SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spider_rat (Back to overview)

SPIDERPIG RAT

Actor(s): BlackTech

VTCollection    

There is no description at this point.

References
2022-09-29NTTNTT Security Holdings Corporation
Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT
2022-01-25Trend MicroHara Hiroaki
Ambiguously Black: The Current State of Earth Hundun's Arsenal
Flagpro SPIDERPIG RAT
2021-12-16Twitter (@nahamike01)MikeR
Tweet on SPIDERRAT malware used by CIRCUIT PANDA
SPIDERPIG RAT
Yara Rules
[TLP:WHITE] win_spider_rat_auto (20260504 | Detects win.spider_rat.)
rule win_spider_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.spider_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b442440 83a0c8000000fd 33c0 eb1a 1bc0 83e002 ffc8 }
            // n = 7, score = 200
            //   488b442440           | dec                 ecx
            //   83a0c8000000fd       | mov                 ebx, dword ptr [ebx + 0x20]
            //   33c0                 | dec                 ecx
            //   eb1a                 | mov                 ebp, dword ptr [ebx + 0x30]
            //   1bc0                 | nop                 
            //   83e002               | dec                 eax
            //   ffc8                 | lea                 eax, [0x4e30f]

        $sequence_1 = { 448d4201 e8???????? 4c8d0d7d60feff 4c8bd8 4b8b84f1e07a0700 4c895c3040 4b8b84f1e07a0700 }
            // n = 7, score = 200
            //   448d4201             | mov                 ecx, dword ptr [edx + 0x40]
            //   e8????????           |                     
            //   4c8d0d7d60feff       | dec                 ebp
            //   4c8bd8               | mov                 edi, esp
            //   4b8b84f1e07a0700     | mov                 ebp, dword ptr [esp + 0x1c8]
            //   4c895c3040           | cmp                 ebp, 4
            //   4b8b84f1e07a0700     | jb                  0x631

        $sequence_2 = { 5f c3 4053 4883ec20 83a12001000000 83a12401000000 488bd9 }
            // n = 7, score = 200
            //   5f                   | dec                 eax
            //   c3                   | and                 dword ptr [esp + 0x30], 0
            //   4053                 | dec                 esp
            //   4883ec20             | lea                 eax, [esp + 0x48]
            //   83a12001000000       | dec                 eax
            //   83a12401000000       | lea                 edx, [0x379a4]
            //   488bd9               | call                dword ptr [eax]

        $sequence_3 = { 4889442428 33d2 33c9 897c2420 e8???????? 488983c0020000 }
            // n = 6, score = 200
            //   4889442428           | xor                 ecx, ecx
            //   33d2                 | inc                 ecx
            //   33c9                 | lea                 edx, [ecx + 0x66]
            //   897c2420             | inc                 ebp
            //   e8????????           |                     
            //   488983c0020000       | lea                 eax, [ecx + 0x68]

        $sequence_4 = { 498b00 488d153a400200 4c8d442438 498bc9 ff10 488b4c2438 4885c9 }
            // n = 7, score = 200
            //   498b00               | mov                 ecx, dword ptr [esp + 0x40]
            //   488d153a400200       | dec                 eax
            //   4c8d442438           | cmp                 ecx, edi
            //   498bc9               | je                  0x13d3
            //   ff10                 | dec                 eax
            //   488b4c2438           | mov                 eax, dword ptr [ecx]
            //   4885c9               | dec                 eax

        $sequence_5 = { 4885c9 7406 e8???????? 90 488d050720feff eb00 4883c420 }
            // n = 7, score = 200
            //   4885c9               | dec                 eax
            //   7406                 | lea                 eax, [ebp + 0x50]
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488d050720feff       | mov                 dword ptr [esp + 0x28], eax
            //   eb00                 | mov                 dword ptr [esp + 0x20], 0x6d
            //   4883c420             | dec                 esp

        $sequence_6 = { 0fb64308 488907 4903f8 eb1f 480fbe4308 }
            // n = 5, score = 200
            //   0fb64308             | mov                 esi, eax
            //   488907               | dec                 eax
            //   4903f8               | test                eax, eax
            //   eb1f                 | or                  edx, 0xffffffff
            //   480fbe4308           | dec                 eax

        $sequence_7 = { 5f c3 c60300 33c0 ebe4 e8???????? cc }
            // n = 7, score = 200
            //   5f                   | mov                 edi, eax
            //   c3                   | dec                 eax
            //   c60300               | and                 dword ptr [esp + 0x38], 0
            //   33c0                 | dec                 ebp
            //   ebe4                 | test                eax, eax
            //   e8????????           |                     
            //   cc                   | je                  0x1c8e

        $sequence_8 = { ff15???????? 458d9c249a130000 4183fb12 0f8781070000 488d151a83fdff 4963c3 8b8c8290840200 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   458d9c249a130000     | je                  0x1d98
            //   4183fb12             | dec                 eax
            //   0f8781070000         | mov                 ecx, edi
            //   488d151a83fdff       | dec                 eax
            //   4963c3               | cmp                 ebx, eax
            //   8b8c8290840200       | je                  0x1dbf

        $sequence_9 = { 4883a3f001000000 83a3f801000000 83a3fc01000000 4883a30802000000 488bcb e8???????? 89bb08010000 }
            // n = 7, score = 200
            //   4883a3f001000000     | test                eax, eax
            //   83a3f801000000       | js                  0x1344
            //   83a3fc01000000       | dec                 eax
            //   4883a30802000000     | mov                 ecx, dword ptr [esp + 0x50]
            //   488bcb               | dec                 esp
            //   e8????????           |                     
            //   89bb08010000         | lea                 eax, [esp + 0x50]

    condition:
        7 of them and filesize < 1107968
}
Download all Yara Rules