win.pseudo_manuscrypt (Back to overview)

PseudoManuscrypt


According to PCrisk, PseudoManuscrypt is the name of a malware family that spies on its victims. It is similar to another malware family called Manuscrypt. PseudoManuscrypt was discovered while checking installers for pirated software (one example is a fake pirated installer for SolarWinds, a network monitoring product).

References
2025-09-24 — Netresec — Erik Hjelmvik
Gh0stKCP Protocol
PseudoManuscrypt ValleyRAT
2023-04-13 — Intel 471 — Jorge Rodriguez, Souhail Hammou
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2023-03-26 — Luca Mella
Updates from the MaaS: new threats delivered through NullMixer
Fabookie Koi Loader Koi Stealer Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2022-10-05 — BitSight — João Godinho, Stanislas Arnoud
Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26 — Kaspersky — Artem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-02-18 — AhnLab — ASEC Analysis Team
PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-16 — Kaspersky Lab ICS CERT
PseudoManuscrypt: a mass-scale spyware attack campaign
PseudoManuscrypt
Yara Rules
[TLP:WHITE] win_pseudo_manuscrypt_auto (20260504 | Detects win.pseudo_manuscrypt.)
rule win_pseudo_manuscrypt_auto {
    // Autogenerated code-sequence signature for the PseudoManuscrypt spyware
    // family (Malpedia id win.pseudo_manuscrypt). The strings below are short
    // runs of 32-bit x86 opcode bytes selected by yara-signator from unpacked
    // samples; they match code, not configuration or C2 artefacts, so the rule
    // is intended for unpacked files and memory dumps rather than packed
    // droppers (see the DISCLAIMER below for the generalization caveat).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pseudo_manuscrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous instruction run. `??` is a YARA
        // single-byte wildcard; yara-signator uses it to mask operands that
        // change between builds (call/jump displacements, absolute data
        // addresses) and leaves the disassembly column empty for those
        // instructions. In the per-sequence comments, `n` is the number of
        // instructions in the run; `score` is presumably yara-signator's
        // ranking metric for how characteristic the sequence is — consult the
        // tool's documentation before relying on it. Relative branch targets
        // (jg/je/jne) appear to be rendered as if the sequence started at
        // offset 0, so backward jumps show up as large unsigned values.
        $sequence_0 = { 8b0f 8b55f8 8b4708 2bc2 50 8d0411 50 }
            // n = 7, score = 200
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   2bc2                 | sub                 eax, edx
            //   50                   | push                eax
            //   8d0411               | lea                 eax, [ecx + edx]
            //   50                   | push                eax

        $sequence_1 = { 8b36 8b4344 2bc6 85c0 7fbf 5f 5e }
            // n = 7, score = 200
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b4344               | mov                 eax, dword ptr [ebx + 0x44]
            //   2bc6                 | sub                 eax, esi
            //   85c0                 | test                eax, eax
            //   7fbf                 | jg                  0xffffffc1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { 8b5d0c 42 56 57 894df8 8d43ff 8955f0 }
            // n = 7, score = 200
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   42                   | inc                 edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8d43ff               | lea                 eax, [ebx - 1]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx

        $sequence_3 = { 8bf0 85f6 0f8494000000 56 e8???????? 83c404 8945cc }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f8494000000         | je                  0x9a
            //   56                   | push                esi
            //   e8????????           |                     
            //                          (e8 = call rel32; the 4-byte displacement is wildcarded)
            //   83c404               | add                 esp, 4
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax

        $sequence_4 = { 8b4df8 03cf 833900 75c9 8b4d0c 83c114 894d0c }
            // n = 7, score = 200
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   03cf                 | add                 ecx, edi
            //   833900               | cmp                 dword ptr [ecx], 0
            //   75c9                 | jne                 0xffffffcb
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   83c114               | add                 ecx, 0x14
            //   894d0c               | mov                 dword ptr [ebp + 0xc], ecx

        $sequence_5 = { ff15???????? 8906 85c0 7440 8d4e1c 897e10 c7461400040000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //                          (ff15 = call dword ptr [imm32], i.e. an indirect call through a
            //                           pointer such as an import slot; the address is wildcarded)
            //   8906                 | mov                 dword ptr [esi], eax
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8d4e1c               | lea                 ecx, [esi + 0x1c]
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   c7461400040000       | mov                 dword ptr [esi + 0x14], 0x400

        $sequence_6 = { 53 56 8945f8 8b4510 57 8bf9 8945f4 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        // NOTE(review): this sequence looks like a standard MSVC /GS function
        // prologue (load the security cookie via `a1 <addr>`, xor with ebp,
        // store at [ebp-4]). If so, it is shared by a great many MSVC-built
        // binaries and adds little specificity on its own; the 7-of-10
        // threshold in the condition keeps a hit on it alone from mattering,
        // but treat it as weak evidence when triaging partial matches — confirm.
        $sequence_7 = { 8bec 81ecdc070000 a1???????? 33c5 8945fc 53 56 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   81ecdc070000         | sub                 esp, 0x7dc
            //   a1????????           |                     
            //                          (a1 = mov eax, dword ptr [moffs32]; the absolute address is wildcarded)
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_8 = { 8d044502000000 50 8b45fc ff75f0 03c6 50 e8???????? }
            // n = 7, score = 200
            //   8d044502000000       | lea                 eax, [eax*2 + 2]
            //   50                   | push                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //                          (e8 = call rel32; displacement wildcarded)

        $sequence_9 = { 85c0 7427 8d4df8 51 8d4e78 e8???????? }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7427                 | je                  0x29
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx
            //   8d4e78               | lea                 ecx, [esi + 0x78]
            //   e8????????           |                     
            //                          (e8 = call rel32; displacement wildcarded)

    condition:
        // Fire when at least 7 of the 10 sequences are present (tolerates some
        // compiler/version drift, per the DISCLAIMER) and the scanned object is
        // smaller than 753664 bytes (736 KiB). The size cap reduces false
        // positives from large binaries that merely share a few generic
        // runs, but it also means a padded or repacked sample will be missed.
        // `filesize` is only meaningful when scanning files; when scanning
        // process memory it may be undefined, which would presumably cause the
        // whole condition to evaluate false — confirm against your YARA version.
        7 of them and filesize < 753664
}