win.unidentified_121

Unidentified 121


unidentified_121 acts as a downloader and reflective PE loader, employing a dual-mode execution strategy based on its privilege level. When executed without administrative rights, it uniquely attempts to bypass User Account Control (UAC) by first patching its own Process Environment Block (PEB) in memory to masquerade as explorer.exe, and then leveraging a specific COM object ({3E5FC7F9-9A51-4367-9063-A120244FBEC7} with the Elevation:Administrator!new: moniker) to relaunch itself with elevated privileges. This initial stage focuses purely on achieving elevation and does not perform C2 communication or direct payload execution itself in the non-elevated state.

Once running with administrative privileges (either initially or after successful elevation), the malware establishes persistence by creating a Scheduled Task named "BlaBlaAgu" using COM, configuring it to run with the highest privileges and repeat every five minutes indefinitely. It actively evades defenses by using PowerShell commands (Add-MpPreference) to add Windows Defender exclusions for its own process and the user's profile directory, reinforcing these exclusions every 60 seconds via a separate thread. Its primary function in this elevated state is to act as a downloader, connecting to its Command and Control (C2) server over TCP port 33334 using a custom protocol encrypted with an RC4-like cipher and the hardcoded key "ALB9SxZBzCqwPFnD". After a 20-byte client handshake (the 16-byte RC4 key followed by the integer 444) and a 16-byte server response (the RC4 key again) that the client checks for validation, it downloads further encrypted PE payloads and executes them reflectively in its own memory space.

References
2025-04-16 | VirusTotal | VirusTotal
b804ab085f7cf9ee546d586b36ebbeb73f874205b8fae048760dee78375ddf40
Unidentified 121
Yara Rules
[TLP:WHITE] win_unidentified_121_auto (20260504 | Detects win.unidentified_121.)
rule win_unidentified_121_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_121."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_121"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) on the per-byte annotations below:
     * The hex byte sequences are the only thing YARA matches on; the "| mnemonic"
     * comments are documentation only. The generator's annotations for the
     * 64-bit sequences ($sequence_0, _4, _5, _6, _7, _9, _10, _14) did not
     * correspond to the bytes beside them (e.g. the original annotation for
     * $sequence_0 was a 32-bit decode of the tail of $sequence_9). Those eight
     * have been re-annotated here with a manual x86-64 decode; confirm in a
     * disassembler before relying on them. The 32-bit sequences ($sequence_1,
     * _2, _3, _8, _11, _12, _13, _15) were left as generated.
     * The rule mixes 32-bit and 64-bit code, which suggests the reference
     * material spans both architectures (e.g. an embedded component) - unverified.
     */

    strings:
        $sequence_0 = { 7466 498d4002 48894318 410fb64001 }
            // n = 4, score = 100
            // (re-decoded as x86-64)
            //   7466                 | je                  short +0x66
            //   498d4002             | lea                 rax, [r8 + 2]
            //   48894318             | mov                 qword ptr [rbx + 0x18], rax
            //   410fb64001           | movzx               eax, byte ptr [r8 + 1]

        $sequence_1 = { 8b55fc 8b4510 894248 8d4db4 }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   894248               | mov                 dword ptr [edx + 0x48], eax
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]

        $sequence_2 = { 8b55fc 8b4510 8b4814 894a1c }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   894a1c               | mov                 dword ptr [edx + 0x1c], ecx

        $sequence_3 = { 8b55fc 8b4510 8b4a08 3b481c }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]
            //   3b481c               | cmp                 ecx, dword ptr [eax + 0x1c]

        $sequence_4 = { c70700000000 4889d8 4883c440 5b 5e 5f }
            // n = 6, score = 100
            // (re-decoded as x86-64; looks like a function epilogue)
            //   c70700000000         | mov                 dword ptr [rdi], 0
            //   4889d8               | mov                 rax, rbx
            //   4883c440             | add                 rsp, 0x40
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi
            //   5f                   | pop                 rdi

        $sequence_5 = { 4889d9 e8???????? 488b8300010000 483dff000000 0f848a000000 }
            // n = 5, score = 100
            // (re-decoded as x86-64; e8 call target is wildcarded)
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 masked>
            //   488b8300010000       | mov                 rax, qword ptr [rbx + 0x100]
            //   483dff000000         | cmp                 rax, 0xff
            //   0f848a000000         | je                  near +0x8a

        $sequence_6 = { 4885c0 4989c1 44897b4c 7418 488b4318 803845 }
            // n = 6, score = 100
            // (re-decoded as x86-64)
            //   4885c0               | test                rax, rax
            //   4989c1               | mov                 r9, rax
            //   44897b4c             | mov                 dword ptr [rbx + 0x4c], r15d
            //   7418                 | je                  short +0x18
            //   488b4318             | mov                 rax, qword ptr [rbx + 0x18]
            //   803845               | cmp                 byte ptr [rax], 0x45

        $sequence_7 = { 31d2 4889d9 e8???????? 488d0d4c440000 89c3 e8???????? 89d8 }
            // n = 7, score = 100
            // (re-decoded as x86-64; both e8 call targets are wildcarded)
            //   31d2                 | xor                 edx, edx
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 masked>
            //   488d0d4c440000       | lea                 rcx, [rip + 0x444c]
            //   89c3                 | mov                 ebx, eax
            //   e8????????           | call                <rel32 masked>
            //   89d8                 | mov                 eax, ebx

        $sequence_8 = { 8b55fc 8b4510 8b4c9004 51 }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4c9004             | mov                 ecx, dword ptr [eax + edx*4 + 4]
            //   51                   | push                ecx

        $sequence_9 = { 3c6d 0f84bb000000 4531ed 488d3dfc330100 b903000000 4c89e6 }
            // n = 6, score = 100
            // (re-decoded as x86-64)
            //   3c6d                 | cmp                 al, 0x6d
            //   0f84bb000000         | je                  near +0xbb
            //   4531ed               | xor                 r13d, r13d
            //   488d3dfc330100       | lea                 rdi, [rip + 0x133fc]
            //   b903000000           | mov                 ecx, 3
            //   4c89e6               | mov                 rsi, r12

        $sequence_10 = { 4883ec38 448baa90000000 4889cf 4901cd b975ee4070 e8???????? }
            // n = 6, score = 100
            // (re-decoded as x86-64; e8 call target is wildcarded)
            //   4883ec38             | sub                 rsp, 0x38
            //   448baa90000000       | mov                 r13d, dword ptr [rdx + 0x90]
            //   4889cf               | mov                 rdi, rcx
            //   4901cd               | add                 r13, rcx
            //   b975ee4070           | mov                 ecx, 0x7040ee75
            //   e8????????           | call                <rel32 masked>

        $sequence_11 = { 8b55fc 8b4510 8902 33c9 }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8902                 | mov                 dword ptr [edx], eax
            //   33c9                 | xor                 ecx, ecx

        $sequence_12 = { 8b55fc 8b4510 8b0c90 51 8d5588 }
            // n = 5, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b0c90               | mov                 ecx, dword ptr [eax + edx*4]
            //   51                   | push                ecx
            //   8d5588               | lea                 edx, [ebp - 0x78]

        $sequence_13 = { 8b55fc 8b4510 894204 8b4dfc 51 }
            // n = 5, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx

        $sequence_14 = { 4883ec20 488d0524590000 4889cb 488901 e8???????? }
            // n = 5, score = 100
            // (re-decoded as x86-64; e8 call target is wildcarded)
            //   4883ec20             | sub                 rsp, 0x20
            //   488d0524590000       | lea                 rax, [rip + 0x5924]
            //   4889cb               | mov                 rbx, rcx
            //   488901               | mov                 qword ptr [rcx], rax
            //   e8????????           | call                <rel32 masked>

        $sequence_15 = { 8b55fc 8b4510 894220 8b4dfc }
            // n = 4, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   894220               | mov                 dword ptr [edx + 0x20], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

    condition:
        // 7 of the 16 strings must hit. Note that eight of them ($sequence_1, _2,
        // _3, _8, _11, _12, _13, _15) are near-duplicate 32-bit field stores that all
        // start with `mov edx, [ebp - 4]; mov eax, [ebp + 0x10]`, so the threshold
        // can be satisfied largely by that one generic stack-frame pattern; when
        // tuning locally, consider weighting the 64-bit sequences or raising the
        // count. The filesize cap (about 2.3 MiB) means larger memory dumps or
        // padded samples will not match.
        7 of them and filesize < 2419712
}