win.doorme

DoorMe


There is no description at this point.

References
2023-08-18 · TEAMT5 · Still Hsu, Zih-Cing Liao
Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia
CatB Cobalt Strike DoorMe GIMMICK
2023-02-02 · Elastic · Andrew Pease, Cyril François, Devon Kerr, Remco Sprooten, Salim Bitam, Seth Goodwin
Update to the REF2924 intrusion set and related campaigns
DoorMe ShadowPad SiestaGraph
2022-12-16 · Elastic · Andrew Pease, Daniel Stepanic, Devon Kerr, Salim Bitam, Samir Bousseaden, Seth Goodwin
SiestaGraph: New implant uncovered in ASEAN member foreign ministry
DoorMe SiestaGraph
2021-09-30 · PTSecurity · PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
DoorMe Chamelgang
Yara Rules
[TLP:WHITE] win_doorme_auto (20230808 | Detects win.doorme.)
rule win_doorme_auto {
    // Auto-generated code-signature rule for the DoorMe family (win.doorme).
    // Matching is purely on the ten hex byte sequences under `strings:`; the
    // rule reads no text strings, imports or PE metadata. The match threshold
    // and the file-size bound are in `condition:` at the bottom.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.doorme."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme"
        // Three different timestamps are recorded in this block (date,
        // malpedia_rule_date, malpedia_version). None of them is the
        // sample's first-seen date; do not use them as such in reporting.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86-64 instruction bytes copied from
        // one unpacked sample. `??` pairs are wildcards: the four wildcarded
        // bytes after `e8` (CALL rel32) and after `488b05` (MOV rax,
        // [rip+disp32]) mask a displacement that changes with code layout.
        //
        // NOTE(review): the instruction listing printed under each sequence
        // does not line up with the bytes it annotates — e.g. a lone `48`
        // (the REX.W prefix in 64-bit code) is shown as `dec eax`, and the
        // mnemonics are offset relative to the opcodes. This looks like a
        // 32-bit decode of 64-bit code in the generator; treat the listings
        // as informational only. The hex is what YARA matches.
        $sequence_0 = { 48837e1810 7203 488b16 4c8b4610 488d4d58 e8???????? 488d5558 }
            // n = 7, score = 100
            //   48837e1810           | dec                 eax
            //   7203                 | lea                 edx, [0x35a4f]
            //   488b16               | dec                 eax
            //   4c8b4610             | mov                 ecx, ebx
            //   488d4d58             | movapd              xmm0, xmm1
            //   e8????????           |                     
            //   488d5558             | dec                 esp

        $sequence_1 = { 75f6 488bd7 488d4d68 e8???????? 90 4c8d8d10010000 }
            // n = 6, score = 100
            //   75f6                 | dec                 eax
            //   488bd7               | lea                 eax, [ebp - 0x39]
            //   488d4d68             | dec                 eax
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [esp + 0x20], eax
            //   4c8d8d10010000       | inc                 ecx

        $sequence_2 = { 41b111 41b207 450fb6da b312 0fb6f9 40b618 4533e4 }
            // n = 7, score = 100
            //   41b111               | cmp                 eax, 0x1f
            //   41b207               | ja                  0x47b
            //   450fb6da             | dec                 eax
            //   b312                 | mov                 ebp, ebx
            //   0fb6f9               | dec                 ecx
            //   40b618               | cmp                 dword ptr [eax + 0x18], 0x10
            //   4533e4               | dec                 eax

        $sequence_3 = { 488b05???????? 4833c4 48894537 488bda 488bf9 4889552f c6459700 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | inc                 ecx
            //   48894537             | xor                 al, 0x74
            //   488bda               | inc                 esp
            //   488bf9               | mov                 byte ptr [ebp - 0x55], al
            //   4889552f             | inc                 ecx
            //   c6459700             | xor                 cl, 0x74

        // Only four instructions of generic register/memory shuffling; on its
        // own this sequence is likely to be weak, the `7 of them` threshold in
        // the condition is what keeps it from mattering by itself.
        $sequence_4 = { 498b7810 4885ff 7566 48897a10 }
            // n = 4, score = 100
            //   498b7810             | mov                 dword ptr [ebp + ecx - 0x64], eax
            //   4885ff               | dec                 eax
            //   7566                 | mov                 eax, dword ptr [ebp - 0x60]
            //   48897a10             | dec                 eax

        // `488d05a23f0300` looks like LEA rax, [rip+0x33fa2]: the displacement
        // is a fixed, build-specific constant, so this sequence is unlikely
        // to survive a recompiled or re-laid-out variant of the code.
        $sequence_5 = { 488d5c2478 48837d9010 480f435c2478 488d05a23f0300 488945a0 c74424400e000000 }
            // n = 6, score = 100
            //   488d5c2478           | xor                 dh, 0x74
            //   48837d9010           | inc                 eax
            //   480f435c2478         | mov                 byte ptr [ebp - 0x4f], dh
            //   488d05a23f0300       | inc                 esp
            //   488945a0             | mov                 byte ptr [ebp - 0x4e], ah
            //   c74424400e000000     | dec                 eax

        $sequence_6 = { 488b00 498bcd ff5020 48894580 498b4500 498bcd ff5018 }
            // n = 7, score = 100
            //   488b00               | mov                 byte ptr [ecx + edi + 0x3b], al
            //   498bcd               | cmp                 edx, 3
            //   ff5020               | jne                 0x94e
            //   48894580             | mov                 al, byte ptr [ebx]
            //   498b4500             | dec                 ecx
            //   498bcd               | add                 ebx, ecx
            //   ff5018               | dec                 ecx

        // Same caveat as $sequence_5: `4c8d15f06b0300` looks like
        // LEA r10, [rip+0x36bf0] and `0f8564feffff` like JNE rel32 with a
        // fixed displacement. Both are layout-dependent and unmasked.
        $sequence_7 = { 75f1 4983e801 75db 4883c510 4c8d15f06b0300 48836c243001 0f8564feffff }
            // n = 7, score = 100
            //   75f1                 | inc                 edx
            //   4983e801             | lea                 edx, [ecx + eax]
            //   75db                 | add                 dl, dl
            //   4883c510             | inc                 ecx
            //   4c8d15f06b0300       | mul                 ecx
            //   48836c243001         | shr                 edx, 3
            //   0f8564feffff         | movzx               ecx, dl

        $sequence_8 = { 488d8d20030000 e8???????? 488b7d80 488b07 488bcf ff5050 }
            // n = 6, score = 100
            //   488d8d20030000       | inc                 ecx
            //   e8????????           |                     
            //   488b7d80             | add                 eax, esp
            //   488b07               | add                 ebx, eax
            //   488bcf               | inc                 ecx
            //   ff5050               | lea                 ecx, [ecx + 0x2ad7d2bb]

        // Four instructions of argument shuffling (stack spills and register
        // moves); likely a weak discriminator on its own, see $sequence_4.
        $sequence_9 = { 4889442440 448bc2 48894c2420 488bd9 }
            // n = 4, score = 100
            //   4889442440           | dec                 eax
            //   448bc2               | lea                 edx, [0x24959]
            //   48894c2420           | inc                 esp
            //   488bd9               | dec                 eax

    condition:
        // At least 7 of the 10 sequences must be present. That tolerates a
        // few of the layout-dependent sequences noted above failing to match,
        // but a variant that breaks four or more of them will be missed.
        // NOTE(review): the filesize bound is sized for on-disk or dumped
        // files; confirm how your engine evaluates `filesize` when scanning
        // live process memory before relying on this rule in that mode.
        7 of them and filesize < 580608
}