SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dusttrap (Back to overview)

DUSTTRAP

aka: CurveLoad, DodgeBox, StealthReacher

Actor(s): APT41

VTCollection    

There is no description at this point.

References
2024-07-18MandiantMike Stokkel
APT41 Has Arisen From the DUST
DUSTTRAP PINEGROVE
2024-07-10ZscalerSudeep Singh, Yin Hong Chang
DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
Cobalt Strike DUSTPAN DUSTTRAP
Yara Rules
[TLP:WHITE] win_dusttrap_auto (20260504 | Detects win.dusttrap.)
rule win_dusttrap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dusttrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusttrap"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 482b8b9a020000 4885c9 418bc5 0f94c0 85c0 0f8481000000 }
            // n = 6, score = 100
            //   482b8b9a020000       | dec                 esp
            //   4885c9               | mov                 dword ptr [esp + 0x38], ebp
            //   418bc5               | dec                 esp
            //   0f94c0               | mov                 dword ptr [esp + 0x30], ebp
            //   85c0                 | dec                 eax
            //   0f8481000000         | mov                 ecx, dword ptr [ecx + 0x198]

        $sequence_1 = { 48897810 33ed 4c896020 488bfa 4c8978d8 4533c0 4c8bf9 }
            // n = 7, score = 100
            //   48897810             | test                edx, edx
            //   33ed                 | je                  0x29
            //   4c896020             | inc                 ebp
            //   488bfa               | cmp                 ecx, ebx
            //   4c8978d8             | dec                 eax
            //   4533c0               | inc                 eax
            //   4c8bf9               | test                ecx, ecx

        $sequence_2 = { ff15???????? 488b4c2448 85c0 7429 488d15b1eb0000 ff15???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488b4c2448           | lea                 ebx, [esp + 0x800]
            //   85c0                 | dec                 ecx
            //   7429                 | mov                 ebx, dword ptr [ebx + 0x20]
            //   488d15b1eb0000       | inc                 ebx
            //   ff15????????         |                     

        $sequence_3 = { 48895c2430 448d4209 0f11442460 488b4950 48895c2428 48895c2420 e8???????? }
            // n = 7, score = 100
            //   48895c2430           | inc                 ecx
            //   448d4209             | and                 edx, 0x3f
            //   0f11442460           | dec                 edi
            //   488b4950             | lea                 eax, [edx + edx*8]
            //   48895c2428           | dec                 ecx
            //   48895c2420           | mov                 eax, dword ptr [ecx + eax*8]
            //   e8????????           |                     

        $sequence_4 = { 488bc7 403828 750f ffc1 48ffc0 83f906 72f1 }
            // n = 7, score = 100
            //   488bc7               | mov                 eax, dword ptr [edi]
            //   403828               | dec                 eax
            //   750f                 | lea                 ecx, [edi + 4]
            //   ffc1                 | dec                 esp
            //   48ffc0               | mov                 dword ptr [eax], edi
            //   83f906               | dec                 eax
            //   72f1                 | mov                 eax, edx

        $sequence_5 = { 4533c0 8b9c24a0000000 33d2 488b89f8000000 e8???????? 488b0d???????? 33d2 }
            // n = 7, score = 100
            //   4533c0               | dec                 eax
            //   8b9c24a0000000       | cmp                 eax, -1
            //   33d2                 | je                  0x14aa
            //   488b89f8000000       | inc                 esp
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   33d2                 | lea                 eax, [ebx + 5]

        $sequence_6 = { 0f1005???????? c7442470f79dfa5d c7442474e5c9c7e4 0f114510 c74424784b60067f 66c744247c34dc 0f114d58 }
            // n = 7, score = 100
            //   0f1005????????       |                     
            //   c7442470f79dfa5d     | inc                 ebp
            //   c7442474e5c9c7e4     | and                 ecx, eax
            //   0f114510             | inc                 esp
            //   c74424784b60067f     | xor                 ecx, edx
            //   66c744247c34dc       | inc                 ecx
            //   0f114d58             | add                 ecx, 0x2441453

        $sequence_7 = { 488b0d???????? bab0070bfe 41b866d25e3e 48894140 488d0d62010200 e8???????? }
            // n = 6, score = 100
            //   488b0d????????       |                     
            //   bab0070bfe           | add                 eax, esi
            //   41b866d25e3e         | jmp                 eax
            //   48894140             | psrldq              xmm1, 1
            //   488d0d62010200       | ja                  0xac8
            //   e8????????           |                     

        $sequence_8 = { 488907 e9???????? 33d2 4c89ac24b8000000 0f57c0 498d5c2402 }
            // n = 6, score = 100
            //   488907               | inc                 esp
            //   e9????????           |                     
            //   33d2                 | lea                 eax, [edx + 4]
            //   4c89ac24b8000000     | dec                 esp
            //   0f57c0               | lea                 ecx, [edx - 1]
            //   498d5c2402           | dec                 eax

        $sequence_9 = { 4c8d8d80070000 4889442420 33d2 458d442402 488b8950010000 e8???????? }
            // n = 6, score = 100
            //   4c8d8d80070000       | cmovns              edx, dword ptr [esp + 0x88]
            //   4889442420           | movups              xmmword ptr [esp + 0x88], xmm0
            //   33d2                 | dec                 ecx
            //   458d442402           | mov                 dword ptr [ebx - 0x40], eax
            //   488b8950010000       | inc                 ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 421888
}
Download all Yara Rules