win.eagerbee (Back to overview)

EagerBee

aka: Thumtais

According to Elastic, EagerBee loads additional capabilities from remotely downloaded PE files hosted on the C2 server. However, its implementation and coding practices reveal a lack of advanced skill on the author's part, relying on basic techniques. During their research, Elastic identified string formatting and underlying behavior that align with previous research attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, Emissary Panda).

References
2025-05-14 | LAC | Yoshihiro Ishikawa
Continued EAGERBEE (Thumtais) malware activity
EagerBee
2025-01-06 | Kaspersky | Saurabh Sharma, Vasily Berdnikov
EAGERBEE, with updated and novel components, targets the Middle East
EagerBee CoughingDown
2024-06-05 | LAC | Yoshihiro Ishikawa
Thumtais, a malware targeting Japanese organizations
EagerBee
2023-10-03 | Elastic | Andrew Pease, Cyril François, Daniel Stepanic, Salim Bitam, Seth Goodwin
Introducing the REF5961 intrusion set (RUDEBIRD, DOWNTOWN, and EAGERBEE)
EagerBee SManager REF2924 REF5961
Yara Rules
[TLP:WHITE] win_eagerbee_auto (20260504 | Detects win.eagerbee.)
rule win_eagerbee_auto {
    // Autogenerated code-sequence rule for win.eagerbee (see the DISCLAIMER
    // below). It carries ten hex byte sequences lifted from disassembly; a
    // match requires 7 of them in a scanned object smaller than 422912 bytes.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.eagerbee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| <instruction>" column in the $sequence_* comments
     * below does not appear to line up with the byte group on the same line
     * (e.g. 4883ec38 in $sequence_9 encodes `sub rsp, 0x38`, yet the listing
     * shows `mov byte ptr [esp + 0xe0], 0x57`; REX prefix 0x48 is rendered as
     * `dec eax`, i.e. the listing looks decoded in 32-bit mode and shifted).
     * Treat the hex byte groups as authoritative and the mnemonics as hints
     * only. "n" is the number of byte groups in the sequence; "score" is a
     * value emitted by yara-signator whose meaning is not documented here.
     * "??" wildcards appear to mask relocated call/jump targets and
     * RIP-relative displacements, so those bytes do not constrain the match.
     */

    strings:
        $sequence_0 = { 3986f4160000 0f8576ffffff 8b8684000000 85c0 7809 488bd0 }
            // n = 6, score = 100
            //   3986f4160000         | cmp                 dword ptr [ecx], eax
            //   0f8576ffffff         | jne                 0x8ee
            //   8b8684000000         | dec                 eax
            //   85c0                 | lea                 edx, [0x1840a]
            //   7809                 | inc                 ebp
            //   488bd0               | lea                 ecx, [eax + 3]

        $sequence_1 = { 488d4c0422 44896309 e8???????? 8bd0 e9???????? 488d4c0421 e8???????? }
            // n = 7, score = 100
            //   488d4c0422           | mov                 esi, edx
            //   44896309             | dec                 eax
            //   e8????????           |                     
            //   8bd0                 | mov                 edi, ecx
            //   e9????????           |                     
            //   488d4c0421           | inc                 esp
            //   e8????????           |                     

        $sequence_2 = { 44396818 0f84b7010000 488d1de463ffff beffff0000 bd00010000 e9???????? 4439af90000000 }
            // n = 7, score = 100
            //   44396818             | mov                 edi, edx
            //   0f84b7010000         | dec                 eax
            //   488d1de463ffff       | mov                 ecx, dword ptr [ecx]
            //   beffff0000           | inc                 ebp
            //   bd00010000           | xor                 esp, esp
            //   e9????????           |                     
            //   4439af90000000       | dec                 eax

        $sequence_3 = { 885c247d 488b08 488d542470 ff5058 b9fb010000 488bd8 e8???????? }
            // n = 7, score = 100
            //   885c247d             | dec                 eax
            //   488b08               | test                ecx, ecx
            //   488d542470           | mov                 esi, 0xffff
            //   ff5058               | dec                 eax
            //   b9fb010000           | lea                 ebx, [0xffff6735]
            //   488bd8               | mov                 ebp, 0x100
            //   e8????????           |                     

        $sequence_4 = { c684242b0100006d 4088bc242c010000 4088b4242d010000 48397308 0f84ae030000 488b05???????? c684249000000073 }
            // n = 7, score = 100
            //   c684242b0100006d     | mov                 ecx, dword ptr [ebx + 0x28]
            //   4088bc242c010000     | lea                 eax, [ecx + 2]
            //   4088b4242d010000     | cmp                 eax, dword ptr [ebx + 0x18]
            //   48397308             | ja                  0x6e9
            //   0f84ae030000         | movzx               eax, byte ptr [edi + 0x4c]
            //   488b05????????       |                     
            //   c684249000000073     | mov                 ecx, dword ptr [esi + edi + 0x1c]

        $sequence_5 = { 33c9 8bd7 41b800300000 ff15???????? 8b5500 }
            // n = 5, score = 100
            //   33c9                 | jne                 0x7f0
            //   8bd7                 | mov                 eax, esi
            //   41b800300000         | jmp                 0x7fb
            //   ff15????????         |                     
            //   8b5500               | mov                 ecx, dword ptr [edi + 0x4c]

        $sequence_6 = { c644243432 c64424352e c644243664 884c2438 488d4c2430 c644243900 }
            // n = 6, score = 100
            //   c644243432           | mov                 byte ptr [esp + 0x391], bh
            //   c64424352e           | inc                 esp
            //   c644243664           | mov                 byte ptr [esp + 0x392], ah
            //   884c2438             | mov                 byte ptr [esp + 0x393], 0x64
            //   488d4c2430           | inc                 eax
            //   c644243900           | mov                 byte ptr [esp + 0x394], dh

        $sequence_7 = { 488d8c24e0040000 48894c2420 488b8c24e8040000 4c8bc3 ba01000000 ffd0 488b05???????? }
            // n = 7, score = 100
            //   488d8c24e0040000     | dec                 ecx
            //   48894c2420           | mov                 ebx, dword ptr [ebx + 0x30]
            //   488b8c24e8040000     | dec                 ecx
            //   4c8bc3               | mov                 ebp, dword ptr [ebx + 0x40]
            //   ba01000000           | dec                 ecx
            //   ffd0                 | mov                 esi, dword ptr [ebx + 0x48]
            //   488b05????????       |                     

        $sequence_8 = { 8a8424c0000000 8b9c24a8000000 488bbc2498000000 88442450 488b8424b8000000 498943e0 8a8424b0000000 }
            // n = 7, score = 100
            //   8a8424c0000000       | call                dword ptr [eax + 0x58]
            //   8b9c24a8000000       | mov                 byte ptr [esp + 0x47], 0x6e
            //   488bbc2498000000     | mov                 byte ptr [esp + 0x48], 0x49
            //   88442450             | mov                 byte ptr [esp + 0x49], 0x6e
            //   488b8424b8000000     | mov                 byte ptr [esp + 0x4a], 0x66
            //   498943e0             | mov                 byte ptr [esp + 0x4b], 0x6f
            //   8a8424b0000000       | mov                 byte ptr [esp + 0x4c], 0x72

        $sequence_9 = { 4883ec38 83fa01 7528 488364242800 8364242000 }
            // n = 5, score = 100
            //   4883ec38             | mov                 byte ptr [esp + 0xe0], 0x57
            //   83fa01               | mov                 byte ptr [esp + 0xe1], 0
            //   7528                 | call                dword ptr [eax + 0x58]
            //   488364242800         | mov                 byte ptr [esp + 0xdf], 0x65
            //   8364242000           | mov                 byte ptr [esp + 0xe0], 0x6e

    // Fires when at least 7 of the 10 sequences are present and the scanned
    // object is under 422912 bytes. The size bound presumably limits scan
    // cost and false positives on large files; it also means larger files
    // never match regardless of content.
    // NOTE(review): confirm how filesize behaves for non-file scan targets
    // (e.g. process memory) before relying on this rule there.
    condition:
        7 of them and filesize < 422912
}
[TLP:WHITE] win_eagerbee_w0   (20231009 | No description)
rule win_eagerbee_w0 {
    // Elastic Security rule for Windows.Trojan.EagerBee: four hex byte
    // patterns, any 2 of which are enough for a match. The condition carries
    // no filesize or PE-header constraint, so it is not limited to files.
    meta:
        author = "Elastic Security"
        creation_date = "2023-09-04"
        last_modified = "2023-09-20"
        threat_name = "Windows.Trojan.EagerBee"
        // presumably the SHA-256 of the sample the patterns were derived from
        reference_sample = "339e4fdbccb65b0b06a1421c719300a8da844789a2016d58e8ce4227cb5dc91b"
        license = "Elastic License v2"
        os = "windows"
        // Malpedia-side fields; hash and license are empty as published here.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee"
        malpedia_rule_date = "20231009"
        malpedia_hash = ""
        malpedia_version = "20231009"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    // String names suggest the code regions they were lifted from (config
    // decoding, config parsing, proxy parsing); that is not verifiable from
    // the rule itself. "??" bytes are wildcards and do not constrain the match.
    strings:
        $dexor_config_file = { 48 FF C0 8D 51 FF 44 30 00 49 03 C4 49 2B D4 ?? ?? 48 8D 4F 01 48 }
        $parse_config = { 80 7C 14 20 3A ?? ?? ?? ?? ?? ?? 45 03 C4 49 03 D4 49 63 C0 48 3B C1 }
        $parse_proxy1 = { 44 88 7C 24 31 44 88 7C 24 32 48 F7 D1 C6 44 24 33 70 C6 44 24 34 3D 88 5C 24 35 48 83 F9 01 }
        // NOTE(review): 33 C0 ... F2 AE ... 48 F7 D1 looks like an inlined
        // strlen idiom (xor eax,eax / repne scasb / not rcx), which is common
        // in compiled code; the 2-of-4 condition keeps it from matching alone.
        $parse_proxy2 = { 33 C0 48 8D BC 24 F0 00 00 00 49 8B CE F2 AE 8B D3 48 F7 D1 48 83 E9 01 48 8B F9 }

    // Any two of the four patterns, anywhere in the scanned object.
    condition:
        2 of them
}