SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pipemon (Back to overview)

PipeMon

Actor(s): Winnti Umbrella

There is no description at this point.

References
2022-05-22cocomelonccocomelonc
@online{cocomelonc:20220522:malware:b0a0669, author = {cocomelonc}, title = {{Malware development trick - part 29: Store binary data in registry. Simple C++ example.}}, date = {2022-05-22}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html}, language = {English}, urldate = {2023-05-23} } Malware development trick - part 29: Store binary data in registry. Simple C++ example.
Turla RAT PILLOWMINT PipeMon
2022-03-24Twitter (@ESETresearch)ESET Research
@online{research:20220324:pipemon:351014e, author = {ESET Research}, title = {{Tweet on PipeMon variants by Winnti Group}}, date = {2022-03-24}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1506904404225630210}, language = {English}, urldate = {2022-03-30} } Tweet on PipeMon variants by Winnti Group
PipeMon
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
Yara Rules
[TLP:WHITE] win_pipemon_auto (20230715 | Detects win.pipemon.)
rule win_pipemon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pipemon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660f1f840000000000 b9e8030000 ff15???????? 488d542460 488d8d00030000 ff15???????? 85c0 }
            // n = 7, score = 100
            //   660f1f840000000000     | test    eax, eax
            //   b9e8030000           | jne                 0x33b
            //   ff15????????         |                     
            //   488d542460           | dec                 eax
            //   488d8d00030000       | mov                 dword ptr [ebp - 0x80], eax
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_1 = { 74c8 488bd3 4c8d05befe0000 83e23f 488bcb }
            // n = 5, score = 100
            //   74c8                 | inc                 eax
            //   488bd3               | xor                 bh, bh
            //   4c8d05befe0000       | dec                 eax
            //   83e23f               | lea                 edx, [0x1e437]
            //   488bcb               | dec                 eax

        $sequence_2 = { c3 488d0d8ddb0100 e8???????? cc 488d0d80db0100 e8???????? cc }
            // n = 7, score = 100
            //   c3                   | call                ebx
            //   488d0d8ddb0100       | dec                 eax
            //   e8????????           |                     
            //   cc                   | mov                 edi, dword ptr [esp + 0x60]
            //   488d0d80db0100       | dec                 eax
            //   e8????????           |                     
            //   cc                   | mov                 eax, ebx

        $sequence_3 = { 0f843f020000 448b4320 488d15fcf50100 488d8d60030000 e8???????? 488d7b28 }
            // n = 6, score = 100
            //   0f843f020000         | jne                 0x106
            //   448b4320             | nop                 word ptr [eax + eax]
            //   488d15fcf50100       | cmp                 dword ptr [eax + 0x20], ecx
            //   488d8d60030000       | jae                 0xf0
            //   e8????????           |                     
            //   488d7b28             | dec                 eax

        $sequence_4 = { c3 83f801 7529 b803000000 488b8c2440010000 4833cc e8???????? }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   83f801               | add                 esp, 0x78
            //   7529                 | dec                 esp
            //   b803000000           | mov                 eax, dword ptr [ebp + 0x1d0]
            //   488b8c2440010000     | dec                 ebp
            //   4833cc               | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_5 = { 488bcf ff15???????? 85c0 7511 488d0d8b0a0200 e8???????? }
            // n = 6, score = 100
            //   488bcf               | inc                 ebp
            //   ff15????????         |                     
            //   85c0                 | mov                 esp, eax
            //   7511                 | inc                 ecx
            //   488d0d8b0a0200       | push                edi
            //   e8????????           |                     

        $sequence_6 = { ebdd 4533ff 418bdf 4c8d0de268ffff 4885db 750d }
            // n = 6, score = 100
            //   ebdd                 | jmp                 0x878
            //   4533ff               | dec                 eax
            //   418bdf               | mov                 eax, ebx
            //   4c8d0de268ffff       | mov                 word ptr [ebx], si
            //   4885db               | jb                  0x852
            //   750d                 | dec                 eax

        $sequence_7 = { ff15???????? 90 4c8b442440 4d8bc8 4d8b00 488d95f0010000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   90                   | dec                 eax
            //   4c8b442440           | mov                 eax, dword ptr [eax]
            //   4d8bc8               | cmp                 byte ptr [eax + 0x19], 0
            //   4d8b00               | cmp                 byte ptr [eax + 0x19], 0
            //   488d95f0010000       | jne                 0x2ca

        $sequence_8 = { 498d4608 4d85f6 490f44c6 48833e00 4c8bf0 0f855effffff }
            // n = 6, score = 100
            //   498d4608             | dec                 eax
            //   4d85f6               | add                 eax, eax
            //   490f44c6             | dec                 eax
            //   48833e00             | lea                 ecx, [0x9092]
            //   4c8bf0               | mov                 eax, dword ptr [ecx + eax*8]
            //   0f855effffff         | jmp                 0x462

        $sequence_9 = { 752d 418b4020 413901 0f836e010000 488b842480000000 }
            // n = 5, score = 100
            //   752d                 | dec                 eax
            //   418b4020             | lea                 edx, [0x10dc6]
            //   413901               | mov                 ecx, 7
            //   0f836e010000         | dec                 esp
            //   488b842480000000     | lea                 eax, [0x10db2]

    condition:
        7 of them and filesize < 389120
}
Download all Yara Rules