            //   8db5f8feffff         | lea                 esi, [ebp - 0x108]
            //   f30f7e85c8fcffff     | movq                xmm0, qword ptr [ebp - 0x338]

        $sequence_5 = { 2bc6 8975f8 3bc2 0f8210010000 8d0416 8b7314 }
            // n = 6, score = 100
            //   2bc6                 | sub                 eax, esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   3bc2                 | cmp                 eax, edx
            //   0f8210010000         | jb                  0x116
            //   8d0416               | lea                 eax, [esi + edx]
            //   8b7314               | mov                 esi, dword ptr [ebx + 0x14]

        $sequence_6 = { 83c0fc 83f81f 0f87600a0000 52 51 e8???????? }
            // n = 6, score = 100
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f87600a0000         | ja                  0xa66
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { c744243c0f000000 ff15???????? 8bf0 85f6 7416 ff15???????? }
            // n = 6, score = 100
            //   c744243c0f000000     | mov                 dword ptr [esp + 0x3c], 0xf
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7416                 | je                  0x18
            //   ff15????????         |                     

        $sequence_8 = { 8b048d187b0410 f644382848 7427 8a55ff 8d4601 8945e4 80fa0a }
            // n = 7, score = 100
            //   8b048d187b0410       | mov                 eax, dword ptr [ecx*4 + 0x10047b18]
            //   f644382848           | test                byte ptr [eax + edi + 0x28], 0x48
            //   7427                 | je                  0x29
            //   8a55ff               | mov                 dl, byte ptr [ebp - 1]
            //   8d4601               | lea                 eax, [esi + 1]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   80fa0a               | cmp                 dl, 0xa

        $sequence_9 = { 0f871c070000 8bc2 51 50 e8???????? 83c408 }
            // n = 6, score = 100
            //   0f871c070000         | ja                  0x722
            //   8bc2                 | mov                 eax, edx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

    condition:
        7 of them and filesize < 626688
}
Download all Yara Rules