win.shimrat

Shim RAT

Actor(s): Mofang


There is no description at this point.

References
2020 Secureworks SecureWorks
@online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } BRONZE WALKER
Shim RAT Mofang
2016-05-17 Fox-IT Yonathan Klijnsma, Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong
@techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } Mofang: A politically motivated information stealing adversary
Shim RAT Mofang
Yara Rules
[TLP:WHITE] win_shimrat_auto (20230125 | Detects win.shimrat.)
// Malpedia reference rule for win.shimrat (Shim RAT; this page lists the actor as Mofang).
// Auto-generated by YARA-Signator: each $sequence_N below is a short run of 32-bit x86
// opcode bytes taken from unpacked samples / memory dumps. Bytes written as '??' are
// wildcards; the generator leaves the mnemonic column blank for them, and the e8/e9
// prefixes suggest they are call/jmp rel32 operands whose targets vary per build
// (presumed from the opcode values — verify against the generator's output if it matters).
rule win_shimrat_auto {

    // meta is informational only; none of these fields affect matching.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.shimrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // generator feature set used to select the sequences (meaning defined by yara-signator, not here)
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
        malpedia_rule_date = "20230124"
        // hash recorded by Malpedia alongside this rule; what it identifies is not stated on this page
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each sequence is annotated by the generator: "n" is the number of instructions
    // in the sequence (it equals the number of listed lines); "score" is the generator's
    // own ranking metric and is not explained on this page.
    strings:
        $sequence_0 = { 0f849e030000 48 0f840b030000 48 0f85a3030000 }
            // n = 5, score = 100
            //   0f849e030000         | je                  0x3a4
            //   48                   | dec                 eax
            //   0f840b030000         | je                  0x311
            //   48                   | dec                 eax
            //   0f85a3030000         | jne                 0x3a9

        $sequence_1 = { e8???????? 8d4648 ebb9 33c0 5e 5d c21000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4648               | lea                 eax, [esi + 0x48]
            //   ebb9                 | jmp                 0xffffffbb
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10

        $sequence_2 = { 50 8bce e8???????? 50 8d4d74 e8???????? 8d4d20 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4d74               | lea                 ecx, [ebp + 0x74]
            //   e8????????           |                     
            //   8d4d20               | lea                 ecx, [ebp + 0x20]

        $sequence_3 = { eb07 c7461403000000 837e1403 6a04 5b 7513 8bce }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   c7461403000000       | mov                 dword ptr [esi + 0x14], 3
            //   837e1403             | cmp                 dword ptr [esi + 0x14], 3
            //   6a04                 | push                4
            //   5b                   | pop                 ebx
            //   7513                 | jne                 0x15
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { 85c0 751e 8d4570 50 6a01 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 0x20
            //   8d4570               | lea                 eax, [ebp + 0x70]
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_5 = { 8d4f60 e8???????? 660fbe06 0fb7c0 8945fc 0fb7c0 50 }
            // n = 7, score = 100
            //   8d4f60               | lea                 ecx, [edi + 0x60]
            //   e8????????           |                     
            //   660fbe06             | movsx               ax, byte ptr [esi]
            //   0fb7c0               | movzx               eax, ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax

        $sequence_6 = { 83f8ff 0f845c020000 81c690000000 8bce e8???????? 50 }
            // n = 6, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   0f845c020000         | je                  0x262
            //   81c690000000         | add                 esi, 0x90
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 50 8d4704 50 ff75f8 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   8d4704               | lea                 eax, [edi + 4]
            //   50                   | push                eax
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_8 = { 8d4df0 e8???????? 8bce e8???????? e9???????? }
            // n = 5, score = 100
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_9 = { e8???????? 8b4d0c 33f6 56 56 6aff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   6aff                 | push                -1

    condition:
        // At least 7 of the 10 sequences must be present, so up to three may be absent
        // (e.g. if a build differs in one function); the size cap limits matching to
        // files under 64 KiB. Both clauses are ANDed, so a hit requires both.
        // NOTE(review): YARA's filesize is undefined when the scan target is a process
        // rather than a file, which makes this whole condition false for live-memory
        // scans — confirm against the YARA version in use, and relax the size clause
        // in a local copy if memory-scan coverage is needed. See the DISCLAIMER above
        // on the single-sample origin before assigning a confidence level.
        7 of them and filesize < 65536
}