win.evilgrab (Back to overview)

EvilGrab

aka: Vidgrab

Actor(s): Stone Panda


There is no description at this point.

References
2015-08-01 — Arbor Networks — ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
2015-02-06 — CrowdStrike — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_evilgrab_auto (20260504 | Detects win.evilgrab.)
rule win_evilgrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.evilgrab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings below:
     * Each $sequence_N is a run of x86 (32-bit) instruction bytes; the comment
     * under it lists the instructions one per line ("n" is the instruction
     * count, "score" is the generator's own ranking value).
     * "??" marks a wildcard byte. The wildcards here all sit in the operand
     * positions of call / push / mov-from-memory / indirect-call instructions
     * (e8, 68, 8b35, ff15), i.e. where absolute addresses or call targets
     * would change between builds or load addresses.
     * Because the strings come from unpacked code, apply this rule to unpacked
     * samples or memory dumps; a packed file on disk is not expected to match.
     */

    strings:
        $sequence_0 = { 0f842b010000 68???????? 8bcb e8???????? 50 6a01 68ff0f1f00 }
            // n = 7, score = 200
            //   0f842b010000         | je                  0x131
            //   68????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   50                   | push                eax
            //   6a01                 | push                1
            //   68ff0f1f00           | push                0x1f0fff

        $sequence_1 = { e8???????? 8b542414 83c404 33c9 8bf8 85d2 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   83c404               | add                 esp, 4
            //   33c9                 | xor                 ecx, ecx
            //   8bf8                 | mov                 edi, eax
            //   85d2                 | test                edx, edx

        $sequence_2 = { 83e103 f3a4 8b35???????? 8b95a4adffff 8bfa 83c9ff 33c0 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8b35????????         |                     
            //   8b95a4adffff         | mov                 edx, dword ptr [ebp - 0x525c]
            //   8bfa                 | mov                 edi, edx
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 8b4528 8d1490 83c9ff 33c0 f2ae f7d1 2bf9 }
            // n = 7, score = 200
            //   8b4528               | mov                 eax, dword ptr [ebp + 0x28]
            //   8d1490               | lea                 edx, [eax + edx*4]
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   2bf9                 | sub                 edi, ecx

        $sequence_4 = { 68ff000000 e8???????? 8bf0 b93f000000 33c0 8bfe f3ab }
            // n = 7, score = 200
            //   68ff000000           | push                0xff
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   b93f000000           | mov                 ecx, 0x3f
            //   33c0                 | xor                 eax, eax
            //   8bfe                 | mov                 edi, esi
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_5 = { 741d 8b8d15ebffff 51 8b13 81c2f2000000 52 8b4b10 }
            // n = 7, score = 200
            //   741d                 | je                  0x1f
            //   8b8d15ebffff         | mov                 ecx, dword ptr [ebp - 0x14eb]
            //   51                   | push                ecx
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   81c2f2000000         | add                 edx, 0xf2
            //   52                   | push                edx
            //   8b4b10               | mov                 ecx, dword ptr [ebx + 0x10]

        $sequence_6 = { 8d7c2434 50 50 f3ab 8b4c2434 8d44243c 6800080000 }
            // n = 7, score = 200
            //   8d7c2434             | lea                 edi, [esp + 0x34]
            //   50                   | push                eax
            //   50                   | push                eax
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   6800080000           | push                0x800

        $sequence_7 = { f7d1 49 51 68???????? 6a07 50 68???????? }
            // n = 7, score = 200
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   51                   | push                ecx
            //   68????????           |                     
            //   6a07                 | push                7
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_8 = { 50 ff15???????? c7431cffffffff c6431500 e9???????? 8b8d15ebffff 81e1ff000000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   c7431cffffffff       | mov                 dword ptr [ebx + 0x1c], 0xffffffff
            //   c6431500             | mov                 byte ptr [ebx + 0x15], 0
            //   e9????????           |                     
            //   8b8d15ebffff         | mov                 ecx, dword ptr [ebp - 0x14eb]
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_9 = { ff4324 8b854cfeffff 50 ff15???????? ff45ec }
            // n = 5, score = 200
            //   ff4324               | inc                 dword ptr [ebx + 0x24]
            //   8b854cfeffff         | mov                 eax, dword ptr [ebp - 0x1b4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff45ec               | inc                 dword ptr [ebp - 0x14]

    // Any 7 of the 10 sequences must be present, and the scanned object must
    // be smaller than 327680 bytes (320 KiB). The size bound excludes large
    // files outright, so a sample padded or bundled beyond that limit will
    // not match even if all sequences are present.
    condition:
        7 of them and filesize < 327680
}
[TLP:WHITE] win_evilgrab_w0   (20170517 | Vidgrab code tricks)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_evilgrab_w0 {
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // mov eax, 2 ; dec eax ; dec eax ; mov edx, 2 ; xor edx, 2 ; div eax
        // Both eax and edx are driven to zero before the divide, so this code
        // always raises a divide-by-zero fault. Presumably a deliberate
        // exception-based trick -- confirm against a sample before relying on it.
        $div_by_zero = { b8 02 00 00 00 48 48 ba 02 00 00 00 83 f2 02 f7 f0 }

        // add eax, ecx ; xor byte ptr [eax], imm8 ; inc ecx
        // A one-byte XOR decode loop body; the immediate key is 0x66 or 0x58.
        $xor_loop = { 03 c1 80 30 ( 66 | 58 ) 41 }

        // mov r32, [r32 + disp8] ; mov r32, [r32 + disp8] ; add eax, [ebp + 8] ;
        // push edx ; pop edx
        // The trailing push/pop pair has no effect -- filler around real code.
        $junk_code = { 8b 4? ?? 8b 4? ?? 03 45 08 52 5a }

    // Every pattern must be present; a single hit is not enough.
    condition:
        $div_by_zero and $xor_loop and $junk_code
}
[TLP:WHITE] win_evilgrab_w1   (20170517 | Vidgrab Identifying Strings)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_evilgrab_w1 {
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Vidgrab.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Resource identifier; matched in both 8-bit and UTF-16LE form.
        $str_icon_res = "IDI_ICON5" ascii wide

        // Literal file / registry-path names found in the sample (8-bit only).
        // Several of these are generic (temp-style names), so a hit on this
        // rule alone is a weak indicator; corroborate with win_evilgrab_w0.
        $str_starter  = "starter.exe"
        $str_wmifw    = "wmifw.exe"
        $str_rar_key  = "Software\\rar"
        $str_tmp092   = "tmp092.tmp"
        $str_temp1    = "temp1.exe"

    // Any three of the six strings are sufficient.
    condition:
        3 of ($str_*)
}