win.funny_dream

FunnyDream


There is no description at this point.

References
2021-12-08 — Recorded Future — Insikt Group®
Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 — PWC UK — PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-04 — nao_sec blog — nao_sec
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 — NTT Security — Hiroki Hada
Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 — Bitdefender — Liviu Arsene, Victor Vrabie
Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20260504 | Detects win.funny_dream.)
rule win_funny_dream_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): reading guide for this auto-generated rule.
     * - Each $sequence_N is a run of x86 instruction bytes; the disassembly
     *   listed beneath it shows the instructions it encodes. "n" is the number
     *   of instructions in the run; "score" is the generator's per-sequence
     *   weight (its scale is not documented on this page).
     * - Byte pairs written as "??" are YARA hex-string wildcards. They occur
     *   exactly where the listing leaves the mnemonic/operand column blank
     *   (e.g. ff15????????, e8????????, 68????????), presumably operands that
     *   are absolute addresses or relocated immediates and therefore vary
     *   between builds and load addresses — confirm against the generator
     *   output if the exact operand matters for your triage.
     * - The patterns are opcode sequences taken from unpacked/memory-dumped
     *   code (see disclaimer above), so a packed or encrypted sample on disk
     *   is not expected to match until it is unpacked or dumped.
     */

    strings:
        $sequence_0 = { 6a00 ff7724 ff15???????? 8b4714 8b35???????? 85c0 }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   ff7724               | push                dword ptr [edi + 0x24]
            //   ff15????????         |                     
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   8b35????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { 0fb6c9 ba01000000 0f44ca 898df4f9ffff 8d85f8f9ffff c785f8f9ffff00000000 }
            // n = 6, score = 300
            //   0fb6c9               | movzx               ecx, cl
            //   ba01000000           | mov                 edx, 1
            //   0f44ca               | cmove               ecx, edx
            //   898df4f9ffff         | mov                 dword ptr [ebp - 0x60c], ecx
            //   8d85f8f9ffff         | lea                 eax, [ebp - 0x608]
            //   c785f8f9ffff00000000     | mov    dword ptr [ebp - 0x608], 0

        $sequence_2 = { ff15???????? 85c0 7513 68???????? ff15???????? 85c0 0f84a5000000 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84a5000000         | je                  0xab

        $sequence_3 = { ff15???????? 85c0 747e 8b9df8fdffff 8d4304 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   747e                 | je                  0x80
            //   8b9df8fdffff         | mov                 ebx, dword ptr [ebp - 0x208]
            //   8d4304               | lea                 eax, [ebx + 4]

        $sequence_4 = { ffb5b4feffff ffd7 5f 5e b001 5b 8b4dfc }
            // n = 7, score = 300
            //   ffb5b4feffff         | push                dword ptr [ebp - 0x14c]
            //   ffd7                 | call                edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b001                 | mov                 al, 1
            //   5b                   | pop                 ebx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_5 = { 8bce 85c0 741e 83c009 50 57 e8???????? }
            // n = 7, score = 300
            //   8bce                 | mov                 ecx, esi
            //   85c0                 | test                eax, eax
            //   741e                 | je                  0x20
            //   83c009               | add                 eax, 9
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_6 = { 8bf2 50 0f1184242c010000 8d84242c010000 0f2805???????? 50 0f11842420010000 }
            // n = 7, score = 300
            //   8bf2                 | mov                 esi, edx
            //   50                   | push                eax
            //   0f1184242c010000     | movups              xmmword ptr [esp + 0x12c], xmm0
            //   8d84242c010000       | lea                 eax, [esp + 0x12c]
            //   0f2805????????       |                     
            //   50                   | push                eax
            //   0f11842420010000     | movups              xmmword ptr [esp + 0x120], xmm0

        $sequence_7 = { ffb5a0fdffff ffd3 ffb594fdffff ff15???????? }
            // n = 4, score = 300
            //   ffb5a0fdffff         | push                dword ptr [ebp - 0x260]
            //   ffd3                 | call                ebx
            //   ffb594fdffff         | push                dword ptr [ebp - 0x26c]
            //   ff15????????         |                     

        $sequence_8 = { 8db5d0fdffff 2410 8d4e01 88041f 47 6690 8a06 }
            // n = 7, score = 300
            //   8db5d0fdffff         | lea                 esi, [ebp - 0x230]
            //   2410                 | and                 al, 0x10
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   47                   | inc                 edi
            //   6690                 | nop                 
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_9 = { 8d95f9f7ffff 668985f2f7ffff c785f4f7ffff00000001 8bce 2bd6 }
            // n = 5, score = 300
            //   8d95f9f7ffff         | lea                 edx, [ebp - 0x807]
            //   668985f2f7ffff       | mov                 word ptr [ebp - 0x80e], ax
            //   c785f4f7ffff00000001     | mov    dword ptr [ebp - 0x80c], 0x1000000
            //   8bce                 | mov                 ecx, esi
            //   2bd6                 | sub                 edx, esi

    condition:
        // At least 7 of the 10 sequences above must be present, and the scanned
        // object must be smaller than 393216 bytes (384 KiB). Raising the "7"
        // tightens the rule toward the documented sample(s); lowering it widens
        // coverage at the cost of false positives — re-test against a benign
        // corpus before changing either bound. Note that the size bound is a
        // hard gate: a carrier larger than 384 KiB will not match even if every
        // sequence is present, and YARA's filesize semantics for non-file
        // targets (process memory) should be confirmed for your scanner setup.
        7 of them and filesize < 393216
}