SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spider_rat (Back to overview)

SPIDERPIG RAT

Actor(s): BlackTech

There is no description at this point.

References
2022-09-29NTTNTT Security Holdings Corporation
@techreport{corporation:20220929:report:1615dab, author = {NTT Security Holdings Corporation}, title = {{Report on APT Attacks by BlackTech}}, date = {2022-09-29}, institution = {NTT}, url = {https://jp.security.ntt/resources/EN-BlackTech_2021.pdf}, language = {English}, urldate = {2022-09-30} } Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT
2022-01-25Trend MicroHara Hiroaki
@techreport{hiroaki:20220125:ambiguously:a846748, author = {Hara Hiroaki}, title = {{Ambiguously Black: The Current State of Earth Hundun's Arsenal}}, date = {2022-01-25}, institution = {Trend Micro}, url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf}, language = {English}, urldate = {2022-04-04} } Ambiguously Black: The Current State of Earth Hundun's Arsenal
Flagpro SPIDERPIG RAT
2021-12-16Twitter (@nahamike01)MikeR
@online{miker:20211216:spiderrat:e0c4858, author = {MikeR}, title = {{Tweet on SPIDERRAT malware used by CIRCUIT PANDA}}, date = {2021-12-16}, organization = {Twitter (@nahamike01)}, url = {https://twitter.com/nahamike01/status/1471496800582664193?s=20}, language = {English}, urldate = {2022-01-17} } Tweet on SPIDERRAT malware used by CIRCUIT PANDA
SPIDERPIG RAT
Yara Rules
[TLP:WHITE] win_spider_rat_auto (20221125 | Detects win.spider_rat.)
rule win_spider_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.spider_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? cc 488b4138 488d1c02 4885db 790f 83caff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   cc                   | jg                  0x1099
            //   488b4138             | dec                 eax
            //   488d1c02             | mov                 esi, dword ptr [ecx + 0x40]
            //   4885db               | dec                 eax
            //   790f                 | sub                 esp, 0x30
            //   83caff               | xor                 esi, esi

        $sequence_1 = { 488b5c2450 4883c440 5f c3 e8???????? 488bf8 0fb708 }
            // n = 7, score = 200
            //   488b5c2450           | dec                 eax
            //   4883c440             | mov                 dword ptr [esp + 0x40], eax
            //   5f                   | test                eax, eax
            //   c3                   | jne                 0x1554
            //   e8????????           |                     
            //   488bf8               | mov                 eax, dword ptr [ebp + 0x10]
            //   0fb708               | dec                 eax

        $sequence_2 = { 488b8c2460240300 4833cc e8???????? 4c8d9c2470240300 498b5b28 498b7330 498be3 }
            // n = 7, score = 200
            //   488b8c2460240300     | dec                 edx
            //   4833cc               | mov                 dword ptr [ebx + 0x44], ecx
            //   e8????????           |                     
            //   4c8d9c2470240300     | dec                 eax
            //   498b5b28             | mov                 eax, ebx
            //   498b7330             | mov                 dword ptr [ebx + 0x58], 2
            //   498be3               | mov                 dword ptr [ebx + 0x54], 0x2710

        $sequence_3 = { 4c8b8fa8000000 45385938 742a 418bcb 4d395918 764c 4d8b4128 }
            // n = 7, score = 200
            //   4c8b8fa8000000       | inc                 ecx
            //   45385938             | pop                 edi
            //   742a                 | call                dword ptr [esp + 0x40]
            //   418bcb               | dec                 eax
            //   4d395918             | mov                 ecx, ebp
            //   764c                 | mov                 dword ptr [esp + 0x60], eax
            //   4d8b4128             | dec                 eax

        $sequence_4 = { 0fb701 4883c102 663bc5 75f4 66443921 7506 4883c104 }
            // n = 7, score = 200
            //   0fb701               | dec                 eax
            //   4883c102             | mov                 dword ptr [edi], eax
            //   663bc5               | dec                 eax
            //   75f4                 | lea                 eax, [0x2b1b7]
            //   66443921             | dec                 eax
            //   7506                 | mov                 dword ptr [edi + 8], eax
            //   4883c104             | dec                 eax

        $sequence_5 = { e9???????? 81e982000000 0f8494020000 83e901 0f84f6010000 83e902 0f8452010000 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   81e982000000         | dec                 eax
            //   0f8494020000         | and                 dword ptr [esp + 0x40], 0
            //   83e901               | dec                 eax
            //   0f84f6010000         | mov                 eax, dword ptr [ecx]
            //   83e902               | call                dword ptr [eax + 0x10]
            //   0f8452010000         | dec                 eax

        $sequence_6 = { 740a 488bcf e8???????? eb05 4883670800 488b5c2448 488b742450 }
            // n = 7, score = 200
            //   740a                 | mov                 ebx, dword ptr [esp + 0x50]
            //   488bcf               | dec                 eax
            //   e8????????           |                     
            //   eb05                 | mov                 ebp, dword ptr [esp + 0x58]
            //   4883670800           | dec                 eax
            //   488b5c2448           | mov                 esi, dword ptr [esp + 0x60]
            //   488b742450           | dec                 eax

        $sequence_7 = { 33c9 898c2488000000 899c248c000000 4c8b4778 438b440434 89842490000000 898c2494000000 }
            // n = 7, score = 200
            //   33c9                 | jl                  0x1659
            //   898c2488000000       | inc                 ecx
            //   899c248c000000       | mov                 eax, ebp
            //   4c8b4778             | dec                 esp
            //   438b440434           | cmp                 dword ptr [esp + 0xf0], ebp
            //   89842490000000       | dec                 eax
            //   898c2494000000       | lea                 edx, [0xffff76ec]

        $sequence_8 = { 7414 eb2b 498b8510010000 663908 751f 4183cfff eb2c }
            // n = 7, score = 200
            //   7414                 | dec                 eax
            //   eb2b                 | add                 esp, 0x28
            //   498b8510010000       | ret                 
            //   663908               | dec                 eax
            //   751f                 | mov                 eax, esp
            //   4183cfff             | dec                 eax
            //   eb2c                 | mov                 dword ptr [eax + 8], ebx

        $sequence_9 = { 4156 4881ecc0010000 48c7442440feffffff 488b05???????? 4833c4 48898424b0010000 4d8be0 }
            // n = 7, score = 200
            //   4156                 | mov                 dword ptr [ecx + eax + 0x20], 8
            //   4881ecc0010000       | dec                 ecx
            //   48c7442440feffffff     | mov    eax, dword ptr [esp + 0x20]
            //   488b05????????       |                     
            //   4833c4               | inc                 ecx
            //   48898424b0010000     | mov                 byte ptr [eax + eax], 1
            //   4d8be0               | dec                 ecx

    condition:
        7 of them and filesize < 1107968
}
Download all Yara Rules