SYMBOLCOMMON_NAMEaka. SYNONYMS
win.poortry (Back to overview)

POORTRY

VTCollection    

According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. This malware has been observed being used by UNC3944.

References
2025-07-03Rapid7Rapid7
Scattered Spider: Rapid7 Insights, Observations, and Recommendations
MimiKatz POORTRY
2024-08-28Bleeping ComputerBill Toulas
PoorTry Windows driver evolves into a full-featured EDR wiper
POORTRY
2023-10-27acsenseBrendon Rod
A Guide to Scattered Spider Data Breaches
POORTRY
2023-08-26BushidoToken BlogBushidoToken
Tracking Adversaries: Scattered Spider, the BlackCat affiliate
BlackLotus POORTRY
2023-08-17TrellixPhelix Oluoch
Scattered Spider: The Modus Operandi
BlackCat POORTRY
2023-07-28Quorum CyberQuorum Cyber
Scattered Spider Threat Actor Profile
Cuba KillAV POORTRY
2023-01-05SymantecThreat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle
2022-12-13MandiantMandiant Intelligence
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware
POORTRY
Yara Rules
[TLP:WHITE] win_poortry_auto (20260504 | Detects win.poortry.)
rule win_poortry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.poortry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4981e804000000 41f6c3a0 d2e7 418b18 f8 33de }
            // n = 6, score = 100
            //   4981e804000000       | dec                 eax
            //   41f6c3a0             | mov                 ebp, dword ptr [ebp - 8]
            //   d2e7                 | rcr                 bx, cl
            //   418b18               | inc                 cx
            //   f8                   | bswap               eax
            //   33de                 | dec                 eax

        $sequence_1 = { c1c903 66443bc1 41f6c39f f5 81f17f2af75d 0fc9 f9 }
            // n = 7, score = 100
            //   c1c903               | inc                 eax
            //   66443bc1             | xor                 ch, dl
            //   41f6c39f             | inc                 eax
            //   f5                   | shr                 ch, 0x80
            //   81f17f2af75d         | xor                 ebx, 0x7be05e45
            //   0fc9                 | stc                 
            //   f9                   | inc                 ebp

        $sequence_2 = { 41ffc3 f5 80ffe1 410fcb 4180ffe7 f5 4181c3b9310b6e }
            // n = 7, score = 100
            //   41ffc3               | test                ah, dl
            //   f5                   | dec                 eax
            //   80ffe1               | cmp                 eax, 0x43a276f
            //   410fcb               | inc                 ecx
            //   4180ffe7             | add                 ecx, 0x751f71aa
            //   f5                   | clc                 
            //   4181c3b9310b6e       | push                ebp

        $sequence_3 = { 4502ee 4881c440010000 440fb7ed 490f4dee 415f 4487ef 660fbef9 }
            // n = 7, score = 100
            //   4502ee               | dec                 ecx
            //   4881c440010000       | mov                 ebx, dword ptr [edx + 8]
            //   440fb7ed             | dec                 eax
            //   490f4dee             | sub                 esi, 0x526e6db2
            //   415f                 | dec                 eax
            //   4487ef               | cmp                 eax, 0x38a4547a
            //   660fbef9             | inc                 eax

        $sequence_4 = { 1bd9 5b 48f7c57830f62d f8 4863ed 6681f90317 41f6c678 }
            // n = 7, score = 100
            //   1bd9                 | movsx               edx, dx
            //   5b                   | rol                 bl, 1
            //   48f7c57830f62d       | inc                 cx
            //   f8                   | cmovno              edx, eax
            //   4863ed               | inc                 ecx
            //   6681f90317           | mov                 edx, esp
            //   41f6c678             | inc                 eax

        $sequence_5 = { 66450fabf9 313424 410fbaf1fc 4159 4080ff4a 4863f6 453ac5 }
            // n = 7, score = 100
            //   66450fabf9           | inc                 ecx
            //   313424               | pop                 ecx
            //   410fbaf1fc           | cmc                 
            //   4159                 | dec                 eax
            //   4080ff4a             | arpl                cx, cx
            //   4863f6               | inc                 ebp
            //   453ac5               | cmp                 ah, dl

        $sequence_6 = { 440fb7df 4881ef04000000 448b1f 4533d9 41ffcb f8 3bfc }
            // n = 7, score = 100
            //   440fb7df             | push                ecx
            //   4881ef04000000       | inc                 esp
            //   448b1f               | xor                 dword ptr [esp], edx
            //   4533d9               | inc                 ecx
            //   41ffcb               | neg                 edx
            //   f8                   | inc                 ecx
            //   3bfc                 | sub                 edx, 0x6052653f

        $sequence_7 = { 415c 415e 02e8 4159 49c1e35e 5d 4d0fb7d1 }
            // n = 7, score = 100
            //   415c                 | inc                 sp
            //   415e                 | sbb                 edx, esi
            //   02e8                 | xor                 dword ptr [esp], edi
            //   4159                 | inc                 bp
            //   49c1e35e             | btr                 edx, esi
            //   5d                   | inc                 ebp
            //   4d0fb7d1             | adc                 edx, edi

        $sequence_8 = { 4002f3 44311c24 40f6de 4963f4 66d3c6 5e f8 }
            // n = 7, score = 100
            //   4002f3               | inc                 ecx
            //   44311c24             | test                dl, 0x95
            //   40f6de               | dec                 eax
            //   4963f4               | arpl                di, di
            //   66d3c6               | xor                 dword ptr [esp], edi
            //   5e                   | inc                 esp
            //   f8                   | bts                 esi, ebx

        $sequence_9 = { 81f3c94f3919 f9 55 440fa4f5bd 311c24 0fcd 40f6dd }
            // n = 7, score = 100
            //   81f3c94f3919         | bt                  ebp, ebx
            //   f9                   | pop                 ebp
            //   55                   | clc                 
            //   440fa4f5bd           | dec                 eax
            //   311c24               | arpl                dx, dx
            //   0fcd                 | inc                 ebp
            //   40f6dd               | test                al, ch

    condition:
        7 of them and filesize < 8078336
}
Download all Yara Rules