win.pseudo_manuscrypt

PseudoManuscrypt


According to PCrisk, PseudoManuscrypt is the name of a malware family that spies on its victims. It is similar to another malware family called Manuscrypt. It was discovered while checking installers for pirated software (one example being a fake pirated installer for SolarWinds, a network monitoring product).

References
2023-03-26Luca Mella
@online{mella:20230326:updates:deb3c61, author = {Luca Mella}, title = {{Updates from the MaaS: new threats delivered through NullMixer}}, date = {2023-03-26}, url = {https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1}, language = {English}, urldate = {2023-03-29} } Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2022-10-05BitSightStanislas Arnoud, João Godinho
@online{arnoud:20221005:sinkholing:8a928c6, author = {Stanislas Arnoud and João Godinho}, title = {{Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1}}, date = {2022-10-05}, organization = {BitSight}, url = {https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1}, language = {English}, urldate = {2022-10-07} } Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-16Kaspersky Lab ICS CERT
@online{cert:20211216:pseudomanuscrypt:808ef18, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, url = {https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2021-12-23} } PseudoManuscrypt: a mass-scale spyware attack campaign
PseudoManuscrypt
Yara Rules
[TLP:WHITE] win_pseudo_manuscrypt_auto (20230407 | Detects win.pseudo_manuscrypt.)
// Auto-generated code-sequence signature for win.pseudo_manuscrypt (see the
// DISCLAIMER inside the rule for how the sequences were chosen). Each
// $sequence_N below is a short run of 32-bit x86 instruction bytes lifted from
// unpacked code; the rule fires when most of them are present in a
// sufficiently small scanned object.
rule win_pseudo_manuscrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.pseudo_manuscrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each hex string is raw x86 (32-bit) machine code; the indented "//" lines
    // under it give the disassembly of each byte group. "??" wildcards replace
    // operand bytes that differ between builds (call/jump targets and absolute
    // addresses, e.g. after e8 / ff15 / 68), so only the opcode skeleton has to
    // match. In the per-string annotations, "n" is the number of instructions in
    // the sequence; "score" is presumably the ranking yara-signator assigned
    // when selecting it (not documented on this page).
    strings:
        $sequence_0 = { 5d c20400 8b5508 53 8b9f80010000 8b4204 8b4818 }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   8b9f80010000         | mov                 ebx, dword ptr [edi + 0x180]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]

        $sequence_1 = { 57 53 50 e8???????? 8b4e30 83c40c 894e04 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4e30               | mov                 ecx, dword ptr [esi + 0x30]
            //   83c40c               | add                 esp, 0xc
            //   894e04               | mov                 dword ptr [esi + 4], ecx

        $sequence_2 = { 56 ff15???????? 85ff 0f848d000000 8d44240c 8bcb 50 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85ff                 | test                edi, edi
            //   0f848d000000         | je                  0x93
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   8bcb                 | mov                 ecx, ebx
            //   50                   | push                eax

        $sequence_3 = { 8bc1 33d2 668910 6aff 52 ff7510 e8???????? }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   33d2                 | xor                 edx, edx
            //   668910               | mov                 word ptr [eax], dx
            //   6aff                 | push                -1
            //   52                   | push                edx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     

        $sequence_4 = { 8bd8 53 e8???????? 83c404 8bf0 8d85f0fdffff 89b5ecfdffff }
            // n = 7, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bf0                 | mov                 esi, eax
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   89b5ecfdffff         | mov                 dword ptr [ebp - 0x214], esi

        // NOTE(review): the "cmp esi, 0x64 / jb" pair looks like the tail of a
        // 100-iteration loop, and the [ebp - 4] load followed by "xor ecx, ebp"
        // looks like an MSVC /GS stack-cookie check — both are compiler-emitted
        // patterns that can recur in unrelated binaries. On its own this
        // sequence is therefore weak evidence; the 7-of-10 threshold in the
        // condition is what keeps such overlaps from producing false positives.
        $sequence_5 = { 46 83fe64 72c8 8b4dfc 8b8550feffff 33cd 5f }
            // n = 7, score = 200
            //   46                   | inc                 esi
            //   83fe64               | cmp                 esi, 0x64
            //   72c8                 | jb                  0xffffffca
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b8550feffff         | mov                 eax, dword ptr [ebp - 0x1b0]
            //   33cd                 | xor                 ecx, ebp
            //   5f                   | pop                 edi

        $sequence_6 = { e8???????? 83c408 8b44242c 85c0 7407 50 ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   50                   | push                eax
            //   ff15????????         |                     

        // NOTE(review): a "return 0" epilogue (xor eax, eax ... ret 8) guarded by
        // a null check on [esi + 4] is generic code; like $sequence_5 it only
        // carries weight in combination with the other sequences.
        $sequence_7 = { 837e0400 7509 33c0 5e 8be5 5d c20800 }
            // n = 7, score = 200
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   7509                 | jne                 0xb
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8

        $sequence_8 = { e8???????? 897dfc 8b4508 8b4d0c 894704 8bc7 c7474800000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   8bc7                 | mov                 eax, edi
            //   c7474800000000       | mov                 dword ptr [edi + 0x48], 0

        $sequence_9 = { 6a00 83ec08 6a00 68???????? e8???????? 83c414 8bf0 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   83ec08               | sub                 esp, 8
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8bf0                 | mov                 esi, eax

    condition:
        // Match when at least 7 of the 10 sequences above are present and the
        // scanned object is smaller than 753664 bytes (736 KiB). Two practical
        // caveats for deployment:
        //  - The sequences come from unpacked code and memory dumps (see
        //    DISCLAIMER), so a packed sample on disk will generally not match
        //    until it is unpacked or dumped from memory.
        //  - `filesize` is only defined when YARA scans a file; when scanning a
        //    live process it is undefined, which makes this condition false
        //    there — scan the dumped image as a file instead (confirm against
        //    the YARA version in use).
        7 of them and filesize < 753664
}