win.unidentified_087

Unidentified 087


Symantec describes this family as an unidentified tool set used to target a range of organizations in South East Asia. The campaign was first noticed in September 2020.

References
2021-10-20 — Symantec Threat Hunter Team
New Espionage Campaign Targets South East Asia
Unidentified 087
Yara Rules
[TLP:WHITE] win_unidentified_087_auto (20260504 | Detects win.unidentified_087.)
rule win_unidentified_087_auto {

    /*
     * Auto-generated code-sequence rule for the Malpedia family
     * win.unidentified_087 (see malpedia_reference below).
     * Matching is driven purely by the hex byte sequences in the strings
     * section; the condition requires at least 7 of the 16 sequences plus a
     * file-size cap. The "| mnemonic" annotations are informational only.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_087."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * Each $sequence_N is a run of consecutive instruction encodings. The
     * "????????" wildcards mask the 4-byte operand of call/jmp/data-reference
     * instructions (e8 / ff15 / e9 / a3 below) so that relocation-dependent
     * addresses do not pin the pattern to one build.
     * In the per-sequence comments, "n" is the number of instructions in the
     * sequence; "score" is presumably the generator's ranking weight — TODO
     * confirm against yara-signator docs.
     *
     * NOTE(review): for $sequence_0 .. $sequence_7 the mnemonics in the
     * annotations do not correspond to the hex on the same line (e.g. 488bfa
     * decodes as a REX.W `mov rdi, rdx`, not `xor eax, eax`); they look like
     * generator output that was shifted or decoded in 32-bit mode. The REX
     * prefixes (41/48/49/4c/4d) suggest these eight sequences come from an
     * x86-64 sample, while $sequence_8 .. $sequence_15 decode cleanly as
     * 32-bit code. None of this affects matching — only the hex bytes do.
     */
    strings:
        $sequence_0 = { 488bfa ff15???????? ffc0 4863d0 }
            // n = 4, score = 200
            //   488bfa               | xor                 eax, eax
            //   ff15????????         |                     
            //   ffc0                 | dec                 ecx
            //   4863d0               | mov                 ecx, esi

        $sequence_1 = { 488d4d20 e8???????? 90 4883bd9800000010 720c 488b8d80000000 }
            // n = 6, score = 200
            //   488d4d20             | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 ecx, [ebp + 0x20]
            //   4883bd9800000010     | nop                 
            //   720c                 | dec                 eax
            //   488b8d80000000       | cmp                 dword ptr [ebp + 0x98], 0x10

        $sequence_2 = { 33c0 498bce 488bfb 66f2af 48f7d1 4c8d41ff 488bd3 }
            // n = 7, score = 200
            //   33c0                 | lea                 eax, [esp + 0x60]
            //   498bce               | inc                 ecx
            //   488bfb               | lea                 edx, [esp + 0x28]
            //   66f2af               | test                eax, eax
            //   48f7d1               | je                  0x68
            //   4c8d41ff             | dec                 esp
            //   488bd3               | lea                 eax, [ebp + 0x74]

        $sequence_3 = { 41b802000000 48c744245007000000 4c89742448 664489742438 e8???????? }
            // n = 5, score = 200
            //   41b802000000         | dec                 eax
            //   48c744245007000000     | mov    edi, ebx
            //   4c89742448           | repne scasd         eax, dword ptr es:[edi]
            //   664489742438         | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { eb1a 4d85f6 7515 4c897310 }
            // n = 4, score = 200
            //   eb1a                 | dec                 eax
            //   4d85f6               | mov                 dword ptr [esp + 0x50], 7
            //   7515                 | dec                 esp
            //   4c897310             | mov                 dword ptr [esp + 0x48], esi

        $sequence_5 = { 488bc8 4c8d442460 418d542428 ff15???????? 85c0 745f 4c8d4574 }
            // n = 7, score = 200
            //   488bc8               | jb                  0xe
            //   4c8d442460           | dec                 eax
            //   418d542428           | mov                 ecx, dword ptr [ebp + 0x80]
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   745f                 | mov                 ecx, eax
            //   4c8d4574             | dec                 esp

        $sequence_6 = { eb03 498bc6 803c303d 0f84be010000 4883f910 7205 498b06 }
            // n = 7, score = 200
            //   eb03                 | dec                 eax
            //   498bc6               | mov                 edi, edx
            //   803c303d             | inc                 eax
            //   0f84be010000         | dec                 eax
            //   4883f910             | arpl                ax, dx
            //   7205                 | inc                 ecx
            //   498b06               | mov                 eax, 2

        $sequence_7 = { 0f84bf010000 48895c2420 4d8bcd 4d8bc4 }
            // n = 4, score = 200
            //   0f84bf010000         | inc                 sp
            //   48895c2420           | mov                 dword ptr [esp + 0x38], esi
            //   4d8bcd               | mov                 byte ptr [ebp + 0x17], 0
            //   4d8bc4               | dec                 esp

        $sequence_8 = { 33c0 e9???????? 8975e4 33c0 39b8a0080210 0f8491000000 ff45e4 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   33c0                 | xor                 eax, eax
            //   39b8a0080210         | cmp                 dword ptr [eax + 0x100208a0], edi
            //   0f8491000000         | je                  0x97
            //   ff45e4               | inc                 dword ptr [ebp - 0x1c]

        $sequence_9 = { bf0f000000 8bc6 897c2430 895c242c }
            // n = 4, score = 100
            //   bf0f000000           | mov                 edi, 0xf
            //   8bc6                 | mov                 eax, esi
            //   897c2430             | mov                 dword ptr [esp + 0x30], edi
            //   895c242c             | mov                 dword ptr [esp + 0x2c], ebx

        $sequence_10 = { 83ec1c 8bcc 89a520feffff 33db }
            // n = 4, score = 100
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89a520feffff         | mov                 dword ptr [ebp - 0x1e0], esp
            //   33db                 | xor                 ebx, ebx

        $sequence_11 = { c745fc01000000 e9???????? 8b11 8b421c ffd0 c745fc01000000 eb74 }
            // n = 7, score = 100
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   e9????????           |                     
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   ffd0                 | call                eax
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   eb74                 | jmp                 0x76

        $sequence_12 = { 2d08030000 7435 83e805 0f8510010000 }
            // n = 4, score = 100
            //   2d08030000           | sub                 eax, 0x308
            //   7435                 | je                  0x37
            //   83e805               | sub                 eax, 5
            //   0f8510010000         | jne                 0x116

        $sequence_13 = { 57 83c170 e8???????? 57 e8???????? 83c404 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   83c170               | add                 ecx, 0x70
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_14 = { 03f7 c745f001000000 e8???????? 6a20 8d5f10 56 895e38 }
            // n = 7, score = 100
            //   03f7                 | add                 esi, edi
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   8d5f10               | lea                 ebx, [edi + 0x10]
            //   56                   | push                esi
            //   895e38               | mov                 dword ptr [esi + 0x38], ebx

        $sequence_15 = { 52 8d8da4feffff 51 a3???????? 33db c785a4feffff01000600 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   8d8da4feffff         | lea                 ecx, [ebp - 0x15c]
            //   51                   | push                ecx
            //   a3????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   c785a4feffff01000600     | mov    dword ptr [ebp - 0x15c], 0x60001

    /*
     * At least 7 of the 16 sequences must be present, which tolerates partial
     * recompilation but means a single sample (only one architecture group
     * present) can satisfy the rule on its own. The filesize bound is
     * presumably derived from the reference samples — a larger or repacked
     * build will not match, and the rule is intended for unpacked files or
     * memory dumps (see DISCLAIMER), not packed on-disk droppers.
     */
    condition:
        7 of them and filesize < 462848
}