win.firechili

Fire Chili

Actor(s): Shell Crew


The purpose of this rootkit/driver is to hide and protect malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components.
According to FortiGuard Labs, this malware uses Direct Kernel Object Manipulation (DKOM), which involves undocumented kernel structures and objects, for its operations; this is why the malware has to rely on specific OS builds.

References
2022-04-01 — The Hacker News — Ravie Lakshmanan
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili, Ghost RAT
2022-03-30 — Fortinet — Eliran Voronovitch, Rotem Sde-Or
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili, Ghost RAT
Yara Rules
[TLP:WHITE] win_firechili_auto (20260504 | Detects win.firechili.)
rule win_firechili_auto {

    /* Autogenerated code-sequence signature for the win.firechili rootkit/driver
     * (Malpedia family page). Ten byte sequences extracted from the disassembly
     * of the reference sample(s); a file matches when at least 7 of them are
     * present AND the file is smaller than 91136 bytes (see condition below).
     * Licensed CC BY-SA 4.0, sharing level TLP:WHITE (see meta).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.firechili."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: which instruction classes were abstracted.
        // "callsandjumps" and "datarefs" are the reason relocatable operands
        // (call/jump displacements, RIP-relative data references) appear as
        // ???????? wildcards in the hex strings; "binvalue" keeps immediates.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the hex bytes are authoritative; the "| mnemonic" column in
     * the per-sequence comments does NOT correspond to the bytes on the same
     * line (e.g. 33c0 is xor eax, eax but is listed as dec eax; 84c0 is
     * test al, al but is listed as dec eax). The listing appears to be a
     * misaligned decode of what is 64-bit code (REX prefixes 40/41/48/49/4c/4d
     * open most items) — TODO confirm against the generator. Do not use the
     * mnemonic column to reason about what a sequence matches.
     * "n" is the number of instructions in the sequence (equals the number of
     * hex items); "score" is a yara-signator ranking value whose scale is not
     * documented here.
     */
    strings:
        $sequence_0 = { 400fb6ff 488d4c2420 84c0 410f45ff }
            // n = 4, score = 100
            //   400fb6ff             | mov                 esi, dword ptr [esp + 0x40]
            //   488d4c2420           | xor                 al, al
            //   84c0                 | dec                 eax
            //   410f45ff             | mov                 esi, dword ptr [esp + 0x48]

        $sequence_1 = { c3 e8???????? 833d????????00 74e2 4c8bc3 e8???????? 488905???????? }
            // n = 7, score = 100
            //   c3                   | lea                 eax, [edi + edi]
            //   e8????????           |                     
            //   833d????????00       |                     
            //   74e2                 | dec                 ebp
            //   4c8bc3               | mov                 eax, edx
            //   e8????????           |                     
            //   488905????????       |                     

        $sequence_2 = { 33ff 41897b10 49897b18 33c0 498943c8 498943d0 }
            // n = 6, score = 100
            //   33ff                 | mov                 edi, dword ptr [esp + 0x38]
            //   41897b10             | dec                 eax
            //   49897b18             | mov                 ebx, dword ptr [esp + 0x28]
            //   33c0                 | dec                 eax
            //   498943c8             | test                ebx, ebx
            //   498943d0             | je                  0x161d

        $sequence_3 = { ff15???????? eb07 bb0f001cc0 eb2d 488b4c2430 8b442440 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   eb07                 | mov                 edx, dword ptr [edx + eax*4 + 4]
            //   bb0f001cc0           | dec                 esp
            //   eb2d                 | mov                 edx, edi
            //   488b4c2430           | inc                 ecx
            //   8b442440             | movzx               edx, ax

        $sequence_4 = { 4c8d05b4430000 89442434 498bc0 48894c2420 48894c242c 895c2438 }
            // n = 6, score = 100
            //   4c8d05b4430000       | je                  0x315
            //   89442434             | test                eax, eax
            //   498bc0               | js                  0x328
            //   48894c2420           | inc                 ebp
            //   48894c242c           | xor                 ecx, ecx
            //   895c2438             | dec                 eax

        $sequence_5 = { 488bcf ff15???????? eb10 488bd7 }
            // n = 4, score = 100
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   eb10                 | test                ebx, ebx
            //   488bd7               | je                  0xc74

        $sequence_6 = { 0f1f00 488d0440 488d34c500000000 420fb7442e10 428b542e14 0fb6c8 }
            // n = 6, score = 100
            //   0f1f00               | nop                 dword ptr [eax]
            //   488d0440             | dec                 eax
            //   488d34c500000000     | cmp                 eax, esi
            //   420fb7442e10         | dec                 eax
            //   428b542e14           | mov                 eax, dword ptr [esi]
            //   0fb6c8               | mov                 edi, ebp

        $sequence_7 = { 48894138 41807c241000 0f848d000000 4885c0 0f8484000000 4d8bc4 498bd7 }
            // n = 7, score = 100
            //   48894138             | dec                 eax
            //   41807c241000         | mov                 ecx, dword ptr [esp + 0x68]
            //   0f848d000000         | dec                 eax
            //   4885c0               | mov                 dword ptr [esp + 0x50], edx
            //   0f8484000000         | dec                 eax
            //   4d8bc4               | test                ecx, ecx
            //   498bd7               | je                  0x171e

        $sequence_8 = { 4839542420 7509 33c0 663b442428 745e ff15???????? }
            // n = 6, score = 100
            //   4839542420           | test                esi, esi
            //   7509                 | dec                 eax
            //   33c0                 | mov                 esi, dword ptr [esp + 0x48]
            //   663b442428           | dec                 eax
            //   745e                 | lea                 ecx, [0x206c]
            //   ff15????????         |                     

        $sequence_9 = { 488b4908 ff15???????? 8bd8 85c0 0f881b010000 4c8d8c24a8020000 41b848020000 }
            // n = 7, score = 100
            //   488b4908             | mov                 dword ptr [ecx + 0x20], eax
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax
            //   85c0                 | mov                 ecx, dword ptr [esp + 0x30]
            //   0f881b010000         | dec                 eax
            //   4c8d8c24a8020000     | cmp                 dword ptr [ecx + 0x20], 0
            //   41b848020000         | jne                 0x6a6

    // At least 7 of the 10 sequences must match (some tolerance for recompiled
    // or patched builds), and the scanned object must be under 91136 bytes.
    // The size cap is a hard gate: a larger file (e.g. a padded, appended or
    // packed build, or a large memory region) never matches regardless of how
    // many sequences are found. Relax or drop the filesize term when scanning
    // process memory or dumps rather than files on disk.
    condition:
        7 of them and filesize < 91136
}