SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lowkey (Back to overview)

LOWKEY

aka: PortReuse

Actor(s): APT41

VTCollection    

There is no description at this point.

References
2022-03-08MandiantDouglas Bienstock, Geoff Ackerman, John Wolfram, Rufus Brown, Van Ta
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY
2019-10-21ESET ResearchMathieu Tartare
Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0
2019-10-15FireEyeTobias Krueger
LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY POISONPLUG
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
Yara Rules
[TLP:WHITE] win_lowkey_auto (20260504 | Detects win.lowkey.)
rule win_lowkey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lowkey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f20f114c2430 4533c9 41b800080000 488d542450 660f73da08 }
            // n = 5, score = 100
            //   f20f114c2430         | test                eax, eax
            //   4533c9               | je                  0xbbb
            //   41b800080000         | dec                 esp
            //   488d542450           | lea                 eax, [esp + 0x30]
            //   660f73da08           | dec                 eax

        $sequence_1 = { 747e 488b05???????? 4823c2 483b05???????? 756b 488d0574490100 48c74424580f000000 }
            // n = 7, score = 100
            //   747e                 | mov                 edx, dword ptr [ebx + 0x10]
            //   488b05????????       |                     
            //   4823c2               | dec                 eax
            //   483b05????????       |                     
            //   756b                 | test                edx, edx
            //   488d0574490100       | je                  0x15f4
            //   48c74424580f000000     | dec    eax

        $sequence_2 = { 4c8d4c2428 48895c2420 448d4308 895c2428 488d542420 488bcf ff15???????? }
            // n = 7, score = 100
            //   4c8d4c2428           | je                  0x17e8
            //   48895c2420           | inc                 ecx
            //   448d4308             | cmp                 eax, 0x2000
            //   895c2428             | jg                  0x1828
            //   488d542420           | dec                 eax
            //   488bcf               | lea                 edx, [ebp + 0x10]
            //   ff15????????         |                     

        $sequence_3 = { 48895c2458 ff15???????? 48895c2440 4533c9 895c2438 4533c0 }
            // n = 6, score = 100
            //   48895c2458           | mov                 edx, edi
            //   ff15????????         |                     
            //   48895c2440           | dec                 eax
            //   4533c9               | lea                 ecx, [0x33dd5]
            //   895c2438             | nop                 
            //   4533c0               | dec                 ecx

        $sequence_4 = { 488d45e8 48894de8 488945f0 488d15689d0000 }
            // n = 4, score = 100
            //   488d45e8             | dec                 eax
            //   48894de8             | mov                 dword ptr [esp + 0x38], esi
            //   488945f0             | dec                 eax
            //   488d15689d0000       | mov                 esi, ecx

        $sequence_5 = { 4c8d442450 4088740450 488d542438 66896c243d 89442440 e8???????? }
            // n = 6, score = 100
            //   4c8d442450           | dec                 eax
            //   4088740450           | mov                 dword ptr [esp + 0x58], 0xe
            //   488d542438           | dec                 eax
            //   66896c243d           | mov                 dword ptr [esp + 0x50], eax
            //   89442440             | dec                 eax
            //   e8????????           |                     

        $sequence_6 = { 4c63c7 e8???????? 017e20 8b4620 39461c 0f94c0 884609 }
            // n = 7, score = 100
            //   4c63c7               | mov                 eax, 0x66
            //   e8????????           |                     
            //   017e20               | inc                 ecx
            //   8b4620               | mov                 eax, 1
            //   39461c               | or                  edx, 0xffffffff
            //   0f94c0               | dec                 eax
            //   884609               | mov                 eax, dword ptr [ecx]

        $sequence_7 = { 488bc2 488bf1 33db bd01000000 48895c2430 4533c9 }
            // n = 6, score = 100
            //   488bc2               | mov                 eax, dword ptr [ecx]
            //   488bf1               | call                dword ptr [eax + 0x10]
            //   33db                 | dec                 eax
            //   bd01000000           | mov                 ecx, dword ptr [esp + 0x60]
            //   48895c2430           | dec                 eax
            //   4533c9               | mov                 eax, dword ptr [ecx]

        $sequence_8 = { ff15???????? 488b4c2478 ff15???????? 90 33c0 e9???????? 48897c2438 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488b4c2478           | je                  0x16cb
            //   ff15????????         |                     
            //   90                   | dec                 eax
            //   33c0                 | mov                 eax, dword ptr [ebx + 0xe0]
            //   e9????????           |                     
            //   48897c2438           | dec                 eax

        $sequence_9 = { 488d4c2470 e8???????? 83caff 488bcb ff15???????? eb17 b866000000 }
            // n = 7, score = 100
            //   488d4c2470           | dec                 eax
            //   e8????????           |                     
            //   83caff               | mov                 ecx, ebx
            //   488bcb               | mov                 dword ptr [esp + 0x20], edi
            //   ff15????????         |                     
            //   eb17                 | dec                 eax
            //   b866000000           | mov                 ebx, eax

    condition:
        7 of them and filesize < 643072
}
Download all Yara Rules