SYMBOLCOMMON_NAMEaka. SYNONYMS
win.moriagent (Back to overview)

MoriAgent

Actor(s): MuddyWater

There is no description at this point.

References
2022-02-25infoRisk TODAYPrajeet Nair
@online{nair:20220225:muddywater:62fb30e, author = {Prajeet Nair}, title = {{MuddyWater Targets Critical Infrastructure in Asia, Europe}}, date = {2022-02-25}, organization = {infoRisk TODAY}, url = {https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611}, language = {English}, urldate = {2022-03-04} } MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK
@online{fbi:20220224:alert:f9ae76b, author = {FBI and CISA and CNMF and NCSC UK}, title = {{Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-055a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK, NSA
@techreport{fbi:20220224:iranian:9117e42, author = {FBI and CISA and CNMF and NCSC UK and NSA}, title = {{Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf}, language = {English}, urldate = {2022-03-01} } Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-01-12U.S. Cyber CommandU.S. Cyber Command
@online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-17Twitter (@Timele9527)Timele12138
@online{timele12138:20200617:moriagent:a4986d2, author = {Timele12138}, title = {{Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)}}, date = {2020-06-17}, organization = {Twitter (@Timele9527)}, url = {https://twitter.com/Timele9527/status/1272776776335233024}, language = {English}, urldate = {2020-06-18} } Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)
MoriAgent
2020-05-07paloalto LIVEcommunityMohammed Yasin
@online{yasin:20200507:how:a3796cd, author = {Mohammed Yasin}, title = {{How to stop MortiAgent Malware using the snort rule?}}, date = {2020-05-07}, organization = {paloalto LIVEcommunity}, url = {https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#}, language = {English}, urldate = {2023-06-19} } How to stop MortiAgent Malware using the snort rule?
MoriAgent
Yara Rules
[TLP:WHITE] win_moriagent_auto (20230715 | Detects win.moriagent.)
rule win_moriagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.moriagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b802000000 eb05 b801000000 33ff }
            // n = 4, score = 200
            //   b802000000           | mov                 eax, 2
            //   eb05                 | jmp                 7
            //   b801000000           | mov                 eax, 1
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { 0f87af0b0000 52 51 e8???????? 83c408 6a00 }
            // n = 6, score = 100
            //   0f87af0b0000         | ja                  0xbb5
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a00                 | push                0

        $sequence_2 = { c6041800 488bc3 488b8c2440010000 4833cc }
            // n = 4, score = 100
            //   c6041800             | sub                 edx, eax
            //   488bc3               | inc                 ebp
            //   488b8c2440010000     | xor                 eax, eax
            //   4833cc               | mov                 byte ptr [eax + edx], 0

        $sequence_3 = { c745dc0f000000 c645c800 3bc8 0f827a020000 }
            // n = 4, score = 100
            //   c745dc0f000000       | mov                 dword ptr [ebp - 0x24], 0xf
            //   c645c800             | mov                 byte ptr [ebp - 0x38], 0
            //   3bc8                 | cmp                 ecx, eax
            //   0f827a020000         | jb                  0x280

        $sequence_4 = { 8642b5 41 b963866428 623e d1af34810242 46 }
            // n = 6, score = 100
            //   8642b5               | xchg                byte ptr [edx - 0x4b], al
            //   41                   | inc                 ecx
            //   b963866428           | mov                 ecx, 0x28648663
            //   623e                 | bound               edi, qword ptr [esi]
            //   d1af34810242         | shr                 dword ptr [edi + 0x42028134], 1
            //   46                   | inc                 esi

        $sequence_5 = { c6041000 eb0e 482bd0 4533c0 488bcf e8???????? 33f6 }
            // n = 7, score = 100
            //   c6041000             | cmp                 edx, eax
            //   eb0e                 | jne                 0x2c
            //   482bd0               | dec                 eax
            //   4533c0               | add                 edx, 1
            //   488bcf               | mov                 byte ptr [eax + edx], 0
            //   e8????????           |                     
            //   33f6                 | jmp                 0x10

        $sequence_6 = { c6041000 eb3c 4d85db 7443 }
            // n = 4, score = 100
            //   c6041000             | jmp                 0x18
            //   eb3c                 | dec                 eax
            //   4d85db               | cmp                 ecx, 0x10
            //   7443                 | dec                 ecx

        $sequence_7 = { 8b95c8eeffff 2b95d8eeffff 8b85bceeffff 0fb6c0 0f4485b0eeffff 8995c8eeffff }
            // n = 6, score = 100
            //   8b95c8eeffff         | mov                 edx, dword ptr [ebp - 0x1138]
            //   2b95d8eeffff         | sub                 edx, dword ptr [ebp - 0x1128]
            //   8b85bceeffff         | mov                 eax, dword ptr [ebp - 0x1144]
            //   0fb6c0               | movzx               eax, al
            //   0f4485b0eeffff       | cmove               eax, dword ptr [ebp - 0x1150]
            //   8995c8eeffff         | mov                 dword ptr [ebp - 0x1138], edx

        $sequence_8 = { c6041300 488b5c2430 4883c420 5f c3 4d85c9 }
            // n = 6, score = 100
            //   c6041300             | jmp                 0x3e
            //   488b5c2430           | dec                 ebp
            //   4883c420             | test                ebx, ebx
            //   5f                   | je                  0x4a
            //   c3                   | dec                 eax
            //   4d85c9               | lea                 ecx, [ebp - 0x21]

        $sequence_9 = { 8b4d28 b8abaaaa2a 8b7520 83c404 }
            // n = 4, score = 100
            //   8b4d28               | mov                 ecx, dword ptr [ebp + 0x28]
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   8b7520               | mov                 esi, dword ptr [ebp + 0x20]
            //   83c404               | add                 esp, 4

        $sequence_10 = { c645fc03 83ffff 0f8418e4ffff 57 c645fc15 ff15???????? e9???????? }
            // n = 7, score = 100
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   83ffff               | cmp                 edi, -1
            //   0f8418e4ffff         | je                  0xffffe41e
            //   57                   | push                edi
            //   c645fc15             | mov                 byte ptr [ebp - 4], 0x15
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_11 = { c6041800 4c8b45a0 4c8b4db8 4983f910 }
            // n = 4, score = 100
            //   c6041800             | mov                 byte ptr [eax + edx], 0
            //   4c8b45a0             | jmp                 0xffffffb2
            //   4c8b4db8             | dec                 eax
            //   4983f910             | sub                 edx, eax

        $sequence_12 = { c6040800 eb59 488b5710 488b4718 483bd0 752a 4883c201 }
            // n = 7, score = 100
            //   c6040800             | mov                 byte ptr [eax + ecx], 0
            //   eb59                 | jmp                 0x5b
            //   488b5710             | dec                 eax
            //   488b4718             | mov                 edx, dword ptr [edi + 0x10]
            //   483bd0               | dec                 eax
            //   752a                 | mov                 eax, dword ptr [edi + 0x18]
            //   4883c201             | dec                 eax

        $sequence_13 = { c6041000 eb16 4883f910 490f43c0 }
            // n = 4, score = 100
            //   c6041000             | dec                 eax
            //   eb16                 | sub                 edx, eax
            //   4883f910             | inc                 ebp
            //   490f43c0             | xor                 eax, eax

        $sequence_14 = { 8b1c9d30ea4100 6800080000 6a00 53 }
            // n = 4, score = 100
            //   8b1c9d30ea4100       | mov                 ebx, dword ptr [ebx*4 + 0x41ea30]
            //   6800080000           | push                0x800
            //   6a00                 | push                0
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 1347904
}
Download all Yara Rules