win.quan_pin_loader

QuanPinLoader

Actor(s): Lazarus Group


According to ESET Research, this is a loader whose resources carry a Chinese character (romanized as yang in Pinyin) as its icon. It also contains the string SampleIMESimplifiedQuanPin.txt, which suggests that it was probably built on top of the open-source Sample IME project, a demo input method editor based on the Text Services Framework (TSF). The icon and the file-name string are therefore best treated as artefacts likely inherited from that project — useful for clustering and detection, but not by themselves evidence that the loader implements any IME functionality.

References
2025-10-23 · ESET Research · Alexis Rapin, Peter Kálnai
Gotta fly: Lazarus targets the UAV sector
Families discussed: BURNBOOK, QuanPinLoader, ScoringMathTea
Yara Rules
[TLP:WHITE] win_quan_pin_loader_auto (20260504 | Detects win.quan_pin_loader.)
rule win_quan_pin_loader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.quan_pin_loader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quan_pin_loader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * How this rule was built and how far to trust it
     *
     * Every byte pattern below was picked automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of memory dumps and unpacked samples held in Malpedia. Two consequences
     * for anyone deploying it:
     *
     *   - Malpedia documents only a single sample for many families, so the
     *     patterns describe that sample's build; other builds, other compiler
     *     settings or a repacked variant may not hit 7 of the 10 sequences.
     *     Assign confidence accordingly and corroborate with context.
     *   - The training material was unpacked code, so the rule deliberately
     *     does not require a PE header: it is meant to fire on process memory
     *     and carved regions as well as on files on disk.
     *
     * The hex bytes are the authoritative part of each pattern. The mnemonics
     * beside them are an x86-64 (Intel syntax) decode of those bytes, added
     * for readability; rip-relative displacements and rel8/rel32 branch
     * targets are specific to the sampled build. "??" bytes are wildcards
     * covering call targets and data addresses that vary between builds.
     */

    strings:

        // Argument set-up on the stack before a call (x64: shadow space at
        // [rsp+0x20..]), then the 32-bit result is stored through rbx and
        // eax is zeroed.
        $sequence_0 = { 488364242800 488d0da6090700 4889542420 488d542420 e8???????? 8903 33c0 }
            // 7 instructions, score 100
            //   488364242800   and   qword ptr [rsp+0x28], 0
            //   488d0da6090700 lea   rcx, [rip+0x709a6]
            //   4889542420     mov   qword ptr [rsp+0x20], rdx
            //   488d542420     lea   rdx, [rsp+0x20]
            //   e8????????     call  <rel32>
            //   8903           mov   dword ptr [rbx], eax
            //   33c0           xor   eax, eax

        // Byte store into a 4-byte-strided buffer followed by reloads of
        // three locals and a zero-extended byte read through r11.
        $sequence_1 = { 4803c8 488b45cf 44885488f3 8b4dcb 448b45c7 450fb653fd 8d4101 }
            // 7 instructions, score 100
            //   4803c8         add   rcx, rax
            //   488b45cf       mov   rax, qword ptr [rbp-0x31]
            //   44885488f3     mov   byte ptr [rax+rcx*4-0xd], r10b
            //   8b4dcb         mov   ecx, dword ptr [rbp-0x35]
            //   448b45c7       mov   r8d, dword ptr [rbp-0x39]
            //   450fb653fd     movzx r10d, byte ptr [r11-3]
            //   8d4101         lea   eax, [rcx+1]

        // Function tail: writes the constants 2 and 9 into a structure at
        // rbx, sets the return value to 1 and starts restoring callee-saved
        // registers.
        $sequence_2 = { 488b742438 b801000000 c70302000000 c7430409000000 488b5c2430 4883c420 5f }
            // 7 instructions, score 100
            //   488b742438     mov   rsi, qword ptr [rsp+0x38]
            //   b801000000     mov   eax, 1
            //   c70302000000   mov   dword ptr [rbx], 2
            //   c7430409000000 mov   dword ptr [rbx+4], 9
            //   488b5c2430     mov   rbx, qword ptr [rsp+0x30]
            //   4883c420       add   rsp, 0x20
            //   5f             pop   rdi

        // Pointer checks on two structures followed by a sign-extended byte
        // read at offset 8.
        $sequence_3 = { 0f8fe0000000 48833b00 488b10 7524 4885d2 7511 0fbe5008 }
            // 7 instructions, score 100
            //   0f8fe0000000   jg    <rel32 +0xe0>
            //   48833b00       cmp   qword ptr [rbx], 0
            //   488b10         mov   rdx, qword ptr [rax]
            //   7524           jne   <rel8 +0x24>
            //   4885d2         test  rdx, rdx
            //   7511           jne   <rel8 +0x11>
            //   0fbe5008       movsx edx, byte ptr [rax+8]

        // Indirect call through rax; the sign test on the result is the
        // pattern compilers emit for a FAILED(hr)-style check, but that is
        // an inference from the shape only.
        $sequence_4 = { ffd0 8bd8 85c0 782e 488b4c2430 4885c9 7437 }
            // 7 instructions, score 100
            //   ffd0           call  rax
            //   8bd8           mov   ebx, eax
            //   85c0           test  eax, eax
            //   782e           js    <rel8 +0x2e>
            //   488b4c2430     mov   rcx, qword ptr [rsp+0x30]
            //   4885c9         test  rcx, rcx
            //   7437           je    <rel8 +0x37>

        // Null check on rcx with a fallback to a rip-relative default stored
        // through rdi, then a call whose 32-bit result lands at [rbx+0x50].
        $sequence_5 = { 4885c9 750a 488d0d9e640300 48890f 4863d2 e8???????? 894350 }
            // 7 instructions, score 100
            //   4885c9         test  rcx, rcx
            //   750a           jne   <rel8 +0xa>
            //   488d0d9e640300 lea   rcx, [rip+0x3649e]
            //   48890f         mov   qword ptr [rdi], rcx
            //   4863d2         movsxd rdx, edx
            //   e8????????     call  <rel32>
            //   894350         mov   dword ptr [rbx+0x50], eax

        // Post-call flag test on r12b, then a small on-stack structure is
        // populated (dword 3 at [rbp-1], a rip-relative pointer at [rbp-9])
        // and its address passed in rdx.
        $sequence_6 = { e8???????? 4584e4 7430 488d05bdb80400 c745ff03000000 488945f7 488d5507 }
            // 7 instructions, score 100
            //   e8????????     call  <rel32>
            //   4584e4         test  r12b, r12b
            //   7430           je    <rel8 +0x30>
            //   488d05bdb80400 lea   rax, [rip+0x4b8bd]
            //   c745ff03000000 mov   dword ptr [rbp-1], 3
            //   488945f7       mov   qword ptr [rbp-9], rax
            //   488d5507       lea   rdx, [rbp+7]

        // Loads a (base, end) pair from the structure at rdi, compares the
        // end against r12 and, if they differ, computes end - base in r8.
        $sequence_7 = { 49890e 4c8b4708 488b17 488bc8 4d3be0 7505 4c2bc2 }
            // 7 instructions, score 100
            //   49890e         mov   qword ptr [r14], rcx
            //   4c8b4708       mov   r8, qword ptr [rdi+8]
            //   488b17         mov   rdx, qword ptr [rdi]
            //   488bc8         mov   rcx, rax
            //   4d3be0         cmp   r12, r8
            //   7505           jne   <rel8 +5>
            //   4c2bc2         sub   r8, rdx

        // Loop back-edge: (rcx - [r13+8]) >> 5 is compared against r15d,
        // i.e. a pointer difference converted to an index over 32-byte
        // elements.
        $sequence_8 = { 498b5508 488bc1 482bc2 48c1f805 443bf8 0f8256ffffff }
            // 6 instructions, score 100
            //   498b5508       mov   rdx, qword ptr [r13+8]
            //   488bc1         mov   rax, rcx
            //   482bc2         sub   rax, rdx
            //   48c1f805       sar   rax, 5
            //   443bf8         cmp   r15d, eax
            //   0f8256ffffff   jb    <rel32 -0xaa>

        // Signed (ecx + 1) / 2 via the cdq / sub / sar idiom, compared with 3;
        // the leading movzx reads a global byte whose address is wildcarded.
        $sequence_9 = { 440fb61d???????? 8d4101 99 2bc2 d1f8 83f803 7c3a }
            // 7 instructions, score 100
            //   440fb61d???????? movzx r11d, byte ptr [rip+<disp32>]
            //   8d4101         lea   eax, [rcx+1]
            //   99             cdq
            //   2bc2           sub   eax, edx
            //   d1f8           sar   eax, 1
            //   83f803         cmp   eax, 3
            //   7c3a           jl    <rel8 +0x3a>

    condition:
        // At least 7 of the 10 code sequences must be present. The size cap
        // (1711104 bytes = 0x1A1C00) bounds scan cost and excludes large
        // containers; raise it if you scan whole memory regions rather than
        // carved modules.
        7 of ($sequence_*) and filesize < 1711104
}