win.smanager

SManager

aka: PhantomNet

There is no description at this point.

References
2021-09-03 — Trend Micro — Mohamad Mokbel
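@techreport{mokbel:20210903:state:df86499,
  author      = {Mohamad Mokbel},
  title       = {{The State of SSL/TLS Certificate Usage in Malware C\&C Communications}},
  institution = {Trend Micro},
  date        = {2021-09-03},
  url         = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
  urldate     = {2021-09-19},
  language    = {English},
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications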
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-03 — Group-IB — Anastasia Tikhonova, Dmitry Kupin
@online{tikhonova:20210803:art:d715071,
  author       = {Anastasia Tikhonova and Dmitry Kupin},
  title        = {{The Art of Cyberwarfare Chinese APTs attack Russia}},
  organization = {Group-IB},
  date         = {2021-08-03},
  url          = {https://blog.group-ib.com/task},
  urldate      = {2021-08-06},
  language     = {English},
}
The Art of Cyberwarfare Chinese APTs attack Russia
Albaniiutas Mail-O SManager
2021-06-08 — SentinelOne — Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210608:thundercats:8eac3cd,
  author       = {Juan Andrés Guerrero-Saade},
  title        = {{ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op}},
  organization = {SentinelOne},
  date         = {2021-06-08},
  url          = {https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/},
  urldate      = {2021-06-09},
  language     = {English},
}
ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op
Mail-O SManager Tmanger
2021-02-19 — Medium 0xthreatintel — 0xthreatintel
@online{0xthreatintel:20210219:how:5fed055,
  author       = {0xthreatintel},
  title        = {{How to unpack SManager APT tool?}},
  organization = {Medium 0xthreatintel},
  date         = {2021-02-19},
  url          = {https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214},
  urldate      = {2021-02-20},
  language     = {English},
}
How to unpack SManager APT tool?
SManager
2021-02-17 — VinCSS — Trương Quốc Ngân
@online{ngn:20210217:re020:76db05d,
  author       = {Trương Quốc Ngân},
  title        = {{[RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT}},
  organization = {VinCSS},
  date         = {2021-02-17},
  url          = {https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html},
  urldate      = {2021-02-20},
  language     = {English},
}
[RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT
SManager
2021-01-26 — Medium 0xthreatintel — 0xthreatintel
@online{0xthreatintel:20210126:reversing:716c09c,
  author       = {0xthreatintel},
  title        = {{Reversing APT Tool : SManager (Unpacked)}},
  organization = {Medium 0xthreatintel},
  date         = {2021-01-26},
  url          = {https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4},
  urldate      = {2021-01-27},
  language     = {English},
}
Reversing APT Tool : SManager (Unpacked)
SManager
2020-12-25 — VinCSS — Trương Quốc Ngân
@online{ngn:20201225:re0182:4a2ca92,
  author       = {Trương Quốc Ngân},
  title        = {{[RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2}},
  organization = {VinCSS},
  date         = {2020-12-25},
  url          = {https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1},
  urldate      = {2020-12-26},
  language     = {English},
}
[RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2
SManager
2020-12-19 — VinCSS — Trương Quốc Ngân
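@online{ngn:20201219:re0172:c0a6b21,
  author       = {Trương Quốc Ngân},
  title        = {{[RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)}},
  organization = {VinCSS},
  date         = {2020-12-19},
  url          = {https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html},
  urldate      = {2020-12-19},
  language     = {Vietnamese},
}
[RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)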
SManager
2020-12-19 — VinCSS — Trương Quốc Ngân
@online{ngn:20201219:re0181:bd0904c,
  author       = {Trương Quốc Ngân},
  title        = {{[RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 1}},
  organization = {VinCSS},
  date         = {2020-12-19},
  url          = {https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html},
  urldate      = {2020-12-23},
  language     = {English},
}
[RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 1
SManager
2020-12-17 — VinCSS — VinCSS
@online{vincss:20201217:re0171:a4d3525,
  author       = {VinCSS},
  title        = {{[RE017-1] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 1)}},
  organization = {VinCSS},
  date         = {2020-12-17},
  url          = {https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html},
  urldate      = {2020-12-19},
  language     = {Vietnamese},
}
[RE017-1] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 1)
SManager
2020-12-17 — ESET Research — Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20201217:operation:6822847,
  author       = {Ignacio Sanmillan and Matthieu Faou},
  title        = {{Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia}},
  organization = {ESET Research},
  date         = {2020-12-17},
  url          = {https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/},
  urldate      = {2020-12-18},
  language     = {English},
}
Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia
SManager
2020-12-11 — NTT Security — Hiroki Hada
@online{hada:20201211:pandas:b182e4e,
  author       = {Hiroki Hada},
  title        = {{Panda’s New Arsenal: Part 3 Smanager}},
  organization = {NTT Security},
  date         = {2020-12-11},
  url          = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager},
  urldate      = {2021-01-01},
  language     = {Japanese},
}
Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
Yara Rules
[TLP:WHITE] win_smanager_auto (20220516 | Detects win.smanager.)
rule win_smanager_auto {
    /* Purpose: flag samples of SManager (Malpedia id win.smanager) by matching
     * code byte sequences that yara-signator extracted from unpacked samples.
     * Everything in this rule is generator output (see meta and the disclaimer
     * below); nothing was hand-tuned, so treat a hit as a triage lead rather
     * than a verdict, and pair it with the family's other indicators.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.smanager."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reading the strings section:
     *  - each hex string is a run of instruction encodings; the "n = N" in the
     *    comment is the number of instructions (byte groups) in that run, and
     *    "score" is the generator's weight for the sequence (higher appears to
     *    mean seen in more samples -- confirm against the yara-signator docs);
     *  - "??" bytes wildcard the relative targets of call/jmp/memory operands;
     *  - the "| mnemonic" column next to each byte group is carried over from
     *    the generator and does NOT decode the bytes on the same line (e.g.
     *    `6a00` is `push 0`, `56` is `push esi`; groups starting with
     *    48/4c/4d/41/45 are x64 REX-prefixed instructions, while the column
     *    shows 32-bit readings such as `dec eax`). Work from the hex, not the
     *    mnemonics, when reviewing or tuning this rule.
     */
    strings:
        $sequence_0 = { 8b7604 6a00 6a00 56 }
            // n = 4, score = 600
            //   8b7604               | mov                 ebx, eax
            //   6a00                 | dec                 esp
            //   6a00                 | lea                 eax, [eax + 0x20]
            //   56                   | dec                 esp

        $sequence_1 = { 85f6 7417 8b0e 85c9 }
            // n = 4, score = 600
            //   85f6                 | add                 esp, 0xc
            //   7417                 | mov                 dword ptr [esi + 8], 0
            //   8b0e                 | mov                 esi, dword ptr [esi + 4]
            //   85c9                 | push                0

        $sequence_2 = { 7410 6a00 6a00 6830001100 }
            // n = 4, score = 600
            //   7410                 | push                eax
            //   6a00                 | push                0
            //   6a00                 | mov                 edi, eax
            //   6830001100           | mov                 dword ptr [esi + 0x28], edi

        $sequence_3 = { 6a0d e8???????? 83c404 8bf0 }
            // n = 4, score = 600
            //   6a0d                 | add                 esp, 0x20
            //   e8????????           |                     
            //   83c404               | add                 esi, 2
            //   8bf0                 | push                0x22

        $sequence_4 = { 7409 6a02 51 51 ffd0 83c40c c7460800000000 }
            // n = 7, score = 600
            //   7409                 | lea                 ebp, [eax - 0x658]
            //   6a02                 | dec                 eax
            //   51                   | sub                 esp, 0x740
            //   51                   | dec                 eax
            //   ffd0                 | mov                 dword ptr [esp + 0x50], 0xfffffffe
            //   83c40c               | dec                 eax
            //   c7460800000000       | mov                 dword ptr [eax + 0x10], ebx

        $sequence_5 = { 83c602 6a22 56 e8???????? 83c408 85c0 }
            // n = 6, score = 600
            //   83c602               | push                esi
            //   6a22                 | dec                 eax
            //   56                   | sub                 esp, 0x20
            //   e8????????           |                     
            //   83c408               | xor                 esi, esi
            //   85c0                 | inc                 ecx

        $sequence_6 = { 6a00 ff15???????? 8bf8 897e28 }
            // n = 4, score = 600
            //   6a00                 | je                  0x81
            //   ff15????????         |                     
            //   8bf8                 | mov                 ecx, dword ptr [ebx]
            //   897e28               | dec                 eax

        $sequence_7 = { 8b4510 85c0 7407 50 }
            // n = 4, score = 600
            //   8b4510               | mov                 ecx, eax
            //   85c0                 | mov                 word ptr [eax + 0x18], 0
            //   7407                 | dec                 ebp
            //   50                   | test                eax, eax

        // Below this point the score drops (300, then 100). Several of the
        // score-100 sequences ($sequence_9/10/13/15/16/18/19/21) consist of
        // byte runs such as `0007 b15a` or `0000 0c0c` that look like data or
        // table bytes rather than code, and short generic runs of that kind are
        // more likely to collide with unrelated files. Keep this in mind when
        // weighing a hit that is carried mostly by these sequences.
        $sequence_8 = { ff15???????? 32c0 e9???????? 0f1005???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   0f1005????????       |                     

        $sequence_9 = { 0001 ce 50 0008 }
            // n = 4, score = 100
            //   0001                 | cmp                 eax, 0x2745
            //   ce                   | je                  0xe
            //   50                   | cmp                 eax, 0x2746
            //   0008                 | add                 byte ptr [eax], al

        $sequence_10 = { 0007 b15a 00c4 b15a }
            // n = 4, score = 100
            //   0007                 | mov                 cl, 0x5a
            //   b15a                 | add                 byte ptr [ecx - 0x76ffa550], cl
            //   00c4                 | mov                 al, 0x5a
            //   b15a                 | add                 byte ptr [edi], al

        $sequence_11 = { 48896c2410 4889742418 48897c2420 4156 4883ec20 33f6 418bd8 }
            // n = 7, score = 100
            //   48896c2410           | sub                 esp, 0x20
            //   4889742418           | dec                 eax
            //   48897c2420           | lea                 ebx, [0x11b9f]
            //   4156                 | dec                 eax
            //   4883ec20             | lea                 edi, [0x11b98]
            //   33f6                 | jmp                 0x23
            //   418bd8               | dec                 ecx

        $sequence_12 = { 48895c2408 57 4883ec20 488d1d9f1b0100 488d3d981b0100 eb0e }
            // n = 6, score = 100
            //   48895c2408           | mov                 edi, eax
            //   57                   | dec                 eax
            //   4883ec20             | mov                 dword ptr [esp + 0x20], eax
            //   488d1d9f1b0100       | jmp                 0xffffff99
            //   488d3d981b0100       | dec                 eax
            //   eb0e                 | lea                 edx, [0xc43d]

        $sequence_13 = { 0000 80ed4a 0044feff ff900100008c }
            // n = 4, score = 100
            //   0000                 | mov                 dword ptr [esi + 8], 0
            //   80ed4a               | push                0
            //   0044feff             | mov                 edi, eax
            //   ff900100008c         | mov                 dword ptr [esi + 0x28], edi

        $sequence_14 = { 4c8bf8 4889442438 488bf8 4889442420 eb97 488d153dc40000 488d0d16c40000 }
            // n = 7, score = 100
            //   4c8bf8               | dec                 eax
            //   4889442438           | lea                 eax, [esp + 0x70]
            //   488bf8               | dec                 esp
            //   4889442420           | mov                 edi, eax
            //   eb97                 | dec                 eax
            //   488d153dc40000       | mov                 dword ptr [esp + 0x38], eax
            //   488d0d16c40000       | dec                 eax

        $sequence_15 = { 0007 b15a 0007 b15a }
            // n = 4, score = 100
            //   0007                 | add                 byte ptr [eax], cl
            //   b15a                 | into                
            //   0007                 | push                eax
            //   b15a                 | add                 byte ptr [ecx], al

        $sequence_16 = { 0008 53 4f 00ef }
            // n = 4, score = 100
            //   0008                 | mov                 al, 0x5a
            //   53                   | add                 byte ptr [edi], al
            //   4f                   | mov                 cl, 0x5a
            //   00ef                 | add                 byte ptr [edi], al

        $sequence_17 = { 488da8a8f9ffff 4881ec40070000 48c7442450feffffff 48895810 }
            // n = 4, score = 100
            //   488da8a8f9ffff       | mov                 esi, dword ptr [esp + 0x80]
            //   4881ec40070000       | cmp                 esi, 0xc
            //   48c7442450feffffff     | dec    eax
            //   48895810             | mov                 dword ptr [esp + 0x10], ebp

        $sequence_18 = { 0007 b15a 0089b05a0089 b05a }
            // n = 4, score = 100
            //   0007                 | or                  al, 0xc
            //   b15a                 | or                  al, 0xc
            //   0089b05a0089         | or                  al, 0xc
            //   b05a                 | add                 byte ptr [ebx], al

        $sequence_19 = { 0003 b157 0000 0c0c }
            // n = 4, score = 100
            //   0003                 | call                dword ptr [eax - 0x73ffffff]
            //   b157                 | in                  eax, dx
            //   0000                 | dec                 edx
            //   0c0c                 | add                 byte ptr [eax], al

        $sequence_20 = { 4c8d4020 4c8bc8 66c740180000 4d85c0 7473 8b0b }
            // n = 6, score = 100
            //   4c8d4020             | mov                 edi, ecx
            //   4c8bc8               | dec                 eax
            //   66c740180000         | mov                 ebx, ecx
            //   4d85c0               | dec                 ebp
            //   7473                 | test                ecx, ecx
            //   8b0b                 | je                  0x175

        $sequence_21 = { 0000 0c0c 0c0c 0c0c 0c0c 0c0c 0102 }
            // n = 7, score = 100
            //   0000                 | cmp                 eax, 0x2745
            //   0c0c                 | je                  9
            //   0c0c                 | cmp                 eax, 0x2746
            //   0c0c                 | push                ecx
            //   0c0c                 | push                ecx
            //   0c0c                 | call                eax
            //   0102                 | add                 esp, 0xc

        $sequence_22 = { 498bf9 488bd9 4d85c9 0f8469010000 8bb42480000000 83fe0c }
            // n = 6, score = 100
            //   498bf9               | dec                 eax
            //   488bd9               | lea                 ecx, [0xc416]
            //   4d85c9               | dec                 eax
            //   0f8469010000         | mov                 dword ptr [esp + 8], ebx
            //   8bb42480000000       | push                edi
            //   83fe0c               | dec                 eax

        $sequence_23 = { c644244800 807c247000 7505 4533c0 eb1c 488d442470 }
            // n = 6, score = 100
            //   c644244800           | mov                 byte ptr [esp + 0x48], 0
            //   807c247000           | cmp                 byte ptr [esp + 0x70], 0
            //   7505                 | jne                 7
            //   4533c0               | inc                 ebp
            //   eb1c                 | xor                 eax, eax
            //   488d442470           | jmp                 0x1e

    condition:
        // Any 7 of the 24 sequences must be present; the count is neither
        // ordered nor score-weighted, so seven of the low-score data-like
        // sequences alone satisfy it. The size cap (10013696 bytes, ~9.5 MiB)
        // keeps the scan off large files; raise it deliberately if you scan
        // memory dumps larger than that.
        7 of them and filesize < 10013696
}