SYMBOLCOMMON_NAMEaka. SYNONYMS
win.moriagent (Back to overview)

MoriAgent

Actor(s): MuddyWater


There is no description at this point.

References
2022-02-25infoRisk TODAYPrajeet Nair
@online{nair:20220225:muddywater:62fb30e, author = {Prajeet Nair}, title = {{MuddyWater Targets Critical Infrastructure in Asia, Europe}}, date = {2022-02-25}, organization = {infoRisk TODAY}, url = {https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611}, language = {English}, urldate = {2022-03-04} } MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK
@online{fbi:20220224:alert:f9ae76b, author = {FBI and CISA and CNMF and NCSC UK}, title = {{Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-055a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-02-24FBI, CISA, CNMF, NCSC UK, NSA
@techreport{fbi:20220224:iranian:9117e42, author = {FBI and CISA and CNMF and NCSC UK and NSA}, title = {{Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf}, language = {English}, urldate = {2022-03-01} } Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-01-12U.S. Cyber CommandU.S. Cyber Command
@online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-07-05paloalto LIVEcommunityMohammed Yasin
@online{yasin:20200705:how:a3796cd, author = {Mohammed Yasin}, title = {{How to stop MortiAgent Malware using the snort rule?}}, date = {2020-07-05}, organization = {paloalto LIVEcommunity}, url = {https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#}, language = {English}, urldate = {2020-08-18} } How to stop MortiAgent Malware using the snort rule?
MoriAgent
2020-06-17Twitter (@Timele9527)Timele12138
@online{timele12138:20200617:moriagent:a4986d2, author = {Timele12138}, title = {{Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)}}, date = {2020-06-17}, organization = {Twitter (@Timele9527)}, url = {https://twitter.com/Timele9527/status/1272776776335233024}, language = {English}, urldate = {2020-06-18} } Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)
MoriAgent
Yara Rules
[TLP:WHITE] win_moriagent_auto (20230407 | Detects win.moriagent.)
rule win_moriagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.moriagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b802000000 eb05 b801000000 33ff }
            // n = 4, score = 200
            //   b802000000           | mov                 eax, 2
            //   eb05                 | jmp                 7
            //   b801000000           | mov                 eax, 1
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { c5fb102d???????? c4e2c9abe9 f2410f1004c1 488d15127c0300 f20f1014c2 c5eb58d5 }
            // n = 6, score = 100
            //   c5fb102d????????     |                     
            //   c4e2c9abe9           | vfmsub213sd         xmm5, xmm6, xmm1
            //   f2410f1004c1         | inc                 ecx
            //   488d15127c0300       | movups              xmm0, xmmword ptr [ecx + eax*8]
            //   f20f1014c2           | dec                 eax
            //   c5eb58d5             | lea                 edx, [0x37c12]

        $sequence_2 = { c5fbe6e7 4c8d15b7a10400 4c8d1db0a30400 c5fae6cc }
            // n = 4, score = 100
            //   c5fbe6e7             | lea                 ecx, [0x49528]
            //   4c8d15b7a10400       | vmovsd              xmm3, qword ptr [ecx + eax*8]
            //   4c8d1db0a30400       | vfmadd213sd         xmm0, xmm3, xmm3
            //   c5fae6cc             | vmulsd              xmm0, xmm0, xmm3

        $sequence_3 = { c60000 83f905 751e 4c8d45c8 }
            // n = 4, score = 100
            //   c60000               | dec                 eax
            //   83f905               | sub                 edx, dword ptr [esp + 0xb8]
            //   751e                 | dec                 eax
            //   4c8d45c8             | mov                 eax, dword ptr [esp + 0xe0]

        $sequence_4 = { c60000 488d95a0000000 488d4d98 e8???????? }
            // n = 4, score = 100
            //   c60000               | dec                 eax
            //   488d95a0000000       | mov                 edx, dword ptr [esp + 0xc0]
            //   488d4d98             | dec                 eax
            //   e8????????           |                     

        $sequence_5 = { e8???????? 03c7 8985d8eeffff 3bb550efffff 7432 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   03c7                 | lea                 edx, [esp + 0x48]
            //   8985d8eeffff         | mov                 byte ptr [eax], 0
            //   3bb550efffff         | cmp                 ecx, 5
            //   7432                 | jne                 0x26

        $sequence_6 = { c60000 b811000000 443bf8 440f47f8 }
            // n = 4, score = 100
            //   c60000               | lea                 edx, [ebp + 0xa0]
            //   b811000000           | dec                 eax
            //   443bf8               | lea                 ecx, [ebp - 0x68]
            //   440f47f8             | mov                 byte ptr [eax], 0

        $sequence_7 = { 83c404 8912 895204 895208 }
            // n = 4, score = 100
            //   83c404               | mov                 eax, 0x11
            //   8912                 | inc                 esp
            //   895204               | cmp                 edi, eax
            //   895208               | inc                 esp

        $sequence_8 = { 8945e8 68???????? 68???????? c745fc00000000 ff15???????? 50 }
            // n = 6, score = 100
            //   8945e8               | mov                 ecx, ebx
            //   68????????           |                     
            //   68????????           |                     
            //   c745fc00000000       | mov                 byte ptr [eax], 0
            //   ff15????????         |                     
            //   50                   | cmp                 ecx, 5

        $sequence_9 = { c60000 488b9424c0000000 482b9424b8000000 488b8424e0000000 }
            // n = 4, score = 100
            //   c60000               | dec                 esp
            //   488b9424c0000000     | lea                 edx, [0x4a1b7]
            //   482b9424b8000000     | dec                 esp
            //   488b8424e0000000     | lea                 ebx, [0x4a3b0]

        $sequence_10 = { 8b45c8 3bf8 7468 8b4f14 83f910 }
            // n = 5, score = 100
            //   8b45c8               | dec                 esp
            //   3bf8                 | lea                 eax, [ebp - 0x38]
            //   7468                 | dec                 eax
            //   8b4f14               | lea                 edx, [esp + 0x48]
            //   83f910               | dec                 eax

        $sequence_11 = { c645fc01 33c0 8b55d4 8bca c7459000000000 c7459407000000 66894580 }
            // n = 7, score = 100
            //   c645fc01             | lea                 eax, [ebp - 0x38]
            //   33c0                 | mov                 byte ptr [eax], 0
            //   8b55d4               | cmp                 ecx, 5
            //   8bca                 | jne                 0x26
            //   c7459000000000       | dec                 esp
            //   c7459407000000       | lea                 eax, [ebp - 0x38]
            //   66894580             | dec                 eax

        $sequence_12 = { 83f81f 7759 51 56 e8???????? 83c408 8b35???????? }
            // n = 7, score = 100
            //   83f81f               | dec                 eax
            //   7759                 | lea                 edx, [esp + 0x48]
            //   51                   | dec                 eax
            //   56                   | mov                 ecx, ebx
            //   e8????????           |                     
            //   83c408               | mov                 byte ptr [eax], 0
            //   8b35????????         |                     

        $sequence_13 = { e8???????? 8d4d88 e8???????? 83c418 c745fc00000000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8d4d88               | jne                 0x23
            //   e8????????           |                     
            //   83c418               | dec                 esp
            //   c745fc00000000       | lea                 eax, [ebp - 0x38]

        $sequence_14 = { c5fb59c3 48c7c03f000000 23c1 488d0d28950400 }
            // n = 4, score = 100
            //   c5fb59c3             | dec                 eax
            //   48c7c03f000000       | lea                 edx, [0x37c12]
            //   23c1                 | movsd               xmm2, qword ptr [edx + eax*8]
            //   488d0d28950400       | vaddsd              xmm2, xmm2, xmm5

    condition:
        7 of them and filesize < 1347904
}
Download all Yara Rules