win.unidentified_076

Unidentified 076 (Higaisa LNK to Shellcode)

Actor(s): Higaisa


No description has been written for this family yet; the references below are the public reporting currently linked to it.

References
2020-11-13 — YouTube (The Standoff) — Alexey Zakharov, Positive Technologies
FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
Associated families: CROSSWALK, Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-14 — BushidoToken — BushidoToken
Deep-dive: The DarkHotel APT
Associated families: Asruex, Ghost RAT, Ramsay, Retro, Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-11 — Zscaler — Atinderpal Singh, Sudeep Singh
The Return of the Higaisa APT
Associated families: Unidentified 076 (Higaisa LNK to Shellcode)
Yara Rules
[TLP:WHITE] win_unidentified_076_auto (20260504 | Detects win.unidentified_076.)
rule win_unidentified_076_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_076."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every $sequence_* pattern is x86-64 machine code (REX prefixes 0x41,
     *   0x44, 0x48, 0x49 and 0x4c appear throughout). The rule therefore only
     *   covers 64-bit builds of this family; a 32-bit variant will not match.
     * - The per-instruction annotations below were originally emitted by a
     *   32-bit-mode disassembler and did not correspond to the listed bytes.
     *   They have been re-annotated as x86-64. Annotations are comments only
     *   and have no effect on matching.
     * - "????????" wildcards stand for rel32 call targets and RIP-relative
     *   displacements, which vary between builds and are deliberately not pinned.
     * - Offsets such as [rax+0x740], [rbp+0xf8] and [rdi+0xe8] are indirect
     *   calls through a large context structure; together with the constants in
     *   $sequence_8 this looks like a resolved-API table (typical of loader
     *   shellcode), but that is an inference from these bytes alone - confirm
     *   against the sample.
     */


    strings:
        $sequence_0 = { 488bcb ff9040070000 488b87c8000000 4c634e04 8b8f48030000 4c8bc3 ba78000000 }
            // n = 7, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   ff9040070000         | call                qword ptr [rax + 0x740]   (indirect call via context struct)
            //   488b87c8000000       | mov                 rax, qword ptr [rdi + 0xc8]
            //   4c634e04             | movsxd              r9, dword ptr [rsi + 4]
            //   8b8f48030000         | mov                 ecx, dword ptr [rdi + 0x348]
            //   4c8bc3               | mov                 r8, rbx
            //   ba78000000           | mov                 edx, 0x78                  (120; meaning not recoverable here)

        $sequence_1 = { 488bcf e8???????? 448b8c2418010000 4181f9c8000000 0f8f46ffffff 498bc4 803c03ad }
            // n = 7, score = 100
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32>                    (target wildcarded)
            //   448b8c2418010000     | mov                 r9d, dword ptr [rsp + 0x118]
            //   4181f9c8000000       | cmp                 r9d, 0xc8                  (200)
            //   0f8f46ffffff         | jg                  <-0xba>                    (backward jump: loop while counter > 200)
            //   498bc4               | mov                 rax, r12
            //   803c03ad             | cmp                 byte ptr [rbx + rax], 0xad  (byte scan for marker 0xad - purpose unknown)

        $sequence_2 = { 44897dff 48894503 4889450b 48894513 89451b 44897d1f 48894527 }
            // n = 7, score = 100
            //   44897dff             | mov                 dword ptr [rbp - 1], r15d
            //   48894503             | mov                 qword ptr [rbp + 3], rax
            //   4889450b             | mov                 qword ptr [rbp + 0xb], rax
            //   48894513             | mov                 qword ptr [rbp + 0x13], rax
            //   89451b               | mov                 dword ptr [rbp + 0x1b], eax
            //   44897d1f             | mov                 dword ptr [rbp + 0x1f], r15d
            //   48894527             | mov                 qword ptr [rbp + 0x27], rax
            // Unaligned rbp-relative stores: fills a packed in-memory structure or
            // byte buffer. Field meanings cannot be determined from these bytes.

        $sequence_3 = { ff15???????? ff15???????? 448bc0 b8d34d6210 41f7e8 c1fa04 8bca }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + <disp32>]  (RIP-relative, e.g. IAT slot; wildcarded)
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   448bc0               | mov                 r8d, eax
            //   b8d34d6210           | mov                 eax, 0x10624dd3
            //   41f7e8               | imul                r8d                        (edx:eax = eax * r8d)
            //   c1fa04               | sar                 edx, 4
            //   8bca                 | mov                 ecx, edx
            // 0x10624dd3 is a reciprocal-multiply constant; with the implicit >>32 of
            // taking edx plus `sar edx, 4` (net shift 36) this is consistent with a
            // signed division by 250 - verify in context before relying on it.

        $sequence_4 = { eb02 33ff 488b5c2440 488b6c2448 488b742450 8bc7 488b7c2458 }
            // n = 7, score = 100
            //   eb02                 | jmp                 <+2>                       (skips the xor below)
            //   33ff                 | xor                 edi, edi
            //   488b5c2440           | mov                 rbx, qword ptr [rsp + 0x40]
            //   488b6c2448           | mov                 rbp, qword ptr [rsp + 0x48]
            //   488b742450           | mov                 rsi, qword ptr [rsp + 0x50]
            //   8bc7                 | mov                 eax, edi                   (return value)
            //   488b7c2458           | mov                 rdi, qword ptr [rsp + 0x58]
            // Function epilogue: restores non-volatile rbx/rbp/rsi/rdi from their
            // home slots and returns edi in eax.

        $sequence_5 = { 668993b0080000 66898bb2080000 8b8bf00a0000 413bcc 7509 4489a3dc020000 eb28 }
            // n = 7, score = 100
            //   668993b0080000       | mov                 word ptr [rbx + 0x8b0], dx
            //   66898bb2080000       | mov                 word ptr [rbx + 0x8b2], cx
            //   8b8bf00a0000         | mov                 ecx, dword ptr [rbx + 0xaf0]
            //   413bcc               | cmp                 ecx, r12d
            //   7509                 | jne                 <+9>
            //   4489a3dc020000       | mov                 dword ptr [rbx + 0x2dc], r12d
            //   eb28                 | jmp                 <+0x28>
            // Two adjacent 16-bit fields at 0x8b0/0x8b2 in the rbx-based structure;
            // their meaning is not recoverable from these bytes.

        $sequence_6 = { 0f8ec2000000 3b7708 488b8708010000 448bee 440f4f6f08 33c9 41b800100000 }
            // n = 7, score = 100
            //   0f8ec2000000         | jle                 <+0xc2>
            //   3b7708               | cmp                 esi, dword ptr [rdi + 8]
            //   488b8708010000       | mov                 rax, qword ptr [rdi + 0x108]
            //   448bee               | mov                 r13d, esi
            //   440f4f6f08           | cmovg               r13d, dword ptr [rdi + 8]  (r13d = min(esi, [rdi+8]) - a length clamp)
            //   33c9                 | xor                 ecx, ecx
            //   41b800100000         | mov                 r8d, 0x1000

        $sequence_7 = { 488bcf e8???????? eb54 8d41fc 83f802 }
            // n = 5, score = 100
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32>                    (target wildcarded)
            //   eb54                 | jmp                 <+0x54>
            //   8d41fc               | lea                 eax, [rcx - 4]
            //   83f802               | cmp                 eax, 2                     (range test on ecx, 4..6, if followed by an unsigned branch - not visible here)

        $sequence_8 = { 41b800100000 8bd7 33c9 ff95f8000000 41b904000000 41b800100000 8bd7 }
            // n = 7, score = 100
            //   41b800100000         | mov                 r8d, 0x1000
            //   8bd7                 | mov                 edx, edi
            //   33c9                 | xor                 ecx, ecx
            //   ff95f8000000         | call                qword ptr [rbp + 0xf8]     (indirect call via context struct)
            //   41b904000000         | mov                 r9d, 4
            //   41b800100000         | mov                 r8d, 0x1000
            //   8bd7                 | mov                 edx, edi
            // Argument setup rcx=0, rdx=edi, r8d=0x1000, r9d=4 matches the Win64
            // calling convention for VirtualAlloc(NULL, size, MEM_COMMIT,
            // PAGE_READWRITE) through a resolved function pointer. This is an
            // inference from the constants; confirm the callee in the sample.

        $sequence_9 = { 488d8fbc050000 48898424a0000000 49891f ff97e8000000 }
            // n = 4, score = 100
            //   488d8fbc050000       | lea                 rcx, [rdi + 0x5bc]
            //   48898424a0000000     | mov                 qword ptr [rsp + 0xa0], rax
            //   49891f               | mov                 qword ptr [r15], rbx
            //   ff97e8000000         | call                qword ptr [rdi + 0xe8]     (indirect call via context struct)

    condition:
        // Needs 7 of the 10 code sequences. The size cap applies to whatever object
        // is scanned (file or memory region); it was tuned to the single documented
        // sample, so larger carriers or full process dumps containing this code
        // will not match unless the clause is relaxed.
        7 of them and filesize < 114688
}