Actor(s): GALLIUM, Molerats, Mustang Panda, Nightshade Panda, Pirate Panda, Stone Panda, TA428, Temper Panda
There is no description at this point.
rule win_poison_ivy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.poison_ivy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a01 6a00 8d86120e0000 50 } // n = 4, score = 100 // 6a01 | push 1 // 6a00 | push 0 // 8d86120e0000 | lea eax, [esi + 0xe12] // 50 | push eax $sequence_1 = { 683f000f00 6a00 57 51 ff5635 68ff000000 } // n = 6, score = 100 // 683f000f00 | push 0xf003f // 6a00 | push 0 // 57 | push edi // 51 | push ecx // ff5635 | call dword ptr [esi + 0x35] // 68ff000000 | push 0xff $sequence_2 = { 51 57 ff9681000000 8d45fc 50 683f000f00 6a00 } // n = 7, score = 100 // 51 | push ecx // 57 | push edi // ff9681000000 | call dword ptr [esi + 0x81] // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // 683f000f00 | push 0xf003f // 6a00 | push 0 $sequence_3 = { 80beaf08000001 7507 b902000080 eb05 b901000080 8d45fc 50 } // n = 7, score = 100 // 80beaf08000001 | cmp byte ptr [esi + 0x8af], 1 // 7507 | jne 9 // b902000080 | mov ecx, 0x80000002 // eb05 | jmp 7 // b901000080 | mov ecx, 0x80000001 // 8d45fc | lea eax, [ebp - 4] // 50 | push eax $sequence_4 = { 8d86120e0000 50 ff75fc ff563d } // n = 4, score = 100 // 8d86120e0000 | lea eax, [esi + 0xe12] // 50 | push eax // ff75fc | push dword ptr [ebp - 4] // ff563d | call dword ptr [esi + 0x3d] $sequence_5 = { 51 ff5635 68ff000000 8d86b1060000 50 6a01 6a00 } // n = 7, score = 100 // 51 | push ecx // ff5635 | call dword ptr [esi + 0x35] // 68ff000000 | push 0xff // 8d86b1060000 | lea eax, [esi + 0x6b1] // 50 | push eax // 6a01 | push 1 // 6a00 | push 0 $sequence_6 = { 57 ff9681000000 80beaf08000001 7507 } // n = 4, score = 100 // 57 | push edi // ff9681000000 | call dword ptr [esi + 0x81] // 80beaf08000001 | cmp byte ptr [esi + 0x8af], 1 // 7507 | jne 9 condition: 7 of them and filesize < 204800 }
rule win_poison_ivy_w0 { meta: author = "Matthew Ulm" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/pivy.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy" malpedia_version = "20170517" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: // presence of pivy in memory $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} condition: any of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
