win.vyveva

Vyveva RAT

Actor(s): Lazarus Group


Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.

It uses a simple XOR for encryption of its configuration and network traffic.

It sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.

It supports more than 20 commands, covering operations on the victim's filesystem, basic process management, command line execution, file exfiltration, and the download and in-memory execution of an additional DLL from the C&C (by calling its expected export, SamIPromote). As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3; the next is 0x10, and the indices then run consecutively up to 0x26. It can also monitor newly connected drives and the number of logged-on users.
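An added example, not code from the page or from ESET: an analyst-side decoder for the traffic format the paragraphs above describe, a simple XOR layer over frames whose first 32-bit integer is the command index (0x3, then 0x10 through 0x26). The frame layout (index followed by raw argument bytes), the single-byte key length and the sample frame are assumptions; the point it shows is that the sparse index set gives a defender enough known plaintext to recover a single-byte key from one captured frame.

```python
import struct

# Command indices Vyveva understands, per the description above: 0x3, then 0x10 through 0x26,
# each carried as a 32-bit integer.
VALID_COMMANDS = frozenset([0x3] + list(range(0x10, 0x27)))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. With a one-byte key this is the 'simple XOR' the page mentions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_command(frame: bytes):
    """Read the first dword of a decoded frame as a little-endian command index.

    Returns (index, payload) when the index is one Vyveva accepts, else None.
    The frame layout (index followed by raw argument bytes) is an assumption."""
    if len(frame) < 4:
        return None
    idx = struct.unpack_from("<I", frame, 0)[0]
    if idx not in VALID_COMMANDS:
        return None
    return idx, frame[4:]


def recover_single_byte_keys(encoded: bytes):
    """Known-plaintext recovery of a single-byte XOR key.

    Every valid index is below 0x100, so bytes 1..3 of the plaintext dword are zero and
    the ciphertext bytes at those offsets equal the key. Trying all 256 keys and keeping
    those that yield a valid index makes that check explicit."""
    hits = []
    for k in range(256):
        parsed = parse_command(xor_bytes(encoded[:4], bytes([k])))
        if parsed is not None:
            hits.append((k, parsed[0]))
    return hits


# Constructed sample, not a real capture: command 0x12 with an ASCII argument, key 0x5A.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_FRAME = xor_bytes(struct.pack("<I", 0x12) + b"C:\\share\\report.xlsx", SAMPLE_KEY)


def decode_sample():
    """Recover the key from the sample frame and decode the whole frame with it."""
    key = recover_single_byte_keys(SAMPLE_FRAME)[0][0]
    return parse_command(xor_bytes(SAMPLE_FRAME, bytes([key])))
```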

Its internal DLL name is MPRD.dll, and it has a single export, SamIInitialize.

Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.

References
2021-04-08, ESET Research, Filip Jurčacko: (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
Yara Rules
[TLP:WHITE] win_vyveva_auto (20260504 | Detects win.vyveva.)
rule win_vyveva_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.vyveva."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89742418 88460c e8???????? 50 8f00 394004 7408 }
            // n = 7, score = 100
            //   89742418             | mov                 dword ptr [esp + 0x18], esi
            //   88460c               | mov                 byte ptr [esi + 0xc], al
            //   e8????????           |                     
            //   50                   | push                eax
            //   8f00                 | pop                 dword ptr [eax]
            //   394004               | cmp                 dword ptr [eax + 4], eax
            //   7408                 | je                  0xa

        $sequence_1 = { c644242097 c644242159 aa e8???????? 8d942488000000 52 68???????? }
            // n = 7, score = 100
            //   c644242097           | mov                 byte ptr [esp + 0x20], 0x97
            //   c644242159           | mov                 byte ptr [esp + 0x21], 0x59
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e8????????           |                     
            //   8d942488000000       | lea                 edx, [esp + 0x88]
            //   52                   | push                edx
            //   68????????           |                     

        $sequence_2 = { 83ec04 5a 83c50a 50 8f02 668b442438 51 }
            // n = 7, score = 100
            //   83ec04               | sub                 esp, 4
            //   5a                   | pop                 edx
            //   83c50a               | add                 ebp, 0xa
            //   50                   | push                eax
            //   8f02                 | pop                 dword ptr [edx]
            //   668b442438           | mov                 ax, word ptr [esp + 0x38]
            //   51                   | push                ecx

        $sequence_3 = { 8b8e90000000 6a00 41 6a10 898e90000000 51 51 }
            // n = 7, score = 100
            //   8b8e90000000         | mov                 ecx, dword ptr [esi + 0x90]
            //   6a00                 | push                0
            //   41                   | inc                 ecx
            //   6a10                 | push                0x10
            //   898e90000000         | mov                 dword ptr [esi + 0x90], ecx
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_4 = { c74424fc00000000 014424fc 83ec04 2bc1 58 722c 8d4c246c }
            // n = 7, score = 100
            //   c74424fc00000000     | mov                 dword ptr [esp - 4], 0
            //   014424fc             | add                 dword ptr [esp - 4], eax
            //   83ec04               | sub                 esp, 4
            //   2bc1                 | sub                 eax, ecx
            //   58                   | pop                 eax
            //   722c                 | jb                  0x2e
            //   8d4c246c             | lea                 ecx, [esp + 0x6c]

        $sequence_5 = { 58 ff7004 59 897914 ff7604 5a 8b7204 }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   ff7004               | push                dword ptr [eax + 4]
            //   59                   | pop                 ecx
            //   897914               | mov                 dword ptr [ecx + 0x14], edi
            //   ff7604               | push                dword ptr [esi + 4]
            //   5a                   | pop                 edx
            //   8b7204               | mov                 esi, dword ptr [edx + 4]

        $sequence_6 = { 56 8f4034 e8???????? ff7534 59 33c0 8d440644 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8f4034               | pop                 dword ptr [eax + 0x34]
            //   e8????????           |                     
            //   ff7534               | push                dword ptr [ebp + 0x34]
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   8d440644             | lea                 eax, [esi + eax + 0x44]

        $sequence_7 = { 1bc0 2480 0500010000 50 5b 53 6a1d }
            // n = 7, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   2480                 | and                 al, 0x80
            //   0500010000           | add                 eax, 0x100
            //   50                   | push                eax
            //   5b                   | pop                 ebx
            //   53                   | push                ebx
            //   6a1d                 | push                0x1d

        $sequence_8 = { fec9 5f 8848ff 895e04 895e08 53 8f460c }
            // n = 7, score = 100
            //   fec9                 | dec                 cl
            //   5f                   | pop                 edi
            //   8848ff               | mov                 byte ptr [eax - 1], cl
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   53                   | push                ebx
            //   8f460c               | pop                 dword ptr [esi + 0xc]

        $sequence_9 = { 57 8b460c 85c0 0f8402010000 33c0 034604 3b08 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   85c0                 | test                eax, eax
            //   0f8402010000         | je                  0x108
            //   33c0                 | xor                 eax, eax
            //   034604               | add                 eax, dword ptr [esi + 4]
            //   3b08                 | cmp                 ecx, dword ptr [eax]

    condition:
        7 of them and filesize < 360448
}