According to Seqrite, VELETRIX has been observed as a loader for VShell.
// Auto-generated (yara-signator) code-sequence rule for the win.veletrix family,
// which the accompanying Malpedia note describes as a loader for VShell.
// Each $sequence_N is a run of raw x86-64 opcode bytes taken from the disassembly
// of a single documented sample; "????????" wildcards mask relocatable
// call/jmp/RIP-relative displacements so the byte sequence survives rebasing.
//
// NOTE(review): the "| <instruction>" annotations next to each byte group appear to
// be shifted relative to the bytes and decoded as 32-bit code (the REX prefixes
// 0x48/0x4c/0x4d/0x49 show up as "dec eax"/"dec esp"/"dec ebp"/"dec ecx"). Treat
// the annotation column as informational only; the hex bytes are what the rule
// actually matches.
rule win_veletrix_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.veletrix."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veletrix"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking of the sequence, not a match weight used by YARA.
        $sequence_0 = { 7408 488bc2 e9???????? 4d3bc4 0f84d9000000 8b7500 498b9cf6c0920100 }
            // n = 7, score = 100
            //   7408                 | dec eax
            //   488bc2               | lea eax, [0x13197]
            //   e9????????           |
            //   4d3bc4               | jmp 0xc48
            //   0f84d9000000         | dec eax
            //   8b7500               | add eax, 0x24
            //   498b9cf6c0920100     | dec eax

        $sequence_1 = { f20f59ee f20f5ce9 f2410f1004c1 488d1576860000 f20f1014c2 }
            // n = 5, score = 100
            //   f20f59ee             | lea edx, [0x902d]
            //   f20f5ce9             | dec eax
            //   f2410f1004c1         | mov ebx, edx
            //   488d1576860000       | dec esp
            //   f20f1014c2           | lea ecx, [0xaf7c]

        $sequence_2 = { 85c0 742a 488bc5 4c8d05f5250100 488bcd 48c1f906 83e03f }
            // n = 7, score = 100
            //   85c0                 | je 0x5b8
            //   742a                 | dec eax
            //   488bc5               | lea eax, [0xf56d]
            //   4c8d05f5250100       | dec edx
            //   488bcd               | mov ecx, dword ptr [eax + ebp*8]
            //   48c1f906             | dec eax
            //   83e03f               | lea edx, [ebp - 0x10]

        $sequence_3 = { e8???????? 33db 8bf8 85c0 0f8453020000 4c8d2d461a0100 448bf3 }
            // n = 7, score = 100
            //   e8????????           |
            //   33db                 | dec esp
            //   8bf8                 | lea ecx, [0x9729]
            //   85c0                 | pop edi
            //   0f8453020000         | ret
            //   4c8d2d461a0100       | dec eax
            //   448bf3               | mov dword ptr [esp + 8], edi

        // VEX-encoded (c5../c4..) floating-point instructions; all four RIP-relative
        // operands are wildcarded, so this sequence matches mostly on the opcode
        // bytes themselves.
        $sequence_4 = { 4c8d0d057c0000 c5f359c1 c5fb101d???????? c5fb102d???????? c4e2f1a91d???????? c4e2f1a92d???????? f20f10e0 }
            // n = 7, score = 100
            //   4c8d0d057c0000       | dec esp
            //   c5f359c1             | lea esi, [0x101ee]
            //   c5fb101d????????     |
            //   c5fb102d????????     |
            //   c4e2f1a91d????????   |
            //   c4e2f1a92d????????   |
            //   f20f10e0             | dec eax

        // The three c745xx immediates are the ASCII dwords "Virt" (56697274),
        // "ualP" (75616c50) and "rote" (726f7465) written to consecutive stack
        // slots — consistent with building an API name as a stack string at
        // runtime, which is why it is worth keeping as a sequence rather than
        // as a plain text string (the name never appears contiguously).
        $sequence_5 = { c7459856697274 488bcb c7459c75616c50 4c8be0 c745a0726f7465 }
            // n = 5, score = 100
            //   c7459856697274       | dec eax
            //   488bcb               | mov eax, dword ptr [ecx + 0xf8]
            //   c7459c75616c50       | dec eax
            //   4c8be0               | mov ebx, ecx
            //   c745a0726f7465       | dec eax

        $sequence_6 = { e8???????? 488b8f90000000 483b0d???????? 7417 488d05243d0100 }
            // n = 5, score = 100
            //   e8????????           |
            //   488b8f90000000       | test eax, eax
            //   483b0d????????       |
            //   7417                 | dec eax
            //   488d05243d0100       | mov ecx, eax

        $sequence_7 = { 4c8d4c2448 488b4f10 41b840000000 ff542430 8b4f04 ba00080000 }
            // n = 6, score = 100
            //   4c8d4c2448           | inc esp
            //   488b4f10             | mov edi, ecx
            //   41b840000000         | dec esp
            //   ff542430             | lea esi, [0xffffb0ee]
            //   8b4f04               | dec ebp
            //   ba00080000           | mov esp, ecx

        $sequence_8 = { 48894df7 488945ef 488d0d8668ffff 83e03f 458be9 4d03e8 4c8945df }
            // n = 7, score = 100
            //   48894df7             | mov eax, 0x800
            //   488945ef             | dec eax
            //   488d0d8668ffff       | mov ebx, eax
            //   83e03f               | dec ebp
            //   458be9               | mov esp, ecx
            //   4d03e8               | dec ecx
            //   4c8945df             | mov ebp, eax

        $sequence_9 = { 4c896daf 49c1fc06 4c8d34c0 4a8b84e100970100 4a8b44f028 }
            // n = 5, score = 100
            //   4c896daf             | inc ecx
            //   49c1fc06             | mov eax, dword ptr [edi + esi*8 + 0x11288]
            //   4c8d34c0             | test eax, eax
            //   4a8b84e100970100     | js 0x7d
            //   4a8b44f028           | cmp eax, 0xe4

    // 7 of the 10 sequences must be present, and the scanned object must be
    // below 234496 bytes. Because the sequences were extracted from memory dumps
    // and unpacked files (see DISCLAIMER), a packed on-disk sample may not
    // match; a memory dump that is larger than the filesize cap will also be
    // excluded, so consider dropping the filesize clause when scanning memory.
    condition:
        7 of them and filesize < 234496
}