win.smanager

SManager

aka: PhantomNet

There is no description at this point.

References
2021-06-08 | SentinelOne | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210608:thundercats:8eac3cd, author = {Juan Andrés Guerrero-Saade}, title = {{ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op}}, date = {2021-06-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/}, language = {English}, urldate = {2021-06-09} } ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op
Mail-O SManager Tmanger
2021-02-19 | Medium 0xthreatintel | 0xthreatintel
@online{0xthreatintel:20210219:how:5fed055, author = {0xthreatintel}, title = {{How to unpack SManager APT tool?}}, date = {2021-02-19}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214}, language = {English}, urldate = {2021-02-20} } How to unpack SManager APT tool?
SManager
2021-02-17 | VinCSS | Trương Quốc Ngân
@online{ngn:20210217:re020:76db05d, author = {Trương Quốc Ngân}, title = {{[RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT}}, date = {2021-02-17}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html}, language = {English}, urldate = {2021-02-20} } [RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT
SManager
2021-01-26 | Medium 0xthreatintel | 0xthreatintel
@online{0xthreatintel:20210126:reversing:716c09c, author = {0xthreatintel}, title = {{Reversing APT Tool : SManager (Unpacked)}}, date = {2021-01-26}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4}, language = {English}, urldate = {2021-01-27} } Reversing APT Tool : SManager (Unpacked)
SManager
2020-12-25 | VinCSS | Trương Quốc Ngân
@online{ngn:20201225:re0182:4a2ca92, author = {Trương Quốc Ngân}, title = {{[RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2}}, date = {2020-12-25}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1}, language = {English}, urldate = {2020-12-26} } [RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2
SManager
2020-12-19 | VinCSS | Trương Quốc Ngân
@online{ngn:20201219:re0172:c0a6b21, author = {Trương Quốc Ngân}, title = {{[RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)}}, date = {2020-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html}, language = {English}, urldate = {2020-12-19} } [RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)
SManager
2020-12-19 | VinCSS | Trương Quốc Ngân
@online{ngn:20201219:re0181:bd0904c, author = {Trương Quốc Ngân}, title = {{[RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 1}}, date = {2020-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html}, language = {English}, urldate = {2020-12-23} } [RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 1
SManager
2020-12-17 | VinCSS | VinCSS
@online{vincss:20201217:re0171:a4d3525, author = {VinCSS}, title = {{[RE017-1] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 1)}}, date = {2020-12-17}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html}, language = {Vietnamese}, urldate = {2020-12-19} } [RE017-1] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 1)
SManager
2020-12-17 | ESET Research | Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20201217:operation:6822847, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia}}, date = {2020-12-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/}, language = {English}, urldate = {2020-12-18} } Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia
SManager
2020-12-11 | NTT Security | Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
Yara Rules
[TLP:WHITE] win_smanager_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_smanager_auto {
    // Auto-generated Malpedia detection rule for the win.smanager family
    // (SManager, aka PhantomNet). It matches on short x86 byte sequences lifted
    // from disassembly; see the DISCLAIMER below for how they were selected and
    // what that implies for confidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex string; the `??` nibbles are wildcards. Given
        // signator_config ("callsandjumps;datarefs"), the masked bytes appear to
        // be call/jump targets and data-reference operands (the annotated
        // disassembly is blank for those instructions), so they tolerate
        // differing addresses between builds. "n" is the instruction count,
        // "score" the signator's per-sequence weight.
        $sequence_0 = { 75ea 8b4dfc be04000000 03cb 2bf3 894dfc 85f6 }
            // n = 7, score = 100
            //   75ea                 | jne                 0xffffffec
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   be04000000           | mov                 esi, 4
            //   03cb                 | add                 ecx, ebx
            //   2bf3                 | sub                 esi, ebx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   85f6                 | test                esi, esi

        $sequence_1 = { 83c404 ff75bc ff15???????? e9???????? c645fc01 }
            // n = 5, score = 100
            //   83c404               | add                 esp, 4
            //   ff75bc               | push                dword ptr [ebp - 0x44]
            //   ff15????????         |                     
            //   e9????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1

        $sequence_2 = { 8b08 8d55b0 52 8d55dc 52 }
            // n = 5, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8d55b0               | lea                 edx, [ebp - 0x50]
            //   52                   | push                edx
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   52                   | push                edx

        $sequence_3 = { 3d70001100 7430 3d78ba7c54 7554 85c9 7450 8b4510 }
            // n = 7, score = 100
            //   3d70001100           | cmp                 eax, 0x110070
            //   7430                 | je                  0x32
            //   3d78ba7c54           | cmp                 eax, 0x547cba78
            //   7554                 | jne                 0x56
            //   85c9                 | test                ecx, ecx
            //   7450                 | je                  0x52
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_4 = { 50 ff15???????? 6a2c e8???????? 8bf0 83c404 8bce }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a2c                 | push                0x2c
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 8bf8 83c102 51 6a00 57 e8???????? }
            // n = 6, score = 100
            //   8bf8                 | mov                 edi, eax
            //   83c102               | add                 ecx, 2
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_6 = { e8???????? 0f57c0 a3???????? 83c404 0f1100 0f114010 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0f57c0               | xorps               xmm0, xmm0
            //   a3????????           |                     
            //   83c404               | add                 esp, 4
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   0f114010             | movups              xmmword ptr [eax + 0x10], xmm0
            //   e8????????           |                     

        $sequence_7 = { 81784808950210 7409 ff7048 e8???????? 59 c70701000000 8bcf }
            // n = 7, score = 100
            //   81784808950210       | cmp                 dword ptr [eax + 0x48], 0x10029508
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c70701000000         | mov                 dword ptr [edi], 1
            //   8bcf                 | mov                 ecx, edi

        $sequence_8 = { 8901 66c7400c0101 c3 55 8bec 6aff }
            // n = 6, score = 100
            //   8901                 | mov                 dword ptr [ecx], eax
            //   66c7400c0101         | mov                 word ptr [eax + 0xc], 0x101
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6aff                 | push                -1

        $sequence_9 = { 85ff 7515 33c0 5f 5e }
            // n = 5, score = 100
            //   85ff                 | test                edi, edi
            //   7515                 | jne                 0x17
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        // Fires when at least 7 of the 10 $sequence_* strings are present AND the
        // scanned object is smaller than 398336 bytes. Two consequences for
        // deployment: files at or above that size never match, and because the
        // sequences were taken from unpacked code/memory dumps (see DISCLAIMER),
        // packed on-disk samples may not match either -- scanning unpacked
        // images or process memory is the intended use. Treat a hit as a
        // family-level indicator to be corroborated, not as proof on its own.
        7 of them and filesize < 398336
}