SYMBOLCOMMON_NAMEaka. SYNONYMS
win.entryshell (Back to overview)

EntryShell

VTCollection    

Fileless malware 'EntryShell', a variant of the KeyBoy malware, due to similarities in backdoor command IDs and debug messages with old KeyBoy samples. The embedded malware config was encrypted with a unique algorithm.

References
2023-10-05VirusBulletinHajime Yanagishita, Suguru Ishimaru, Yusuke Niwa
Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload
EntryShell SparrowDoor Xiangoop
Yara Rules
[TLP:WHITE] win_entryshell_auto (20230808 | Detects win.entryshell.)
rule win_entryshell_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.entryshell."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85db 7517 53 8d95e4dfffff 8b8d8cddffff }
            // n = 5, score = 100
            //   85db                 | test                ebx, ebx
            //   7517                 | jne                 0x19
            //   53                   | push                ebx
            //   8d95e4dfffff         | lea                 edx, [ebp - 0x201c]
            //   8b8d8cddffff         | mov                 ecx, dword ptr [ebp - 0x2274]

        $sequence_1 = { 771d 8d8290c72501 8d5001 660f1f440000 }
            // n = 4, score = 100
            //   771d                 | ja                  0x1f
            //   8d8290c72501         | lea                 eax, [edx + 0x125c790]
            //   8d5001               | lea                 edx, [eax + 1]
            //   660f1f440000         | nop                 word ptr [eax + eax]

        $sequence_2 = { 83c40c 8d8424a8080000 50 6804010000 ff15???????? 8d442450 50 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d8424a8080000       | lea                 eax, [esp + 0x8a8]
            //   50                   | push                eax
            //   6804010000           | push                0x104
            //   ff15????????         |                     
            //   8d442450             | lea                 eax, [esp + 0x50]
            //   50                   | push                eax

        $sequence_3 = { 8b46f8 0fb684054fffffff 8842fd 83ef01 75a1 0f1003 53 }
            // n = 7, score = 100
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   0fb684054fffffff     | movzx               eax, byte ptr [ebp + eax - 0xb1]
            //   8842fd               | mov                 byte ptr [edx - 3], al
            //   83ef01               | sub                 edi, 1
            //   75a1                 | jne                 0xffffffa3
            //   0f1003               | movups              xmm0, xmmword ptr [ebx]
            //   53                   | push                ebx

        $sequence_4 = { 83c404 84c0 0f8495010000 8bbdf4efffff 85ff 0f84eefcffff 6a20 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al
            //   0f8495010000         | je                  0x19b
            //   8bbdf4efffff         | mov                 edi, dword ptr [ebp - 0x100c]
            //   85ff                 | test                edi, edi
            //   0f84eefcffff         | je                  0xfffffcf4
            //   6a20                 | push                0x20

        $sequence_5 = { e8???????? 59 83cfff 897de4 33c9 894dfc 8b049d78512501 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83cfff               | or                  edi, 0xffffffff
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   33c9                 | xor                 ecx, ecx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b049d78512501       | mov                 eax, dword ptr [ebx*4 + 0x1255178]

        $sequence_6 = { 8945f8 53 8b5d08 0f57c0 56 57 895de8 }
            // n = 7, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   0f57c0               | xorps               xmm0, xmm0
            //   56                   | push                esi
            //   57                   | push                edi
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx

        $sequence_7 = { 83c40c 8d4ffe 668b4102 8d4902 6685c0 75f4 e9???????? }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d4ffe               | lea                 ecx, [edi - 2]
            //   668b4102             | mov                 ax, word ptr [ecx + 2]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   6685c0               | test                ax, ax
            //   75f4                 | jne                 0xfffffff6
            //   e9????????           |                     

        $sequence_8 = { 8a0445399f2401 eb02 32c0 0fb64d0c 0fb6c0 6bc009 03c1 }
            // n = 7, score = 100
            //   8a0445399f2401       | mov                 al, byte ptr [eax*2 + 0x1249f39]
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   0fb64d0c             | movzx               ecx, byte ptr [ebp + 0xc]
            //   0fb6c0               | movzx               eax, al
            //   6bc009               | imul                eax, eax, 9
            //   03c1                 | add                 eax, ecx

        $sequence_9 = { 02d2 029013800000 02d2 029014800000 02d2 029015800000 02d2 }
            // n = 7, score = 100
            //   02d2                 | add                 dl, dl
            //   029013800000         | add                 dl, byte ptr [eax + 0x8013]
            //   02d2                 | add                 dl, dl
            //   029014800000         | add                 dl, byte ptr [eax + 0x8014]
            //   02d2                 | add                 dl, dl
            //   029015800000         | add                 dl, byte ptr [eax + 0x8015]
            //   02d2                 | add                 dl, dl

    condition:
        7 of them and filesize < 663552
}
Download all Yara Rules