Cisco Talos compared this RAT to Cobalt Strike and Sliver; it is written in Rust.
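rule win_manjusaka_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.manjusaka."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction annotations shipped with the generated
     * rule did not correspond to the bytes they were attached to (for example
     * b802000000 was annotated "cmp ecx, 0xfe00"; it decodes to "mov eax, 2").
     * They are replaced below by a decoding of the actual bytes as x86-64
     * (REX prefixes 41/48/49/4a/4c/4d occur in most sequences). The hex patterns
     * and the condition are unchanged. "????????" masks a rel32 / disp32 operand
     * (call/jmp targets and RIP-relative data references), so each sequence
     * still matches regardless of where the code was linked or loaded. */

    strings:
        $sequence_0 = { b802000000 f0490fb10e 488d4c2428 e8???????? 90 4883c448 5b }
            // n = 7, score = 100
            // b802000000  | mov eax, 2
            // f0490fb10e  | lock cmpxchg qword ptr [r14], rcx
            // 488d4c2428  | lea rcx, [rsp + 0x28]
            // e8????????  | call rel32 (masked)
            // 90          | nop
            // 4883c448    | add rsp, 0x48
            // 5b          | pop rbx

        $sequence_1 = { 84c0 745a 488b4f70 4c8bc7 488b17 4883c108 e8???????? }
            // n = 7, score = 100
            // 84c0        | test al, al
            // 745a        | je short (rel8 0x5a)
            // 488b4f70    | mov rcx, qword ptr [rdi + 0x70]
            // 4c8bc7      | mov r8, rdi
            // 488b17      | mov rdx, qword ptr [rdi]
            // 4883c108    | add rcx, 8
            // e8????????  | call rel32 (masked)

        $sequence_2 = { e9???????? 488b8c24e8030000 488b9424d8030000 e8???????? 488b442448 4c8ba858010000 488bb060010000 }
            // n = 7, score = 100
            // e9????????        | jmp rel32 (masked)
            // 488b8c24e8030000  | mov rcx, qword ptr [rsp + 0x3e8]
            // 488b9424d8030000  | mov rdx, qword ptr [rsp + 0x3d8]
            // e8????????        | call rel32 (masked)
            // 488b442448        | mov rax, qword ptr [rsp + 0x48]
            // 4c8ba858010000    | mov r13, qword ptr [rax + 0x158]
            // 488bb060010000    | mov rsi, qword ptr [rax + 0x160]

        $sequence_3 = { 84c0 410f95c1 488d5c2428 4889d9 4c89ea 41b812000000 e8???????? }
            // n = 7, score = 100
            // 84c0          | test al, al
            // 410f95c1      | setne r9b
            // 488d5c2428    | lea rbx, [rsp + 0x28]
            // 4889d9        | mov rcx, rbx
            // 4c89ea        | mov rdx, r13
            // 41b812000000  | mov r8d, 0x12
            // e8????????    | call rel32 (masked)

        $sequence_4 = { 7204 4d8b40f8 488b0d???????? 31d2 e8???????? 488b4b58 488b4360 }
            // n = 7, score = 100
            // 7204            | jb short (rel8 0x04)
            // 4d8b40f8        | mov r8, qword ptr [r8 - 8]
            // 488b0d????????  | mov rcx, qword ptr [rip + disp32] (masked)
            // 31d2            | xor edx, edx
            // e8????????      | call rel32 (masked)
            // 488b4b58        | mov rcx, qword ptr [rbx + 0x58]
            // 488b4360        | mov rax, qword ptr [rbx + 0x60]

        $sequence_5 = { eb0f b9741a0100 e9???????? 4a8b5cfd60 0fb74318 0fb64b0c 03c2 }
            // n = 7, score = 100
            // eb0f        | jmp short (rel8 0x0f)
            // b9741a0100  | mov ecx, 0x11a74
            // e9????????  | jmp rel32 (masked)
            // 4a8b5cfd60  | mov rbx, qword ptr [rbp + r15*8 + 0x60]
            // 0fb74318    | movzx eax, word ptr [rbx + 0x18]
            // 0fb64b0c    | movzx ecx, byte ptr [rbx + 0xc]
            // 03c2        | add eax, edx

        $sequence_6 = { e8???????? 4885d2 7415 4c39e8 7509 4c39e2 0f846a010000 }
            // n = 7, score = 100
            // e8????????    | call rel32 (masked)
            // 4885d2        | test rdx, rdx
            // 7415          | je short (rel8 0x15)
            // 4c39e8        | cmp rax, r13
            // 7509          | jne short (rel8 0x09)
            // 4c39e2        | cmp rdx, r12
            // 0f846a010000  | je near (rel32 0x16a)

        $sequence_7 = { 8bf0 8b5b54 23de 83fb11 0f8520010000 418bc7 4503fd }
            // n = 7, score = 100
            // 8bf0          | mov esi, eax
            // 8b5b54        | mov ebx, dword ptr [rbx + 0x54]
            // 23de          | and ebx, esi
            // 83fb11        | cmp ebx, 0x11
            // 0f8520010000  | jne near (rel32 0x120)
            // 418bc7        | mov eax, r15d
            // 4503fd        | add r15d, r13d

        $sequence_8 = { 84db 7805 49ffc4 eb6e 89d9 83e11f 410fb6742401 }
            // n = 7, score = 100
            // 84db          | test bl, bl
            // 7805          | js short (rel8 0x05)
            // 49ffc4        | inc r12
            // eb6e          | jmp short (rel8 0x6e)
            // 89d9          | mov ecx, ebx
            // 83e11f        | and ecx, 0x1f
            // 410fb6742401  | movzx esi, byte ptr [r12 + 1]

        $sequence_9 = { fec0 884322 e9???????? 8d4d01 48897308 894b28 488bc7 }
            // n = 7, score = 100
            // fec0        | inc al
            // 884322      | mov byte ptr [rbx + 0x22], al
            // e9????????  | jmp rel32 (masked)
            // 8d4d01      | lea ecx, [rbp + 1]
            // 48897308    | mov qword ptr [rbx + 8], rsi
            // 894b28      | mov dword ptr [rbx + 0x28], ecx
            // 488bc7      | mov rax, rdi

    condition:
        // At least 7 of the 10 code sequences must be present; the filesize bound
        // is part of the generated rule (presumably derived from the reference
        // samples) and limits scanning cost on large inputs.
        7 of them and filesize < 4772864
}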