win.shimrat

Shim RAT

Actor(s): Mofang


There is no description at this point. The two references indexed below are the Fox-IT Mofang report (2016), which profiles the operator as a politically motivated information-stealing adversary, and the Secureworks BRONZE WALKER threat profile; both are tagged here against Shim RAT and the Mofang actor.

References
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } BRONZE WALKER
Shim RAT Mofang
2016-05-17 — Fox-IT — Yonathan Klijnsma, Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong
@techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } Mofang: A politically motivated information stealing adversary
Shim RAT Mofang
Yara Rules
[TLP:WHITE] win_shimrat_auto (20211008 | Detects win.shimrat.)
/*
 * Auto-generated (YARA-Signator) code-sequence rule for Shim RAT (win.shimrat).
 *
 * Operator notes before deploying:
 *  - The byte sequences were selected from memory dumps and unpacked files
 *    (see DISCLAIMER below). A packed or otherwise encrypted sample on disk
 *    is unlikely to match; scan unpacked output or a dumped image instead.
 *  - The condition depends on `filesize`. When YARA scans a live process,
 *    `filesize` is undefined and the whole `and` expression evaluates to
 *    false, so as written this rule will not fire on process-memory scans,
 *    only on files and dumped images. A memory-scanning variant would need
 *    the filesize clause removed or relaxed.
 *  - Per the DISCLAIMER, only a single sample may be behind these sequences.
 *    Treat a hit as a medium-confidence indicator to be corroborated, not as
 *    a standalone verdict.
 *  - `????????` in the hex strings wildcards 4-byte immediates / absolute
 *    addresses (memory operands, call targets), which vary with image base
 *    and build; the surrounding opcode bytes are what is being matched.
 */
rule win_shimrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.shimrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // All sequences are 32-bit x86 (ebp/esp-relative frames, cdecl-style
        // pushes); a 64-bit build of the family would not match this rule.

        // Loads a second pointer from the stack and reads one byte from each
        // of [esi] and [edi] — looks like the start of a byte-wise compare
        // loop; the loop body itself is not part of the sequence.
        $sequence_0 = { 57 8b7c2410 8a06 8a0f 8ad0 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8a0f                 | mov                 cl, byte ptr [edi]
            //   8ad0                 | mov                 dl, al

        // Two stores of esi to wildcarded globals, then an indirect call
        // through an import-table-style pointer (ff15) with its result
        // tested; the branch displacement 0x1b is fixed and part of the match.
        $sequence_1 = { 8935???????? 8935???????? ff15???????? 85c0 741b 56 56 }
            // n = 7, score = 100
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741b                 | je                  0x1d
            //   56                   | push                esi
            //   56                   | push                esi

        // push imm32 / call esi / test / jne, then another push imm32 and a
        // lea into a 0xb0-byte local buffer; the immediates are wildcarded,
        // so only the call-and-check shape plus the frame offset is matched.
        $sequence_2 = { 68???????? ffd6 85c0 7513 68???????? 8d8550ffffff 50 }
            // n = 7, score = 100
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   68????????           |                     
            //   8d8550ffffff         | lea                 eax, dword ptr [ebp - 0xb0]
            //   50                   | push                eax

        // Large frame (lea of [ebp - 0x830]) with a constant 4 written to a
        // local before two relative calls; the constant and the 0x830 offset
        // are what make this sequence specific.
        $sequence_3 = { 8d85d0f7ffff 50 8d4d18 c745dc04000000 e8???????? 50 e8???????? }
            // n = 7, score = 100
            //   8d85d0f7ffff         | lea                 eax, dword ptr [ebp - 0x830]
            //   50                   | push                eax
            //   8d4d18               | lea                 ecx, dword ptr [ebp + 0x18]
            //   c745dc04000000       | mov                 dword ptr [ebp - 0x24], 4
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 7574 53 8d45e8 56 50 e8???????? 6a06 }
            // n = 7, score = 100
            //   7574                 | jne                 0x76
            //   53                   | push                ebx
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a06                 | push                6

        // movsx ax, byte / movzx eax, ax pair: widening of a single byte
        // to a 32-bit value (the movzx is repeated around a store to
        // [ebp - 4]); this compiler-generated widening idiom is the anchor.
        $sequence_5 = { 8d4f60 e8???????? 660fbe06 0fb7c0 8945fc 0fb7c0 50 }
            // n = 7, score = 100
            //   8d4f60               | lea                 ecx, dword ptr [edi + 0x60]
            //   e8????????           |                     
            //   660fbe06             | movsx               ax, byte ptr [esi]
            //   0fb7c0               | movzx               eax, ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax

        $sequence_6 = { 8b3d???????? 53 8d4504 50 8d4564 }
            // n = 5, score = 100
            //   8b3d????????         |                     
            //   53                   | push                ebx
            //   8d4504               | lea                 eax, dword ptr [ebp + 4]
            //   50                   | push                eax
            //   8d4564               | lea                 eax, dword ptr [ebp + 0x64]

        // Long conditional jump (6-byte je, disp 0x107) followed by two
        // address pushes and an indirect call through edi; the fixed 32-bit
        // displacement makes this fragile to even small code changes.
        $sequence_7 = { 0f8407010000 8d4534 50 8d85a8feffff 50 ffd7 0fb74540 }
            // n = 7, score = 100
            //   0f8407010000         | je                  0x10d
            //   8d4534               | lea                 eax, dword ptr [ebp + 0x34]
            //   50                   | push                eax
            //   8d85a8feffff         | lea                 eax, dword ptr [ebp - 0x158]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   0fb74540             | movzx               eax, word ptr [ebp + 0x40]

        // Stack clean-up of 0x10 bytes, then the byte 0x61 ('a') is written
        // to [ebp - 1] and copied to [ebp - 0x2c]: a character constant
        // being staged on the stack, most likely for a string built in place.
        $sequence_8 = { 83c410 c645ff61 33db be???????? 8a45ff 8845d4 33c0 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   c645ff61             | mov                 byte ptr [ebp - 1], 0x61
            //   33db                 | xor                 ebx, ebx
            //   be????????           |                     
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   8845d4               | mov                 byte ptr [ebp - 0x2c], al
            //   33c0                 | xor                 eax, eax

        // Two zero pushes followed by push -1: a common argument shape for
        // Win32 calls taking NULL, NULL, INFINITE/-1 — hedged, the callee is
        // not captured in the sequence.
        $sequence_9 = { e8???????? 8b4d0c 33f6 56 56 6aff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   6aff                 | push                -1

    condition:
        // 7 of the 10 sequences must be present, and the scanned object must
        // be under 64 KiB. `filesize` is undefined for process scans, which
        // makes the whole condition false there (see header note).
        7 of them and filesize < 65536
}