win.dusty_hammock

DustyHammock


According to Proofpoint, DustyHammock is a minimalist backdoor that can run commands via cmd.exe, as well as download and execute additional files. The beacon structure of the DustyHammock communications is highly similar to that of SingleCamper, which suggests that both variants can be administered from the same panel.

References
2025-06-30 — Proofpoint — David Galazin, Greg Lesnewich, Kelsey Merriman, Proofpoint Threat Research Team, Selena Larson
10 Things I Hate About Attribution: RomCom vs. TransferLoader
DustyHammock MeltingClaw RustyClaw ShadyHammock SlipScreen TransferLoader TA829
Yara Rules
[TLP:WHITE] win_dusty_hammock_auto (20260504 | Detects win.dusty_hammock.)
rule win_dusty_hammock_auto {
    /* Autogenerated code-sequence signature for the DustyHammock backdoor
     * (Malpedia family win.dusty_hammock). The rule fires when at least 7 of
     * the 10 opcode sequences in `strings` are present and the scanned file
     * is below the size bound given in `condition`.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dusty_hammock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusty_hammock"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 consecutive 32-bit x86 instructions
        // given as raw opcode bytes; the disassembly of every instruction is
        // listed beneath it. `??` wildcards match any byte: the generator left
        // those operands (call/jump targets, immediates) unspecified, which is
        // why the disassembly column is blank on those lines. "n" is the
        // instruction count; "score" is the generator's own ranking value (its
        // exact meaning is defined by yara-signator, not by this rule).
        $sequence_0 = { c745b8e04d4600 c745bc02000000 c745c800000000 89d9 89fa 8945d0 8d45d0 }
            // n = 7, score = 100
            //   c745b8e04d4600       | mov                 dword ptr [ebp - 0x48], 0x464de0
            //   c745bc02000000       | mov                 dword ptr [ebp - 0x44], 2
            //   c745c800000000       | mov                 dword ptr [ebp - 0x38], 0
            //   89d9                 | mov                 ecx, ebx
            //   89fa                 | mov                 edx, edi
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]

        $sequence_1 = { f20f1086c0000000 f20f108ec8000000 83f803 8986ac000000 898628010000 f20f1186b0000000 f20f118eb8000000 }
            // n = 7, score = 100
            //   f20f1086c0000000     | movsd               xmm0, qword ptr [esi + 0xc0]
            //   f20f108ec8000000     | movsd               xmm1, qword ptr [esi + 0xc8]
            //   83f803               | cmp                 eax, 3
            //   8986ac000000         | mov                 dword ptr [esi + 0xac], eax
            //   898628010000         | mov                 dword ptr [esi + 0x128], eax
            //   f20f1186b0000000     | movsd               qword ptr [esi + 0xb0], xmm0
            //   f20f118eb8000000     | movsd               qword ptr [esi + 0xb8], xmm1

        // $sequence_2 and $sequence_5 both store a small constant (3 and 2
        // respectively) to the same field, [esi + 0x5b8]; presumably a
        // state/flag field of one object — not confirmed from this rule alone.
        $sequence_2 = { ba28000000 68???????? e8???????? 83c404 eb40 b9???????? c786b805000003000000 }
            // n = 7, score = 100
            //   ba28000000           | mov                 edx, 0x28
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb40                 | jmp                 0x42
            //   b9????????           |                     
            //   c786b805000003000000     | mov    dword ptr [esi + 0x5b8], 3

        $sequence_3 = { e8???????? 8b18 832000 85db 0f840f010000 ff02 8d4b34 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b18                 | mov                 ebx, dword ptr [eax]
            //   832000               | and                 dword ptr [eax], 0
            //   85db                 | test                ebx, ebx
            //   0f840f010000         | je                  0x115
            //   ff02                 | inc                 dword ptr [edx]
            //   8d4b34               | lea                 ecx, [ebx + 0x34]

        $sequence_4 = { c745ac01000000 c745b800000000 c745b004000000 c745b400000000 c745f0ffffffff e8???????? 55 }
            // n = 7, score = 100
            //   c745ac01000000       | mov                 dword ptr [ebp - 0x54], 1
            //   c745b800000000       | mov                 dword ptr [ebp - 0x48], 0
            //   c745b004000000       | mov                 dword ptr [ebp - 0x50], 4
            //   c745b400000000       | mov                 dword ptr [ebp - 0x4c], 0
            //   c745f0ffffffff       | mov                 dword ptr [ebp - 0x10], 0xffffffff
            //   e8????????           |                     
            //   55                   | push                ebp

        $sequence_5 = { c786b805000002000000 8b411c 8b4920 6a58 68???????? 50 ff510c }
            // n = 7, score = 100
            //   c786b805000002000000     | mov    dword ptr [esi + 0x5b8], 2
            //   8b411c               | mov                 eax, dword ptr [ecx + 0x1c]
            //   8b4920               | mov                 ecx, dword ptr [ecx + 0x20]
            //   6a58                 | push                0x58
            //   68????????           |                     
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]

        $sequence_6 = { e8???????? 59 5f 3d01000080 0f85320e0000 8b8648010000 8bbe44010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   3d01000080           | cmp                 eax, 0x80000001
            //   0f85320e0000         | jne                 0xe38
            //   8b8648010000         | mov                 eax, dword ptr [esi + 0x148]
            //   8bbe44010000         | mov                 edi, dword ptr [esi + 0x144]

        // $sequence_7 and $sequence_5 share the same indirect call shape:
        // `call dword ptr [ecx + 0xc]` after pushing arguments, i.e. a call
        // through a function table/vtable slot at offset 0xc.
        $sequence_7 = { 8b4820 6a01 68???????? ff701c ff510c 83c40c 2401 }
            // n = 7, score = 100
            //   8b4820               | mov                 ecx, dword ptr [eax + 0x20]
            //   6a01                 | push                1
            //   68????????           |                     
            //   ff701c               | push                dword ptr [eax + 0x1c]
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   83c40c               | add                 esp, 0xc
            //   2401                 | and                 al, 1

        $sequence_8 = { c745f002000000 8b45d0 8975ac c745f002000000 b9???????? ba16000000 8945b0 }
            // n = 7, score = 100
            //   c745f002000000       | mov                 dword ptr [ebp - 0x10], 2
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8975ac               | mov                 dword ptr [ebp - 0x54], esi
            //   c745f002000000       | mov                 dword ptr [ebp - 0x10], 2
            //   b9????????           |                     
            //   ba16000000           | mov                 edx, 0x16
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax

        $sequence_9 = { 83ec28 83c50c 8d4d8c e8???????? 8d8d78ffffff e8???????? 837dd400 }
            // n = 7, score = 100
            //   83ec28               | sub                 esp, 0x28
            //   83c50c               | add                 ebp, 0xc
            //   8d4d8c               | lea                 ecx, [ebp - 0x74]
            //   e8????????           |                     
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]
            //   e8????????           |                     
            //   837dd400             | cmp                 dword ptr [ebp - 0x2c], 0

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object
        // must be smaller than 1051648 bytes (just over 1 MiB). Because the
        // sequences were taken from memory dumps and unpacked files (see the
        // DISCLAIMER above), a packed on-disk sample will likely not match;
        // the rule is most useful on unpacked samples or process memory, and
        // the size bound excludes larger dumps/images.
        7 of them and filesize < 1051648
}