win.screencap

ScreenCap


SentinelOne describes this malware as capable of screen capture and keylogging. It is used by a threat cluster they named WIP19, targeting telecommunications and IT service providers in the Middle East and Asia.

References
2022-10-12 | SentinelOne | Amitai Ben Shushan Ehrlich, Joey Chen
WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware
Maggie ScreenCap WIP19
Yara Rules
[TLP:WHITE] win_screencap_auto (20260504 | Detects win.screencap.)
rule win_screencap_auto {

    /* Autogenerated code-sequence rule for the ScreenCap family (win.screencap).
     * Matches when at least 7 of the 10 instruction-byte sequences below are
     * present and the scanned file is smaller than 1391616 bytes (see condition).
     *
     * NOTE(review): the "| mnemonic operands" column in the per-byte comments
     * is a yara-signator rendering artifact and does NOT decode the hex on the
     * same line (e.g. b9 00 04 00 00 is `mov ecx, 0x400`, not `cmovne edx, eax`).
     * Treat the hex byte strings as authoritative and the mnemonic column as noise.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.screencap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings. `??` is a
        // single-byte wildcard; here it masks the 4-byte displacement/immediate that
        // follows call/jmp and RIP-relative memory opcodes (ff15, e8, e9, 488b05,
        // 488b0d, 483b05), so the sequences survive relocation and rebuilds.
        // Most sequences carry REX prefixes (48/4c/45/42) and are x64 code.
        $sequence_0 = { b900040000 ff15???????? 488bf8 4885c0 747f 488d4c2452 }
            // n = 6, score = 100
            //   b900040000           | cmovne              edx, eax
            //   ff15????????         |                     
            //   488bf8               | dec                 eax
            //   4885c0               | lea                 edx, [0xcd22]
            //   747f                 | dec                 eax
            //   488d4c2452           | lea                 eax, [0xe93d]

        $sequence_1 = { 488bcb 666666660f1f840000000000 0fb68431a8f70000 48ffc1 88440c77 84c0 }
            // n = 6, score = 100
            //   488bcb               | js                  0x18af
            //   666666660f1f840000000000     | push    ebx
            //   0fb68431a8f70000     | mov                 dword ptr [esi + 0x14], 0
            //   48ffc1               | mov                 byte ptr [esp + 0x13], al
            //   88440c77             | lea                 ebx, [ebx]
            //   84c0                 | mov                 edi, dword ptr [esi + 0x14]

        $sequence_2 = { 4533c9 ff5018 85c0 0f88a4000000 488b0d???????? }
            // n = 5, score = 100
            //   4533c9               | je                  0x1ec6
            //   ff5018               | mov                 ecx, 0x473310
            //   85c0                 | movsx               eax, byte ptr [esi]
            //   0f88a4000000         | push                eax
            //   488b0d????????       |                     

        $sequence_3 = { ff15???????? 488d0d3e380100 33d2 e8???????? 488d0d30380100 85c0 740c }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d0d3e380100       | mov                 dword ptr [esp + 0x40], ebx
            //   33d2                 | mov                 dword ptr [esp + 0x38], eax
            //   e8????????           |                     
            //   488d0d30380100       | mov                 dword ptr [esp + 0x30], ecx
            //   85c0                 | mov                 dword ptr [esp + 0x28], edx
            //   740c                 | dec                 esp

        $sequence_4 = { e8???????? 482be0 488b05???????? 4833c4 488985a01d0000 ff15???????? 483b05???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   482be0               | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | lea                 ecx, [esp + 0x48]
            //   488985a01d0000       | inc                 ebp
            //   ff15????????         |                     
            //   483b05????????       |                     

        $sequence_5 = { e9???????? 488d1560ca0000 e9???????? 488d15eccb0000 e9???????? 488d15d0cb0000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d1560ca0000       | dec                 eax
            //   e9????????           |                     
            //   488d15eccb0000       | mov                 ecx, dword ptr [edx + ecx*8]
            //   e9????????           |                     
            //   488d15d0cb0000       | dec                 ebp
            //   e9????????           |                     

        // NOTE(review): unlike its neighbours, $sequence_6 has no REX prefixes and
        // pushes a 32-bit image address (6854334700 = push 0x473354), so it was
        // presumably drawn from a 32-bit build of the family — confirm against the
        // source sample before weighting it.
        $sequence_6 = { 8d8424c8000000 6854334700 50 e8???????? ffb424ec220000 8d8424da000000 }
            // n = 6, score = 100
            //   8d8424c8000000       | dec                 eax
            //   6854334700           | mov                 ecx, eax
            //   50                   | dec                 eax
            //   e8????????           |                     
            //   ffb424ec220000       | mov                 ecx, ebx
            //   8d8424da000000       | dec                 eax

        $sequence_7 = { 488b05???????? 4833c4 4889842400010000 488b0d???????? }
            // n = 4, score = 100
            //   488b05????????       |                     
            //   4833c4               | mov                 ecx, ebx
            //   4889842400010000     | dec                 eax
            //   488b0d????????       |                     

        $sequence_8 = { 488bd5 8bdf e8???????? 85ff 741c }
            // n = 5, score = 100
            //   488bd5               | push                0x4728cc
            //   8bdf                 | push                edi
            //   e8????????           |                     
            //   85ff                 | add                 byte ptr [ebx + 0x10082484], cl
            //   741c                 | add                 byte ptr [eax], al

        $sequence_9 = { 4c8d4308 488d442420 4c2bc0 0fb610 420fb60c00 2bd1 }
            // n = 6, score = 100
            //   4c8d4308             | je                  0x34
            //   488d442420           | mov                 edx, 0x67
            //   4c2bc0               | xor                 edx, edx
            //   0fb610               | test                eax, eax
            //   420fb60c00           | jne                 0xfffffc8c
            //   2bd1                 | mov                 edi, ebx

    condition:
        // 7 of the 10 sequences above must match; the filesize cap (about 1.3 MiB)
        // is a generator-chosen bound derived from the documented samples, so
        // larger repacked or bundled builds would fall outside this rule.
        7 of them and filesize < 1391616
}