win.unidentified_080

Unidentified 080

Actor(s): EMISSARY PANDA


This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple of dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first-stage custom installer reuses the same classes. The Trojan uses the Windows HTTP Server API to handle HTTPS traffic on TCP port 443 and to parse commands from it.
It is also used by attackers to gather a target's data, move laterally, and create SOCKS tunnels to their C2 using the Earthworm tunneler. Because the Trojan acts as an HTTPS server itself (the C2 connects inbound to it rather than the implant beaconing out), the SOCKS tunnel is used for targets that have no externally reachable IP address, so that the C2 is still able to deliver commands.

References
2018-09-10 — Kaspersky Labs (GReAT)
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
Unidentified 080 APT27
Yara Rules
[TLP:WHITE] win_unidentified_080_auto (20260504 | Detects win.unidentified_080.)
/*
 * win_unidentified_080_auto
 *
 * Auto-generated code-sequence rule for the win.unidentified_080 family
 * (attributed on this page to EMISSARY PANDA / LuckyMouse): an HTTPS-server
 * RAT described in Kaspersky's 2018 NDISProxy report. Every string below is
 * a short run of 32-bit x86 instruction bytes lifted from a single unpacked
 * sample (see DISCLAIMER inside the rule); the rule carries no string or
 * configuration indicators, only code.
 */
rule win_unidentified_080_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_080."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (deployment caveats)
     * - The rule targets UNPACKED code. Run it on unpacked/dumped samples or
     *   on memory; it is not expected to hit the packed first-stage
     *   installer on disk.
     * - `filesize` is undefined when YARA scans process memory, so the
     *   condition cannot be satisfied in a memory scan as written; relax or
     *   drop the size bound if you scan live processes.
     * - $sequence_0 and $sequence_3 embed absolute addresses (0x1002a2c0,
     *   0x10022928), i.e. they assume the image base of the sampled binary.
     *   A rebased/relocated build (or an ASLR-relocated in-memory image) will
     *   not match those two sequences; the 7-of-10 threshold tolerates that,
     *   but keep it in mind when triaging misses.
     * - Call targets and IAT references are wildcarded (e8????????,
     *   ff15????????), so differing link-time offsets do not break matching.
     */

    strings:
        // Table lookup: index into a 32-bit pointer table at an absolute
        // address, then read a flag byte — image-base dependent (see notes).
        $sequence_0 = { 8d3c85c0a20210 8bf3 83e61f c1e606 8b07 0fbe443004 83e001 }
            // n = 7, score = 100
            //   8d3c85c0a20210       | lea                 edi, [eax*4 + 0x1002a2c0]
            //   8bf3                 | mov                 esi, ebx
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0fbe443004           | movsx               eax, byte ptr [eax + esi + 4]
            //   83e001               | and                 eax, 1

        // Call-and-test idiom with stack-local initialisation; fairly generic
        // on its own, relies on the other sequences for specificity.
        $sequence_1 = { 8975f0 e8???????? 85c0 0f848a000000 8b5dec 8975d8 8975dc }
            // n = 7, score = 100
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f848a000000         | je                  0x90
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi

        // Steps back 0xc bytes from a buffer pointer and checks two header
        // dwords — presumably a string-object header walk (the C++ string
        // classes named in the report); not confirmed from these bytes alone.
        $sequence_2 = { 8b37 83c6f4 837e0400 743e 833e00 7c2a }
            // n = 6, score = 100
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   83c6f4               | add                 esi, -0xc
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   743e                 | je                  0x40
            //   833e00               | cmp                 dword ptr [esi], 0
            //   7c2a                 | jl                  0x2c

        // Stack-frame setup storing an absolute address — image-base
        // dependent (see notes).
        $sequence_3 = { 895c2434 895c2438 c744241c28290210 8b4c244c 53 8d9424a4000000 52 }
            // n = 7, score = 100
            //   895c2434             | mov                 dword ptr [esp + 0x34], ebx
            //   895c2438             | mov                 dword ptr [esp + 0x38], ebx
            //   c744241c28290210     | mov                 dword ptr [esp + 0x1c], 0x10022928
            //   8b4c244c             | mov                 ecx, dword ptr [esp + 0x4c]
            //   53                   | push                ebx
            //   8d9424a4000000       | lea                 edx, [esp + 0xa4]
            //   52                   | push                edx

        // Imported-function call (target wildcarded) followed by a -1 /
        // INVALID_* style result check, then the same 0xc step-back as
        // $sequence_2.
        $sequence_4 = { 56 ff15???????? 89859cfdffff 83f8ff 7532 83c6f4 81fe???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   89859cfdffff         | mov                 dword ptr [ebp - 0x264], eax
            //   83f8ff               | cmp                 eax, -1
            //   7532                 | jne                 0x34
            //   83c6f4               | add                 esi, -0xc
            //   81fe????????         |                     

        // Initialises a freshly allocated object: dword 1 at +0, esi at +4
        // and +8, and a 16-bit zero terminator at [+0xc + esi*2] — consistent
        // with a wide-string buffer header (length/capacity), unverified.
        $sequence_5 = { 85c0 742d 33c9 c70001000000 897004 897008 66894c700c }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   742d                 | je                  0x2f
            //   33c9                 | xor                 ecx, ecx
            //   c70001000000         | mov                 dword ptr [eax], 1
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   897008               | mov                 dword ptr [eax + 8], esi
            //   66894c700c           | mov                 word ptr [eax + esi*2 + 0xc], cx

        // Post-call stack clean-up (0x24 bytes of arguments) and a boolean
        // "result == ebx" materialised via sete.
        $sequence_6 = { e8???????? 33c9 83c424 3bc3 0f94c1 8bf1 eb1a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   83c424               | add                 esp, 0x24
            //   3bc3                 | cmp                 eax, ebx
            //   0f94c1               | sete                cl
            //   8bf1                 | mov                 esi, ecx
            //   eb1a                 | jmp                 0x1c

        // Stores -1 into a stack slot and null-tests a loaded pointer.
        $sequence_7 = { 894f08 c7442438ffffffff 8b44241c 33db 3bc3 740f }
            // n = 6, score = 100
            //   894f08               | mov                 dword ptr [edi + 8], ecx
            //   c7442438ffffffff     | mov                 dword ptr [esp + 0x38], 0xffffffff
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   740f                 | je                  0x11

        // Function prologue that takes `this`/arg in eax and increments a
        // counter at +0x20 of it; compiler-idiomatic, low specificity alone.
        $sequence_8 = { 8bec 83ec10 53 8bd8 ff4320 56 33f6 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   8bd8                 | mov                 ebx, eax
            //   ff4320               | inc                 dword ptr [ebx + 0x20]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi

        // Reads the wide char before index ecx and compares it with 0x5c
        // ('\\') — looks like a trailing-path-separator check on a wide
        // string, which fits the file/drive enumeration the RAT performs.
        $sequence_9 = { 0fb77448fe 33c9 83fe5c 0f94c1 3bcb 7516 }
            // n = 6, score = 100
            //   0fb77448fe           | movzx               esi, word ptr [eax + ecx*2 - 2]
            //   33c9                 | xor                 ecx, ecx
            //   83fe5c               | cmp                 esi, 0x5c
            //   0f94c1               | sete                cl
            //   3bcb                 | cmp                 ecx, ebx
            //   7516                 | jne                 0x18

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. Several
        // sequences are generic compiler idioms, so the 7-of-10 threshold is
        // what carries the specificity — do not lower it without re-checking
        // the rule against clean x86 binaries. The size bound (< 392192
        // bytes, ~383 KiB) limits false positives on large binaries but, as
        // noted above, makes the rule unusable on process-memory scans.
        7 of them and filesize < 392192
}