win.scanline (Back to overview)

ScanLine

Actor(s): Volt Typhoon


According to CISA, this is a command-line port scanning utility from Foundstone. It is used to scan for open UDP and TCP ports, grab banners from open ports, resolve IP addresses to host names, and bind to specified ports and IP addresses.

References
2024-02-07 | CISA | CISA
MAR-10448362-1.v1 Volt Typhoon
ScanLine
2024-02-07 | CISA | CISA
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
ScanLine
Yara Rules
[TLP:WHITE] win_scanline_auto (20260504 | Detects win.scanline.)
rule win_scanline_auto {

    // Autogenerated (yara-signator) detection for win.scanline. The rule is
    // ten hex byte sequences lifted from x86 disassembly of the sampled
    // binary, plus a size bound; no unique text strings or imports are used.
    // Bytes written as "??" are YARA hex-string wildcards that match any value;
    // they appear where the generator left the disassembly blank, presumably
    // address operands that differ between builds (confirm against a sample).
    // The 7-of-10 threshold in the condition carries the specificity — several
    // individual sequences (notably $sequence_4) are generic on their own.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.scanline."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanline"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 72e8 894670 8b4674 03d8 8a450c 0803 }
            // n = 6, score = 100
            //   72e8                 | jb                  0xffffffea
            //   894670               | mov                 dword ptr [esi + 0x70], eax
            //   8b4674               | mov                 eax, dword ptr [esi + 0x74]
            //   03d8                 | add                 ebx, eax
            //   8a450c               | mov                 al, byte ptr [ebp + 0xc]
            //   0803                 | or                  byte ptr [ebx], al

        $sequence_1 = { 33c2 668b0e 2bc2 99 f7fb 8d0457 668b1457 }
            // n = 7, score = 100
            //   33c2                 | xor                 eax, edx
            //   668b0e               | mov                 cx, word ptr [esi]
            //   2bc2                 | sub                 eax, edx
            //   99                   | cdq                 
            //   f7fb                 | idiv                ebx
            //   8d0457               | lea                 eax, [edi + edx*2]
            //   668b1457             | mov                 dx, word ptr [edi + edx*2]

        $sequence_2 = { 83c10c 83fa40 7cf2 c3 6a01 58 }
            // n = 6, score = 100
            //   83c10c               | add                 ecx, 0xc
            //   83fa40               | cmp                 edx, 0x40
            //   7cf2                 | jl                  0xfffffff4
            //   c3                   | ret                 
            //   6a01                 | push                1
            //   58                   | pop                 eax

        $sequence_3 = { 897dfc eb20 ff15???????? 8bc8 2b4e70 81f9e8030000 72e8 }
            // n = 7, score = 100
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   eb20                 | jmp                 0x22
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   2b4e70               | sub                 ecx, dword ptr [esi + 0x70]
            //   81f9e8030000         | cmp                 ecx, 0x3e8
            //   72e8                 | jb                  0xffffffea

        // Five of the seven instructions below are fully wildcarded, so this
        // sequence contributes little discrimination by itself.
        $sequence_4 = { 68???????? e8???????? 59 392d???????? 0f8522020000 b9???????? e8???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   392d????????         |                     
            //   0f8522020000         | jne                 0x228
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_5 = { f3a5 8bc8 83e103 f3a4 ff7304 e8???????? 8b45fc }
            // n = 7, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff7304               | push                dword ptr [ebx + 4]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { 84db 740f 8819 41 ff45fc 817dfcff070000 7308 }
            // n = 7, score = 100
            //   84db                 | test                bl, bl
            //   740f                 | je                  0x11
            //   8819                 | mov                 byte ptr [ecx], bl
            //   41                   | inc                 ecx
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   817dfcff070000       | cmp                 dword ptr [ebp - 4], 0x7ff
            //   7308                 | jae                 0xa

        $sequence_7 = { 83fb40 7cb6 5f 5e 5d 5b c3 }
            // n = 7, score = 100
            //   83fb40               | cmp                 ebx, 0x40
            //   7cb6                 | jl                  0xffffffb8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   c3                   | ret                 

        $sequence_8 = { 8b3d???????? ff7604 bb00040000 8d85fcfbffff 53 50 }
            // n = 6, score = 100
            //   8b3d????????         |                     
            //   ff7604               | push                dword ptr [esi + 4]
            //   bb00040000           | mov                 ebx, 0x400
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_9 = { 7510 80a11703000000 c6811603000008 eb15 807c24040d 750e c681160300000d }
            // n = 7, score = 100
            //   7510                 | jne                 0x12
            //   80a11703000000       | and                 byte ptr [ecx + 0x317], 0
            //   c6811603000008       | mov                 byte ptr [ecx + 0x316], 8
            //   eb15                 | jmp                 0x17
            //   807c24040d           | cmp                 byte ptr [esp + 4], 0xd
            //   750e                 | jne                 0x10
            //   c681160300000d       | mov                 byte ptr [ecx + 0x316], 0xd

    // Match requires at least 7 of the 10 sequences AND a scanned object
    // smaller than 151552 bytes (148 KiB). Because of the "and", anything at
    // or above that size is never flagged however many sequences it contains;
    // the bound is presumably sized from the generation sample, so larger
    // memory dumps or repacked builds may need it relaxed (verify locally).
    condition:
        7 of them and filesize < 151552
}