win.doorme

DoorMe


There is no description at this point.

References
2022-12-16 | Elastic | Samir Bousseaden, Andrew Pease, Daniel Stepanic, Salim Bitam, Seth Goodwin, Devon Kerr
@online{bousseaden:20221216:siestagraph:bb73ce7, author = {Samir Bousseaden and Andrew Pease and Daniel Stepanic and Salim Bitam and Seth Goodwin and Devon Kerr}, title = {{SiestaGraph: New implant uncovered in ASEAN member foreign ministry}}, date = {2022-12-16}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry}, language = {English}, urldate = {2022-12-19} } SiestaGraph: New implant uncovered in ASEAN member foreign ministry
DoorMe SiestaGraph
2021-09-30 | PTSecurity | PT Expert Security Center
@online{center:20210930:masters:a5ec8ee, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/}, language = {English}, urldate = {2021-10-22} } Masters of Mimicry: new APT group ChamelGang and its arsenal
DoorMe
Yara Rules
[TLP:WHITE] win_doorme_auto (20230125 | Detects win.doorme.)
rule win_doorme_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.doorme."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats (generator: YARA-Signator,
     * https://github.com/fxb-cocacoding/yara-signator):
     *  - The byte sequences below were selected automatically from the
     *    disassembly of memory dumps and unpacked files.
     *  - Malpedia is the sample source; for many families only a single
     *    sample is documented, which limits how well these sequences
     *    generalise. Weigh that when assigning confidence to a hit.
     *  - Unpacked / in-memory code is a valid input, so the condition
     *    deliberately has no MZ/PE header gate.
     *
     * Reviewer notes:
     *  - Every sequence carries a REX prefix (0x40-0x4f): this is x86-64 code.
     *  - "????????" wildcards stand for 4-byte call/jmp rel32 targets and
     *    RIP-relative displacements, which vary between builds and load
     *    addresses.
     *  - The per-line mnemonics are a manual decode of the bytes on that
     *    line, not generator output; the hex pattern is authoritative, so
     *    confirm with a disassembler before relying on the mnemonics for
     *    anything beyond orientation.
     *  - "n" is the number of instructions in the sequence; "score" is the
     *    generator's selection score (presumably higher = more specific).
     */


    strings:
        $sequence_0 = { e8???????? 90 488d8d70010000 e8???????? 90 488d8d10010000 e8???????? }
            // n = 7, score = 100
            //   e8????????           | call    rel32
            //   90                   | nop
            //   488d8d70010000       | lea     rcx, [rbp + 0x170]
            //   e8????????           | call    rel32
            //   90                   | nop
            //   488d8d10010000       | lea     rcx, [rbp + 0x110]
            //   e8????????           | call    rel32

        $sequence_1 = { 4157 4883ec20 488be9 4c8d3d3aca0100 33ff bee3000000 8d043e }
            // n = 7, score = 100
            //   4157                 | push    r15
            //   4883ec20             | sub     rsp, 0x20
            //   488be9               | mov     rbp, rcx
            //   4c8d3d3aca0100       | lea     r15, [rip + 0x1ca3a]
            //   33ff                 | xor     edi, edi
            //   bee3000000           | mov     esi, 0xe3
            //   8d043e               | lea     eax, [rsi + rdi]

        $sequence_2 = { 482bc1 4883c0f8 4883f81f 0f879a030000 e8???????? 660f6f05???????? f30f7f45c7 }
            // n = 7, score = 100
            //   482bc1               | sub     rax, rcx
            //   4883c0f8             | add     rax, -8
            //   4883f81f             | cmp     rax, 0x1f
            //   0f879a030000         | ja      rel32
            //   e8????????           | call    rel32
            //   660f6f05????????     | movdqa  xmm0, xmmword ptr [rip + disp32]
            //   f30f7f45c7           | movdqu  xmmword ptr [rbp - 0x39], xmm0

        $sequence_3 = { 33c9 e8???????? 488bd8 4885db 488d0571b80100 }
            // n = 5, score = 100
            //   33c9                 | xor     ecx, ecx
            //   e8????????           | call    rel32
            //   488bd8               | mov     rbx, rax
            //   4885db               | test    rbx, rbx
            //   488d0571b80100       | lea     rax, [rip + 0x1b871]

        $sequence_4 = { c70016000000 e8???????? e9???????? 458bf5 488d15ce490200 4d8bfa e9???????? }
            // n = 7, score = 100
            //   c70016000000         | mov     dword ptr [rax], 0x16
            //   e8????????           | call    rel32
            //   e9????????           | jmp     rel32
            //   458bf5               | mov     r14d, r13d
            //   488d15ce490200       | lea     rdx, [rip + 0x249ce]
            //   4d8bfa               | mov     r15, r10
            //   e9????????           | jmp     rel32

        $sequence_5 = { 4585ed 746b 498dbff0000000 4c89642460 492bfe 48ffcd 48c1ed04 }
            // n = 7, score = 100
            //   4585ed               | test    r13d, r13d
            //   746b                 | je      +0x6b
            //   498dbff0000000       | lea     rdi, [r15 + 0xf0]
            //   4c89642460           | mov     qword ptr [rsp + 0x60], r12
            //   492bfe               | sub     rdi, r14
            //   48ffcd               | dec     rbp
            //   48c1ed04             | shr     rbp, 4

        $sequence_6 = { 488d4d68 e8???????? 90 488d8d88000000 488bbd88000000 4c8bb5a0000000 4983fe10 }
            // n = 7, score = 100
            //   488d4d68             | lea     rcx, [rbp + 0x68]
            //   e8????????           | call    rel32
            //   90                   | nop
            //   488d8d88000000       | lea     rcx, [rbp + 0x88]
            //   488bbd88000000       | mov     rdi, qword ptr [rbp + 0x88]
            //   4c8bb5a0000000       | mov     r14, qword ptr [rbp + 0xa0]
            //   4983fe10             | cmp     r14, 0x10

        $sequence_7 = { 48837f1810 7203 488b17 4c8b4710 488d4d97 e8???????? 488d550f }
            // n = 7, score = 100
            //   48837f1810           | cmp     qword ptr [rdi + 0x18], 0x10
            //   7203                 | jb      +3
            //   488b17               | mov     rdx, qword ptr [rdi]
            //   4c8b4710             | mov     r8, qword ptr [rdi + 0x10]
            //   488d4d97             | lea     rcx, [rbp - 0x69]
            //   e8????????           | call    rel32
            //   488d550f             | lea     rdx, [rbp + 0xf]

        $sequence_8 = { 4032742402 4132d4 321424 4132f4 40323424 4132d0 }
            // n = 6, score = 100
            // a run of byte-wide xors between low registers and stack slots
            //   4032742402           | xor     sil, byte ptr [rsp + 2]
            //   4132d4               | xor     dl, r12b
            //   321424               | xor     dl, byte ptr [rsp]
            //   4132f4               | xor     sil, r12b
            //   40323424             | xor     sil, byte ptr [rsp]
            //   4132d0               | xor     dl, r8b

        $sequence_9 = { 4883ec28 488d0de56a0300 ff15???????? 488d0dc86b0300 ff15???????? 488d0d1b6b0300 ff15???????? }
            // n = 7, score = 100
            // three indirect calls through the import table, each with a
            // RIP-relative pointer loaded into rcx first
            //   4883ec28             | sub     rsp, 0x28
            //   488d0de56a0300       | lea     rcx, [rip + 0x36ae5]
            //   ff15????????         | call    qword ptr [rip + disp32]
            //   488d0dc86b0300       | lea     rcx, [rip + 0x36bc8]
            //   ff15????????         | call    qword ptr [rip + disp32]
            //   488d0d1b6b0300       | lea     rcx, [rip + 0x36b1b]
            //   ff15????????         | call    qword ptr [rip + disp32]

    condition:
        // the size bound is generator-supplied (presumably sized to the
        // reference samples); 7 of the 10 sequences must be present
        filesize < 580608 and 7 of ($sequence_*)
}