win.doorme (Back to overview)

DoorMe


There is no description at this point.

References
2023-08-18TEAMT5Still Hsu, Zih-Cing Liao
Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia
CatB Cobalt Strike DoorMe GIMMICK
2023-02-02ElasticAndrew Pease, Cyril François, Devon Kerr, Remco Sprooten, Salim Bitam, Seth Goodwin
Update to the REF2924 intrusion set and related campaigns
DoorMe ShadowPad SiestaGraph
2022-12-16ElasticAndrew Pease, Daniel Stepanic, Devon Kerr, Salim Bitam, Samir Bousseaden, Seth Goodwin
SiestaGraph: New implant uncovered in ASEAN member foreign ministry
DoorMe SiestaGraph
2021-09-30PTSecurityPT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
DoorMe Chamelgang
Yara Rules
[TLP:WHITE] win_doorme_auto (20260504 | Detects win.doorme.)
rule win_doorme_auto {
    /* Purpose: flags samples of the DoorMe family (Malpedia id win.doorme)
     * by matching raw instruction byte sequences lifted from unpacked code.
     * The rule is machine-generated (yara-signator, see meta below); the
     * ten $sequence_* strings are the only detection logic and the
     * condition requires most of them plus an upper size bound. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.doorme."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each string is a hex byte sequence; the 48/41/49 lead bytes are REX
     * prefixes, so this appears to be x86-64 code. `??` is a YARA wildcard
     * byte: the wildcards sit on operand bytes that change between builds
     * or load addresses (e.g. the rel32 target of an e8 call), so only the
     * opcode skeleton is pinned.
     * NOTE(review): the "| mnemonic" column beside each byte group is
     * generator output and does not correspond to the bytes on its own line
     * (e.g. b908000000 is a 5-byte `mov ecx, imm32` encoding, shown as
     * "dec eax", which is the 32-bit-mode decode of the 0x48 REX prefix on
     * the following line). Do not use that column to triage a hit;
     * disassemble the matched region instead. */
    strings:
        $sequence_0 = { b908000000 488bda e8???????? 488d0d9ee90200 }
            // n = 4, score = 100
            //   b908000000           | dec                 eax
            //   488bda               | mov                 eax, ebx
            //   e8????????           |                     
            //   488d0d9ee90200       | dec                 ecx

        $sequence_1 = { e8???????? 90 c645a707 b063 b162 b261 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   c645a707             | arpl                ax, dx
            //   b063                 | dec                 esp
            //   b162                 | lea                 ecx, [0x2fbe7]
            //   b261                 | cmp                 ecx, 1

        $sequence_2 = { 41884c383a 83fa02 7211 8a03 4903d9 498b8cf480120400 }
            // n = 6, score = 100
            //   41884c383a           | dec                 eax
            //   83fa02               | lea                 eax, [0x3611f]
            //   7211                 | dec                 eax
            //   8a03                 | cmove               ebx, eax
            //   4903d9               | jmp                 0x1268
            //   498b8cf480120400     | inc                 esp

        $sequence_3 = { 488bfa 48895588 48895d88 c745b068000000 33d2 448d4260 488d4db8 }
            // n = 7, score = 100
            //   488bfa               | dec                 eax
            //   48895588             | cmp                 dword ptr [esp + 0x70], 0x10
            //   48895d88             | dec                 eax
            //   c745b068000000       | cmovae              edx, dword ptr [esp + 0x58]
            //   33d2                 | dec                 esp
            //   448d4260             | mov                 eax, dword ptr [esp + 0x68]
            //   488d4db8             | dec                 eax

        $sequence_4 = { 48895c2460 a804 7409 488d1d01610300 eb14 a802 488d1d0e610300 }
            // n = 7, score = 100
            //   48895c2460           | movups              xmmword ptr [ebx], xmm0
            //   a804                 | inc                 ebp
            //   7409                 | xor                 eax, eax
            //   488d1d01610300       | dec                 eax
            //   eb14                 | mov                 ecx, dword ptr [ebp - 0x39]
            //   a802                 | test                eax, eax
            //   488d1d0e610300       | jne                 0x1033

        $sequence_5 = { 0f104810 410f114d10 48897810 48c740180f000000 c60000 488b55cf 4883fa10 }
            // n = 7, score = 100
            //   0f104810             | dec                 eax
            //   410f114d10           | lea                 eax, [ebp - 0x10]
            //   48897810             | dec                 ecx
            //   48c740180f000000     | mov                 eax, 0xffffffff
            //   c60000               | dec                 ecx
            //   488b55cf             | inc                 eax
            //   4883fa10             | inc                 edx

        $sequence_6 = { 488d1550c80200 f6423d01 7415 e8???????? c70016000000 e8???????? }
            // n = 6, score = 100
            //   488d1550c80200       | mov                 ecx, dword ptr [ebp - 9]
            //   f6423d01             | dec                 eax
            //   7415                 | mov                 eax, ecx
            //   e8????????           |                     
            //   c70016000000         | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 488d742470 48837df000 7505 498bf7 eb1f }
            // n = 5, score = 100
            //   488d742470           | test                eax, eax
            //   48837df000           | je                  0xec1
            //   7505                 | mov                 cl, 0x7b
            //   498bf7               | mov                 dword ptr [esp + 0x40], 0x2832327b
            //   eb1f                 | mov                 dword ptr [esp + 0x44], 0x8081e28

        $sequence_8 = { c5f1eb0d???????? 4c8d0d46c20000 c5f35cca c4c173590cc1 4c8d0d850f0100 c5f359c1 c5fb101d???????? }
            // n = 7, score = 100
            //   c5f1eb0d????????     |                     
            //   4c8d0d46c20000       | dec                 eax
            //   c5f35cca             | cmp                 edx, 0x1000
            //   c4c173590cc1         | jb                  0x143f
            //   4c8d0d850f0100       | dec                 eax
            //   c5f359c1             | add                 edx, 0x27
            //   c5fb101d????????     |                     

        $sequence_9 = { 410fb6c2 460fb6942020860300 428d04ad04000000 4983c704 }
            // n = 4, score = 100
            //   410fb6c2             | inc                 ecx
            //   460fb6942020860300     | movzx    eax, dh
            //   428d04ad04000000     | inc                 esi
            //   4983c704             | movzx               esi, byte ptr [eax + 0x38620]

    /* Match only when at least 7 of the 10 sequences are present and the
     * scanned object is smaller than 580608 bytes (567 KiB). Because the
     * sequences were taken from memory dumps and unpacked files (see
     * DISCLAIMER), a packed on-disk sample may not match; scan unpacked
     * files or process memory for best coverage.
     * NOTE(review): `filesize` is defined for file scans -- confirm how your
     * YARA version evaluates it when the rule is applied to process memory
     * or in-memory buffers. */
    condition:
        7 of them and filesize < 580608
}