Unidentified 112 (Rust-based Stealer) (Malware Family)

Unidentified 112 (Rust-based Stealer)

VTCollection
A Rust-based stealer, observed by Seqrite, along TTPs overlapping with Pakistan-linked APT groups.
References

2023-12-21 ⋅ Seqrite ⋅ Sathwik Ram Prakki
Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration
Ares Unidentified 112 (Rust-based Stealer)
Yara Rules

[TLP:WHITE] win_unidentified_112_auto (20260504 | Detects win.unidentified_112.)
rule win_unidentified_112_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_112."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? c6452701 488d0dc0661200 4c8d0501671200 ba46000000 e8???????? eb5c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c6452701             | dec                 eax
            //   488d0dc0661200       | lea                 ecx, [ebp + 0x78]
            //   4c8d0501671200       | dec                 eax
            //   ba46000000           | lea                 ecx, [ebp + 0x50]
            //   e8????????           |                     
            //   eb5c                 | mov                 byte ptr [esp + 0x20], al

        $sequence_1 = { f048ff08 7505 e8???????? 4c8936 0f288540100000 0f288d50100000 660f6f9560100000 }
            // n = 7, score = 100
            //   f048ff08             | jne                 0x23
            //   7505                 |                     
            //   e8????????           |                     
            //   4c8936               | jne                 7
            //   0f288540100000       | dec                 esp
            //   0f288d50100000       | mov                 dword ptr [esi], esi
            //   660f6f9560100000     | movaps              xmm0, xmmword ptr [ebp + 0x1040]

        $sequence_2 = { e8???????? eb18 488d0d62501500 4c8d0583511500 ba22000000 e8???????? 0f0b }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb18                 | lea                 eax, [0x11fdd5]
            //   488d0d62501500       | mov                 edx, 0x30
            //   4c8d0583511500       | mov                 byte ptr [ebp + 0x1ef], 1
            //   ba22000000           | dec                 eax
            //   e8????????           |                     
            //   0f0b                 | lea                 ecx, [0x11f3c9]

        $sequence_3 = { e9???????? 488d15ee980d00 41b809000000 488b742460 4889f1 e8???????? 40b501 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d15ee980d00       | dec                 eax
            //   41b809000000         | lea                 edi, [ebp + 0xb0]
            //   488b742460           | inc                 ecx
            //   4889f1               | mov                 eax, 0x108
            //   e8????????           |                     
            //   40b501               | dec                 eax

        $sequence_4 = { e8???????? 0f0b 488d05619e0d00 4889442420 4c89e1 4889fa 4531c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0f0b                 | dec                 eax
            //   488d05619e0d00       | lea                 ecx, [0x1011e1]
            //   4889442420           | dec                 esp
            //   4c89e1               | lea                 ecx, [0x10120a]
            //   4889fa               | ud2                 
            //   4531c0               | dec                 eax

        $sequence_5 = { e8???????? 0f0b 488b4de0 488b45e8 ff10 488b45e8 488b5008 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0f0b                 | lea                 eax, [0xb45bb]
            //   488b4de0             | ud2                 
            //   488b45e8             | dec                 eax
            //   ff10                 | test                ecx, ecx
            //   488b45e8             | je                  0x9f
            //   488b5008             | dec                 eax

        $sequence_6 = { e9???????? 0f1005???????? 0f298510010000 0f1005???????? 0f298500010000 488dbd30010000 488d9d00010000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   0f1005????????       |                     
            //   0f298510010000       | test                eax, eax
            //   0f1005????????       |                     
            //   0f298500010000       | je                  0x81
            //   488dbd30010000       | dec                 eax
            //   488d9d00010000       | imul                edx, eax, 0x58

        $sequence_7 = { e8???????? 0fb645a8 83f805 0f84a8000000 83f806 0f85af010000 488b85e0000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb645a8             | nop                 word ptr cs:[eax + eax]
            //   83f805               | dec                 eax
            //   0f84a8000000         | mov                 dword ptr [esp + 0x10], edx
            //   83f806               | push                ebp
            //   0f85af010000         | dec                 eax
            //   488b85e0000000       | sub                 esp, 0x30

        $sequence_8 = { be01000000 f0480fc130 4989f5 4983e5e0 4c8b37 4c89e8 492b8600230000 }
            // n = 7, score = 100
            //   be01000000           | mov                 eax, 8
            //   f0480fc130           | dec                 eax
            //   4989f5               | mov                 ecx, esi
            //   4983e5e0             | dec                 eax
            //   4c8b37               | add                 esp, 0x38
            //   4c89e8               | pop                 esi
            //   492b8600230000       | pop                 ebp

        $sequence_9 = { c685e502000000 0f28742420 4883c438 5b 5f 5e 415c }
            // n = 7, score = 100
            //   c685e502000000       | mov                 byte ptr [ebp + 0xedc], 0
            //   0f28742420           | dec                 eax
            //   4883c438             | add                 esp, 0x28
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   415c                 | inc                 ecx

    condition:
        7 of them and filesize < 7317504
}
Download all Yara Rules
Unidentified 112 (Rust-based Stealer) Propose Change

References

Yara Rules

Unidentified 112 (Rust-based Stealer)
