win.shimrat

Shim RAT

Actor(s): Mofang


There is no description at this point; see the references below (the 2016 Fox-IT Mofang report and the Secureworks BRONZE WALKER threat profile) for the available public reporting on this family.

References
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } BRONZE WALKER
Shim RAT Mofang
2016-05-17 — Fox-IT — Yonathan Klijnsma, Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong
@techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } Mofang: A politically motivated information stealing adversary
Shim RAT Mofang
Yara Rules
[TLP:WHITE] win_shimrat_auto (20220411 | Detects win.shimrat.)
// Auto-generated (YARA-Signator) code-sequence rule for win.shimrat ("Shim RAT",
// listed on this page under the Mofang actor). Provenance, licensing and the
// sharing level (TLP:WHITE) are recorded in the meta section below.
// NOTE(review): malpedia_hash presumably identifies the upstream rule/sample
// set it was generated from — confirm before relying on it after local edits.
rule win_shimrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.shimrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Each $sequence_N is a raw run of x86 opcode bytes (32-bit registers
         * such as esp/ebp/ebx appear in the disassembly). The `??` bytes are
         * wildcards standing in for the 4-byte operands of call (e8 / ff15),
         * jmp (e9) and push imm32 (68) instructions — values that depend on
         * build/link layout and are therefore excluded from matching. The
         * disassembly listed below each string is informational only; the
         * hex string is what YARA matches. */
        $sequence_0 = { 5e c3 0fb6c1 f7d8 ebf6 33c0 837c240420 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   0fb6c1               | movzx               eax, cl
            //   f7d8                 | neg                 eax
            //   ebf6                 | jmp                 0xfffffff8
            //   33c0                 | xor                 eax, eax
            //   837c240420           | cmp                 dword ptr [esp + 4], 0x20

        $sequence_1 = { 58 c3 0fb6c0 83e008 c3 55 }
            // n = 6, score = 100
            //   58                   | pop                 eax
            //   c3                   | ret                 
            //   0fb6c0               | movzx               eax, al
            //   83e008               | and                 eax, 8
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_2 = { c745f801000000 395df8 0f8492feffff 895df4 395df0 0f8488000000 53 }
            // n = 7, score = 100
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   0f8492feffff         | je                  0xfffffe98
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   395df0               | cmp                 dword ptr [ebp - 0x10], ebx
            //   0f8488000000         | je                  0x8e
            //   53                   | push                ebx

        $sequence_3 = { 50 e8???????? 0fb745fc 32db 50 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]
            //   32db                 | xor                 bl, bl
            //   50                   | push                eax

        $sequence_4 = { 8d4560 50 8d4d54 e8???????? 50 8d4d54 e8???????? }
            // n = 7, score = 100
            //   8d4560               | lea                 eax, dword ptr [ebp + 0x60]
            //   50                   | push                eax
            //   8d4d54               | lea                 ecx, dword ptr [ebp + 0x54]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4d54               | lea                 ecx, dword ptr [ebp + 0x54]
            //   e8????????           |                     

        $sequence_5 = { 53 881c30 ff15???????? 50 ff15???????? }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   881c30               | mov                 byte ptr [eax + esi], bl
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 8d85bcf7ffff 50 6a03 68???????? ff15???????? 8945e8 3bc3 }
            // n = 7, score = 100
            //   8d85bcf7ffff         | lea                 eax, dword ptr [ebp - 0x844]
            //   50                   | push                eax
            //   6a03                 | push                3
            //   68????????           |                     
            //   ff15????????         |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   3bc3                 | cmp                 eax, ebx

        $sequence_7 = { e9???????? f6456802 8d8550ffffff 740a 68???????? e9???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   f6456802             | test                byte ptr [ebp + 0x68], 2
            //   8d8550ffffff         | lea                 eax, dword ptr [ebp - 0xb0]
            //   740a                 | je                  0xc
            //   68????????           |                     
            //   e9????????           |                     

        $sequence_8 = { 8ad0 46 80ea41 47 80fa19 }
            // n = 5, score = 100
            //   8ad0                 | mov                 dl, al
            //   46                   | inc                 esi
            //   80ea41               | sub                 dl, 0x41
            //   47                   | inc                 edi
            //   80fa19               | cmp                 dl, 0x19

        $sequence_9 = { 56 8d85bcefffff 50 8d4d18 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8d85bcefffff         | lea                 eax, dword ptr [ebp - 0x1044]
            //   50                   | push                eax
            //   8d4d18               | lea                 ecx, dword ptr [ebp + 0x18]

    condition:
        // Fire when at least 7 of the 10 code sequences above are present.
        // The filesize bound (64 KiB) restricts the rule to small files; it
        // will not match larger artefacts such as full process-memory dumps
        // unless that clause is raised or removed, so tune it to the scanning
        // context (on-disk vs. memory). Because the sequences were drawn from
        // a limited sample set (see DISCLAIMER), treat a hit as one signal to
        // corroborate rather than a confirmed family identification.
        7 of them and filesize < 65536
}