win.slip_screen

SlipScreen

Actor(s): RomCom


According to Proofpoint, SlipScreen is a first-stage loader with variants written in Rust and in C++. Its crypter is updated for each campaign, which makes static detection difficult.

References
2025-06-30 | Proofpoint | David Galazin, Greg Lesnewich, Kelsey Merriman, Proofpoint Threat Research Team, Selena Larson
10 Things I Hate About Attribution: RomCom vs. TransferLoader
DustyHammock MeltingClaw RustyClaw ShadyHammock SlipScreen TransferLoader TA829
Yara Rules
[TLP:WHITE] win_slip_screen_auto (20260504 | Detects win.slip_screen.)
rule win_slip_screen_auto {

    /* Autogenerated code-similarity signature for the SlipScreen loader.
     * Matching logic (see `condition:` below): at least 7 of the 10 opcode
     * byte sequences must be present AND the scanned file must be smaller
     * than 282624 bytes (~276 KiB).
     * The "????????" wildcards replace the 4-byte rel32 operand that follows
     * the e8 (call) opcode; that operand differs between builds, so only the
     * opcode byte is matched.
     * NOTE(review): `filesize` is undefined when YARA scans process memory,
     * so this condition is not expected to fire on live-process scans; confirm
     * the intended deployment (on-disk files vs. memory) before relying on it.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.slip_screen."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slip_screen"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-line mnemonic annotations below were emitted by
        // the generator and do not line up with the opcode bytes on the same
        // line (e.g. eb0f is a short jmp, not lock xadd; 57 4154 4155 4156 4157
        // are push rdi / push r12..r15 in 64-bit code, and 4883ec70 is
        // sub rsp, 0x70). Treat the hex bytes as authoritative and the
        // annotations as informational only.
        $sequence_0 = { eb0f 488bd3 488d0dec090100 e8???????? 33d2 }
            // n = 5, score = 100
            //   eb0f                 | lock xadd           dword ptr [ecx + 0x15c], eax
            //   488bd3               | dec                 eax
            //   488d0dec090100       | lea                 eax, [0xdae7]
            //   e8????????           |                     
            //   33d2                 | dec                 eax

        $sequence_1 = { 480bc8 0fb7c1 664133c0 4c8d442470 6689442446 488bc2 f20f10442440 }
            // n = 7, score = 100
            //   480bc8               | mov                 word ptr [edi - 0xc], ax
            //   0fb7c1               | dec                 esp
            //   664133c0             | imul                edx, esi
            //   4c8d442470           | dec                 eax
            //   6689442446           | shr                 edx, 0x20
            //   488bc2               | dec                 eax
            //   f20f10442440         | or                  edx, eax

        $sequence_2 = { f20f104110 498bd2 480faf5108 f20f11442470 66895c2450 488bc2 }
            // n = 6, score = 100
            //   f20f104110           | mov                 word ptr [esp + 0x34], ax
            //   498bd2               | dec                 eax
            //   480faf5108           | mov                 eax, edx
            //   f20f11442470         | dec                 ecx
            //   66895c2450           | imul                eax, edx
            //   488bc2               | dec                 eax

        // Function prologue followed by mov eax, 0x5a4d ("MZ" as a little-endian
        // word): a constant commonly used when a loader validates a PE header
        // in memory — presumably the in-memory payload check, verify against
        // the sample.
        $sequence_3 = { 57 4154 4155 4156 4157 4883ec70 b84d5a0000 }
            // n = 7, score = 100
            //   57                   | mov                 eax, dword ptr [edi + 0xd0]
            //   4154                 | dec                 eax
            //   4155                 | lea                 ecx, [esp + 0x40]
            //   4156                 | dec                 eax
            //   4157                 | mov                 dword ptr [esp + 0x28], ebx
            //   4883ec70             | dec                 esp
            //   b84d5a0000           | lea                 ecx, [esp + 0xc8]

        $sequence_4 = { eb07 488d3d21990000 4533ed 4584f6 740a 418d4d03 e8???????? }
            // n = 7, score = 100
            //   eb07                 | mov                 ecx, ebp
            //   488d3d21990000       | test                eax, eax
            //   4533ed               | je                  0x16e8
            //   4584f6               | inc                 ebp
            //   740a                 | xor                 eax, eax
            //   418d4d03             | inc                 esp
            //   e8????????           |                     

        $sequence_5 = { 8bd5 488bce 41ffd2 488b8424c0000000 4885c0 0f8421010000 4183bf8c00000000 }
            // n = 7, score = 100
            //   8bd5                 | add                 edx, eax
            //   488bce               | dec                 ecx
            //   41ffd2               | mov                 eax, edx
            //   488b8424c0000000     | dec                 eax
            //   4885c0               | shr                 eax, 0x10
            //   0f8421010000         | movzx               eax, ax
            //   4183bf8c00000000     | inc                 ecx

        $sequence_6 = { 0fb7c1 66334304 66894704 488d040a }
            // n = 4, score = 100
            //   0fb7c1               | jne                 0x2fc
            //   66334304             | mov                 edx, edi
            //   66894704             | dec                 esp
            //   488d040a             | mov                 esi, edi

        $sequence_7 = { 8bcf e8???????? 488bd7 4c8d0583690000 }
            // n = 4, score = 100
            //   8bcf                 | mov                 eax, dword ptr [ecx + ebp*8 + 0x1a210]
            //   e8????????           |                     
            //   488bd7               | dec                 edx
            //   4c8d0583690000       | mov                 eax, dword ptr [eax + edi*8 + 0x28]

        $sequence_8 = { 6685c0 7438 8d4abf 6683f919 448d4220 8d4820 66440f47c2 }
            // n = 7, score = 100
            //   6685c0               | dec                 eax
            //   7438                 | mov                 ecx, ebx
            //   8d4abf               | dec                 eax
            //   6683f919             | mov                 dword ptr [edi + 0x48], eax
            //   448d4220             | dec                 eax
            //   8d4820               | test                eax, eax
            //   66440f47c2           | je                  0x2116

        $sequence_9 = { 488b13 33c9 4883c202 4803d6 380a 740f 488bc2 }
            // n = 7, score = 100
            //   488b13               | shr                 ecx, 0x20
            //   33c9                 | dec                 eax
            //   4883c202             | or                  ecx, eax
            //   4803d6               | dec                 edx
            //   380a                 | lea                 eax, [ecx + ecx]
            //   740f                 | dec                 eax
            //   488bc2               | add                 eax, edx

    condition:
        // 7-of-10 threshold tolerates some per-build drift (the description
        // notes the crypter changes per campaign); the filesize bound keeps the
        // rule from being evaluated against large unrelated files.
        // NOTE(review): if only on-disk PE files are in scope, anchoring with
        // `uint16(0) == 0x5a4d` would cut false positives and scan cost, but
        // it would also exclude non-PE-headed memory dumps — confirm the
        // intended input set before adding it.
        7 of them and filesize < 282624
}