win.moriya

Moriya


This tool is a passive backdoor that lets attackers inspect all incoming traffic to the infected machine, filter out the packets marked as destined for the malware, and respond to them. This forms a covert channel over which attackers can issue shell commands and receive their output.

References
2025-04-25 — Trend Micro — Nick Dai, Sunny Lu
Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
KRNRAT Moriya Earth Kurma
2021-05-06 — Kaspersky — Giampaolo Dedola, Mark Lechtik
Operation TunnelSnake
Moriya TunnelSnake
Yara Rules
[TLP:WHITE] win_moriya_auto (20260504 | Detects win.moriya.)
rule win_moriya_auto {
    /* Auto-generated code-sequence rule for the Moriya passive backdoor
     * (see the DISCLAIMER below for how the sequences were selected).
     * Matching is driven solely by the ten hex byte sequences in the
     * strings section; the inline disassembly annotations next to them are
     * informational only and do not affect what the rule matches.
     * The sequences contain REX prefixes (0x41/0x44/0x45/0x48/0x4c), so they
     * appear to be taken from x86-64 code -- confirm against the sample.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.moriya."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings.
        // "??" wildcards mask bytes that change between builds or load
        // addresses (e.g. the rel32 of e8 = call, the disp32 of RIP-relative
        // 488b0d = mov rcx,[rip+disp32] and ff15 = call [rip+disp32]), so a
        // sequence still matches after relinking or rebasing.
        //
        // NOTE(review): the disassembly column does not line up with the
        // bytes on several lines (e.g. 4533c9 decodes as "xor r9d, r9d" under
        // its REX.RB prefix, not "xor ecx, ecx"). Treat the hex as
        // authoritative and re-disassemble a hit before reasoning about the
        // matched code.
        $sequence_0 = { 488d542460 488b0d???????? 4533c9 f30f7f45a0 4889442470 4533c0 0f1007 }
            // n = 7, score = 200
            //   488d542460           | lea                 eax, [0xfdd]
            //   488b0d????????       |                     
            //   4533c9               | xor                 ecx, ecx
            //   f30f7f45a0           | dec                 esp
            //   4889442470           | lea                 eax, [0x243e]
            //   4533c0               | mov                 edx, edi
            //   0f1007               | dec                 esp

        $sequence_1 = { 488bcb 4889442448 f30f7f442428 e8???????? 8bd8 }
            // n = 5, score = 200
            //   488bcb               | dec                 ebp
            //   4889442448           | test                ecx, ecx
            //   f30f7f442428         | je                  0x67d
            //   e8????????           |                     
            //   8bd8                 | cmp                 byte ptr [edi + 0x44], bl

        $sequence_2 = { 8844242e e8???????? 488d442428 482bf0 }
            // n = 4, score = 200
            //   8844242e             | lea                 ecx, [0x5c54]
            //   e8????????           |                     
            //   488d442428           | dec                 eax
            //   482bf0               | lea                 ecx, [0x6e86]

        $sequence_3 = { 742a 488b4b08 4885c9 7406 ff15???????? }
            // n = 5, score = 200
            //   742a                 | shr                 ebx, 8
            //   488b4b08             | inc                 ebp
            //   4885c9               | xor                 edx, dword ptr [esp + ecx*4 + 0x7c00]
            //   7406                 | movzx               ecx, al
            //   ff15????????         |                     

        $sequence_4 = { 786d 488b0d???????? 33d2 e8???????? 8bd8 }
            // n = 5, score = 200
            //   786d                 | jle                 0x186f
            //   488b0d????????       |                     
            //   33d2                 | inc                 ecx
            //   e8????????           |                     
            //   8bd8                 | mov                 eax, esp

        $sequence_5 = { 4883ec38 488364242000 488bd1 4c8b0d???????? }
            // n = 4, score = 200
            //   4883ec38             | inc                 ecx
            //   488364242000         | shr                 ebx, 8
            //   488bd1               | inc                 ecx
            //   4c8b0d????????       |                     

        $sequence_6 = { e8???????? 48833d????????00 7417 488d4dd0 ff15???????? 488b0d???????? ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48833d????????00     |                     
            //   7417                 | dec                 eax
            //   488d4dd0             | mov                 eax, dword ptr [edi + 0xb8]
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   ff15????????         |                     

        $sequence_7 = { 4883ec28 418b00 4c8bc9 448bd8 4c8bd1 }
            // n = 5, score = 200
            //   4883ec28             | movzx               eax, al
            //   418b00               | inc                 ebp
            //   4c8bc9               | xor                 edx, dword ptr [esp + ecx*4 + 0x8000]
            //   448bd8               | inc                 ebp
            //   4c8bd1               | xor                 edx, dword ptr [esp + eax*4 + 0x8400]

        $sequence_8 = { 660f1f440000 4a895408f8 4983e908 75f5 4983e007 }
            // n = 5, score = 200
            //   660f1f440000         | lea                 eax, [eax + eax*2]
            //   4a895408f8           | dec                 eax
            //   4983e908             | lea                 edx, [eax*8]
            //   75f5                 | dec                 ecx
            //   4983e007             | add                 edx, ebp

        $sequence_9 = { 0f57c0 488985b0000000 33d2 0f118590000000 448d4058 0f1185a0000000 e8???????? }
            // n = 7, score = 200
            //   0f57c0               | inc                 ebp
            //   488985b0000000       | xor                 eax, dword ptr [esp + eax*4 + 0x8400]
            //   33d2                 | inc                 ecx
            //   0f118590000000       | mov                 eax, dword ptr [esp + eax*4 + 0x7c00]
            //   448d4058             | inc                 esp
            //   0f1185a0000000       | xor                 eax, eax
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // file must be smaller than 99328 bytes (97 KiB). The size cap limits
        // false positives on large binaries that happen to share compiler
        // idioms, but it is sized to the documented sample(s): padded, bundled
        // or differently packed variants above that size will not match.
        // NOTE(review): filesize is only meaningful for on-disk scans; check
        // how your YARA version evaluates it for process-memory scans before
        // relying on this rule there.
        7 of them and filesize < 99328
}