SYMBOLCOMMON_NAMEaka. SYNONYMS
win.moriagent (Back to overview)

MoriAgent

Actor(s): MuddyWater


There is no description at this point.

References
2022-02-25infoRisk TODAYPrajeet Nair
@online{nair:20220225:muddywater:62fb30e, author = {Prajeet Nair}, title = {{MuddyWater Targets Critical Infrastructure in Asia, Europe}}, date = {2022-02-25}, organization = {infoRisk TODAY}, url = {https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611}, language = {English}, urldate = {2022-03-04} } MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK, NSA
@techreport{fbi:20220224:iranian:9117e42, author = {FBI and CISA and CNMF and NCSC UK and NSA}, title = {{Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf}, language = {English}, urldate = {2022-03-01} } Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK
@online{fbi:20220224:alert:f9ae76b, author = {FBI and CISA and CNMF and NCSC UK}, title = {{Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-055a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-01-12U.S. Cyber CommandU.S. Cyber Command
@online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-07-05paloalto LIVEcommunityMohammed Yasin
@online{yasin:20200705:how:a3796cd, author = {Mohammed Yasin}, title = {{How to stop MortiAgent Malware using the snort rule?}}, date = {2020-07-05}, organization = {paloalto LIVEcommunity}, url = {https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#}, language = {English}, urldate = {2020-08-18} } How to stop MortiAgent Malware using the snort rule?
MoriAgent
2020-06-17Twitter (@Timele9527)Timele12138
@online{timele12138:20200617:moriagent:a4986d2, author = {Timele12138}, title = {{Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)}}, date = {2020-06-17}, organization = {Twitter (@Timele9527)}, url = {https://twitter.com/Timele9527/status/1272776776335233024}, language = {English}, urldate = {2020-06-18} } Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)
MoriAgent
Yara Rules
[TLP:WHITE] win_moriagent_auto (20220411 | Detects win.moriagent.)
rule win_moriagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.moriagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb0c b802000000 eb05 b801000000 33ff }
            // n = 5, score = 200
            //   eb0c                 | jmp                 0xe
            //   b802000000           | mov                 eax, 2
            //   eb05                 | jmp                 7
            //   b801000000           | mov                 eax, 1
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { 6884030000 6858020000 6a00 6a00 50 }
            // n = 5, score = 100
            //   6884030000           | push                0x384
            //   6858020000           | push                0x258
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_2 = { e8???????? 83c404 c705????????00000000 8b5de8 eb15 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c705????????00000000     |     
            //   8b5de8               | mov                 ebx, dword ptr [ebp - 0x18]
            //   eb15                 | jmp                 0x17

        $sequence_3 = { 83c40c 03f1 89b5e4eeffff 89b534efffff 68???????? }
            // n = 5, score = 100
            //   83c40c               | add                 esp, 0xc
            //   03f1                 | add                 esi, ecx
            //   89b5e4eeffff         | mov                 dword ptr [ebp - 0x111c], esi
            //   89b534efffff         | mov                 dword ptr [ebp - 0x10cc], esi
            //   68????????           |                     

        $sequence_4 = { 53 e8???????? 8b5dd4 83c408 8b45cc 8d0c5b 8d0cce }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b5dd4               | mov                 ebx, dword ptr [ebp - 0x2c]
            //   83c408               | add                 esp, 8
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   8d0c5b               | lea                 ecx, dword ptr [ebx + ebx*2]
            //   8d0cce               | lea                 ecx, dword ptr [esi + ecx*8]

        $sequence_5 = { 90 4c89742460 48c744246807000000 664489742450 488b55d0 4983c8ff 0f1f00 }
            // n = 7, score = 100
            //   90                   | nop                 
            //   4c89742460           | dec                 esp
            //   48c744246807000000     | mov    dword ptr [esp + 0x60], esi
            //   664489742450         | dec                 eax
            //   488b55d0             | mov                 dword ptr [esp + 0x68], 7
            //   4983c8ff             | inc                 sp
            //   0f1f00               | mov                 dword ptr [esp + 0x50], esi

        $sequence_6 = { 6bc838 894de0 8b049d00844200 f644082801 }
            // n = 4, score = 100
            //   6bc838               | imul                ecx, eax, 0x38
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b049d00844200       | mov                 eax, dword ptr [ebx*4 + 0x428400]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1

        $sequence_7 = { 90 4c897dff 48c745070f000000 c645ef00 }
            // n = 4, score = 100
            //   90                   | mov                 eax, 0xd
            //   4c897dff             | dec                 eax
            //   48c745070f000000     | lea                 edx, dword ptr [0x5c745]
            //   c645ef00             | nop                 

        $sequence_8 = { 90 4c897588 48c745900f000000 c644247800 }
            // n = 4, score = 100
            //   90                   | lea                 edx, dword ptr [ebp - 0x10]
            //   4c897588             | nop                 
            //   48c745900f000000     | dec                 esp
            //   c644247800           | mov                 dword ptr [ebp - 0x80], esi

        $sequence_9 = { 90 4c89b5b0000000 48c785b80000000f000000 c685a000000000 }
            // n = 4, score = 100
            //   90                   | dec                 esp
            //   4c89b5b0000000       | mov                 dword ptr [esp + 0x30], edi
            //   48c785b80000000f000000     | dec    eax
            //   c685a000000000       | mov                 dword ptr [esp + 0x38], 0xf

        $sequence_10 = { 57 8b7d08 897dfc 8b5e10 43 837e1408 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b5e10               | mov                 ebx, dword ptr [esi + 0x10]
            //   43                   | inc                 ebx
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8

        $sequence_11 = { 90 4c897580 48c7458807000000 664489742470 }
            // n = 4, score = 100
            //   90                   | dec                 esp
            //   4c897580             | mov                 dword ptr [esp + 0x70], esi
            //   48c7458807000000     | dec                 eax
            //   664489742470         | mov                 dword ptr [esp + 0x78], 7

        $sequence_12 = { 90 4c89742470 48c744247807000000 664489742460 }
            // n = 4, score = 100
            //   90                   | dec                 eax
            //   4c89742470           | mov                 edx, dword ptr [ebp - 0x30]
            //   48c744247807000000     | dec    ecx
            //   664489742460         | or                  eax, 0xffffffff

        $sequence_13 = { 8d0d20e44100 ba1d000000 e9???????? 833d????????00 0f852c520000 8d0d20e44100 }
            // n = 6, score = 100
            //   8d0d20e44100         | lea                 ecx, dword ptr [0x41e420]
            //   ba1d000000           | mov                 edx, 0x1d
            //   e9????????           |                     
            //   833d????????00       |                     
            //   0f852c520000         | jne                 0x5232
            //   8d0d20e44100         | lea                 ecx, dword ptr [0x41e420]

        $sequence_14 = { 90 4c897c2430 48c74424380f000000 c644242000 }
            // n = 4, score = 100
            //   90                   | inc                 sp
            //   4c897c2430           | mov                 dword ptr [esp + 0x70], esi
            //   48c74424380f000000     | dec    ecx
            //   c644242000           | or                  ecx, 0xffffffff

    condition:
        7 of them and filesize < 1347904
}
Download all Yara Rules