win.pipemon

PipeMon

Actor(s): Winnti Umbrella


There is no description at this point.

References
2022-03-24Twitter (@ESETresearch)ESET Research
@online{research:20220324:pipemon:351014e, author = {ESET Research}, title = {{Tweet on PipeMon variants by Winnti Group}}, date = {2022-03-24}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1506904404225630210}, language = {English}, urldate = {2022-03-30} } Tweet on PipeMon variants by Winnti Group
PipeMon
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
Yara Rules
[TLP:WHITE] win_pipemon_auto (20220516 | Detects win.pipemon.)
// Auto-generated Malpedia rule for the PipeMon family (win.pipemon).
// Ten opcode-byte sequences ($sequence_0 .. $sequence_9) were extracted by
// yara-signator from unpacked samples / memory dumps (see DISCLAIMER below);
// the rule fires when at least 7 of them occur in a file smaller than
// 389120 bytes (380 KiB).
rule win_pipemon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.pipemon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is a run of raw x86 opcode bytes. `??` is a YARA
        // wildcard byte; here it masks the 4-byte operand that follows `ff15`
        // (call [rip+disp32]) and `e8` (call rel32), so a sequence still matches
        // when the call target / relocation differs between builds.
        // The REX prefixes (0x41, 0x48, 0x4c, 0x4d) - e.g. `4883ec20` is
        // `sub rsp, 0x20` - show these patterns come from 64-bit code; 32-bit
        // builds of the family would not be expected to match this rule.
        // NOTE(review): the per-line disassembly annotations below do not line
        // up with the bytes they sit next to (e.g. `4156` is a REX-prefixed
        // push, not `dec eax`); they look like 32-bit-mode disassembly of 64-bit
        // code. Treat the hex bytes as authoritative and the annotations as
        // untrusted - verify against a 64-bit disassembly if they matter to you.
        $sequence_0 = { 4156 4157 4883ec20 448bf1 4c8d3dce0dffff }
            // n = 5, score = 100
            //   4156                 | dec                 eax
            //   4157                 | lea                 ecx, [0xfffea411]
            //   4883ec20             | dec                 eax
            //   448bf1               | shl                 esi, 2
            //   4c8d3dce0dffff       | mov                 dword ptr [ebp + 0x320], eax

        $sequence_1 = { ff542428 8b7510 4c8bf8 448b7500 4903f4 4d03f4 }
            // n = 6, score = 100
            //   ff542428             | dec                 eax
            //   8b7510               | mov                 edx, dword ptr [eax]
            //   4c8bf8               | dec                 eax
            //   448b7500             | test                edx, edx
            //   4903f4               | je                  0x8d7
            //   4d03f4               | dec                 eax

        $sequence_2 = { 488d8d60040000 ff15???????? 488bf8 4533c9 4533c0 33d2 }
            // n = 6, score = 100
            //   488d8d60040000       | dec                 eax
            //   ff15????????         |                     
            //   488bf8               | cmp                 ecx, 8
            //   4533c9               | jne                 0x46a
            //   4533c0               | inc                 ecx
            //   33d2                 | mov                 edi, dword ptr [edi]

        $sequence_3 = { 33d2 33c9 ff15???????? 4883f8ff 74c0 488bc8 ff15???????? }
            // n = 7, score = 100
            //   33d2                 | inc                 ecx
            //   33c9                 | mov                 ecx, dword ptr [esi]
            //   ff15????????         |                     
            //   4883f8ff             | test                eax, eax
            //   74c0                 | je                  0xcd4
            //   488bc8               | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 0f8339010000 488b842480000000 4889442428 4533c0 e8???????? 488bc3 }
            // n = 6, score = 100
            //   0f8339010000         | xor                 ecx, esp
            //   488b842480000000     | dec                 esp
            //   4889442428           | mov                 edi, dword ptr [esp + 0xa0]
            //   4533c0               | inc                 ecx
            //   e8????????           |                     
            //   488bc3               | mov                 edx, 0xffff

        $sequence_5 = { 85c0 7440 0f1f8000000000 397db8 7413 }
            // n = 5, score = 100
            //   85c0                 | and                 esi, 0x3f
            //   7440                 | dec                 ebp
            //   0f1f8000000000       | mov                 ebp, esp
            //   397db8               | dec                 ecx
            //   7413                 | sar                 ebp, 6

        $sequence_6 = { 33d2 41b801010000 e8???????? 8bc5 4d8d4c2410 4c8d35ed360100 bd04000000 }
            // n = 7, score = 100
            //   33d2                 | dec                 eax
            //   41b801010000         | lea                 edx, [ebp + 0x400]
            //   e8????????           |                     
            //   8bc5                 | xor                 ecx, ecx
            //   4d8d4c2410           | dec                 esp
            //   4c8d35ed360100       | lea                 eax, [0x1e37f]
            //   bd04000000           | nop                 dword ptr [eax]

        $sequence_7 = { ff15???????? c785f001000018000000 4489a500020000 488d442460 488985f8010000 ba01000000 488d4c2460 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   c785f001000018000000     | mov    dword ptr [esp + 0x48], esp
            //   4489a500020000       | dec                 eax
            //   488d442460           | lea                 ecx, [esp + 0x50]
            //   488985f8010000       | dec                 eax
            //   ba01000000           | lea                 ecx, [0xf5c9]
            //   488d4c2460           | mov                 dword ptr [ebx + 0x50], 6

        // $sequence_8 is made of VEX-encoded (c4/c5 prefix) AVX instructions;
        // NOTE(review): this looks like compiler-emitted floating-point code
        // rather than family-specific logic, so on its own it carries little
        // weight - the 7-of-10 threshold is what makes the rule specific.
        $sequence_8 = { c4c173590cc1 4c8d0d25880000 c5f359c1 c5fb101d???????? c5fb102d???????? c4e2f1a91d???????? c4e2f1a92d???????? }
            // n = 7, score = 100
            //   c4c173590cc1         | jne                 0x296
            //   4c8d0d25880000       | inc                 esp
            //   c5f359c1             | cmp                 byte ptr [esp + 0x68], ch
            //   c5fb101d????????     |                     
            //   c5fb102d????????     |                     
            //   c4e2f1a91d????????     |     
            //   c4e2f1a92d????????     |     

        $sequence_9 = { 8945fb 448d4004 ff15???????? 85c0 7576 }
            // n = 5, score = 100
            //   8945fb               | lea                 ecx, [0x1f603]
            //   448d4004             | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, edi
            //   7576                 | dec                 eax

    condition:
        // Match when at least 7 of the 10 sequences are present. `filesize`
        // is the size of the scanned file and is only defined for file scans;
        // when scanning process memory YARA leaves it undefined and the whole
        // condition is then expected to evaluate false, so this rule targets
        // on-disk or dumped files, not live memory (confirm for your scanner
        // version). Samples padded or bundled beyond 380 KiB are excluded.
        7 of them and filesize < 389120
}