win.finfisher

FinFisher RAT

aka: FinSpy

FinFisher is commercial surveillance software used to steal information from, and spy on, infected victims. Early versions offered only a few capabilities, such as password harvesting and data exfiltration, but it is now primarily known as a full-featured Remote Access Trojan (RAT). It is mostly known for its use in targeted governmental and lawful criminal investigations, and it is well known for its anti-detection capabilities and its use of VMProtect.

References
2022-03-28 | Netzpolitik.org | Andre Meister
  Staatstrojaner-Hersteller FinFisher „ist geschlossen und bleibt es auch“ (State-trojan maker FinFisher "is closed and will stay that way")
  Tagged: FinFisher RAT

2021-11-15 | binarly | Binarly Team
  Design issues of modern EDRs: bypassing ETW-based solutions
  Tagged: ESPecter, FinFisher RAT

2021-09-28 | Kaspersky Labs | GReAT
  FinSpy: unseen findings
  Tagged: FinFisher (×4), FinFisher RAT

2021-03-21 | Blackberry | Blackberry Research
  2021 Threat Report
  Tagged: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot

2020-10-14 | Netzpolitik.org | Andre Meister
  German Made State Malware Company FinFisher Raided
  Tagged: FinFisher (×4), FinFisher RAT

2020-09-25 | Amnesty International | Amnesty International
  German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
  Tagged: FinFisher (×4), FinFisher RAT

2019-08-01 | Kaspersky Labs | GReAT
  APT trends report Q2 2019
  Tagged: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy

2018-03-01 | Microsoft | Microsoft Defender ATP Research Team, Office 365 Threat Research Team
  FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines
  Tagged: FinFisher RAT

2018-02-21 | Möbius Strip Reverse Engineering | Rolf Rolles
  FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #3: Fixing The Function-Related Issues
  Tagged: FinFisher RAT

2018-02-21 | Möbius Strip Reverse Engineering | Rolf Rolles
  FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #2: First Attempt At Devirtualization
  Tagged: FinFisher RAT

2018-02-21 | Möbius Strip Reverse Engineering | Rolf Rolles
  FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #1: Deobfuscating FinSpy VM Bytecode Programs
  Tagged: FinFisher RAT

2018-02-21 | Möbius Strip Reverse Engineering | Rolf Rolles
  FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #4: Second Attempt At Devirtualization
  Tagged: FinFisher RAT

2018-02-21 | Möbius Strip Reverse Engineering | Rolf Rolles
  FinSpy VM Unpacking Tutorial Part 3: Devirtualization
  Tagged: FinFisher RAT

2018-02-21 | GitHub (RolfRolles) | Rolf Rolles
  FinSpyVM (Static Unpacker for FinSpyVM)
  Tagged: FinFisher RAT

2018-01-24 | ESET Research | Filip Kafka
  ESET's Guide to Deobfuscating and Devirtualizing FinFisher
  Tagged: FinFisher RAT

2018-01-23 | Möbius Strip Reverse Engineering | Rolf Rolles
  A Walk-Through Tutorial, with Code, on Statically Unpacking the FinSpy VM: Part One, x86 Deobfuscation
  Tagged: FinFisher RAT

2017-10-16 | Kaspersky Labs | GReAT
  BlackOasis APT and new targeted attacks leveraging zero-day exploit
  Tagged: FinFisher RAT, BlackOasis

2017-09-21 | ESET Research | Filip Kafka
  New FinFisher surveillance campaigns: Internet providers involved?
  Tagged: FinFisher RAT

2017-09-12 | FireEye | Ben Read, Genwei Jiang, James T. Bennett
  FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
  Tagged: FinFisher RAT, BlackOasis

2017-07-18 | Elastic | Ashkan Hosseini
  Ten process injection techniques: A technical survey of common and trending process injection techniques
  Tagged: Cryakl, CyberGate, Dridex, FinFisher RAT, Locky

2017-01-13 | Artem Baranov
  Finfisher rootkit analysis
  Tagged: FinFisher RAT

2014-10-02 | CodeAndSec | CodeAndSec
  FinFisher Malware Analysis - Part 2
  Tagged: FinFisher RAT
Yara Rules
[TLP:WHITE] win_finfisher_auto (20241030 | Detects win.finfisher.)
rule win_finfisher_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.finfisher."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8d85ccf9ffff 50 e8???????? }
            // n = 4, score = 200
            //   56                   | push                esi
            //   8d85ccf9ffff         | lea                 eax, [ebp - 0x634]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 68???????? 6804010000 8d85ccf9ffff 50 }
            // n = 4, score = 200
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   8d85ccf9ffff         | lea                 eax, [ebp - 0x634]
            //   50                   | push                eax

        $sequence_2 = { 8d84860c010000 3938 740a 8b00 51 }
            // n = 5, score = 100
            //   8d84860c010000       | lea                 eax, [esi + eax*4 + 0x10c]
            //   3938                 | cmp                 dword ptr [eax], edi
            //   740a                 | je                  0xc
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   51                   | push                ecx

        $sequence_3 = { 8365fc00 ff36 a1???????? ff5004 }
            // n = 4, score = 100
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff36                 | push                dword ptr [esi]
            //   a1????????           |                     
            //   ff5004               | call                dword ptr [eax + 4]

        $sequence_4 = { c78584f7ffff40020000 8d8570f7ffff 898580f7ffff 89b588f7ffff 89b58cf7ffff }
            // n = 5, score = 100
            //   c78584f7ffff40020000 | mov                 dword ptr [ebp - 0x87c], 0x240
            //   8d8570f7ffff         | lea                 eax, [ebp - 0x890]
            //   898580f7ffff         | mov                 dword ptr [ebp - 0x880], eax
            //   89b588f7ffff         | mov                 dword ptr [ebp - 0x878], esi
            //   89b58cf7ffff         | mov                 dword ptr [ebp - 0x874], esi

        $sequence_5 = { 8bd8 ffb5acf7ffff 3bde 0f856dffffff ff15???????? }
            // n = 5, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   ffb5acf7ffff         | push                dword ptr [ebp - 0x854]
            //   3bde                 | cmp                 ebx, esi
            //   0f856dffffff         | jne                 0xffffff73
            //   ff15????????         |                     

        $sequence_6 = { ff4510 394510 72ea eb06 8b4510 }
            // n = 5, score = 100
            //   ff4510               | inc                 dword ptr [ebp + 0x10]
            //   394510               | cmp                 dword ptr [ebp + 0x10], eax
            //   72ea                 | jb                  0xffffffec
            //   eb06                 | jmp                 8
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_7 = { e8???????? 83c424 8b8db0f7ffff 8b4160 8985b4f7ffff 81780c00202200 0f8536050000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   8b8db0f7ffff         | mov                 ecx, dword ptr [ebp - 0x850]
            //   8b4160               | mov                 eax, dword ptr [ecx + 0x60]
            //   8985b4f7ffff         | mov                 dword ptr [ebp - 0x84c], eax
            //   81780c00202200       | cmp                 dword ptr [eax + 0xc], 0x222000
            //   0f8536050000         | jne                 0x53c

        $sequence_8 = { 85c0 0f8538020000 6a04 8bbd48f9ffff 8d4708 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f8538020000         | jne                 0x23e
            //   6a04                 | push                4
            //   8bbd48f9ffff         | mov                 edi, dword ptr [ebp - 0x6b8]
            //   8d4708               | lea                 eax, [edi + 8]

        $sequence_9 = { 750a bb9a0000c0 e9???????? 8bd0 8b8dc0f7ffff ff15???????? }
            // n = 6, score = 100
            //   750a                 | jne                 0xc
            //   bb9a0000c0           | mov                 ebx, 0xc000009a
            //   e9????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   8b8dc0f7ffff         | mov                 ecx, dword ptr [ebp - 0x840]
            //   ff15????????         |                     

        $sequence_10 = { ff15???????? 8b8db0f7ffff 895918 8b85a0f7ffff 89411c 32d2 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b8db0f7ffff         | mov                 ecx, dword ptr [ebp - 0x850]
            //   895918               | mov                 dword ptr [ecx + 0x18], ebx
            //   8b85a0f7ffff         | mov                 eax, dword ptr [ebp - 0x860]
            //   89411c               | mov                 dword ptr [ecx + 0x1c], eax
            //   32d2                 | xor                 dl, dl

        $sequence_11 = { 8b3f 85ff 75a7 ff45f8 837df825 7293 be010000c0 }
            // n = 7, score = 100
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   85ff                 | test                edi, edi
            //   75a7                 | jne                 0xffffffa9
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   837df825             | cmp                 dword ptr [ebp - 8], 0x25
            //   7293                 | jb                  0xffffff95
            //   be010000c0           | mov                 esi, 0xc0000001

        $sequence_12 = { ff75fc ff750c ff15???????? 3bc6 }
            // n = 4, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_13 = { 50 e8???????? 83c41c c745fc04000000 6850020000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   6850020000           | push                0x250

    condition:
        7 of them and filesize < 262144
}
[TLP:WHITE] win_finfisher_w0 (20170517 | FinFisher FinSpy)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule win_finfisher_w0 {
    meta:
        description = "FinFisher FinSpy"
        author = "botherder https://github.com/botherder"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/FinSpy.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $password1 = /\/scomma kbd101\.sys/ wide ascii
        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
        $password3 = /\/scomma excel2010\.part/ wide ascii
        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
        $password6 = /\/scomma MSN2010\.dll/ wide ascii
        $password7 = /\/scomma Firefox\.base/ wide ascii
        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
        $password9 = /\/scomma IE7setup\.sys/ wide ascii
        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
        $password11 = /\/scomma office2007\.cab/ wide ascii
        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
        $password13 = /\/scomma outlook2007\.dll/ wide ascii
        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii

        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
        $screenrec7 = /(v)112O00000000\.dat/ wide ascii

        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii

        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii

        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii

        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii

        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii

        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii

        $versions1 = /(f)inspyv2/ nocase
        $versions2 = /(f)inspyv4/ nocase

        $bootkit1 = /(b)ootkit_x32driver/
        $bootkit2 = /(b)ootkit_x64driver/

        $typo1 = /(S)creenShort Recording/ wide

        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide

    condition:
        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}
[TLP:WHITE] win_finfisher_w1 (20170517 | FinFisher FinSpy)
rule win_finfisher_w1 {
    meta:
        description = "FinFisher FinSpy"
        author = "AlienVault Labs"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/FinSpy.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $filter1 = "$password14"
        $filter2 = "$screenrec7"
        $filter3 = "$micrec"
        $filter4 = "$skyperec3"
        $filter5 = "$mouserec2"
        $filter6 = "$driver"
        $filter7 = "$janedow2"
        $filter8 = "$bootkit2"

        $password1 = /\/scomma kbd101\.sys/ wide ascii
        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
        $password3 = /\/scomma excel2010\.part/ wide ascii
        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
        $password6 = /\/scomma MSN2010\.dll/ wide ascii
        $password7 = /\/scomma Firefox\.base/ wide ascii
        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
        $password9 = /\/scomma IE7setup\.sys/ wide ascii
        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
        $password11 = /\/scomma office2007\.cab/ wide ascii
        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
        $password13 = /\/scomma outlook2007\.dll/ wide ascii
        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii

        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
        $screenrec7 = /(v)112O00000000\.dat/ wide ascii

        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii

        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii

        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii

        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii

        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii

        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii

        //$versions1 = /(f)inspyv2/ nocase
        //$versions2 = /(f)inspyv4/ nocase

        $bootkit1 = /(b)ootkit_x32driver/
        $bootkit2 = /(b)ootkit_x64driver/

        $typo1 = /(S)creenShort Recording/ wide

        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide

    condition:
        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
}
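As an added illustration (not part of this Malpedia page and not code from the rule's authors), the Python script below re-implements the win_finfisher_w1 condition over that rule's own string patterns and runs it against constructed buffers. It approximates YARA's `wide` modifier by decoding the buffer as UTF-16LE at both byte alignments instead of rewriting each pattern, it ignores match offsets and `filesize`, and the three sample buffers are constructed, not real FinSpy artefacts. It shows two things the rule text alone does not make obvious: how `wide ascii` lets one literal match in both 8-bit and UTF-16LE data, and why the `$filter*` strings exist (they are the rule's own identifiers, so the .yar file itself and reports quoting it are excluded by `not any of ($filter*)` instead of being flagged).

```python
import re

# Strings transcribed from the win_finfisher_w1 rule above, as (modifiers, pattern).
# YARA `ascii` searches the 8-bit text, `wide` the UTF-16LE encoding, `wide ascii` both.
# Strings the rule leaves commented out (keylogger, mouserec, versions) are omitted.
YARA_STRINGS = {
    "$filter1": ("ascii", r"\$password14"),
    "$filter2": ("ascii", r"\$screenrec7"),
    "$filter3": ("ascii", r"\$micrec"),
    "$filter4": ("ascii", r"\$skyperec3"),
    "$filter5": ("ascii", r"\$mouserec2"),
    "$filter6": ("ascii", r"\$driver"),
    "$filter7": ("ascii", r"\$janedow2"),
    "$filter8": ("ascii", r"\$bootkit2"),
    "$password1": ("wide ascii", r"/scomma kbd101\.sys"),
    "$password2": ("wide ascii", r"(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE"),
    "$password3": ("wide ascii", r"/scomma excel2010\.part"),
    "$password4": ("wide ascii", r"(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD"),
    "$password5": ("wide ascii", r"/stab MSVCR32\.manifest"),
    "$password6": ("wide ascii", r"/scomma MSN2010\.dll"),
    "$password7": ("wide ascii", r"/scomma Firefox\.base"),
    "$password8": ("wide ascii", r"(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP"),
    "$password9": ("wide ascii", r"/scomma IE7setup\.sys"),
    "$password10": ("wide ascii", r"(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP"),
    "$password11": ("wide ascii", r"/scomma office2007\.cab"),
    "$password12": ("wide ascii", r"(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD"),
    "$password13": ("wide ascii", r"/scomma outlook2007\.dll"),
    "$password14": ("wide ascii", r"(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR"),
    "$screenrec1": ("wide ascii", r"(s)111o00000000\.dat"),
    "$screenrec2": ("wide ascii", r"(t)111o00000000\.dat"),
    "$screenrec3": ("wide ascii", r"(f)113o00000000\.dat"),
    "$screenrec4": ("wide ascii", r"(w)114o00000000\.dat"),
    "$screenrec5": ("wide ascii", r"(u)112Q00000000\.dat"),
    "$screenrec6": ("wide ascii", r"(v)112Q00000000\.dat"),
    "$screenrec7": ("wide ascii", r"(v)112O00000000\.dat"),
    "$micrec": ("wide ascii", r"2101[0-9A-F]{8}\.dat"),
    "$skyperec1": ("wide ascii", r"\[%19s\] %25s:    %s"),
    "$skyperec2": ("wide", r"Global\\\{A48F1A32-A340-11D0-BC6B-00A0C903%\.04X\}"),
    "$driver": ("wide ascii", r"\\\\\\\\\.\\\\driverw"),
    "$janedow1": ("wide ascii", r"(J)ane Dow's x32 machine"),
    "$janedow2": ("wide ascii", r"(J)ane Dow's x64 machine"),
    "$bootkit1": ("ascii", r"(b)ootkit_x32driver"),
    "$bootkit2": ("ascii", r"(b)ootkit_x64driver"),
    "$typo1": ("wide", r"(S)creenShort Recording"),
    "$mssounddx": ("wide", r"(S)ystem\\CurrentControlSet\\Services\\mssounddx"),
}


def _views(data: bytes, mods: str) -> list[str]:
    # Text views a pattern is searched in: Latin-1 for `ascii`, and both UTF-16LE
    # alignments for `wide` (an approximation of YARA, which rewrites the pattern).
    # errors="replace" keeps embedded wide strings intact and turns the rest into U+FFFD.
    views = [data.decode("latin-1")] if "ascii" in mods else []
    if "wide" in mods:
        views += [data[off:].decode("utf-16-le", errors="replace") for off in (0, 1)]
    return views


def matched_strings(data: bytes) -> set[str]:
    # Identifiers of the rule strings present in data (presence only, no offsets).
    return {name for name, (mods, pat) in YARA_STRINGS.items()
            if any(re.search(pat, view) for view in _views(data, mods))}


def _of(hits: set[str], prefix: str) -> int:
    # `N of ($prefix*)`: how many matched identifiers start with prefix.
    return sum(name.startswith(prefix) for name in hits)


def win_finfisher_w1(data: bytes) -> bool:
    h = matched_strings(data)
    positive = (_of(h, "$password") >= 8 or _of(h, "$screenrec") or "$micrec" in h
                or _of(h, "$skyperec") or "$driver" in h or _of(h, "$janedow")
                or _of(h, "$bootkit") or "$typo1" in h or "$mssounddx" in h)
    # $filter* are the rule's own identifiers: a buffer containing them (the .yar
    # file itself, a report quoting it) is excluded instead of being flagged.
    return bool(positive) and _of(h, "$filter") == 0


# Constructed sample buffers, not real FinSpy artefacts.
# 1) eight password-module command lines stored as UTF-16LE at an odd byte offset
WIDE_SAMPLE = b"\x00" + "\n".join(
    "/scomma " + f for f in ("kbd101.sys", "excel2010.part", "MSN2010.dll", "Firefox.base",
                             "IE7setup.sys", "office2007.cab", "outlook2007.dll")
).encode("utf-16-le") + "\n/stab MSVCR32.manifest".encode("utf-16-le")
# 2) a YARA file quoting the rule: the $micrec literal is present, but so is the identifier
RULE_FILE_SAMPLE = b"rule copy { strings: $micrec = /2101[0-9A-F]{8}\\.dat/ } 2101DEADBEEF.dat"
# 3) an unrelated buffer
CLEAN_SAMPLE = b"MZ\x90\x00" + bytes(range(256))

if __name__ == "__main__":
    for label, buf in (("wide", WIDE_SAMPLE), ("rulefile", RULE_FILE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, win_finfisher_w1(buf), sorted(matched_strings(buf)))
```

Running it reports the UTF-16LE buffer as a match (eight `$password*` strings, seen only through the `wide` views), the quoted-rule buffer as excluded (`$micrec` fires but so does `$filter3`), and the unrelated buffer as clean. The same two-alignment decode can be used to sanity-check any `wide` string against a memory dump before trusting a hit count.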