win.quickmute

QUICKMUTE

Actor(s): Tonto Team


QuickMute is malware written in C/C++. Functionally, it provides download, RC4 decryption, and in-memory launch of a payload (it expects a PE file that exports the function "HttpsVictimMain"). For communication with its command-and-control (management) server, several protocols are supported, in particular TCP, UDP, HTTP and HTTPS.

References
2022-06-22 — author: Cert-UA, organization: Cert-UA
@online{certua:20220622:cyberattacks:3a05a70, author = {Cert-UA}, title = {{Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860)}}, date = {2022-06-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/375404}, language = {Ukrainian}, urldate = {2022-07-13} } Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860)
QUICKMUTE
Yara Rules
[TLP:WHITE] win_quickmute_auto (20230715 | Detects win.quickmute.)
// Autogenerated YARA-Signator code-sequence signature for QuickMute (win.quickmute).
// Each $sequence_N is a run of 32-bit x86 instruction bytes selected from the
// disassembly of unpacked samples / memory dumps (see DISCLAIMER below); the
// disassembly of every byte run is reproduced in the comments beneath it.
// The ?? positions are YARA wildcards: they mask the 32-bit operands (absolute
// addresses) the generator left unresolved, so those instructions still match
// when that operand differs between builds. Sequences without wildcards that
// embed an absolute address (see $sequence_2) do not have that tolerance.
rule win_quickmute_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.quickmute."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-string construction: the two dword immediates decode (little-endian)
        // to "WinH" and "pCon", with two bytes of bl stored between them at
        // [ebp-0x24]/[ebp-0x23], giving the contiguous buffer "WinH??pCon".
        // Consistent with a WinHttp* API name being assembled on the stack
        // (bl presumably holds 't') -- confirm against the sample.
        $sequence_0 = { ffd7 a3???????? 833d????????00 c745d857696e48 885ddc 885ddd c745de70436f6e }
            // n = 7, score = 100
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   833d????????00       |                     
            //   c745d857696e48       | mov                 dword ptr [ebp - 0x28], 0x486e6957
            //   885ddc               | mov                 byte ptr [ebp - 0x24], bl
            //   885ddd               | mov                 byte ptr [ebp - 0x23], bl
            //   c745de70436f6e       | mov                 dword ptr [ebp - 0x22], 0x6e6f4370

        // Call through an import pointer (ff15, target wildcarded), 0x14 bytes of
        // caller stack cleanup, then argument setup for the next call. The
        // lea from [ebp-0xdc4] shows a stack frame of at least ~3.5 KiB of locals.
        $sequence_1 = { ff15???????? 8b4d14 83c414 51 8d953cf2ffff 52 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   83c414               | add                 esp, 0x14
            //   51                   | push                ecx
            //   8d953cf2ffff         | lea                 edx, [ebp - 0xdc4]
            //   52                   | push                edx

        // 256-iteration byte copy loop (eax runs 0..0xff): [ebx+eax+0x11d] -> [0x40c898+eax].
        // A 256-byte table copy is consistent with the RC4 handling named in the
        // family description, but that is not established by these bytes alone.
        // NOTE: the destination 0x40c898 is an absolute address encoded in the
        // pattern (no wildcard), so this sequence only matches images with the
        // same base and data layout; other sequences carry the rule for rebuilt samples.
        $sequence_2 = { 3d00010000 7d10 8a8c181d010000 888898c84000 40 ebe6 ff35???????? }
            // n = 7, score = 100
            //   3d00010000           | cmp                 eax, 0x100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   888898c84000         | mov                 byte ptr [eax + 0x40c898], cl
            //   40                   | inc                 eax
            //   ebe6                 | jmp                 0xffffffe8
            //   ff35????????         |                     

        // Conditional call through edi with a local buffer ([ebp-0xa8]) and esi as
        // arguments; the result is stored to a global (a3, address wildcarded).
        // The trailing immediate decodes to the ASCII fragment "ceil" written to
        // [ebp-8] -- another stack-string fragment.
        $sequence_3 = { 750f 8d9558ffffff 52 56 ffd7 a3???????? c745f86365696c }
            // n = 7, score = 100
            //   750f                 | jne                 0x11
            //   8d9558ffffff         | lea                 edx, [ebp - 0xa8]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   c745f86365696c       | mov                 dword ptr [ebp - 8], 0x6c696563

        // Two back-to-back zero checks on adjacent locals ([ebp-0x10], [ebp-0xc]),
        // each branching forward when the value is non-zero. Short and generic
        // (4 bytes of opcode, 2 of which are displacements); it contributes little
        // on its own, which is why the condition requires 7 of 10 sequences.
        $sequence_4 = { 837df000 7558 837df400 7552 }
            // n = 4, score = 100
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   7558                 | jne                 0x5a
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   7552                 | jne                 0x54

        // Threshold check: ebx is compared against 0x19000 (102400) and the code
        // skips ahead when ebx <= 0x19000; eax is then restored from edi and edi
        // popped, which looks like a return path -- confirm.
        $sequence_5 = { 8bf8 81fb00900100 7614 8b5520 8bc7 5f }
            // n = 6, score = 100
            //   8bf8                 | mov                 edi, eax
            //   81fb00900100         | cmp                 ebx, 0x19000
            //   7614                 | jbe                 0x16
            //   8b5520               | mov                 edx, dword ptr [ebp + 0x20]
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        // Bit-manipulation loop body: esi = 1 << cl, edx |= esi, ecx--.
        // $sequence_8 below overlaps this window (both contain "or edx, esi / dec ecx")
        // and shows the loop's shift-and-continue tail.
        $sequence_6 = { 7409 be01000000 d3e6 0bd6 49 }
            // n = 5, score = 100
            //   7409                 | je                  0xb
            //   be01000000           | mov                 esi, 1
            //   d3e6                 | shl                 esi, cl
            //   0bd6                 | or                  edx, esi
            //   49                   | dec                 ecx

        // Stack-string construction, same technique as $sequence_0: 'G', then a
        // byte from bl, then "tSta" -> "G?tSta". Consistent with a "GetSta..."
        // API name (e.g. GetStartupInfo) if bl holds 'e' -- unconfirmed.
        $sequence_7 = { 56 ffd7 a3???????? 833d????????00 c68560ffffff47 889d61ffffff c78562ffffff74537461 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   833d????????00       |                     
            //   c68560ffffff47       | mov                 byte ptr [ebp - 0xa0], 0x47
            //   889d61ffffff         | mov                 byte ptr [ebp - 0x9f], bl
            //   c78562ffffff74537461     | mov    dword ptr [ebp - 0x9e], 0x61745374

        // Tail of the bit loop started in $sequence_6: after edx |= esi and ecx--,
        // eax is shifted right by one and the loop repeats while ecx > -1,
        // i.e. it walks eax bit by bit while setting bits of edx.
        $sequence_8 = { 0bd6 49 d1e8 83f9ff 7feb }
            // n = 5, score = 100
            //   0bd6                 | or                  edx, esi
            //   49                   | dec                 ecx
            //   d1e8                 | shr                 eax, 1
            //   83f9ff               | cmp                 ecx, -1
            //   7feb                 | jg                  0xffffffed

        // Stack-string construction: "Syst" + bl + "mInf" + "o\0" written to
        // consecutive offsets ([ebp-0xfb] .. [ebp-0xf2]) -> "Syst?mInfo".
        // Consistent with a "...SystemInfo" API name if bl holds 'e' -- unconfirmed.
        $sequence_9 = { c78505ffffff53797374 889d09ffffff c7850affffff6d496e66 66c7850effffff6f00 750f }
            // n = 5, score = 100
            //   c78505ffffff53797374     | mov    dword ptr [ebp - 0xfb], 0x74737953
            //   889d09ffffff         | mov                 byte ptr [ebp - 0xf7], bl
            //   c7850affffff6d496e66     | mov    dword ptr [ebp - 0xf6], 0x666e496d
            //   66c7850effffff6f00     | mov    word ptr [ebp - 0xf2], 0x6f
            //   750f                 | jne                 0x11

    condition:
        // At least 7 of the 10 sequences must be present. The filesize bound
        // keeps scanning cheap and presumably reflects the sample set the rule was
        // generated from; larger images of the family (packed, or dumped from
        // memory with extra sections) would fall outside it and not match, so a
        // non-match on such input is inconclusive rather than a clean result.
        7 of them and filesize < 146432
}