FoalShell (Malware Family)

FoalShell

VTCollection
According to BI.ZONE, FoalShell is a simple reverse shell used by Cavalry Werewolf, written in Go, C++, and C#. FoalShell allows attackers to execute arbitrary commands in the cmd.exe command line interpreter on a compromised host.
References

2025-10-02 ⋅ Medium BI.ZONE ⋅ BI.ZONE
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
FoalShell StallionRAT YoroTrooper
Yara Rules

[TLP:WHITE] win_foalshell_auto (20260504 | Detects win.foalshell.)
rule win_foalshell_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.foalshell."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.foalshell"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883ec58 48837c246800 750c 48c7c0ffffffff e9???????? 488b442468 48ffc8 }
            // n = 7, score = 100
            //   4883ec58             | inc                 esi
            //   48837c246800         | dec                 eax
            //   750c                 | inc                 ecx
            //   48c7c0ffffffff       | dec                 ebx
            //   e9????????           |                     
            //   488b442468           | add                 edx, dword ptr [eax + ebx*8 + 0x1f940]
            //   48ffc8               | mov                 al, byte ptr [edx]

        $sequence_1 = { 4883ea10 660f74c1 660fd7c0 85c0 7507 483bd1 }
            // n = 6, score = 100
            //   4883ea10             | mov                 edx, ebp
            //   660f74c1             | inc                 esp
            //   660fd7c0             | lea                 eax, [edi - 0xa]
            //   85c0                 | dec                 eax
            //   7507                 | lea                 esi, [0x12d8e]
            //   483bd1               | dec                 esp

        $sequence_2 = { a801 0f84da000000 488bd6 498bce }
            // n = 4, score = 100
            //   a801                 | dec                 eax
            //   0f84da000000         | lea                 edx, [0xd2f8]
            //   488bd6               | dec                 eax
            //   498bce               | lea                 ecx, [eax + 8]

        $sequence_3 = { 4d03f6 4b8b94f7d07b0100 e8???????? 85c0 }
            // n = 4, score = 100
            //   4d03f6               | dec                 eax
            //   4b8b94f7d07b0100     | mov                 ecx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   85c0                 | dec                 eax

        $sequence_4 = { 25ffffff1f 3d21059319 0f82fa000000 48635e20 85db 740a }
            // n = 6, score = 100
            //   25ffffff1f           | mov                 dword ptr [ebx], ecx
            //   3d21059319           | dec                 eax
            //   0f82fa000000         | mov                 ebx, ecx
            //   48635e20             | dec                 eax
            //   85db                 | mov                 eax, edx
            //   740a                 | dec                 eax

        $sequence_5 = { 4b0394d840f90100 8a02 88440dff 48ffc1 48ffc2 493bce }
            // n = 6, score = 100
            //   4b0394d840f90100     | xor                 eax, eax
            //   8a02                 | mov                 ecx, 1
            //   88440dff             | rep stosb           byte ptr es:[edi], al
            //   48ffc1               | dec                 eax
            //   48ffc2               | lea                 eax, [esp + 0x31]
            //   493bce               | dec                 eax

        $sequence_6 = { c705????????01000000 488d1510ed0000 488d0dd1ec0000 e8???????? 85c0 740a }
            // n = 6, score = 100
            //   c705????????01000000     |     
            //   488d1510ed0000       | dec                 eax
            //   488d0dd1ec0000       | mov                 eax, dword ptr [esp + 0x28]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   740a                 | cmp                 dword ptr [esp + 0x30], eax

        $sequence_7 = { 0f85b8020000 8b4720 3d20059319 740e 05dffa6ce6 83f801 0f87a0020000 }
            // n = 7, score = 100
            //   0f85b8020000         | lea                 eax, [0x1807d]
            //   8b4720               | dec                 eax
            //   3d20059319           | mov                 dword ptr [ebp - 0x20], eax
            //   740e                 | mov                 dword ptr [ecx + 0x28], edx
            //   05dffa6ce6           | dec                 eax
            //   83f801               | lea                 ecx, [0xd3a7]
            //   0f87a0020000         | dec                 eax

        $sequence_8 = { c3 4053 4883ec20 488bd9 488bc2 488d0d49f00000 0f57c0 }
            // n = 7, score = 100
            //   c3                   | inc                 ecx
            //   4053                 | cmp                 ecx, -1
            //   4883ec20             | jl                  0x6f8
            //   488bd9               | inc                 esp
            //   488bc2               | cmp                 ecx, dword ptr [ebx + 4]
            //   488d0d49f00000       | jge                 0x6f8
            //   0f57c0               | dec                 eax

        $sequence_9 = { 0f8d26010000 488b4f28 ebce 4c8bc3 488bd6 498bce }
            // n = 6, score = 100
            //   0f8d26010000         | lea                 eax, [0x123f0]
            //   488b4f28             | and                 edx, 0x3f
            //   ebce                 | dec                 eax
            //   4c8bc3               | mov                 edx, ecx
            //   488bd6               | dec                 eax
            //   498bce               | lea                 ecx, [esp + 0x20]

    condition:
        7 of them and filesize < 520192
}
Download all Yara Rules
FoalShell Propose Change

References

Yara Rules

FoalShell
