Avast found this unidentified RAT, which abuses a code-signing certificate associated with the Philippine Navy; a valid code signature on a sample is therefore not evidence that it is benign. The binary is statically linked against OpenSSL 1.1.1g, so OpenSSL library code is embedded in the executable itself.
rule win_unidentified_091_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_091."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were picked automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked samples; the
     * generator is published at https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for many families only a single
     * sample is documented, so how well these sequences generalise to other
     * builds of the family is unknown. Keep the generation method in mind
     * when assigning a confidence level to hits from this rule.
     *
     * Reviewer notes (not part of the generated output):
     *  - Every sequence carries REX prefixes (0x41/0x44/0x45/0x48/0x4c), so
     *    the matched code is x86-64. The per-byte mnemonics in the original
     *    auto-generated listing did not correspond to the bytes they were
     *    printed next to (e.g. `89 55 2c` is `mov [rbp+0x2c], edx`, not
     *    `inc ebp`); the decodes below were redone in 64-bit mode by hand.
     *    Confirm them with a disassembler before relying on the mnemonics.
     *  - Sequences 3, 8 and 9 look like error-reporting call sites (small
     *    immediates resembling source line/function numbers plus a
     *    RIP-relative address). Since this sample statically links OpenSSL
     *    1.1.1g, some sequences may originate in library code rather than
     *    the implant; TODO confirm, as that would raise the false-positive
     *    risk on unrelated binaries built with the same OpenSSL version.
     *  - The rule deliberately imposes no PE-header check, which keeps it
     *    usable on headerless memory dumps. Add `uint16(0) == 0x5A4D` only
     *    if you scope a copy of it to on-disk files.
     *  - `??` wildcards mask the relocatable displacement of call/jmp
     *    targets so the sequence is independent of load address.
     */

    strings:
        // mov [rbp+0x2c], edx / mov [rbp+0x50], r8d / lea r10, [rcx+rax*8] /
        // mov [rbp+0x30], r8d / add rax, rdx / mov [rbp+0x20], r10 /
        // mov dword [rbp+0x54], 2
        $sequence_0 = { 89 55 2c 44 89 45 50 4c 8d 14 c1 44 89 45 30 48 03 c2 4c 89 55 20 c7 45 54 02 00 00 00 } // n = 7, score = 100

        // mov edx, [rsp+0x20] / cmp r10d, ebx / je rel32 / cmp r10d, edx /
        // jb rel32 / cmp r10d, r11d / jae rel32
        $sequence_1 = { 8b 54 24 20 44 3b d3 0f 84 81 00 00 00 44 3b d2 0f 82 df 00 00 00 45 3b d3 0f 83 d6 00 00 00 } // n = 7, score = 100

        // call [rip+disp32] / mov [rbx+0x478], rax / cmp rax, -1 / je rel8 /
        // mov dword [rbx+0x470], 1 / test rdi, rdi / je rel8
        // (a -1 compare right after an import call is consistent with an
        //  INVALID_HANDLE_VALUE check -- presumption, verify against the sample)
        $sequence_2 = { ff 15 ?? ?? ?? ?? 48 89 83 78 04 00 00 48 83 f8 ff 74 2c c7 83 70 04 00 00 01 00 00 00 48 85 ff 74 4e } // n = 7, score = 100

        // jne rel8 / mov eax, 0x41 / mov ecx, 0xb6 / mov edx, 0x6d /
        // mov [rsp+0x20], ecx / lea r9, [rip+0x126d36] / mov r8d, eax
        $sequence_3 = { 75 93 b8 41 00 00 00 b9 b6 00 00 00 ba 6d 00 00 00 89 4c 24 20 4c 8d 0d 36 6d 12 00 44 8b c0 } // n = 7, score = 100

        // jmp rel32 / mov byte [rbp+0x68], 7 / and dword [rbp+0x68], 0xfffffeff /
        // xorps xmm0, xmm0 / movdqu [rbp+0x70], xmm0 / mov [rbp+0x80], r15 /
        // mov ecx, 0x10
        $sequence_4 = { e9 ?? ?? ?? ?? c6 45 68 07 81 65 68 ff fe ff ff 0f 57 c0 f3 0f 7f 45 70 4c 89 bd 80 00 00 00 b9 10 00 00 00 } // n = 7, score = 100

        // jne rel8 / mov dword [rsp+0x28], 0xcc6 / lea edx, [rax+0x50] /
        // lea r9d, [rax+0x10] / jmp rel8 / mov r9d, 1 / mov r8, rdi
        $sequence_5 = { 75 11 c7 44 24 28 c6 0c 00 00 8d 50 50 44 8d 48 10 eb 69 41 b9 01 00 00 00 4c 8b c7 } // n = 7, score = 100

        // mov dword [rsp+0x28], 1 / lea rcx, [rip+0x148a02] / mov r8, rbx /
        // mov [rsp+0x20], eax / call rel32 / add rsp, 0x30 / pop rbx
        $sequence_6 = { c7 44 24 28 01 00 00 00 48 8d 0d 02 8a 14 00 4c 8b c3 89 44 24 20 e8 ?? ?? ?? ?? 48 83 c4 30 5b } // n = 7, score = 100

        // mov [rbp-0x59], eax / mov [rbp-0xd], eax / mov eax, edi /
        // xor eax, [rbp-0x55] / rol eax, 0xc / add r14d, eax / mov edx, r14d
        $sequence_7 = { 89 45 a7 89 45 f3 8b c7 33 45 ab c1 c0 0c 44 03 f0 41 8b d6 } // n = 7, score = 100

        // ret / mov edx, 0x50 / mov dword [rsp+0x28], 0x1d1 /
        // lea rax, [rip+0x130068] / mov r8d, 0x1d5 / mov rcx, rbx /
        // mov [rsp+0x20], rax
        $sequence_8 = { c3 ba 50 00 00 00 c7 44 24 28 d1 01 00 00 48 8d 05 68 00 13 00 41 b8 d5 01 00 00 48 8b cb 48 89 44 24 20 } // n = 7, score = 100

        // je rel8 / mov r8d, 0xb24 / lea rdx, [rip+0x119758] / mov rcx, rbx /
        // call rel32 / mov rbx, [rsp+0x30] / mov eax, 1
        $sequence_9 = { 74 15 41 b8 24 0b 00 00 48 8d 15 58 97 11 00 48 8b cb e8 ?? ?? ?? ?? 48 8b 5c 24 30 b8 01 00 00 00 } // n = 7, score = 100

    condition:
        // Any 7 of the 10 sequences, capped at 5777408 bytes (~5.5 MiB) to
        // bound scan cost on large inputs.
        7 of ($sequence_*) and filesize < 5777408
}