SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tclient (Back to overview)

TClient

aka: FIRESHADOW

Actor(s): Pirate Panda


Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.

References
2020-05-28Twitter (@stvemillertime)Steve Miller
@online{miller:20200528:tclient:cc952e5, author = {Steve Miller}, title = {{Tweet on TClient / FIRESHADOW used by Tropic Trooper}}, date = {2020-05-28}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1266050369370677249}, language = {English}, urldate = {2020-06-05} } Tweet on TClient / FIRESHADOW used by Tropic Trooper
TClient
Yara Rules
[TLP:WHITE] win_tclient_auto (20211008 | Detects win.tclient.)
rule win_tclient_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.tclient."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf0 8bfa ff75e8 e8???????? 8b4dec 33f0 8b45e8 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   8bfa                 | mov                 edi, edx
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   33f0                 | xor                 esi, eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_1 = { eb03 8b4dfc 33c0 c6862c03000004 ba00100000 8945f4 6685961c030000 }
            // n = 7, score = 100
            //   eb03                 | jmp                 5
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax
            //   c6862c03000004       | mov                 byte ptr [esi + 0x32c], 4
            //   ba00100000           | mov                 edx, 0x1000
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   6685961c030000       | test                word ptr [esi + 0x31c], dx

        $sequence_2 = { 742e 837dac01 7528 51 51 8d45e0 8bcc }
            // n = 7, score = 100
            //   742e                 | je                  0x30
            //   837dac01             | cmp                 dword ptr [ebp - 0x54], 1
            //   7528                 | jne                 0x2a
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   8bcc                 | mov                 ecx, esp

        $sequence_3 = { 53 e8???????? 59 85c0 0f88fe020000 e9???????? 8a83c0040000 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f88fe020000         | js                  0x304
            //   e9????????           |                     
            //   8a83c0040000         | mov                 al, byte ptr [ebx + 0x4c0]

        $sequence_4 = { 8d734c 8bcb a5 a5 a5 a5 }
            // n = 6, score = 100
            //   8d734c               | lea                 esi, dword ptr [ebx + 0x4c]
            //   8bcb                 | mov                 ecx, ebx
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_5 = { e8???????? 894314 85c0 0f84f1feffff 837d1001 8b7d08 0f852b010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   894314               | mov                 dword ptr [ebx + 0x14], eax
            //   85c0                 | test                eax, eax
            //   0f84f1feffff         | je                  0xfffffef7
            //   837d1001             | cmp                 dword ptr [ebp + 0x10], 1
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   0f852b010000         | jne                 0x131

        $sequence_6 = { 03f0 8955b4 57 baff000000 8d78ff 8a0e 884dbb }
            // n = 7, score = 100
            //   03f0                 | add                 esi, eax
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx
            //   57                   | push                edi
            //   baff000000           | mov                 edx, 0xff
            //   8d78ff               | lea                 edi, dword ptr [eax - 1]
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   884dbb               | mov                 byte ptr [ebp - 0x45], cl

        $sequence_7 = { ffd0 83c40c 6a07 33c0 8d7dd4 59 f3ab }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   83c40c               | add                 esp, 0xc
            //   6a07                 | push                7
            //   33c0                 | xor                 eax, eax
            //   8d7dd4               | lea                 edi, dword ptr [ebp - 0x2c]
            //   59                   | pop                 ecx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_8 = { 83e908 8d7608 660fd60f 8d7f08 8b048d14354400 ffe0 f7c703000000 }
            // n = 7, score = 100
            //   83e908               | sub                 ecx, 8
            //   8d7608               | lea                 esi, dword ptr [esi + 8]
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, dword ptr [edi + 8]
            //   8b048d14354400       | mov                 eax, dword ptr [ecx*4 + 0x443514]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3

        $sequence_9 = { ff7510 8d4db4 ff750c ffb548faffff 53 e8???????? 83c420 }
            // n = 7, score = 100
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d4db4               | lea                 ecx, dword ptr [ebp - 0x4c]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ffb548faffff         | push                dword ptr [ebp - 0x5b8]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20

    condition:
        7 of them and filesize < 1063936
}
Download all Yara Rules