win.slothfulmedia

SlothfulMedia

aka: QueenOfClubs

Actor(s): PowerPool


According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.

References
2020-10-15 — Kaspersky Labs — Félix Aime, Ivan Kwiatkowski, Pierre Delcher
IAmTheKing and the SlothfulMedia malware family
SlothfulMedia
2020-10-01 — US-CERT — US-CERT
Malware Analysis Report (AR20-275A): Remote Access Trojan: SLOTHFULMEDIA
SlothfulMedia
Yara Rules
[TLP:WHITE] win_slothfulmedia_auto (20260504 | Detects win.slothfulmedia.)
rule win_slothfulmedia_auto {
    // Auto-generated code-sequence rule for the SlothfulMedia RAT. Each string
    // is a run of 32-bit x86 opcode bytes (the disassembly is given in the
    // comments under each string). The rule fires when at least 7 of the 15
    // sequences are present and the scanned object is smaller than 122880
    // bytes (120 KiB).
    //
    // Deployment notes:
    //   - The sequences were selected from unpacked files and memory dumps
    //     (see DISCLAIMER below), so a packed or otherwise transformed on-disk
    //     sample is not expected to match until it has been unpacked.
    //   - `??` bytes are wildcards over operands that vary between builds
    //     (call/branch targets and absolute memory references, e.g. the
    //     operands of `ff15`, `e8` and `3b0d`); every other byte is matched
    //     literally.
    //   - $sequence_5 carries an absolute jump-table address (0x4037ed) in its
    //     literal bytes, so that sequence is tied to the sample's image layout
    //     and may not match rebased or relinked variants; the "7 of them"
    //     threshold leaves room for a few such misses.
    //   - NOTE(review): `filesize` is meaningful for on-disk files; for
    //     process-memory scans YARA leaves it undefined, so confirm the
    //     condition behaves as intended in the YARA version you deploy.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.slothfulmedia."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        // The malpedia_* fields below record the dataset snapshot the rule was
        // generated from (reference URL, rule/version dates, hash). Keep them
        // verbatim so the rule can be traced back to its source.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-string annotations are emitted by yara-signator: `n` is the
        // number of instructions in the sequence; `score` is the generator's
        // ranking value for the sequence (presumably a selection weight —
        // consult the yara-signator documentation before treating it as a
        // confidence level).
        $sequence_0 = { 56 57 33c0 33ff 6806020000 668985ecfdffff 8d85eefdffff }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   33c0                 | xor                 eax, eax
            //   33ff                 | xor                 edi, edi
            //   6806020000           | push                0x206
            //   668985ecfdffff       | mov                 word ptr [ebp - 0x214], ax
            //   8d85eefdffff         | lea                 eax, [ebp - 0x212]

        $sequence_1 = { 89443110 8bc3 5b 5e c9 c3 }
            // n = 6, score = 200
            //   89443110             | mov                 dword ptr [ecx + esi + 0x10], eax
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_2 = { 8b86540e0000 3bc7 7438 57 }
            // n = 4, score = 200
            //   8b86540e0000         | mov                 eax, dword ptr [esi + 0xe54]
            //   3bc7                 | cmp                 eax, edi
            //   7438                 | je                  0x3a
            //   57                   | push                edi

        $sequence_3 = { 8bf8 ff15???????? 56 6a00 50 8945fc e8???????? }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     

        $sequence_4 = { 8bd8 895df0 3bdf 0f8434020000 }
            // n = 4, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   3bdf                 | cmp                 ebx, edi
            //   0f8434020000         | je                  0x23a

        // Switch-style dispatch (bounds check then indirect jump through a
        // table). The table address 0x4037ed is a literal byte pattern here,
        // which makes this sequence layout-specific (see notes at the top).
        $sequence_5 = { 6a07 5a 3bc2 0f8756090000 ff2485ed374000 838de8fdffffff 89b5c4fdffff }
            // n = 7, score = 200
            //   6a07                 | push                7
            //   5a                   | pop                 edx
            //   3bc2                 | cmp                 eax, edx
            //   0f8756090000         | ja                  0x95c
            //   ff2485ed374000       | jmp                 dword ptr [eax*4 + 0x4037ed]
            //   838de8fdffffff       | or                  dword ptr [ebp - 0x218], 0xffffffff
            //   89b5c4fdffff         | mov                 dword ptr [ebp - 0x23c], esi

        $sequence_6 = { 0f84db000000 80bb3802000000 0f85ce000000 ff742410 ff15???????? }
            // n = 5, score = 200
            //   0f84db000000         | je                  0xe1
            //   80bb3802000000       | cmp                 byte ptr [ebx + 0x238], 0
            //   0f85ce000000         | jne                 0xd4
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff15????????         |                     

        $sequence_7 = { ff15???????? eb0a 53 8b1b }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   eb0a                 | jmp                 0xc
            //   53                   | push                ebx
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_8 = { ffd6 85c0 7507 ffd7 83f805 }
            // n = 5, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   ffd7                 | call                edi
            //   83f805               | cmp                 eax, 5

        // 0x104 = 260; consistent with a MAX_PATH-sized buffer argument
        // (inference from the constant only — not verified against the sample).
        $sequence_9 = { e8???????? 83c40c 6804010000 8d44240c 50 6a00 ff15???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_10 = { 89842408020000 56 57 68d0070000 ff15???????? 33c0 }
            // n = 6, score = 100
            //   89842408020000       | mov                 dword ptr [esp + 0x208], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_11 = { 6a00 8d4c2410 51 ff15???????? 8b8c2410020000 5f }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b8c2410020000       | mov                 ecx, dword ptr [esp + 0x210]
            //   5f                   | pop                 edi

        $sequence_12 = { 6689442414 e8???????? 83c40c 6a00 }
            // n = 4, score = 100
            //   6689442414           | mov                 word ptr [esp + 0x14], ax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a00                 | push                0

        // Same 0x104 constant as $sequence_9 (see note there); the backward
        // `je` makes this a loop body.
        $sequence_13 = { 83f805 74ee 6804010000 8d54240c 6a00 52 e8???????? }
            // n = 7, score = 100
            //   83f805               | cmp                 eax, 5
            //   74ee                 | je                  0xfffffff0
            //   6804010000           | push                0x104
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   6a00                 | push                0
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_14 = { 33c0 e8???????? 81c40c020000 c21000 3b0d???????? 7502 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   81c40c020000         | add                 esp, 0x20c
            //   c21000               | ret                 0x10
            //   3b0d????????         |                     
            //   7502                 | jne                 4

    condition:
        // Any 7 of the 15 sequences; the size cap (120 KiB) bounds the scan to
        // small objects and excludes larger files that happen to share a few
        // compiler-generated sequences. Raise or drop the cap deliberately if
        // you apply the rule to containers or larger dumps.
        7 of them and filesize < 122880
}