win.spider_rat

SPIDERPIG RAT

Actor(s): BlackTech


There is no description at this point; the references listed below (NTT, Trend Micro, @nahamike01) are the public reporting on this family that the page links to.

References
2022-09-29 — NTT (NTT Security Holdings Corporation)
Report on APT Attacks by BlackTech
Families: Bifrost, PLEAD, TSCookie, Flagpro, Gh0stTimes, SelfMake Loader, SPIDERPIG RAT
2022-01-25 — Trend Micro (Hara Hiroaki)
Ambiguously Black: The Current State of Earth Hundun's Arsenal
Families: Flagpro, SPIDERPIG RAT
2021-12-16 — Twitter (@nahamike01) (MikeR)
Tweet on SPIDERRAT malware used by CIRCUIT PANDA
SPIDERPIG RAT
Yara Rules
[TLP:WHITE] win_spider_rat_auto (20230808 | Detects win.spider_rat.)
rule win_spider_rat_auto {
    // Auto-generated code-pattern rule for SPIDERPIG RAT (Malpedia family win.spider_rat).
    // Every string is a run of x86-64 instruction bytes lifted from unpacked/dumped
    // samples; the rule fires when most of them co-occur in a file below the size cap.
    // Read the DISCLAIMER before assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // `date` is the rule generation date; `malpedia_rule_date` / `malpedia_version`
        // record the Malpedia snapshot the patterns were derived from.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.spider_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the per-instruction comments below are a hand decode of each
    // byte string as x86-64. The comments originally attached to this rule did not
    // correspond to the bytes (e.g. `c3` was annotated as `inc ecx`; it is `ret`),
    // so they have been replaced. `????????` is a 4-byte operand the generator
    // wildcards (rel32 of call/jmp, RIP-relative data references) so the pattern
    // survives relocation and re-linking. Two RIP-relative `lea` displacements
    // ($sequence_3 and $sequence_8) are NOT wildcarded and therefore tie those
    // two strings to one build's image layout — expect them to be the first to
    // break on a recompiled sample; the "7 of them" condition tolerates that.

    strings:
        $sequence_0 = { e9???????? 4883c708 488b1f 488bd3 488d8c2490000000 e8???????? }
            // n = 6, score = 200
            //   e9????????           | jmp                 <rel32>
            //   4883c708             | add                 rdi, 8
            //   488b1f               | mov                 rbx, qword ptr [rdi]
            //   488bd3               | mov                 rdx, rbx
            //   488d8c2490000000     | lea                 rcx, [rsp + 0x90]
            //   e8????????           | call                <rel32>

        // Function epilogue: reload callee-saved registers through r11, reset rsp, return.
        $sequence_1 = { 418bc3 4c8d5c2460 498b5b18 498b7328 498be3 5f c3 }
            // n = 7, score = 200
            //   418bc3               | mov                 eax, r11d
            //   4c8d5c2460           | lea                 r11, [rsp + 0x60]
            //   498b5b18             | mov                 rbx, qword ptr [r11 + 0x18]
            //   498b7328             | mov                 rsi, qword ptr [r11 + 0x28]
            //   498be3               | mov                 rsp, r11
            //   5f                   | pop                 rdi
            //   c3                   | ret

        $sequence_2 = { 488b6c2438 488b742440 8958f0 488b07 4863cb 488b5c2430 c6040100 }
            // n = 7, score = 200
            //   488b6c2438           | mov                 rbp, qword ptr [rsp + 0x38]
            //   488b742440           | mov                 rsi, qword ptr [rsp + 0x40]
            //   8958f0               | mov                 dword ptr [rax - 0x10], ebx
            //   488b07               | mov                 rax, qword ptr [rdi]
            //   4863cb               | movsxd              rcx, ebx
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   c6040100             | mov                 byte ptr [rcx + rax], 0

        $sequence_3 = { e8???????? 488b4d70 4883c160 ff15???????? 90 488d05b726fbff eb00 }
            // n = 7, score = 200
            //   e8????????           | call                <rel32>
            //   488b4d70             | mov                 rcx, qword ptr [rbp + 0x70]
            //   4883c160             | add                 rcx, 0x60
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   90                   | nop
            //   488d05b726fbff       | lea                 rax, [rip - 0x4d949]   ; fixed displacement, build-specific
            //   eb00                 | jmp                 short +0               ; falls through to the next instruction

        $sequence_4 = { 84c0 7471 4885f6 7505 83fd01 7415 488b8f88000000 }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   7471                 | je                  short +0x71
            //   4885f6               | test                rsi, rsi
            //   7505                 | jne                 short +0x05
            //   83fd01               | cmp                 ebp, 1
            //   7415                 | je                  short +0x15
            //   488b8f88000000       | mov                 rcx, qword ptr [rdi + 0x88]

        $sequence_5 = { 7458 6683fa01 7452 ff15???????? 4c8bc6 8bd5 0fb7cb }
            // n = 7, score = 200
            //   7458                 | je                  short +0x58
            //   6683fa01             | cmp                 dx, 1
            //   7452                 | je                  short +0x52
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   4c8bc6               | mov                 r8, rsi
            //   8bd5                 | mov                 edx, ebp
            //   0fb7cb               | movzx               ecx, bx

        // Shares the `[rdi + 0x88]` load with $sequence_4 — presumably the same object
        // field is read in both call sites; verify in the sample.
        $sequence_6 = { 7410 488b8f88000000 e8???????? 85c0 7802 33db 8bc3 }
            // n = 7, score = 200
            //   7410                 | je                  short +0x10
            //   488b8f88000000       | mov                 rcx, qword ptr [rdi + 0x88]
            //   e8????????           | call                <rel32>
            //   85c0                 | test                eax, eax
            //   7802                 | js                  short +0x02
            //   33db                 | xor                 ebx, ebx
            //   8bc3                 | mov                 eax, ebx

        // Looks like a function entry: rcx/rdx/r8 are moved to non-volatile registers
        // and two of them are null-checked — consistent with the Win64 calling
        // convention's first three arguments, but confirm against the sample.
        $sequence_7 = { 498bd8 488bf2 488bf9 4d85c0 7430 4885d2 742b }
            // n = 7, score = 200
            //   498bd8               | mov                 rbx, r8
            //   488bf2               | mov                 rsi, rdx
            //   488bf9               | mov                 rdi, rcx
            //   4d85c0               | test                r8, r8
            //   7430                 | je                  short +0x30
            //   4885d2               | test                rdx, rdx
            //   742b                 | je                  short +0x2b

        $sequence_8 = { ff15???????? 488bc8 e8???????? 488d15d3b00300 488bce 488905???????? ff15???????? }
            // n = 7, score = 200
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   488bc8               | mov                 rcx, rax
            //   e8????????           | call                <rel32>
            //   488d15d3b00300       | lea                 rdx, [rip + 0x3b0d3]   ; fixed displacement, build-specific
            //   488bce               | mov                 rcx, rsi
            //   488905????????       | mov                 qword ptr [rip + <disp32>], rax
            //   ff15????????         | call                qword ptr [rip + <disp32>]

        $sequence_9 = { ba03000000 488d442440 448d4a61 448d42fe 4889442420 e8???????? }
            // n = 6, score = 200
            //   ba03000000           | mov                 edx, 3
            //   488d442440           | lea                 rax, [rsp + 0x40]
            //   448d4a61             | lea                 r9d, [rdx + 0x61]
            //   448d42fe             | lea                 r8d, [rdx - 2]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                <rel32>

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned object
        // must be smaller than 1,107,968 bytes (1082 KiB). The size cap keeps the rule
        // from scanning large unrelated binaries but also means a packed or
        // padded variant above that size will not match — relax it if you are
        // scanning memory dumps rather than files on disk.
        7 of them and filesize < 1107968
}