SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hyperbro (Back to overview)

HyperBro

Actor(s): Emissary Panda


There is no description at this point.

References
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz LuckyMouse
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-03-25Team CymruTeam Cymru
@online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } How the Iranian Cyber Security Agency Detects Emissary Panda Malware
HyperBro
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2018-06-13Kaspersky LabsDenis Legezo
@online{legezo:20180613:luckymouse:26f9860, author = {Denis Legezo}, title = {{LuckyMouse hits national data center to organize country-level waterholing campaign}}, date = {2018-06-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-hits-national-data-center/86083/}, language = {English}, urldate = {2019-12-20} } LuckyMouse hits national data center to organize country-level waterholing campaign
HyperBro LuckyMouse
Yara Rules
[TLP:WHITE] win_hyperbro_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_hyperbro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b442410 8b7c240c 53 3bf8 7413 e8???????? }
            // n = 6, score = 300
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   53                   | push                ebx
            //   3bf8                 | cmp                 edi, eax
            //   7413                 | je                  0x15
            //   e8????????           |                     

        $sequence_1 = { 33db 56 57 3bc3 740b 53 50 }
            // n = 7, score = 300
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   3bc3                 | cmp                 eax, ebx
            //   740b                 | je                  0xd
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_2 = { 23d3 33db 85c9 8b08 0f94c3 c644242281 }
            // n = 6, score = 300
            //   23d3                 | and                 edx, ebx
            //   33db                 | xor                 ebx, ebx
            //   85c9                 | test                ecx, ecx
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   0f94c3               | sete                bl
            //   c644242281           | mov                 byte ptr [esp + 0x22], 0x81

        $sequence_3 = { 3d01feffff 0f8703030000 8bd5 2bd1 83fa01 0f82f6020000 }
            // n = 6, score = 300
            //   3d01feffff           | cmp                 eax, 0xfffffe01
            //   0f8703030000         | ja                  0x309
            //   8bd5                 | mov                 edx, ebp
            //   2bd1                 | sub                 edx, ecx
            //   83fa01               | cmp                 edx, 1
            //   0f82f6020000         | jb                  0x2fc

        $sequence_4 = { 8810 40 47 83ed01 75f5 03f3 8b442428 }
            // n = 7, score = 300
            //   8810                 | mov                 byte ptr [eax], dl
            //   40                   | inc                 eax
            //   47                   | inc                 edi
            //   83ed01               | sub                 ebp, 1
            //   75f5                 | jne                 0xfffffff7
            //   03f3                 | add                 esi, ebx
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]

        $sequence_5 = { 6a00 ff15???????? 8bf8 85ff 7432 8b442424 }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7432                 | je                  0x34
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_6 = { ffd2 8b742414 53 56 68???????? 8d7c2450 e8???????? }
            // n = 7, score = 300
            //   ffd2                 | call                edx
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   68????????           |                     
            //   8d7c2450             | lea                 edi, [esp + 0x50]
            //   e8????????           |                     

        $sequence_7 = { 83c40c 56 e8???????? 8b742448 8b0d???????? 83c404 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b742448             | mov                 esi, dword ptr [esp + 0x48]
            //   8b0d????????         |                     
            //   83c404               | add                 esp, 4

        $sequence_8 = { 3d01feffff 0f878c010000 8bd5 2bd1 83fa01 0f8249010000 }
            // n = 6, score = 300
            //   3d01feffff           | cmp                 eax, 0xfffffe01
            //   0f878c010000         | ja                  0x192
            //   8bd5                 | mov                 edx, ebp
            //   2bd1                 | sub                 edx, ecx
            //   83fa01               | cmp                 edx, 1
            //   0f8249010000         | jb                  0x14f

        $sequence_9 = { 2bc6 83f803 0f827a020000 0fb602 8806 0fb64201 }
            // n = 6, score = 300
            //   2bc6                 | sub                 eax, esi
            //   83f803               | cmp                 eax, 3
            //   0f827a020000         | jb                  0x280
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   8806                 | mov                 byte ptr [esi], al
            //   0fb64201             | movzx               eax, byte ptr [edx + 1]

    condition:
        7 of them and filesize < 352256
}
Download all Yara Rules