win.sidetwist

SideTwist

Actor(s): OilRig


There is no description at this point.

References
2023-08-30 | NSFOCUS | NSFOCUS
APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
SideTwist
2021-04-08 | Checkpoint | Check Point Research
Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF
Yara Rules
[TLP:WHITE] win_sidetwist_auto (20260504 | Detects win.sidetwist.)
rule win_sidetwist_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sidetwist."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE (review)
     * - The hex byte patterns are the authoritative content of this rule. The
     *   per-byte disassembly in the `//` comments does not line up with the hex
     *   it is printed next to: e.g. `4883ec20` in $sequence_0 is annotated as
     *   `lea eax, [0xdcd3]`, while the matching `sub esp, 0x20` annotation
     *   appears under $sequence_1. Treat the disassembly as informational only.
     * - The many `dec eax` annotations suggest the listing was produced by a
     *   32-bit decoder over x86-64 code, where 0x48 is a REX.W prefix rather
     *   than `dec eax`; confirm with a 64-bit disassembler before relying on it.
     * - `??` bytes are YARA wildcards. They appear where operands likely vary
     *   between samples (e.g. the displacement in `e8????????` and the
     *   RIP-relative address in `488b05????????`).
     * - Per the disclaimer above, the patterns come from a single documented
     *   sample, so coverage of other SideTwist builds is not guaranteed.
     */

    strings:
        $sequence_0 = { 4883ec20 488d0564c80400 488901 488b05???????? 4889cb 488b4920 8b00 }
            // n = 7, score = 100
            //   4883ec20             | lea                 eax, [0xdcd3]
            //   488d0564c80400       | dec                 eax
            //   488901               | mov                 dword ptr [ebx + 8], 0
            //   488b05????????       |                     
            //   4889cb               | dec                 eax
            //   488b4920             | lea                 ecx, [ebx + 0xe0]
            //   8b00                 | dec                 eax

        $sequence_1 = { 4885c9 7415 4889c8 4939c0 72e8 750b }
            // n = 6, score = 100
            //   4885c9               | sub                 esp, 0x20
            //   7415                 | dec                 eax
            //   4889c8               | lea                 eax, [0x3c5dc]
            //   4939c0               | dec                 eax
            //   72e8                 | mov                 dword ptr [ecx], eax
            //   750b                 | dec                 eax

        $sequence_2 = { 0f95c0 4531c0 31d2 894108 488d05dc380500 488901 }
            // n = 6, score = 100
            //   0f95c0               | mov                 eax, dword ptr [esp + 0x84]
            //   4531c0               | or                  dword ptr [esp + 0xa4], eax
            //   31d2                 | nop                 
            //   894108               | mov                 esi, dword ptr [esp + 0x44]
            //   488d05dc380500       | test                esi, esi
            //   488901               | jbe                 0x957

        $sequence_3 = { 4889e9 e8???????? 31c0 660fefc0 4889e9 668983f0000000 488d0597a20500 }
            // n = 7, score = 100
            //   4889e9               | dec                 eax
            //   e8????????           |                     
            //   31c0                 | mov                 dword ptr [ebx + 0x10], eax
            //   660fefc0             | dec                 eax
            //   4889e9               | mov                 ebx, ecx
            //   668983f0000000       | setne               al
            //   488d0597a20500       | mov                 dword ptr [ecx + 8], eax

        $sequence_4 = { 4889f1 e8???????? 488d05ad7a0400 4889f9 488d5340 488903 c7434000000000 }
            // n = 7, score = 100
            //   4889f1               | dec                 eax
            //   e8????????           |                     
            //   488d05ad7a0400       | mov                 dword ptr [eax + 0x18], 0
            //   4889f9               | dec                 eax
            //   488d5340             | mov                 dword ptr [eax + 0x10], edx
            //   488903               | mov                 byte ptr [eax + 0x20], 0
            //   c7434000000000       | dec                 eax

        $sequence_5 = { 4839d0 0f8476010000 4839c2 488b8388000000 f30f7e4370 c6839800000000 0f95c2 }
            // n = 7, score = 100
            //   4839d0               | dec                 eax
            //   0f8476010000         | lea                 edx, [0x10bf5]
            //   4839c2               | dec                 eax
            //   488b8388000000       | test                eax, eax
            //   f30f7e4370           | je                  0x11e0
            //   c6839800000000       | dec                 eax
            //   0f95c2               | add                 esp, 0x20

        $sequence_6 = { 4401e8 0f92c2 08542445 4189c5 4183c601 }
            // n = 5, score = 100
            //   4401e8               | sete                ch
            //   0f92c2               | inc                 ebp
            //   08542445             | test                esi, esi
            //   4189c5               | sete                dl
            //   4183c601             | inc                 eax

        $sequence_7 = { 53 4883ec28 4c8d2d553e0300 488db1d0000000 4889cb 4989d4 4489c5 }
            // n = 7, score = 100
            //   53                   | dec                 eax
            //   4883ec28             | mov                 dword ptr [esp + 0x90], 0
            //   4c8d2d553e0300       | dec                 eax
            //   488db1d0000000       | mov                 dword ptr [esp + 0x70], edx
            //   4889cb               | dec                 eax
            //   4989d4               | mov                 edx, dword ptr [eax]
            //   4489c5               | dec                 ecx

        $sequence_8 = { 488d1589000200 8b0e 488914c7 488b05???????? c705????????01000000 4883c010 488905???????? }
            // n = 7, score = 100
            //   488d1589000200       | add                 esp, 0x30
            //   8b0e                 | dec                 eax
            //   488914c7             | lea                 eax, [0x367a8]
            //   488b05????????       |                     
            //   c705????????01000000     |     
            //   4883c010             | dec                 eax
            //   488905????????       |                     

        $sequence_9 = { b801000000 8705???????? 85c0 7551 488b1d???????? 488d0d43760d00 ffd3 }
            // n = 7, score = 100
            //   b801000000           | dec                 eax
            //   8705????????         |                     
            //   85c0                 | mov                 edi, eax
            //   7551                 | dec                 eax
            //   488b1d????????       |                     
            //   488d0d43760d00       | mov                 eax, dword ptr [esp + 0x170]
            //   ffd3                 | mov                 dword ptr [esp + 0x38], edx

    condition:
        // Fire when at least 7 of the 10 byte sequences above are present.
        // The size cap (2002944 bytes, roughly 1.9 MiB) bounds scan cost and
        // skips large files that cannot be the documented sample; note there is
        // no PE-header check, so unpacked/memory-dump inputs without an MZ
        // header can still match.
        7 of them and filesize < 2002944
}