win.fuwuqidrama

FuwuqiDrama

Actor(s): Lazarus Group


FuwuqiDrama is a server-side RAT. It manages client connections using I/O completion ports (IOCP), a mechanism normally found in high-performance Windows server applications as an efficient way to handle many concurrent clients at once.

It contains two distinguishing hardcoded lists.

The first is a list of roughly 50 video file names of South Korean TV series, with their titles translated into Mandarin Chinese and written in Pinyin romanization, i.e. spelled in the Latin alphabet without tone marks. For example, meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) and wulalafufu.avi corresponds to Ohlala Couple (also from 2012).

The second is a list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list appears in some WannaCryptor samples.

FuwuqiDrama stores its configuration in the INI file data\package_con_x86.cat. It contains the port number and a bot identifier, both within a single section called Fuwuqi, the romanized Chinese word for server.

References
2018-10-03 | Virus Bulletin | Michal Poslušný, Peter Kálnai
Lazarus Group: A Mahjong Game Played with Different Sets of Tiles
Families: Bankshot, BanPolMex RAT, FuwuqiDrama, HOTWAX, KillDisk (Lazarus), NACHOCHEESE, REDSHAWL, WannaCryptor
Yara Rules
[TLP:WHITE] win_fuwuqidrama_auto (20260504 | Detects win.fuwuqidrama.)
rule win_fuwuqidrama_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fuwuqidrama."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 893e 8b4e2c 8b4630 51 50 50 }
            // n = 6, score = 100
            //   893e                 | mov                 dword ptr [esi], edi
            //   8b4e2c               | mov                 ecx, dword ptr [esi + 0x2c]
            //   8b4630               | mov                 eax, dword ptr [esi + 0x30]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_1 = { 85c0 7529 85d2 750a }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   7529                 | jne                 0x2b
            //   85d2                 | test                edx, edx
            //   750a                 | jne                 0xc

        $sequence_2 = { e8???????? 68???????? 8bce e8???????? eb56 68???????? 8bce }
            // n = 7, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb56                 | jmp                 0x58
            //   68????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_3 = { 50 51 8d4c245c c684242401000001 e8???????? 8b542454 52 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d4c245c             | lea                 ecx, [esp + 0x5c]
            //   c684242401000001     | mov                 byte ptr [esp + 0x124], 1
            //   e8????????           |                     
            //   8b542454             | mov                 edx, dword ptr [esp + 0x54]
            //   52                   | push                edx

        $sequence_4 = { 52 8bce c644241b20 e8???????? 8b5c2424 6a00 8dbbcd000000 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   c644241b20           | mov                 byte ptr [esp + 0x1b], 0x20
            //   e8????????           |                     
            //   8b5c2424             | mov                 ebx, dword ptr [esp + 0x24]
            //   6a00                 | push                0
            //   8dbbcd000000         | lea                 edi, [ebx + 0xcd]

        $sequence_5 = { 57 88442414 bf???????? 83c9ff 33c0 33db 6a01 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   88442414             | mov                 byte ptr [esp + 0x14], al
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   33db                 | xor                 ebx, ebx
            //   6a01                 | push                1

        $sequence_6 = { 50 8bcd c644246003 e8???????? 8b8f88000000 8d542458 894c2458 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8bcd                 | mov                 ecx, ebp
            //   c644246003           | mov                 byte ptr [esp + 0x60], 3
            //   e8????????           |                     
            //   8b8f88000000         | mov                 ecx, dword ptr [edi + 0x88]
            //   8d542458             | lea                 edx, [esp + 0x58]
            //   894c2458             | mov                 dword ptr [esp + 0x58], ecx

        $sequence_7 = { c1e91f 03d1 3bc2 0f83d2000000 8b5604 8b442414 83c9ff }
            // n = 7, score = 100
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx
            //   3bc2                 | cmp                 eax, edx
            //   0f83d2000000         | jae                 0xd8
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_8 = { 83c104 4a 75ee 53 e8???????? 8b4e70 83c404 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   4a                   | dec                 edx
            //   75ee                 | jne                 0xfffffff0
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b4e70               | mov                 ecx, dword ptr [esi + 0x70]
            //   83c404               | add                 esp, 4

        $sequence_9 = { 8b442434 33f6 3bc6 7505 a1???????? 50 }
            // n = 6, score = 100
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   33f6                 | xor                 esi, esi
            //   3bc6                 | cmp                 eax, esi
            //   7505                 | jne                 7
            //   a1????????           |                     
            //   50                   | push                eax

    condition:
        7 of them and filesize < 245760
}
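To show how the rule above is evaluated, here is an added example (not part of the Malpedia page or of yara-signator) that re-implements its hex strings and condition in plain Python: each `??` is a single-byte wildcard masking a relocated call or push operand, and the rule fires when at least 7 of the 10 sequences are present in a file smaller than 245760 bytes. The sample buffer built by `build_sample` is constructed for the demonstration, not taken from a real sample.

```python
import re

# Hex sequences copied from the win_fuwuqidrama_auto rule on this page.
# "??" is a YARA single-byte wildcard (call targets / absolute addresses
# that change between builds, so yara-signator masks them).
SEQUENCES = {
    "sequence_0": "893e 8b4e2c 8b4630 51 50 50",
    "sequence_1": "85c0 7529 85d2 750a",
    "sequence_2": "e8???????? 68???????? 8bce e8???????? eb56 68???????? 8bce",
    "sequence_3": "50 51 8d4c245c c684242401000001 e8???????? 8b542454 52",
    "sequence_4": "52 8bce c644241b20 e8???????? 8b5c2424 6a00 8dbbcd000000",
    "sequence_5": "57 88442414 bf???????? 83c9ff 33c0 33db 6a01",
    "sequence_6": "50 8bcd c644246003 e8???????? 8b8f88000000 8d542458 894c2458",
    "sequence_7": "c1e91f 03d1 3bc2 0f83d2000000 8b5604 8b442414 83c9ff",
    "sequence_8": "83c104 4a 75ee 53 e8???????? 8b4e70 83c404",
    "sequence_9": "8b442434 33f6 3bc6 7505 a1???????? 50",
}
MIN_MATCHES = 7        # "7 of them"
MAX_FILESIZE = 245760  # "filesize < 245760"

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (with ?? wildcards) into a bytes regex."""
    hexdigits = pattern.replace(" ", "")
    parts = []
    for i in range(0, len(hexdigits), 2):
        byte = hexdigits[i:i + 2]
        # "." with DOTALL matches any single byte, i.e. a YARA "??"
        parts.append(b"." if byte == "??" else re.escape(bytes.fromhex(byte)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}

def matching_sequences(data: bytes) -> list:
    """Names of the rule's strings found anywhere in the buffer."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def rule_matches(data: bytes) -> bool:
    """Mirror the rule's condition: 7 of them and filesize < 245760."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES

def build_sample(names, filler: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer: the chosen sequences joined by NOP padding,
    with every wildcard byte filled with 0x11 (any value would do)."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "11"))
              for n in names]
    return filler.join(chunks)
```

Running the real rule with the yara tool is still the reference; this evaluator only illustrates why a file with six of the sequences, or an oversized file containing all ten, does not trigger it.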