SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mistpen (Back to overview)

MISTPEN

Actor(s): UNC2970

VTCollection    

According to Mandiant, MISTPEN is a lightweight backdoor written in C whose main functionality is to download and execute Portable Executable (PE) files. The backdoor is a modification of the open-source Notepad++ binhex plugin v2.0.0.1 where the creation of a thread that executes the malicious code has been added to the DllMain function.

References
2025-11-20Orange CyberdefenseAlexis Bonnefoi, Marine PICHON
A Pain in the Mist: Navigating Operation DreamJob’s arsenal
BURNBOOK MISTPEN
2024-12-19Kaspersky LabsSojun Ryu, Vasily Berdnikov
Lazarus group evolves its infection chain with old and new malware
MISTPEN
2024-09-17MandiantMandiant
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
BURNBOOK MISTPEN
Yara Rules
[TLP:WHITE] win_mistpen_auto (20260504 | Detects win.mistpen.)
rule win_mistpen_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mistpen."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistpen"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f20f5cca f2410f590cc1 660f28d1 660f28c1 4c8d0d3b930000 f20f101d???????? }
            // n = 6, score = 100
            //   f20f5cca             | mov                 edx, 0x3a
            //   f2410f590cc1         | dec                 eax
            //   660f28d1             | lea                 ecx, [ebp - 0x20]
            //   660f28c1             | inc                 ebp
            //   4c8d0d3b930000       | test                ebp, ebp
            //   f20f101d????????     |                     

        $sequence_1 = { 448bce 4489642428 4c8bc0 33d2 4c89642420 b9e9fd0000 }
            // n = 6, score = 100
            //   448bce               | lea                 edx, [0x22e52]
            //   4489642428           | jmp                 0x13b8
            //   4c8bc0               | dec                 eax
            //   33d2                 | lea                 edx, [0x164f5]
            //   4c89642420           | dec                 edx
            //   b9e9fd0000           | mov                 ecx, dword ptr [edx]

        $sequence_2 = { 4c8d3555140100 896b48 40886b24 8a11 48ffc1 e9???????? }
            // n = 6, score = 100
            //   4c8d3555140100       | inc                 ecx
            //   896b48               | mov                 ebx, ecx
            //   40886b24             | inc                 ecx
            //   8a11                 | xor                 eax, edx
            //   48ffc1               | inc                 ecx
            //   e9????????           |                     

        $sequence_3 = { 4403c2 410bdb 4181c1a1ebd96e 418bc0 c1c81b 8bce 33cb }
            // n = 7, score = 100
            //   4403c2               | je                  0xa96
            //   410bdb               | dec                 eax
            //   4181c1a1ebd96e       | lea                 ecx, [0x15c08]
            //   418bc0               | add                 ecx, 0x5a827999
            //   c1c81b               | inc                 ecx
            //   8bce                 | or                  ebx, edx
            //   33cb                 | inc                 esp

        $sequence_4 = { ff15???????? 498bc4 eb4b 428b540010 83fa17 7610 b97f000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   498bc4               | inc                 edx
            //   eb4b                 | movzx               edx, byte ptr [eax + esi + 0x29690]
            //   428b540010           | mov                 eax, ebx
            //   83fa17               | inc                 edx
            //   7610                 | movzx               eax, byte ptr [eax + esi + 0x29690]
            //   b97f000000           | inc                 esp

        $sequence_5 = { ffc5 418d4c2402 03cd e8???????? 85f6 458be5 }
            // n = 6, score = 100
            //   ffc5                 | and                 eax, ecx
            //   418d4c2402           | inc                 ecx
            //   03cd                 | mov                 edx, edx
            //   e8????????           |                     
            //   85f6                 | or                  ecx, eax
            //   458be5               | inc                 ebp

        $sequence_6 = { 458b8c9460810200 4133bc8490920200 418bc0 41337e20 c1e808 0fb6c8 8bc3 }
            // n = 7, score = 100
            //   458b8c9460810200     | mov                 ecx, ebp
            //   4133bc8490920200     | dec                 esp
            //   418bc0               | mov                 dword ptr [esp + 0x20], edi
            //   41337e20             | dec                 esp
            //   c1e808               | mov                 ecx, eax
            //   0fb6c8               | inc                 ebp
            //   8bc3                 | xor                 eax, eax

        $sequence_7 = { 418bc7 33c7 c1ca1b 4133c5 41c1e21e 05d6c162ca 41c1ed02 }
            // n = 7, score = 100
            //   418bc7               | xor                 ebx, ebx
            //   33c7                 | dec                 eax
            //   c1ca1b               | lea                 edi, [0xc7eb]
            //   4133c5               | dec                 ebp
            //   41c1e21e             | test                ecx, ecx
            //   05d6c162ca           | dec                 eax
            //   41c1ed02             | mov                 eax, edx

        $sequence_8 = { 488b05???????? 4833c4 488985e0010000 4c8ba560020000 0f57c0 488b8568020000 4c8bf1 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | inc                 ebp
            //   488985e0010000       | xor                 ebx, dword ptr [esp + ecx*4 + 0x28560]
            //   4c8ba560020000       | inc                 ebp
            //   0f57c0               | xor                 ebx, dword ptr [esp + eax*4 + 0x29290]
            //   488b8568020000       | shr                 eax, 0x10
            //   4c8bf1               | movzx               ecx, al

        $sequence_9 = { 488d4c2420 e8???????? 488d158f350200 488d4c2420 e8???????? cc 4883ec48 }
            // n = 7, score = 100
            //   488d4c2420           | mov                 al, 0x65
            //   e8????????           |                     
            //   488d158f350200       | jmp                 0xf7
            //   488d4c2420           | mov                 cl, 0x34
            //   e8????????           |                     
            //   cc                   | jmp                 0xf7
            //   4883ec48             | mov                 cl, 0x33

    condition:
        7 of them and filesize < 458752
}
Download all Yara Rules