SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pcshare (Back to overview)

PcShare

Actor(s): Pirate Panda

VTCollection    

PcShare is a open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.

References
2021-06-16Recorded FutureInsikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2019-09-25CylanceCylance Research and Intelligence Team
PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware
PcShare
Yara Rules
[TLP:WHITE] win_pcshare_auto (20260504 | Detects win.pcshare.)
rule win_pcshare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pcshare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 68???????? e8???????? 83c408 85c0 740d 8b16 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_1 = { 7425 0fb601 0fb6fa 3bc7 7714 8b55fc 8a9250220610 }
            // n = 7, score = 100
            //   7425                 | je                  0x27
            //   0fb601               | movzx               eax, byte ptr [ecx]
            //   0fb6fa               | movzx               edi, dl
            //   3bc7                 | cmp                 eax, edi
            //   7714                 | ja                  0x16
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8a9250220610         | mov                 dl, byte ptr [edx + 0x10062250]

        $sequence_2 = { 2bee 85c9 750e 8d442eff 8932 894204 }
            // n = 6, score = 100
            //   2bee                 | sub                 ebp, esi
            //   85c9                 | test                ecx, ecx
            //   750e                 | jne                 0x10
            //   8d442eff             | lea                 eax, [esi + ebp - 1]
            //   8932                 | mov                 dword ptr [edx], esi
            //   894204               | mov                 dword ptr [edx + 4], eax

        $sequence_3 = { 50 e8???????? 8b4c2440 e9???????? 83f8fe 0f85effbffff 8b4c2414 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   e9????????           |                     
            //   83f8fe               | cmp                 eax, -2
            //   0f85effbffff         | jne                 0xfffffbf5
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_4 = { 8b442444 c7462800000000 895e38 897e34 85c0 741d 8d48ff }
            // n = 7, score = 100
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   c7462800000000       | mov                 dword ptr [esi + 0x28], 0
            //   895e38               | mov                 dword ptr [esi + 0x38], ebx
            //   897e34               | mov                 dword ptr [esi + 0x34], edi
            //   85c0                 | test                eax, eax
            //   741d                 | je                  0x1f
            //   8d48ff               | lea                 ecx, [eax - 1]

        $sequence_5 = { 3bc6 7505 b8???????? 6a05 68???????? 50 e8???????? }
            // n = 7, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   7505                 | jne                 7
            //   b8????????           |                     
            //   6a05                 | push                5
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 56 8918 e8???????? 89742410 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8918                 | mov                 dword ptr [eax], ebx
            //   e8????????           |                     
            //   89742410             | mov                 dword ptr [esp + 0x10], esi

        $sequence_7 = { 8b4c242c 85c9 7510 3b5c2430 746b 43 895c241c }
            // n = 7, score = 100
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   85c9                 | test                ecx, ecx
            //   7510                 | jne                 0x12
            //   3b5c2430             | cmp                 ebx, dword ptr [esp + 0x30]
            //   746b                 | je                  0x6d
            //   43                   | inc                 ebx
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        $sequence_8 = { 8d4c2438 50 89442430 e8???????? }
            // n = 4, score = 100
            //   8d4c2438             | lea                 ecx, [esp + 0x38]
            //   50                   | push                eax
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   e8????????           |                     

        $sequence_9 = { c7413c00000000 895134 c20c00 6aff 68???????? }
            // n = 5, score = 100
            //   c7413c00000000       | mov                 dword ptr [ecx + 0x3c], 0
            //   895134               | mov                 dword ptr [ecx + 0x34], edx
            //   c20c00               | ret                 0xc
            //   6aff                 | push                -1
            //   68????????           |                     

    condition:
        7 of them and filesize < 893708
}
Download all Yara Rules