win.komprogo

KOMPROGO

aka: Splinter RAT

Actor(s): APT32


KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, creating a reverse shell, running WMI queries, and retrieving information about the infected system.

References
2018-11-02 — Cylance — Cylance
The SpyRATs of OceanLotus
KOMPROGO PHOREAL
2017-05-14 — FireEye — Nick Carr
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2017-01-01 — FireEye — Bart Inglot, Byrne Ghavalas
ATTACKER ANTICS: Illustrations of Ingenuity
KOMPROGO SOUNDBITE
2015-12-08 — Symantec — Symantec
Backdoor.Komprogo
KOMPROGO
Yara Rules
[TLP:WHITE] win_komprogo_auto (20260504 | Detects win.komprogo.)
rule win_komprogo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.komprogo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on how to read and deploy this rule:
     * - Each $sequence_N below is a run of raw x86 (32-bit) instruction bytes;
     *   the decoded listing under each string shows mostly mov/lea pairs that
     *   address fixed offsets from esi (e.g. [esi + 0x37248]). Those constants
     *   are tied to the layout of the sample the rule was generated from, so a
     *   rebuilt variant with a different layout may not hit these sequences.
     * - Per the disclaimer above, the sequences come from memory dumps and
     *   unpacked files, i.e. unpacked code. A packed on-disk sample is not
     *   expected to match until it has been unpacked.
     * - "n" in each string's annotation is the number of instructions in the
     *   sequence (it equals the number of decoded lines shown). The meaning of
     *   "score" is not defined on this page; consult the yara-signator
     *   documentation before using it to weight detections.
     */

    strings:
        $sequence_0 = { 83c404 84c0 7451 8d8e48720300 51 8d86d2cf0300 8bcf }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al
            //   7451                 | je                  0x53
            //   8d8e48720300         | lea                 ecx, [esi + 0x37248]
            //   51                   | push                ecx
            //   8d86d2cf0300         | lea                 eax, [esi + 0x3cfd2]
            //   8bcf                 | mov                 ecx, edi

        $sequence_1 = { 898e73450300 8996e7410100 8d8ef4380400 898eed410100 8d8e60f10300 898e30a30300 8d96ccb80300 }
            // n = 7, score = 100
            //   898e73450300         | mov                 dword ptr [esi + 0x34573], ecx
            //   8996e7410100         | mov                 dword ptr [esi + 0x141e7], edx
            //   8d8ef4380400         | lea                 ecx, [esi + 0x438f4]
            //   898eed410100         | mov                 dword ptr [esi + 0x141ed], ecx
            //   8d8e60f10300         | lea                 ecx, [esi + 0x3f160]
            //   898e30a30300         | mov                 dword ptr [esi + 0x3a330], ecx
            //   8d96ccb80300         | lea                 edx, [esi + 0x3b8cc]

        $sequence_2 = { 8d96d8be0300 899644bf0300 8d8628bf0300 89864cbf0300 8d96606a0300 89966cbf0300 }
            // n = 6, score = 100
            //   8d96d8be0300         | lea                 edx, [esi + 0x3bed8]
            //   899644bf0300         | mov                 dword ptr [esi + 0x3bf44], edx
            //   8d8628bf0300         | lea                 eax, [esi + 0x3bf28]
            //   89864cbf0300         | mov                 dword ptr [esi + 0x3bf4c], eax
            //   8d96606a0300         | lea                 edx, [esi + 0x36a60]
            //   89966cbf0300         | mov                 dword ptr [esi + 0x3bf6c], edx

        $sequence_3 = { 8986ef470000 8d8e90160400 898eab3e0200 89be389c0000 8d8e58700300 898e93480000 8d8e90e90300 }
            // n = 7, score = 100
            //   8986ef470000         | mov                 dword ptr [esi + 0x47ef], eax
            //   8d8e90160400         | lea                 ecx, [esi + 0x41690]
            //   898eab3e0200         | mov                 dword ptr [esi + 0x23eab], ecx
            //   89be389c0000         | mov                 dword ptr [esi + 0x9c38], edi
            //   8d8e58700300         | lea                 ecx, [esi + 0x37058]
            //   898e93480000         | mov                 dword ptr [esi + 0x4893], ecx
            //   8d8e90e90300         | lea                 ecx, [esi + 0x3e990]

        $sequence_4 = { 8986e0d20100 8d86e15c0300 8986c6c70000 8d8eab880100 898ee8d20100 8d9683bd0100 }
            // n = 6, score = 100
            //   8986e0d20100         | mov                 dword ptr [esi + 0x1d2e0], eax
            //   8d86e15c0300         | lea                 eax, [esi + 0x35ce1]
            //   8986c6c70000         | mov                 dword ptr [esi + 0xc7c6], eax
            //   8d8eab880100         | lea                 ecx, [esi + 0x188ab]
            //   898ee8d20100         | mov                 dword ptr [esi + 0x1d2e8], ecx
            //   8d9683bd0100         | lea                 edx, [esi + 0x1bd83]

        $sequence_5 = { 89861cb60300 8d8e28640300 898ed4b50300 8d9610780300 899624e80300 8d86e4970300 8986a5080100 }
            // n = 7, score = 100
            //   89861cb60300         | mov                 dword ptr [esi + 0x3b61c], eax
            //   8d8e28640300         | lea                 ecx, [esi + 0x36428]
            //   898ed4b50300         | mov                 dword ptr [esi + 0x3b5d4], ecx
            //   8d9610780300         | lea                 edx, [esi + 0x37810]
            //   899624e80300         | mov                 dword ptr [esi + 0x3e824], edx
            //   8d86e4970300         | lea                 eax, [esi + 0x397e4]
            //   8986a5080100         | mov                 dword ptr [esi + 0x108a5], eax

        $sequence_6 = { 8986f8bc0200 8d8e57540300 8d86e0710300 898e78c50300 8b4df0 50 b809000000 }
            // n = 7, score = 100
            //   8986f8bc0200         | mov                 dword ptr [esi + 0x2bcf8], eax
            //   8d8e57540300         | lea                 ecx, [esi + 0x35457]
            //   8d86e0710300         | lea                 eax, [esi + 0x371e0]
            //   898e78c50300         | mov                 dword ptr [esi + 0x3c578], ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   b809000000           | mov                 eax, 9

        $sequence_7 = { 898605090100 8d8ef85b0300 898e76ae0000 8d9694160400 8996d9d20000 8d8628700300 8986b6ae0000 }
            // n = 7, score = 100
            //   898605090100         | mov                 dword ptr [esi + 0x10905], eax
            //   8d8ef85b0300         | lea                 ecx, [esi + 0x35bf8]
            //   898e76ae0000         | mov                 dword ptr [esi + 0xae76], ecx
            //   8d9694160400         | lea                 edx, [esi + 0x41694]
            //   8996d9d20000         | mov                 dword ptr [esi + 0xd2d9], edx
            //   8d8628700300         | lea                 eax, [esi + 0x37028]
            //   8986b6ae0000         | mov                 dword ptr [esi + 0xaeb6], eax

        $sequence_8 = { 8d86e0a50300 898666cc0200 8d866c770300 898658e80300 8d868c720300 50 b812000000 }
            // n = 7, score = 100
            //   8d86e0a50300         | lea                 eax, [esi + 0x3a5e0]
            //   898666cc0200         | mov                 dword ptr [esi + 0x2cc66], eax
            //   8d866c770300         | lea                 eax, [esi + 0x3776c]
            //   898658e80300         | mov                 dword ptr [esi + 0x3e858], eax
            //   8d868c720300         | lea                 eax, [esi + 0x3728c]
            //   50                   | push                eax
            //   b812000000           | mov                 eax, 0x12

        $sequence_9 = { 8d8ea8970300 898e5f510100 8d8e50720300 89be504b0300 898ea94d0000 8d8ef0380400 }
            // n = 6, score = 100
            //   8d8ea8970300         | lea                 ecx, [esi + 0x397a8]
            //   898e5f510100         | mov                 dword ptr [esi + 0x1515f], ecx
            //   8d8e50720300         | lea                 ecx, [esi + 0x37250]
            //   89be504b0300         | mov                 dword ptr [esi + 0x34b50], edi
            //   898ea94d0000         | mov                 dword ptr [esi + 0x4da9], ecx
            //   8d8ef0380400         | lea                 ecx, [esi + 0x438f0]

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present and
        // the scanned object is smaller than 1045504 bytes (just under 1 MiB).
        // The size bound limits false positives on large binaries that might
        // contain a few of these short byte runs by chance.
        // NOTE(review): filesize is a file-oriented check; confirm how your
        // scanner evaluates it when scanning process memory rather than files
        // before relying on this rule in memory scans.
        7 of them and filesize < 1045504
}