win.pseudo_manuscrypt

PseudoManuscrypt


According to PCrisk, PseudoManuscrypt is the name of a malware family that spies on its victims. It is similar to another malware family called Manuscrypt. PseudoManuscrypt was discovered while checking installers for pirated software (one example is a fake pirated installer for SolarWinds, a network monitoring software).

References
2023-04-13 — Intel 471 — Jorge Rodriguez, Souhail Hammou
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2023-03-26 — Luca Mella
Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2022-10-05 — BitSight — João Godinho, Stanislas Arnoud
Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26 — Kaspersky — Artem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-02-18 — AhnLab — ASEC Analysis Team
PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-16 — Kaspersky Lab ICS CERT
PseudoManuscrypt: a mass-scale spyware attack campaign
PseudoManuscrypt
Yara Rules
[TLP:WHITE] win_pseudo_manuscrypt_auto (20230808 | Detects win.pseudo_manuscrypt.)
rule win_pseudo_manuscrypt_auto {

    /*
     * Auto-generated detection for win.pseudo_manuscrypt (Malpedia).
     *
     * The ten hex strings below were selected by YARA-Signator from the
     * disassembly of memory dumps and unpacked samples; the generator and
     * its documentation live at https://github.com/fxb-cocacoding/yara-signator
     * Malpedia, the data source, often documents only a single sample for a
     * family, so how well these sequences generalise to other builds is not
     * guaranteed; weigh the generation method when assigning a confidence
     * level to hits from this rule.
     *
     * `??` marks a byte that was wildcarded at generation time. In these
     * sequences the wildcards follow E8 / FF 15 / 68 opcodes, i.e. positions
     * whose operands (call targets, absolute addresses) are expected to
     * differ between builds.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pseudo_manuscrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        /* n = 7, score = 200
         *   je 0xffffff79 ; mov edx, esi ; mov ecx, edi ; E8 (wildcarded) ;
         *   test eax, eax ; jg 0xffffff68 ; push ebx */
        $sequence_0 = { 0F 84 73 FF FF FF 8B D6 8B CF E8 ?? ?? ?? ?? 85 C0 0F 8F 62 FF FF FF 53 }

        /* n = 7, score = 200
         *   mov word ptr [esi], ax ; E8 (wildcarded) ; mov eax, dword ptr [ebp - 4] ;
         *   add esp, 4 ; mov edi, ebx ; cmp ebx, dword ptr [eax] ; jne 0xffffffbf */
        $sequence_1 = { 66 89 06 E8 ?? ?? ?? ?? 8B 45 FC 83 C4 04 8B FB 3B 18 75 BD }

        /* n = 7, score = 200
         *   xor ebx, ebx ; lea eax, [ebp - 0x284] ; push ebx ; push eax ;
         *   push ebx ; push 0xf013f ; push ebx */
        $sequence_2 = { 33 DB 8D 85 7C FD FF FF 53 50 53 68 3F 01 0F 00 53 }

        /* n = 7, score = 200
         *   push 0 ; push 0 ; push 0 ; push 0x18 ; call esi ; push 0 ; push 0 */
        $sequence_3 = { 6A 00 6A 00 6A 00 6A 18 FF D6 6A 00 6A 00 }

        /* n = 7, score = 200
         *   mov ebp, esp ; push esi ; mov esi, dword ptr [ecx + 0x17c] ;
         *   test esi, esi ; je 0x2c ; mov eax, dword ptr [ebp + 8] ; xor edx, edx */
        $sequence_4 = { 8B EC 56 8B B1 7C 01 00 00 85 F6 74 2A 8B 45 08 33 D2 }

        /* n = 7, score = 200
         *   push 4 ; push 0xffff ; push ebx ; call esi ; or eax, edi ;
         *   pop edi ; pop esi */
        $sequence_5 = { 6A 04 68 FF FF 00 00 53 FF D6 0B C7 5F 5E }

        /* n = 7, score = 200
         *   push edi ; mov dword ptr [ebp - 4], eax ; lea edx, [ebx + ecx] ;
         *   mov ecx, eax ; cmove edx, ebx ; push edx ; E8 (wildcarded) */
        $sequence_6 = { 57 89 45 FC 8D 14 0B 8B C8 0F 44 D3 52 E8 ?? ?? ?? ?? }

        /* n = 7, score = 200
         *   jne 0x56 ; pop edi ; xor eax, eax ; pop esi ;
         *   mov ecx, dword ptr [ebp - 4] ; xor ecx, ebp ; E8 (wildcarded) */
        $sequence_7 = { 75 54 5F 33 C0 5E 8B 4D FC 33 CD E8 ?? ?? ?? ?? }

        /* n = 7, score = 200
         *   mov dword ptr [esp + 0x74], eax ; lea eax, [esp + 0x80] ; push 0x104 ;
         *   push eax ; mov dword ptr [esp + 0x6c], 0x101 ; FF 15 (wildcarded) ;
         *   68 (wildcarded) */
        $sequence_8 = { 89 44 24 74 8D 84 24 80 00 00 00 68 04 01 00 00 50 C7 44 24 6C 01 01 00 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? }

        /* n = 7, score = 200
         *   lea eax, [ebp - 0x230] ; push eax ; push esi ; FF 15 (wildcarded) ;
         *   test eax, eax ; je 0x2e ; push ebx */
        $sequence_9 = { 8D 85 D0 FD FF FF 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 2C 53 }

    condition:
        // Fire when any 7 of the 10 sequences are present in a file smaller
        // than 753664 bytes (736 KiB).
        // NOTE(review): there is no PE-header guard (e.g. uint16(0) == 0x5A4D);
        // the size cap is the only structural constraint on the scanned file,
        // so treat hits on non-PE inputs as lower-confidence.
        7 of ($sequence_*) and filesize < 753664
}