win.unidentified_094

Unidentified 094

aka: ClaimLoader, PUBLOAD

There is no description at this point.

References
2022-11-18 — Trend Micro — Nick Dai, Vickie Su, Sunny Lu
@online{dai:20221118:earth:e3e474b, author = {Nick Dai and Vickie Su and Sunny Lu}, title = {{Earth Preta Spear-Phishing Governments Worldwide}}, date = {2022-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html}, language = {English}, urldate = {2023-08-03} } Earth Preta Spear-Phishing Governments Worldwide
TONESHELL Unidentified 094 MUSTANG PANDA
2022-11-17 — LAC WATCH — Yoshihiro Ishikawa
@online{ishikawa:20221117:chinabased:2fb560f, author = {Yoshihiro Ishikawa}, title = {{China-based Mustang Panda is a targeted attack with malware "Claimloader", may affect Japan}}, date = {2022-11-17}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20221117_003189.html}, language = {English}, urldate = {2023-08-03} } China-based Mustang Panda is a targeted attack with malware "Claimloader", may affect Japan
Unidentified 094
2022-08-09 — Twitter (@Katechondic) — Katechondic
@online{katechondic:20220809:malware:2d6d764, author = {Katechondic}, title = {{Tweet on malware, suspected to be from China based actor, targeting Taiwan}}, date = {2022-08-09}, organization = {Twitter (@Katechondic)}, url = {https://twitter.com/katechondic/status/1556940169483264000}, language = {English}, urldate = {2022-09-19} } Tweet on malware, suspected to be from China based actor, targeting Taiwan
Unidentified 094
2022-05-05 — Cisco Talos — Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
@online{an:20220505:mustang:cbc06e9, author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay}, title = {{Mustang Panda deploys a new wave of malware targeting Europe}}, date = {2022-05-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html}, language = {English}, urldate = {2023-08-03} } Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX Unidentified 094
Yara Rules
[TLP:WHITE] win_unidentified_094_auto (20230715 | Detects win.unidentified_094.)
rule win_unidentified_094_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_094."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_094"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* HOW TO READ THE STRINGS BELOW
     * Each $sequence_N is a run of x86 (32-bit) instruction bytes taken from the
     * sample's disassembly; the commented lines under it show the opcode bytes and
     * their decoding, one instruction per line. "n" is the number of instructions
     * in the sequence and "score" is the generator's selection score.
     * "??" wildcards mask 4-byte operands (imm32 / absolute memory addresses, e.g.
     * the 68????????, bf????????, ff15???????? and 3015???????? instructions),
     * presumably so those sequences are not tied to one image layout.
     * Note that $sequence_0, $sequence_5 and $sequence_7 keep literal absolute
     * addresses in the 0x1001xxxx range unmasked, so those three sequences only
     * match an image laid out at that base (on-disk build or unrelocated dump);
     * a relocated in-memory image may not hit them.
     */

    strings:
        // Byte-copy loop into a fixed global buffer at 0x1001aa78/0x1001aa7c
        // (4 iterations: cmp eax, 4). Address is unmasked, see note above.
        $sequence_0 = { 0fb611 889078aa0110 0fb65101 88907caa0110 40 83c104 83f804 }
            // n = 7, score = 100
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   889078aa0110         | mov                 byte ptr [eax + 0x1001aa78], dl
            //   0fb65101             | movzx               edx, byte ptr [ecx + 1]
            //   88907caa0110         | mov                 byte ptr [eax + 0x1001aa7c], dl
            //   40                   | inc                 eax
            //   83c104               | add                 ecx, 4
            //   83f804               | cmp                 eax, 4

        // Seven consecutive dword stores to the stack frame ([ebp-0x64] .. [ebp-0x4c]).
        // All immediates after the first decode to printable ASCII hex digits
        // (e.g. 0x66386639 -> "9f8f" little-endian), which looks like a constant
        // string assembled on the stack — confirm against the sample before
        // relying on that interpretation.
        $sequence_1 = { c7459ca50e628a c745a039663866 c745a432373561 c745a864633662 c745ac62633633 c745b066343636 c745b466323734 }
            // n = 7, score = 100
            //   c7459ca50e628a       | mov                 dword ptr [ebp - 0x64], 0x8a620ea5
            //   c745a039663866       | mov                 dword ptr [ebp - 0x60], 0x66386639
            //   c745a432373561       | mov                 dword ptr [ebp - 0x5c], 0x61353732
            //   c745a864633662       | mov                 dword ptr [ebp - 0x58], 0x62366364
            //   c745ac62633633       | mov                 dword ptr [ebp - 0x54], 0x33366362
            //   c745b066343636       | mov                 dword ptr [ebp - 0x50], 0x36363466
            //   c745b466323734       | mov                 dword ptr [ebp - 0x4c], 0x34373266

        // lea/push of a stack buffer at [ebp-0x80] followed by dword stores of
        // non-printable constants into it; the immediates differ from $sequence_4,
        // which shares the same lea/push preamble shape.
        $sequence_2 = { 8d4d80 51 56 c74580cb9cc0f2 c74584620c1cd7 c74588fb01efe4 c7458c93ecc281 }
            // n = 7, score = 100
            //   8d4d80               | lea                 ecx, [ebp - 0x80]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   c74580cb9cc0f2       | mov                 dword ptr [ebp - 0x80], 0xf2c09ccb
            //   c74584620c1cd7       | mov                 dword ptr [ebp - 0x7c], 0xd71c0c62
            //   c74588fb01efe4       | mov                 dword ptr [ebp - 0x78], 0xe4ef01fb
            //   c7458c93ecc281       | mov                 dword ptr [ebp - 0x74], 0x81c2ec93

        // Two indirect calls through registers (esi, edi) with the result of the
        // first passed to the second; the two push imm32 operands are masked.
        $sequence_3 = { 8bd8 ffd6 50 ffd7 68???????? 68???????? 8945fc }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   ffd6                 | call                esi
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   68????????           |                     
            //   68????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        // Same [ebp-0x80] stack-buffer fill pattern as $sequence_2, different constants.
        $sequence_4 = { 56 c74580f59a8adc c745844c9f1f78 c7458887e8b3a4 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   c74580f59a8adc       | mov                 dword ptr [ebp - 0x80], 0xdc8a9af5
            //   c745844c9f1f78       | mov                 dword ptr [ebp - 0x7c], 0x781f9f4c
            //   c7458887e8b3a4       | mov                 dword ptr [ebp - 0x78], 0xa4b3e887

        // Scan of an 8-byte-stride global table at 0x10019210 (unmasked address):
        // compares the second dword of each entry with 1 and stores edi into the
        // first dword of the matching slot; 0xfa0 (4000) is then pushed as an argument.
        $sequence_5 = { 33f6 bf???????? 833cf51492011001 751d 8d04f510920110 8938 68a00f0000 }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf51492011001     | cmp                 dword ptr [esi*8 + 0x10019214], 1
            //   751d                 | jne                 0x1f
            //   8d04f510920110       | lea                 eax, [esi*8 + 0x10019210]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0

        // Byte-wise XOR of a global location with bytes 4..6 of [eax]; the XOR
        // target addresses are masked. Consistent with an unrolled decode/encode
        // step — the surrounding loop is not part of the sequence.
        $sequence_6 = { 0fb65004 3015???????? 0fb64805 300d???????? 0fb65006 3015???????? }
            // n = 6, score = 100
            //   0fb65004             | movzx               edx, byte ptr [eax + 4]
            //   3015????????         |                     
            //   0fb64805             | movzx               ecx, byte ptr [eax + 5]
            //   300d????????         |                     
            //   0fb65006             | movzx               edx, byte ptr [eax + 6]
            //   3015????????         |                     

        // Same copy loop as $sequence_0, earlier stores (0x1001aa70/0x1001aa74);
        // the two sequences overlap and will usually hit together.
        $sequence_7 = { 889070aa0110 0fb651ff 889074aa0110 0fb611 }
            // n = 4, score = 100
            //   889070aa0110         | mov                 byte ptr [eax + 0x1001aa70], dl
            //   0fb651ff             | movzx               edx, byte ptr [ecx - 1]
            //   889074aa0110         | mov                 byte ptr [eax + 0x1001aa74], dl
            //   0fb611               | movzx               edx, byte ptr [ecx]

        // Generic: two pushes, an import call through a masked IAT slot, then a
        // compare of a local against 1. Short and low-specificity on its own.
        $sequence_8 = { 51 50 ff15???????? 837dfc01 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   837dfc01             | cmp                 dword ptr [ebp - 4], 1

        // Five consecutive dword stores of non-printable constants to [ebp-0x28]..[ebp-0x18].
        $sequence_9 = { c745d83bea7551 c745dc10f337b0 c745e0584b9589 c745e45932ae93 c745e899570ea7 }
            // n = 5, score = 100
            //   c745d83bea7551       | mov                 dword ptr [ebp - 0x28], 0x5175ea3b
            //   c745dc10f337b0       | mov                 dword ptr [ebp - 0x24], 0xb037f310
            //   c745e0584b9589       | mov                 dword ptr [ebp - 0x20], 0x89954b58
            //   c745e45932ae93       | mov                 dword ptr [ebp - 0x1c], 0x93ae3259
            //   c745e899570ea7       | mov                 dword ptr [ebp - 0x18], 0xa70e5799

    // At least 7 of the 10 sequences must match, and the scanned object must be
    // smaller than 231424 bytes (226 KiB). `filesize` is only defined when scanning
    // a file, so this rule does not fire on process-memory scans; drop or relax the
    // size clause if you adapt it for memory scanning, and re-evaluate the unmasked
    // 0x1001xxxx addresses in $sequence_0/_5/_7 in that case.
    condition:
        7 of them and filesize < 231424
}