win.doorme

DoorMe


There is no description at this point.

References
2021-09-30 — PTSecurity — PT Expert Security Center
@online{center:20210930:masters:a5ec8ee, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/}, language = {English}, urldate = {2021-10-22} } Masters of Mimicry: new APT group ChamelGang and its arsenal
DoorMe
Yara Rules
[TLP:WHITE] win_doorme_auto (20220808 | Detects win.doorme.)
rule win_doorme_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.doorme."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* HOW THIS RULE MATCHES
     * Ten hex byte sequences ($sequence_0 .. $sequence_9) were lifted from the
     * disassembly of the sample(s). The rule fires when at least 7 of them are
     * present in a scanned object that is smaller than 580608 bytes (567 KiB),
     * see the condition below.
     *
     * Reading the strings:
     *   - "??" is a YARA single-byte wildcard. In this rule the wildcarded bytes
     *     sit directly after opcodes such as e8 (call), ff15 (call [mem]) and
     *     3b1d (cmp with memory), i.e. where relative targets and data
     *     references live; this is consistent with the
     *     "callsandjumps;datarefs;binvalue" signator_config, which masks
     *     sample-specific addresses so the sequence survives relocation and
     *     rebuilds. Rows consisting only of a wildcarded opcode carry no mnemonic.
     *   - "n = N" on each sequence equals the number of byte groups in it
     *     (e.g. $sequence_0 has 7 groups and n = 7). The meaning of "score" is
     *     not stated on this page; it comes from the generator — do not treat
     *     it as a confidence value without checking the yara-signator docs.
     *   - NOTE(review): the mnemonic column to the right of the bytes does not
     *     line up with the byte column in several rows (for example, 488bfb is
     *     annotated "dec eax", which is the 32-bit decode of the 0x48 REX.W
     *     prefix rather than of the whole instruction, and the "call" mnemonic
     *     appears on the row after the e8 opcode). The hex bytes on the left
     *     are what YARA actually matches on; treat them as authoritative and
     *     the mnemonics as informational only.
     *
     * Operational notes for defenders: because the strings come from a small
     * number of samples, confirm hit rate against a clean-file corpus before
     * raising the confidence of alerts generated by this rule, and do not
     * lower the "7 of them" threshold without re-running that false-positive
     * check. The filesize bound only limits what is scanned; memory-resident
     * or padded samples above 567 KiB will not be evaluated by this rule.
     */

    strings:
        // Each $sequence_N below is a contiguous run of instruction bytes; a
        // sequence matches only if all of its bytes occur in that order.
        $sequence_0 = { 7872 3b1d???????? 736a 488bfb 4c8d352a090200 83e73f 488bf3 }
            // n = 7, score = 100
            //   7872                 | dec                 eax
            //   3b1d????????         |                     
            //   736a                 | mov                 dword ptr [ebx + 0x10], edi
            //   488bfb               | dec                 eax
            //   4c8d352a090200       | mov                 dword ptr [esi + 0x18], edi
            //   83e73f               | movups              xmm0, xmmword ptr [ebx]
            //   488bf3               | movups              xmmword ptr [esi], xmm0

        $sequence_1 = { 4883f81f 775a 498bc8 e8???????? 49895e10 49c746180f000000 }
            // n = 6, score = 100
            //   4883f81f             | not                 ecx
            //   775a                 | rol                 edx, 0xe
            //   498bc8               | inc                 ecx
            //   e8????????           |                     
            //   49895e10             | and                 ecx, eax
            //   49c746180f000000     | add                 ecx, dword ptr [esp + 0x3c]

        $sequence_2 = { 0f87d7000000 e8???????? 4c8b7318 4983fe10 7231 488b0b }
            // n = 6, score = 100
            //   0f87d7000000         | dec                 eax
            //   e8????????           |                     
            //   4c8b7318             | mov                 eax, dword ptr [ebx - 0xb0]
            //   4983fe10             | dec                 eax
            //   7231                 | arpl                word ptr [eax + 4], cx
            //   488b0b               | dec                 eax

        $sequence_3 = { 89540c5c 488d4c2470 e8???????? 488b442460 48634804 488d050e360300 }
            // n = 6, score = 100
            //   89540c5c             | dec                 eax
            //   488d4c2470           | lea                 edx, [ebp + 0x17]
            //   e8????????           |                     
            //   488b442460           | call                dword ptr [eax + 0x10]
            //   48634804             | nop                 
            //   488d050e360300       | dec                 eax

        $sequence_4 = { 4533c9 4c8d4588 488d5580 488d4c2478 ff15???????? }
            // n = 5, score = 100
            //   4533c9               | mov                 byte ptr [edi + ebx], 0
            //   4c8d4588             | jmp                 0xd31
            //   488d5580             | dec                 eax
            //   488d4c2478           | mov                 dword ptr [esp + 0x20], edi
            //   ff15????????         |                     

        $sequence_5 = { e8???????? 4c896310 48c743180f000000 c60300 498b5518 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4c896310             | xor                 ecx, ecx
            //   48c743180f000000     | inc                 esp
            //   c60300               | mov                 dword ptr [esp + 0x20], eax
            //   498b5518             | mov                 edx, 0x40000000

        $sequence_6 = { 44885c2427 4c897f10 48c747180f000000 44881f 488d442421 49c7c0ffffffff 0f1f8000000000 }
            // n = 7, score = 100
            //   44885c2427           | mov                 byte ptr [ecx + 1], al
            //   4c897f10             | movzx               eax, byte ptr [edx + 2]
            //   48c747180f000000     | mov                 byte ptr [ecx + 2], al
            //   44881f               | mov                 byte ptr [ebx], al
            //   488d442421           | dec                 eax
            //   49c7c0ffffffff       | inc                 edi
            //   0f1f8000000000       | dec                 eax

        $sequence_7 = { 0f28442420 660f7f442420 0f284c2440 660f7f4c2440 4c8d442420 488d542440 488d4d70 }
            // n = 7, score = 100
            //   0f28442420           | lea                 edx, [ebp + 0x68]
            //   660f7f442420         | dec                 eax
            //   0f284c2440           | lea                 ecx, [ebp + 0x70]
            //   660f7f4c2440         | nop                 
            //   4c8d442420           | dec                 eax
            //   488d542440           | lea                 esi, [esp + 0x70]
            //   488d4d70             | dec                 eax

        $sequence_8 = { eb05 1bc0 83c801 85c0 7569 488d95f0000000 }
            // n = 6, score = 100
            //   eb05                 | mov                 edx, ebx
            //   1bc0                 | dec                 eax
            //   83c801               | mov                 ecx, edi
            //   85c0                 | dec                 eax
            //   7569                 | test                eax, eax
            //   488d95f0000000       | dec                 eax

        $sequence_9 = { 498b0e 4881fa00100000 0f8295feffff 4883c227 }
            // n = 4, score = 100
            //   498b0e               | dec                 eax
            //   4881fa00100000       | mov                 eax, ecx
            //   0f8295feffff         | dec                 eax
            //   4883c227             | sar                 eax, 6

    condition:
        // Require a majority (7 of 10) of the sequences rather than any single
        // one, so that one shared compiler idiom cannot trigger the rule on
        // its own. The filesize bound (580608 bytes = 567 KiB) restricts the
        // rule to objects roughly the size of the documented sample(s).
        7 of them and filesize < 580608
}