win.komprogo

KOMPROGO

aka: Splinter RAT

Actor(s): APT32


KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, creating a reverse shell, running WMI queries, and retrieving information about the infected system.

References
2018-11-02 Cylance Cylance
@techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } The SpyRATs of OceanLotus
KOMPROGO PHOREAL
2017-05-14 FireEye Nick Carr
@online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2017 FireEye Bart Inglot, Byrne Ghavalas
@online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } ATTACKER ANTICS: Illustrations of Ingenuity
KOMPROGO SOUNDBITE
2015-12-08 Symantec Symantec
@online{symantec:20151208:backdoorkomprogo:786eb9b, author = {Symantec}, title = {{Backdoor.Komprogo}}, date = {2015-12-08}, organization = {Symantec}, url = {https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99}, language = {English}, urldate = {2019-11-27} } Backdoor.Komprogo
KOMPROGO
Yara Rules
[TLP:WHITE] win_komprogo_auto (20220411 | Detects win.komprogo.)
rule win_komprogo_auto {

    // Auto-generated (yara-signator) code-sequence rule for the KOMPROGO
    // backdoor (aka Splinter RAT, attributed to APT32). All ten strings are
    // 7-instruction 32-bit x86 byte sequences lifted from disassembly; the
    // condition requires 7 of the 10 to co-occur, so no single sequence
    // fires the rule on its own.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.komprogo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-2, 4 and 7-9 are runs of `lea reg, [esi + disp32]` /
        // `mov [esi + disp32], reg` pairs that store esi-relative addresses
        // into an esi-based structure (see the per-byte annotations). The
        // hard-coded disp32 values tie these closely to the analysed build;
        // treat them as sample-specific until confirmed on further samples.
        $sequence_0 = { 8d86cc710300 89867e0a0100 8d86006c0300 8986acc10300 8d9690ad0300 8996d4ad0300 8d86902f0400 }
            // n = 7, score = 100
            //   8d86cc710300         | lea                 eax, dword ptr [esi + 0x371cc]
            //   89867e0a0100         | mov                 dword ptr [esi + 0x10a7e], eax
            //   8d86006c0300         | lea                 eax, dword ptr [esi + 0x36c00]
            //   8986acc10300         | mov                 dword ptr [esi + 0x3c1ac], eax
            //   8d9690ad0300         | lea                 edx, dword ptr [esi + 0x3ad90]
            //   8996d4ad0300         | mov                 dword ptr [esi + 0x3add4], edx
            //   8d86902f0400         | lea                 eax, dword ptr [esi + 0x42f90]

        $sequence_1 = { 898ef1e40000 8d8ec2340000 898ed4bc0300 8d8ecbe30200 898e61ed0200 8d8e84ab0300 898ea4ab0300 }
            // n = 7, score = 100
            //   898ef1e40000         | mov                 dword ptr [esi + 0xe4f1], ecx
            //   8d8ec2340000         | lea                 ecx, dword ptr [esi + 0x34c2]
            //   898ed4bc0300         | mov                 dword ptr [esi + 0x3bcd4], ecx
            //   8d8ecbe30200         | lea                 ecx, dword ptr [esi + 0x2e3cb]
            //   898e61ed0200         | mov                 dword ptr [esi + 0x2ed61], ecx
            //   8d8e84ab0300         | lea                 ecx, dword ptr [esi + 0x3ab84]
            //   898ea4ab0300         | mov                 dword ptr [esi + 0x3aba4], ecx

        $sequence_2 = { 8d96ec910300 8996f4930300 8d8e782d0400 898e7d8a0200 8d8e08ee0300 898e5c110300 8d8e74700300 }
            // n = 7, score = 100
            //   8d96ec910300         | lea                 edx, dword ptr [esi + 0x391ec]
            //   8996f4930300         | mov                 dword ptr [esi + 0x393f4], edx
            //   8d8e782d0400         | lea                 ecx, dword ptr [esi + 0x42d78]
            //   898e7d8a0200         | mov                 dword ptr [esi + 0x28a7d], ecx
            //   8d8e08ee0300         | lea                 ecx, dword ptr [esi + 0x3ee08]
            //   898e5c110300         | mov                 dword ptr [esi + 0x3115c], ecx
            //   8d8e74700300         | lea                 ecx, dword ptr [esi + 0x37074]

        // Sequences 3 and 5 are call sites: the `e8` (call rel32) target bytes
        // are wildcarded because the relative displacement changes with code
        // layout; the surrounding argument setup and result test are what match.
        $sequence_3 = { 8d866c720300 50 b803000000 8bcf e8???????? 83c404 84c0 }
            // n = 7, score = 100
            //   8d866c720300         | lea                 eax, dword ptr [esi + 0x3726c]
            //   50                   | push                eax
            //   b803000000           | mov                 eax, 3
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al

        $sequence_4 = { 8d8690160400 8986bb7b0100 8d86286b0300 898684c00300 8d8e92e80100 898e0c310200 8d8650700300 }
            // n = 7, score = 100
            //   8d8690160400         | lea                 eax, dword ptr [esi + 0x41690]
            //   8986bb7b0100         | mov                 dword ptr [esi + 0x17bbb], eax
            //   8d86286b0300         | lea                 eax, dword ptr [esi + 0x36b28]
            //   898684c00300         | mov                 dword ptr [esi + 0x3c084], eax
            //   8d8e92e80100         | lea                 ecx, dword ptr [esi + 0x1e892]
            //   898e0c310200         | mov                 dword ptr [esi + 0x2310c], ecx
            //   8d8650700300         | lea                 eax, dword ptr [esi + 0x37050]

        $sequence_5 = { 8bce e8???????? 33c9 83c404 85c0 0f95c1 8bf9 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f95c1               | setne               cl
            //   8bf9                 | mov                 edi, ecx

        // Sequence 6 wraps an indirect call (`ff15` = call dword ptr [imm32]);
        // the absolute import-table address is wildcarded since it depends on
        // the image base / relocation, and `lea edx, [eax+eax+2]` afterwards
        // looks like a (length*2)+2 byte-count computation — verify on a sample.
        $sequence_6 = { 57 8bf0 ff15???????? 8d540002 56 53 8995e4fdffff }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   8d540002             | lea                 edx, dword ptr [eax + eax + 2]
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8995e4fdffff         | mov                 dword ptr [ebp - 0x21c], edx

        $sequence_7 = { 899640ad0300 8d86d9610300 898634b20300 8d8e085e0300 898e68ad0300 8d8624e20300 898630b40200 }
            // n = 7, score = 100
            //   899640ad0300         | mov                 dword ptr [esi + 0x3ad40], edx
            //   8d86d9610300         | lea                 eax, dword ptr [esi + 0x361d9]
            //   898634b20300         | mov                 dword ptr [esi + 0x3b234], eax
            //   8d8e085e0300         | lea                 ecx, dword ptr [esi + 0x35e08]
            //   898e68ad0300         | mov                 dword ptr [esi + 0x3ad68], ecx
            //   8d8624e20300         | lea                 eax, dword ptr [esi + 0x3e224]
            //   898630b40200         | mov                 dword ptr [esi + 0x2b430], eax

        $sequence_8 = { 8d86f8980300 8986d5280100 8d8670750300 898660e00300 8d8eac960100 898e30d40100 899eb3650000 }
            // n = 7, score = 100
            //   8d86f8980300         | lea                 eax, dword ptr [esi + 0x398f8]
            //   8986d5280100         | mov                 dword ptr [esi + 0x128d5], eax
            //   8d8670750300         | lea                 eax, dword ptr [esi + 0x37570]
            //   898660e00300         | mov                 dword ptr [esi + 0x3e060], eax
            //   8d8eac960100         | lea                 ecx, dword ptr [esi + 0x196ac]
            //   898e30d40100         | mov                 dword ptr [esi + 0x1d430], ecx
            //   899eb3650000         | mov                 dword ptr [esi + 0x65b3], ebx

        $sequence_9 = { 898640af0300 8d8e00a70300 898eef820200 8d96c4b60000 899677b60000 8d86c95f0300 8986369f0000 }
            // n = 7, score = 100
            //   898640af0300         | mov                 dword ptr [esi + 0x3af40], eax
            //   8d8e00a70300         | lea                 ecx, dword ptr [esi + 0x3a700]
            //   898eef820200         | mov                 dword ptr [esi + 0x282ef], ecx
            //   8d96c4b60000         | lea                 edx, dword ptr [esi + 0xb6c4]
            //   899677b60000         | mov                 dword ptr [esi + 0xb677], edx
            //   8d86c95f0300         | lea                 eax, dword ptr [esi + 0x35fc9]
            //   8986369f0000         | mov                 dword ptr [esi + 0x9f36], eax

    condition:
        // 7 of the 10 sequences must match, in an object smaller than
        // 1045504 bytes (1021 KiB). The size bound is derived from the
        // analysed sample(s) and is meant to cut scan cost / false positives
        // on large files; `filesize` refers to the scanned object, so confirm
        // how your deployment evaluates it for process-memory scans before
        // relying on this rule there.
        7 of them and filesize < 1045504
}