win.mqsttang

MQsTTang

aka: QMAGENT

Actor(s): MUSTANG PANDA


There is no description at this point.

References
2023-09-07 — Sekoia — Jamila B.
@online{b:20230907:my:de66f96, author = {Jamila B.}, title = {{My Tea’s not cold. An overview of China’s cyber threat}}, date = {2023-09-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/}, language = {English}, urldate = {2023-09-08} } My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL
2023-03-02 — ESET Research — Alexandre Côté Cyr
@online{cyr:20230302:mqsttang:b7dee51, author = {Alexandre Côté Cyr}, title = {{MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT}}, date = {2023-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/}, language = {English}, urldate = {2023-03-13} } MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
MQsTTang
Yara Rules
[TLP:WHITE] win_mqsttang_auto (20230715 | Detects win.mqsttang.)
rule win_mqsttang_auto {
    /* Purpose: auto-generated code-sequence signature for MQsTTang (Malpedia
     * family win.mqsttang, see malpedia_reference). The rule carries no
     * hand-written logic: it is ten short x86 (32-bit: eax/esp/ebp) byte
     * sequences lifted from disassembly by yara-signator (see meta: tool,
     * signator_config, date) plus a loose "7 of 10" condition.
     * Match semantics: a file is flagged when at least 7 of the 10 sequences
     * are present anywhere in it and the file is below the size bound.
     * The disassembly comments under each $sequence_N are documentation only;
     * only the hex pattern on the $sequence_N line is matched.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mqsttang."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section:
     *  - Each $sequence_N is one run of 7 consecutive instructions
     *    ("n = 7" in the per-sequence note); the bytes are matched verbatim.
     *  - "??" wildcards stand for one masked byte. They appear only in the
     *    4-byte displacement of e8 (call rel32) and e9 (jmp rel32), so a
     *    sequence still matches when the call/jump target moves between
     *    builds or load addresses; the opcode byte itself is still required.
     *  - "score = 100" is yara-signator bookkeeping from rule generation and
     *    has no effect on YARA matching (it lives in a comment).
     *  - Because the disclaimer notes rules may derive from a single sample,
     *    treat a hit as a strong but not conclusive indicator and pair it
     *    with the references above when triaging.
     */

    strings:
        $sequence_0 = { e8???????? 8d4c2430 668944245e e8???????? ba93244992 89c1 c7042400000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4c2430             | lea                 ecx, [esp + 0x30]
            //   668944245e           | mov                 word ptr [esp + 0x5e], ax
            //   e8????????           |                     
            //   ba93244992           | mov                 edx, 0x92492493
            //   89c1                 | mov                 ecx, eax
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_1 = { c745d0ffffffff 8b45d0 8d65f4 5b 5e 5f 5d }
            // n = 7, score = 100
            //   c745d0ffffffff       | mov                 dword ptr [ebp - 0x30], 0xffffffff
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8d65f4               | lea                 esp, [ebp - 0xc]
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            // NOTE(review): this sequence is a generic function epilogue
            // (restore ebx/esi/edi/ebp, return value -1 in eax); expect it to
            // be the least specific of the ten.

        $sequence_2 = { e9???????? 8b5518 89f1 891424 ffd0 83ec04 894510 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   89f1                 | mov                 ecx, esi
            //   891424               | mov                 dword ptr [esp], edx
            //   ffd0                 | call                eax
            //   83ec04               | sub                 esp, 4
            //   894510               | mov                 dword ptr [ebp + 0x10], eax

        $sequence_3 = { f3a4 e9???????? 6683bd60ffffff1e 668945c8 0f8785070000 83bd54ffffff01 0f8678070000 }
            // n = 7, score = 100
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   e9????????           |                     
            //   6683bd60ffffff1e     | cmp                 word ptr [ebp - 0xa0], 0x1e
            //   668945c8             | mov                 word ptr [ebp - 0x38], ax
            //   0f8785070000         | ja                  0x78b
            //   83bd54ffffff01       | cmp                 dword ptr [ebp - 0xac], 1
            //   0f8678070000         | jbe                 0x77e

        $sequence_4 = { e8???????? 8b542414 8b442410 8b4a08 85c9 7413 89442410 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]
            //   85c9                 | test                ecx, ecx
            //   7413                 | je                  0x15
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_5 = { e9???????? 837d1480 7520 31d2 e9???????? 83f802 7ebf }
            // n = 7, score = 100
            //   e9????????           |                     
            //   837d1480             | cmp                 dword ptr [ebp + 0x14], -0x80
            //   7520                 | jne                 0x22
            //   31d2                 | xor                 edx, edx
            //   e9????????           |                     
            //   83f802               | cmp                 eax, 2
            //   7ebf                 | jle                 0xffffffc1

        $sequence_6 = { e8???????? 8b45e4 c744240400000000 89f1 8b5004 8b45e0 8b4004 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   89f1                 | mov                 ecx, esi
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_7 = { e8???????? 8b45b4 8b10 85d2 7581 c744240804000000 c744240402000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   85d2                 | test                edx, edx
            //   7581                 | jne                 0xffffff83
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4
            //   c744240402000000     | mov                 dword ptr [esp + 4], 2

        $sequence_8 = { e9???????? 890424 e8???????? e9???????? 893c24 e8???????? 8b442414 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            // NOTE(review): 16 of this sequence's bytes are wildcarded (four
            // rel32 displacements), leaving only 10 fixed bytes; it contributes
            // comparatively little specificity on its own.

        $sequence_9 = { e9???????? 8b5d0c 85db 0f8481fdffff 31db eb21 8b7d14 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   85db                 | test                ebx, ebx
            //   0f8481fdffff         | je                  0xfffffd87
            //   31db                 | xor                 ebx, ebx
            //   eb21                 | jmp                 0x23
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]

    // "7 of them": any 7 of the 10 sequences suffice, so up to 3 may be
    // absent (e.g. removed by recompilation or patching) without losing the
    // detection. The filesize bound (12651520 bytes, about 12 MiB) limits the
    // rule to files under that size; per the disclaimer, the sequences were
    // taken from memory dumps and unpacked files, so a packed on-disk sample
    // may not match until unpacked.
    condition:
        7 of them and filesize < 12651520
}