win.shimrat

Shim RAT

Actor(s): Mofang


There is no description at this point.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } BRONZE WALKER
Shim RAT Mofang
2016-05-17 | Fox-IT | Yonathan Klijnsma, Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong
@techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } Mofang: A politically motivated information stealing adversary
Shim RAT Mofang
Yara Rules
[TLP:WHITE] win_shimrat_auto (20220808 | Detects win.shimrat.)
rule win_shimrat_auto {
    /* Auto-generated YARA-Signator rule for the Shim RAT family (win.shimrat).
     * Each $sequence_N string is a short run of x86 opcode bytes lifted from
     * the disassembly of a sample; the comment block under each one gives the
     * instruction count (n), the generator's score for that sequence, and the
     * decoded instructions, byte-aligned with the pattern. '??' bytes are
     * wildcards that mask operands expected to vary between builds (here the
     * rel32 operand of e8 call and the imm32 operand of 68 push / bf mov edi),
     * so those lines are shown with an empty mnemonic column.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.shimrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7535 83ec0c 8d45f0 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   7535                 | jne                 0x37
            //   83ec0c               | sub                 esp, 0xc
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_1 = { 33c0 8901 894104 894108 c3 56 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   8901                 | mov                 dword ptr [ecx], eax
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_2 = { ff750c d1f8 40 50 ff7508 }
            // n = 5, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   d1f8                 | sar                 eax, 1
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { 83c414 50 8d4f6c e8???????? 660fbe06 0fb7c0 8945fc }
            // n = 7, score = 100
            //   83c414               | add                 esp, 0x14
            //   50                   | push                eax
            //   8d4f6c               | lea                 ecx, [edi + 0x6c]
            //   e8????????           |                     
            //   660fbe06             | movsx               ax, byte ptr [esi]
            //   0fb7c0               | movzx               eax, ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_4 = { 56 ffd7 5f 5e c3 56 }
            // n = 6, score = 100
            // Generic epilogue (call edi; pop; pop; ret) followed by the next
            // function's first push - short and common, so it contributes little
            // on its own; the 7-of-10 condition below is what keeps it useful.
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_5 = { e8???????? 8b4d30 50 e8???????? 85c0 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8b4d30               | mov                 ecx, dword ptr [ebp + 0x30]
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { ff75e8 ffd6 395dc8 7405 ff75c8 ffd6 8d4d18 }
            // n = 7, score = 100
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ffd6                 | call                esi
            //   395dc8               | cmp                 dword ptr [ebp - 0x38], ebx
            //   7405                 | je                  7
            //   ff75c8               | push                dword ptr [ebp - 0x38]
            //   ffd6                 | call                esi
            //   8d4d18               | lea                 ecx, [ebp + 0x18]

        $sequence_7 = { 8d45fc 56 50 e8???????? ff75fc e8???????? 0fb7c0 }
            // n = 7, score = 100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   0fb7c0               | movzx               eax, ax

        $sequence_8 = { 56 6a02 6a10 68ff010f00 e8???????? bf???????? 50 }
            // n = 7, score = 100
            // NOTE(review): the immediate 0xf01ff equals the Win32 TOKEN_ALL_ACCESS
            // value; the surrounding pushes look like an argument list for a
            // token-related API call, but that is an inference - confirm against
            // the sample before relying on it for triage.
            //   56                   | push                esi
            //   6a02                 | push                2
            //   6a10                 | push                0x10
            //   68ff010f00           | push                0xf01ff
            //   e8????????           |                     
            //   bf????????           |                     
            //   50                   | push                eax

        $sequence_9 = { 7713 8d8550ffffff 68???????? 50 e8???????? 59 59 }
            // n = 7, score = 100
            //   7713                 | ja                  0x15
            //   8d8550ffffff         | lea                 eax, [ebp - 0xb0]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

    condition:
        // Fires when at least 7 of the 10 opcode sequences are present. The
        // filesize bound restricts hits to inputs smaller than 64 KiB, so a
        // larger memory dump or unpacked image will not match even if every
        // sequence is present - relax or drop the bound for such scans.
        7 of them and filesize < 65536
}