win.moriagent (Back to overview)

MoriAgent

Actor(s): MuddyWater


There is no description at this point.

References
2022-02-25infoRisk TODAYPrajeet Nair
MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24CISA, CNMF, FBI, NCSC UK
Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-02-24CISA, CNMF, FBI, NCSC UK, NSA
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-01-12U.S. Cyber CommandU.S. Cyber Command
Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-17Twitter (@Timele9527)Timele12138
Tweet on MoriAgent used by MuddyWater (incl YARA rule)
MoriAgent
2020-05-07paloalto LIVEcommunityMohammed Yasin
How to stop MortiAgent Malware using the snort rule?
MoriAgent
Yara Rules
[TLP:WHITE] win_moriagent_auto (20230808 | Detects win.moriagent.)
rule win_moriagent_auto {
    // Auto-generated code-sequence rule for win.moriagent (MoriAgent; this page
    // attributes it to MuddyWater). It matches raw x86 opcode byte sequences,
    // not text strings; the DISCLAIMER below describes how they were selected.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.moriagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent"
        // NOTE(review): date (2023-12-06), malpedia_rule_date (20231130) and
        // malpedia_version (20230808) differ; they are kept as generated.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the hex strings below (review notes):
        // - `e8????????`, `e9????????` and `68????????` keep the opcode byte but
        //   wildcard the 4-byte operand (relative call/jmp displacement or pushed
        //   address), which changes between builds and load addresses.
        // - The "| mnemonic" column is informational only; YARA matches the bytes.
        //   For the sequences starting `cc 488bc8 ...` that column is not aligned
        //   with the bytes (compare the `cc` rows of $sequence_1 and $sequence_2)
        //   and appears to be a 32-bit decode of 64-bit code (the `48` REX prefix
        //   shown as `dec eax`). Do not rely on it when reviewing the rule.

        // Short, generic idiom (eax = 2 / eax = 1 selector, then edi cleared);
        // probably not family-specific on its own — TODO confirm before
        // weighting this sequence higher than the others.
        $sequence_0 = { b802000000 eb05 b801000000 33ff }
            // n = 4, score = 200
            //   b802000000           | mov                 eax, 2
            //   eb05                 | jmp                 7
            //   b801000000           | mov                 eax, 1
            //   33ff                 | xor                 edi, edi

        // $sequence_1, _2, _3, _5, _6, _7 and _14 are variants of one pattern:
        // int3 padding, mov rcx,rax, a masked call, then three frame stores
        // (edi/rdi, 0xf, and a zero byte). Only the frame-offset byte in each
        // store differs between them.
        $sequence_1 = { cc 488bc8 e8???????? 48897d00 48c745080f000000 c645f000 488b4528 }
            // n = 7, score = 100
            //   cc                   | int3                
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   48897d00             | mov                 ecx, eax
            //   48c745080f000000     | dec                 eax
            //   c645f000             | mov                 dword ptr [ebp], edi
            //   488b4528             | dec                 eax

        $sequence_2 = { cc 488bc8 e8???????? 48897da0 48c745a80f000000 c6459000 }
            // n = 6, score = 100
            //   cc                   | mov                 dword ptr [ebp + 0x20], edi
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   48897da0             | mov                 dword ptr [ebp + 0x28], 0xf
            //   48c745a80f000000     | int3                
            //   c6459000             | dec                 eax

        $sequence_3 = { cc 488bc8 e8???????? 48897d18 48c745200f000000 c6450800 }
            // n = 6, score = 100
            //   cc                   | dec                 eax
            //   488bc8               | mov                 dword ptr [ebp + 0x18], edi
            //   e8????????           |                     
            //   48897d18             | int3                
            //   48c745200f000000     | dec                 eax
            //   c6450800             | mov                 ecx, eax

        // 32-bit code with a large (~0x1000-byte) stack frame; the cmovae on a
        // compare against 0x10 suggests a length/capacity select — TODO confirm.
        $sequence_4 = { 83bd98efffff10 8bb5c4efffff 8b8d94efffff 660f7ec8 51 0f43d0 }
            // n = 6, score = 100
            //   83bd98efffff10       | cmp                 dword ptr [ebp - 0x1068], 0x10
            //   8bb5c4efffff         | mov                 esi, dword ptr [ebp - 0x103c]
            //   8b8d94efffff         | mov                 ecx, dword ptr [ebp - 0x106c]
            //   660f7ec8             | movd                eax, xmm1
            //   51                   | push                ecx
            //   0f43d0               | cmovae              edx, eax

        $sequence_5 = { cc 488bc8 e8???????? 48897dd0 48c745d80f000000 c645c000 }
            // n = 6, score = 100
            //   cc                   | dec                 eax
            //   488bc8               | mov                 ecx, eax
            //   e8????????           |                     
            //   48897dd0             | dec                 eax
            //   48c745d80f000000     | mov                 dword ptr [ebp - 0x60], edi
            //   c645c000             | dec                 eax

        $sequence_6 = { cc 488bc8 e8???????? 48897dc0 48c745c80f000000 c645b000 }
            // n = 6, score = 100
            //   cc                   | dec                 eax
            //   488bc8               | mov                 dword ptr [ebp - 0x60], edi
            //   e8????????           |                     
            //   48897dc0             | int3                
            //   48c745c80f000000     | dec                 eax
            //   c645b000             | mov                 ecx, eax

        $sequence_7 = { cc 488bc8 e8???????? 48897d20 48c745280f000000 c6451000 }
            // n = 6, score = 100
            //   cc                   | dec                 eax
            //   488bc8               | mov                 ecx, eax
            //   e8????????           |                     
            //   48897d20             | dec                 eax
            //   48c745280f000000     | mov                 dword ptr [ebp + 0x18], edi
            //   c6451000             | dec                 eax

        // Three lea-then-masked-jmp pairs on stack objects; typical of a
        // jump table / cleanup dispatch, but that is an inference.
        $sequence_8 = { 8d8de4feffff e9???????? 8d8d30ffffff e9???????? 8d8dccfeffff }
            // n = 5, score = 100
            //   8d8de4feffff         | lea                 ecx, [ebp - 0x11c]
            //   e9????????           |                     
            //   8d8d30ffffff         | lea                 ecx, [ebp - 0xd0]
            //   e9????????           |                     
            //   8d8dccfeffff         | lea                 ecx, [ebp - 0x134]

        $sequence_9 = { 0f87df160000 52 51 e8???????? 8b85e8eeffff }
            // n = 5, score = 100
            //   0f87df160000         | ja                  0x16e5
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b85e8eeffff         | mov                 eax, dword ptr [ebp - 0x1118]

        $sequence_10 = { eb06 8bb5e4eeffff 8b857cefffff 85c0 0f84bd080000 80bdc7eeffff00 }
            // n = 6, score = 100
            //   eb06                 | jmp                 8
            //   8bb5e4eeffff         | mov                 esi, dword ptr [ebp - 0x111c]
            //   8b857cefffff         | mov                 eax, dword ptr [ebp - 0x1084]
            //   85c0                 | test                eax, eax
            //   0f84bd080000         | je                  0x8c3
            //   80bdc7eeffff00       | cmp                 byte ptr [ebp - 0x1139], 0

        // $sequence_11, _12 and _13 all contain the store triple
        // (size = 0, [+0x14] = 0xf, first byte = 0); this looks like the MSVC
        // std::string empty-initialisation idiom (SSO capacity 15) — TODO confirm.
        // If so, these bytes are compiler-generated and may also occur in
        // unrelated MSVC binaries.
        $sequence_11 = { c785e0feffff0f000000 c685ccfeffff00 6a04 68???????? c7411000000000 c741140f000000 c60100 }
            // n = 7, score = 100
            //   c785e0feffff0f000000     | mov    dword ptr [ebp - 0x120], 0xf
            //   c685ccfeffff00       | mov                 byte ptr [ebp - 0x134], 0
            //   6a04                 | push                4
            //   68????????           |                     
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c60100               | mov                 byte ptr [ecx], 0

        $sequence_12 = { 0f1006 8b85e8eeffff 0f1185b4efffff f30f7e4610 660fd685c4efffff c7461000000000 c746140f000000 }
            // n = 7, score = 100
            //   0f1006               | movups              xmm0, xmmword ptr [esi]
            //   8b85e8eeffff         | mov                 eax, dword ptr [ebp - 0x1118]
            //   0f1185b4efffff       | movups              xmmword ptr [ebp - 0x104c], xmm0
            //   f30f7e4610           | movq                xmm0, qword ptr [esi + 0x10]
            //   660fd685c4efffff     | movq                qword ptr [ebp - 0x103c], xmm0
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf

        $sequence_13 = { c746140f000000 c60600 8b5d1c 8d4d08 8b5508 8d7d08 8b4518 }
            // n = 7, score = 100
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   8b5d1c               | mov                 ebx, dword ptr [ebp + 0x1c]
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8d7d08               | lea                 edi, [ebp + 8]
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]

        $sequence_14 = { cc 488bc8 e8???????? 48897de0 48c745e80f000000 c645d000 }
            // n = 6, score = 100
            //   cc                   | mov                 eax, dword ptr [ebp - 0x18]
            //   488bc8               | int3                
            //   e8????????           |                     
            //   48897de0             | dec                 eax
            //   48c745e80f000000     | mov                 ecx, eax
            //   c645d000             | dec                 eax

    condition:
        // Any 7 of the 15 sequences must be present, and the scanned object
        // must be smaller than 1,347,904 bytes (about 1.29 MiB).
        // NOTE(review): the sequences were taken from unpacked / memory-dumped
        // samples (see DISCLAIMER), so a packed on-disk sample may not match;
        // scan unpacked files or memory. `filesize` is defined for file scans —
        // confirm how it behaves in your process-memory scanning setup.
        7 of them and filesize < 1347904
}