SYMBOLCOMMON_NAMEaka. SYNONYMS
win.komprogo (Back to overview)

KOMPROGO

aka: Splinter RAT

Actor(s): APT32


KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.

References
2018-11-02CylanceCylance
@techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } The SpyRATs of OceanLotus
KOMPROGO PHOREAL
2017-05-14FireEyeNick Carr
@online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2017FireEyeBart Inglot, Byrne Ghavalas
@online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } ATTACKER ANTICS: Illustrations of Ingenuity
KOMPROGO SOUNDBITE
2015-12-08SymantecSymantec
@online{symantec:20151208:backdoorkomprogo:786eb9b, author = {Symantec}, title = {{Backdoor.Komprogo}}, date = {2015-12-08}, organization = {Symantec}, url = {https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99}, language = {English}, urldate = {2019-11-27} } Backdoor.Komprogo
KOMPROGO
Yara Rules
[TLP:WHITE] win_komprogo_auto (20211008 | Detects win.komprogo.)
rule win_komprogo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.komprogo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 899694c30300 8d8e28710300 8986e6c10000 51 8b4dfc 8d8662d10300 899e7a1e0000 }
            // n = 7, score = 100
            //   899694c30300         | mov                 dword ptr [esi + 0x3c394], edx
            //   8d8e28710300         | lea                 ecx, dword ptr [esi + 0x37128]
            //   8986e6c10000         | mov                 dword ptr [esi + 0xc1e6], eax
            //   51                   | push                ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d8662d10300         | lea                 eax, dword ptr [esi + 0x3d162]
            //   899e7a1e0000         | mov                 dword ptr [esi + 0x1e7a], ebx

        $sequence_1 = { 8d96b4be0300 8996fa690300 8d960c370400 899646070300 8d961c700300 8996e8b00000 8d9614700300 }
            // n = 7, score = 100
            //   8d96b4be0300         | lea                 edx, dword ptr [esi + 0x3beb4]
            //   8996fa690300         | mov                 dword ptr [esi + 0x369fa], edx
            //   8d960c370400         | lea                 edx, dword ptr [esi + 0x4370c]
            //   899646070300         | mov                 dword ptr [esi + 0x30746], edx
            //   8d961c700300         | lea                 edx, dword ptr [esi + 0x3701c]
            //   8996e8b00000         | mov                 dword ptr [esi + 0xb0e8], edx
            //   8d9614700300         | lea                 edx, dword ptr [esi + 0x37014]

        $sequence_2 = { 56 ff15???????? 85c0 743a 803d????????00 7517 68???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   743a                 | je                  0x3c
            //   803d????????00       |                     
            //   7517                 | jne                 0x19
            //   68????????           |                     

        $sequence_3 = { 899610e80300 8d96f8f10000 899684bf0300 898602cc0000 898e79cc0000 8d8eaa5e0300 898eb6cc0000 }
            // n = 7, score = 100
            //   899610e80300         | mov                 dword ptr [esi + 0x3e810], edx
            //   8d96f8f10000         | lea                 edx, dword ptr [esi + 0xf1f8]
            //   899684bf0300         | mov                 dword ptr [esi + 0x3bf84], edx
            //   898602cc0000         | mov                 dword ptr [esi + 0xcc02], eax
            //   898e79cc0000         | mov                 dword ptr [esi + 0xcc79], ecx
            //   8d8eaa5e0300         | lea                 ecx, dword ptr [esi + 0x35eaa]
            //   898eb6cc0000         | mov                 dword ptr [esi + 0xccb6], ecx

        $sequence_4 = { 56 e8???????? 8d04452ce64600 8bc8 2bce 6a03 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d04452ce64600       | lea                 eax, dword ptr [eax*2 + 0x46e62c]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3

        $sequence_5 = { 8986066d0100 8d8e78ba0300 898ed4ba0300 8d96b8ba0300 8996dcba0300 8d8660670300 8986f4ba0300 }
            // n = 7, score = 100
            //   8986066d0100         | mov                 dword ptr [esi + 0x16d06], eax
            //   8d8e78ba0300         | lea                 ecx, dword ptr [esi + 0x3ba78]
            //   898ed4ba0300         | mov                 dword ptr [esi + 0x3bad4], ecx
            //   8d96b8ba0300         | lea                 edx, dword ptr [esi + 0x3bab8]
            //   8996dcba0300         | mov                 dword ptr [esi + 0x3badc], edx
            //   8d8660670300         | lea                 eax, dword ptr [esi + 0x36760]
            //   8986f4ba0300         | mov                 dword ptr [esi + 0x3baf4], eax

        $sequence_6 = { 52 ffd7 8b85d0f3ffff 50 ffd7 8b4df8 5f }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8b85d0f3ffff         | mov                 eax, dword ptr [ebp - 0xc30]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   5f                   | pop                 edi

        $sequence_7 = { 8d8650700300 89862e450000 8d96406b0300 89969cc00300 8d860c710300 898657720000 899ef6dd0000 }
            // n = 7, score = 100
            //   8d8650700300         | lea                 eax, dword ptr [esi + 0x37050]
            //   89862e450000         | mov                 dword ptr [esi + 0x452e], eax
            //   8d96406b0300         | lea                 edx, dword ptr [esi + 0x36b40]
            //   89969cc00300         | mov                 dword ptr [esi + 0x3c09c], edx
            //   8d860c710300         | lea                 eax, dword ptr [esi + 0x3710c]
            //   898657720000         | mov                 dword ptr [esi + 0x7257], eax
            //   899ef6dd0000         | mov                 dword ptr [esi + 0xddf6], ebx

        $sequence_8 = { 0f95c0 8bf0 c745e800000000 85f6 7423 8b4d0c 8b11 }
            // n = 7, score = 100
            //   0f95c0               | setne               al
            //   8bf0                 | mov                 esi, eax
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   85f6                 | test                esi, esi
            //   7423                 | je                  0x25
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_9 = { 8d8ec0a60300 898e727d0200 8d8690700300 8986365a0000 8d96205f0300 899614af0300 8d86105f0300 }
            // n = 7, score = 100
            //   8d8ec0a60300         | lea                 ecx, dword ptr [esi + 0x3a6c0]
            //   898e727d0200         | mov                 dword ptr [esi + 0x27d72], ecx
            //   8d8690700300         | lea                 eax, dword ptr [esi + 0x37090]
            //   8986365a0000         | mov                 dword ptr [esi + 0x5a36], eax
            //   8d96205f0300         | lea                 edx, dword ptr [esi + 0x35f20]
            //   899614af0300         | mov                 dword ptr [esi + 0x3af14], edx
            //   8d86105f0300         | lea                 eax, dword ptr [esi + 0x35f10]

    condition:
        7 of them and filesize < 1045504
}
Download all Yara Rules