win.doubleback

DOUBLEBACK


DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine.

References
2023-03-30 — loginsoft — Saharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2021-05-04 — FireEye — Dimiter Andonov, Nick Richard
The UNC2529 Triple Double: A Trifecta Phishing Campaign
DOUBLEBACK
Yara Rules
[TLP:WHITE] win_doubleback_auto (20260504 | Detects win.doubleback.)
rule win_doubleback_auto {

    /* Auto-generated opcode-sequence rule for the DOUBLEBACK backdoor (win.doubleback).
     *
     * What it matches: ten short x86 byte sequences ($sequence_0 .. $sequence_9),
     * given as raw hex. YARA matches on those bytes only; the mnemonic annotations
     * under each string are informational and are NOT part of the match.
     *
     * When it fires: at least seven of the ten sequences are present AND the
     * scanned object is smaller than 106496 bytes (104 KiB) -- see `condition`.
     *
     * Intended input: memory dumps and unpacked samples (see DISCLAIMER below).
     * NOTE(review): packed or otherwise transformed on-disk samples may not
     * expose these sequences at all; a miss on such a file is not evidence of
     * absence. The filesize bound also means larger dumps are never matched.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.doubleback."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Per-string annotations: `n` is the number of hex tokens (instructions)
         * in the sequence; `score` is a generator-assigned value whose meaning is
         * not documented here -- treat it as opaque.
         *
         * NOTE(review): the mnemonics listed under each sequence do not decode the
         * bytes they sit next to (e.g. `eb42` is `jmp short +0x42`, `b9e3050000`
         * is `mov ecx, 0x5e3`, `3d5a290000` is `cmp eax, 0x295a`, `7438` is
         * `je +0x38`). They appear to be a generator artifact, so do not use them
         * to reason about what the matched code does; decode the hex instead.
         * Decoded, the sequences fall into two shapes: a ladder of
         * `mov ecx, imm32 ; jmp short` ($sequence_0/_1/_4/_6/_7/_8) and a ladder of
         * `cmp eax, imm32 ; je` ($sequence_2/_3/_5/_9). That is consistent with a
         * compare-and-dispatch over small constants -- inferred from the bytes,
         * not confirmed against the sample. */
        $sequence_0 = { eb42 b9e3050000 eb3b b90b070000 }
            // n = 4, score = 400
            //   eb42                 | lea                 eax, [ebp - 0x10]
            //   b9e3050000           | mov                 dword ptr [ebp - 4], eax
            //   eb3b                 | mov                 edi, ecx
            //   b90b070000           | mov                 eax, ecx

        $sequence_1 = { 755e b9ad060000 eb57 b9a7060000 eb50 b947060000 eb49 }
            // n = 7, score = 400
            //   755e                 | mov                 cl, byte ptr [edi + 9]
            //   b9ad060000           | test                cl, cl
            //   eb57                 | je                  0x203
            //   b9a7060000           | movzx               eax, cl
            //   eb50                 | mov                 dword ptr [ebx + 0x206], eax
            //   b947060000           | cmp                 al, 0x19
            //   eb49                 | ja                  0x1c7

        $sequence_2 = { 3d00280000 7438 3d5a290000 742a 3d39380000 741c }
            // n = 6, score = 400
            //   3d00280000           | mov                 ecx, edi
            //   7438                 | xor                 ecx, ecx
            //   3d5a290000           | dec                 eax
            //   742a                 | mov                 dword ptr [esp + 0x20], ebx
            //   3d39380000           | mov                 dword ptr [esi + 0x40a], edi
            //   741c                 | mov                 dword ptr [esp + 0x28], edi

        $sequence_3 = { 7438 3d5a290000 742a 3d39380000 741c 3dd73a0000 }
            // n = 6, score = 400
            //   7438                 | inc                 esp
            //   3d5a290000           | movzx               ecx, word ptr [ecx + 0x14]
            //   742a                 | inc                 esp
            //   3d39380000           | movzx               edx, word ptr [ecx + 6]
            //   741c                 | dec                 esp
            //   3dd73a0000           | add                 ecx, ecx

        $sequence_4 = { b9d4070000 eb13 b975070000 eb0c b96f070000 eb05 b911070000 }
            // n = 7, score = 400
            //   b9d4070000           | dec                 eax
            //   eb13                 | test                ecx, ecx
            //   b975070000           | je                  0x139e
            //   eb0c                 | inc                 ebp
            //   b96f070000           | test                esi, esi
            //   eb05                 | je                  0x13b2
            //   b911070000           | mov                 esi, dword ptr [ebp + 0x40]

        $sequence_5 = { 3d00280000 7438 3d5a290000 742a }
            // n = 4, score = 400
            //   3d00280000           | mov                 edi, eax
            //   7438                 | xor                 ebx, ebx
            //   3d5a290000           | test                eax, eax
            //   742a                 | jne                 0x307

        $sequence_6 = { b9e3050000 eb3b b90b070000 eb34 2d63450000 }
            // n = 5, score = 400
            //   b9e3050000           | pop                 edx
            //   eb3b                 | add                 eax, ecx
            //   b90b070000           | lea                 ecx, [esi + 4]
            //   eb34                 | mov                 dword ptr [esi + 8], eax
            //   2d63450000           | mov                 eax, dword ptr [esi]

        $sequence_7 = { 3dab3f0000 755e b9ad060000 eb57 b9a7060000 }
            // n = 5, score = 400
            //   3dab3f0000           | mov                 ebp, 0x3b
            //   755e                 | inc                 ecx
            //   b9ad060000           | mov                 dword ptr [edx + 0x660], 0x680027
            //   eb57                 | inc                 ecx
            //   b9a7060000           | mov                 dword ptr [edx + 0x664], 0x63006b

        $sequence_8 = { eb50 b947060000 eb49 b9e7050000 eb42 b9e3050000 }
            // n = 6, score = 400
            //   eb50                 | push                eax
            //   b947060000           | push                dword ptr [ebp - 4]
            //   eb49                 | mov                 ebx, eax
            //   b9e7050000           | test                ebx, ebx
            //   eb42                 | jne                 0x16c5
            //   b9e3050000           | push                eax

        $sequence_9 = { 742a 3d39380000 741c 3dd73a0000 }
            // n = 4, score = 400
            //   742a                 | dec                 esp
            //   3d39380000           | mov                 dword ptr [esp + 0x30], esp
            //   741c                 | mov                 edx, 0x40000000
            //   3dd73a0000           | dec                 esp

    condition:
        /* Threshold match: 7 of the 10 sequences, bounded by file size.
         * NOTE(review): several strings are sub-sequences of one another
         * ($sequence_5 is a prefix of $sequence_2; $sequence_3 and $sequence_9
         * overlap $sequence_2 on `3d5a290000 742a 3d39380000 741c`;
         * $sequence_0, $sequence_6 and $sequence_8 share `b9e3050000` and
         * `eb42`; $sequence_1 and $sequence_7 share `755e b9ad060000 eb57
         * b9a7060000`). A single code region can therefore satisfy several
         * strings at once, so "7 of them" is weaker than seven independent
         * hits -- roughly two distinct ladders suffice. Keep that in mind
         * when assigning a confidence level to hits from this rule. */
        7 of them and filesize < 106496
}