win.shimrat

Shim RAT

Actor(s): Mofang


No description of this family is available yet; the references below are the only documented sources on this page.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } BRONZE WALKER
Shim RAT Mofang
2016-05-17 | Fox-IT | Yonathan Klijnsma, Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong
@techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } Mofang: A politically motivated information stealing adversary
Shim RAT Mofang
Yara Rules
[TLP:WHITE] win_shimrat_auto (20230808 | Detects win.shimrat.)
rule win_shimrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.shimrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Code-sequence signature for win.shimrat (Shim RAT, attributed to Mofang).
     *
     * How it was built: YARA-Signator selected these byte runs from the
     * disassembly of memory dumps and unpacked files, so they describe the
     * unpacked code rather than a packed dropper on disk. Malpedia documents
     * only a single sample for some families, which limits how far a rule of
     * this kind generalises to other builds; assign confidence accordingly.
     *
     * Deployment notes for analysts:
     *   - Scan unpacked samples or memory dumps; a packed file will not
     *     expose these sequences.
     *   - The `??` bytes mask rel32 call/jmp displacements and absolute
     *     operands (e8 / e9 / ff 15 / 68), which change between builds and
     *     with relocation, so the surrounding opcodes carry the match.
     *   - The 64 KB size cap narrows the rule to small artefacts.
     *     NOTE(review): YARA leaves `filesize` undefined when scanning process
     *     memory instead of a file, which would make this condition false
     *     there - confirm against the YARA build you deploy.
     *   - 7 of the 10 sequences must hit, so a build may lack a few of them
     *     and still match.
     *
     * Generator: https://github.com/fxb-cocacoding/yara-signator
     */

    strings:
        // call ??; pop ecx; pop ecx; push 1; lea eax, [ebp+0x2c]
        $seq_0 = { e8 ?? ?? ?? ?? 59 59 6a 01 8d 45 2c }

        // jmp 0x1c; cmp eax, 2; jne 0x15; sub esp, 0xc; lea eax, [esi+0x60]; mov ecx, esp; push eax
        $seq_1 = { eb 1a 83 f8 02 75 13 83 ec 0c 8d 46 60 8b cc 50 }

        // push [ebp+8]; lea eax, [ebp-0x104]; push eax; call ??; pop ecx; pop ecx; test eax, eax
        $seq_2 = { ff 75 08 8d 85 fc fe ff ff 50 e8 ?? ?? ?? ?? 59 59 85 c0 }

        // call [??]; lea ecx, [ebp-0xc]; call ??; lea ecx, [ebp+8]; call ??; pop esi
        $seq_3 = { ff 15 ?? ?? ?? ?? 8d 4d f4 e8 ?? ?? ?? ?? 8d 4d 08 e8 ?? ?? ?? ?? 5e }

        // call ??; pop ecx; pop ecx; mov [esi+0x1c], ebx; call [??]; mov ecx, esi; mov [esi+0xc0], ebx
        $seq_4 = { e8 ?? ?? ?? ?? 59 59 89 5e 1c ff 15 ?? ?? ?? ?? 8b ce 89 9e c0 00 00 00 }

        // call [??]; mov ecx, esi; mov [esi+0xc0], ebx; call ??; test eax, eax; jne 0x10
        $seq_5 = { ff 15 ?? ?? ?? ?? 8b ce 89 9e c0 00 00 00 e8 ?? ?? ?? ?? 85 c0 75 0e }

        // cmp [ebp+8], 0; je 0x26; cmp [ebp+0xc], 0; je 0x20; push [ebp+0x10]; push [ebp+0xc]
        $seq_6 = { 83 7d 08 00 74 24 83 7d 0c 00 74 1e ff 75 10 ff 75 0c }

        // push eax; mov ecx, esi; call ??; test eax, eax; je (backwards); push [ebp-0x18]; lea ecx, [ebp-0x10]
        $seq_7 = { 50 8b ce e8 ?? ?? ?? ?? 85 c0 74 d9 ff 75 e8 8d 4d f0 }

        // push 0; push imm32 ??; push ebx; call edi; push [ebp+0x70]; call [??]; jmp ??
        $seq_8 = { 6a 00 68 ?? ?? ?? ?? 53 ff d7 ff 75 70 ff 15 ?? ?? ?? ?? e9 ?? ?? ?? ?? }

        // add esp, 0x14; push eax; lea ecx, [edi+0x6c]; call ??
        $seq_9 = { 83 c4 14 50 8d 4f 6c e8 ?? ?? ?? ?? }

    condition:
        7 of ($seq_*) and filesize < 64KB
}