Actor(s): TA410
There is no description at this point.
rule win_tendyron_dropper_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.tendyron_dropper." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tendyron_dropper" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 68???????? 53 53 891d???????? 895de8 ff15???????? } // n = 6, score = 100 // 68???????? | // 53 | push ebx // 53 | push ebx // 891d???????? | // 895de8 | mov dword ptr [ebp - 0x18], ebx // ff15???????? | $sequence_1 = { 0145f8 6a00 6a04 8d45f8 } // n = 4, score = 100 // 0145f8 | add dword ptr [ebp - 8], eax // 6a00 | push 0 // 6a04 | push 4 // 8d45f8 | lea eax, [ebp - 8] $sequence_2 = { 50 ff15???????? 8bd8 85db 74ea 6a18 } // n = 6, score = 100 // 50 | push eax // ff15???????? | // 8bd8 | mov ebx, eax // 85db | test ebx, ebx // 74ea | je 0xffffffec // 6a18 | push 0x18 $sequence_3 = { 4e 75f4 8d45d8 50 57 } // n = 5, score = 100 // 4e | dec esi // 75f4 | jne 0xfffffff6 // 8d45d8 | lea eax, [ebp - 0x28] // 50 | push eax // 57 | push edi $sequence_4 = { 66894598 8d459a 81e6ffffff7f 037578 50 e8???????? } // n = 6, score = 100 // 66894598 | mov word ptr [ebp - 0x68], ax // 8d459a | lea eax, [ebp - 0x66] // 81e6ffffff7f | and esi, 0x7fffffff // 037578 | add esi, dword ptr [ebp + 0x78] // 50 | push eax // e8???????? | $sequence_5 = { 85c0 7506 0fb7c7 89457c 8b7d7c } // n = 5, score = 100 // 85c0 | test eax, eax // 7506 | jne 8 // 0fb7c7 | movzx eax, di // 89457c | mov dword ptr [ebp + 0x7c], eax // 8b7d7c | mov edi, dword ptr [ebp + 0x7c] $sequence_6 = { 399decfdffff 7420 68???????? ffb5ecfdffff e8???????? 59 59 } // n = 7, score = 100 // 399decfdffff | cmp dword ptr [ebp - 0x214], ebx // 7420 | je 0x22 // 68???????? | // ffb5ecfdffff | push dword ptr [ebp - 0x214] // e8???????? | // 59 | pop ecx // 59 | pop ecx $sequence_7 = { ff75d4 ffd0 85c0 0f85fc010000 8b45f4 6a40 6800300000 } // n = 7, score = 100 // ff75d4 | push dword ptr [ebp - 0x2c] // ffd0 | call eax // 85c0 | test eax, eax // 0f85fc010000 | jne 0x202 // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // 6a40 | push 0x40 // 6800300000 | push 0x3000 $sequence_8 = { eb04 32c2 02c2 8801 41 4e } // n = 6, score = 100 // eb04 | jmp 6 // 32c2 | xor al, dl // 02c2 | add al, dl // 8801 | mov byte ptr [ecx], al // 41 | inc ecx // 4e | dec esi $sequence_9 = { ff15???????? 85c0 0f84b0010000 33c0 8945f8 394714 } // n = 6, score = 100 // ff15???????? | // 85c0 | test eax, eax // 0f84b0010000 | je 0x1b6 // 33c0 | xor eax, eax // 8945f8 | mov dword ptr [ebp - 8], eax // 394714 | cmp dword ptr [edi + 0x14], eax condition: 7 of them and filesize < 58368 }
rule win_tendyron_dropper_w0 { meta: description = "TA410 Tendyron Dropper" reference = "https://www.welivesecurity.com/" source = "https://github.com/eset/malware-ioc/" license = "BSD 2-Clause" version = "1" author = "ESET Research" date = "2020-12-09" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tendyron_dropper" malpedia_rule_date = "20251015" malpedia_hash = "" malpedia_version = "20251015" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "Global\\{F473B3BE-08EE-4710-A727-9E248F804F4A}" wide $s2 = "Global\\8D32CCB321B2" wide $s3 = "Global\\E4FE94F75490" wide $s4 = "Program Files (x86)\\Internet Explorer\\iexplore.exe" wide $s5 = "\\RPC Control\\OLE" wide $s6 = "ALPC Port" wide condition: int16(0) == 0x5A4D and 4 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY