APT44: Unearthing Sandworm
Common Information
Type | Value |
---|---|
UUID | 6b576fe9-968e-46ac-b619-848c395714ea |
Fingerprint | efa07dc1a453623b70ec432b55bd7e2a61e23331a1d0cd95c7e8c20706166863 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 17, 2024, 4:02 p.m. |
Added to db | April 18, 2024, 11:44 a.m. |
Last updated | Aug. 31, 2024, 1:19 a.m. |
Headline | APT44: Unearthing Sandworm |
Title | APT44: Unearthing Sandworm |
Detected Hints/Tags/Attributes | 284/3/235 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf |
URL Provider
Attributes
Details | Type | #Events | Value | CTI |
---|---|---|---|---|
Details | Mandiant Security Validation Actions | 2 | A106-440 |
Details | Mandiant Security Validation Actions | 1 | A107-008 |
Details | Mandiant Security Validation Actions | 1 | A102-576 |
Details | Mandiant Security Validation Actions | 1 | A102-796 |
Details | Mandiant Security Validation Actions | 1 | A102-797 |
Details | Mandiant Security Validation Actions | 1 | A102-798 |
Details | Mandiant Security Validation Actions | 1 | A102-788 |
Details | Mandiant Security Validation Actions | 1 | A102-789 |
Details | Mandiant Security Validation Actions | 1 | A102-790 |
Details | Mandiant Security Validation Actions | 1 | A102-791 |
Details | Mandiant Security Validation Actions | 1 | A102-792 |
Details | Mandiant Security Validation Actions | 1 | A102-793 |
Details | Mandiant Security Validation Actions | 1 | A102-794 |
Details | Mandiant Security Validation Actions | 1 | A102-795 |
Details | Mandiant Security Validation Actions | 1 | A105-313 |
Details | Mandiant Security Validation Actions | 1 | A103-624 |
Details | Mandiant Security Validation Actions | 1 | A103-613 |
Details | Mandiant Security Validation Actions | 1 | A101-388 |
Details | Mandiant Security Validation Actions | 1 | A101-389 |
Details | Mandiant Security Validation Actions | 1 | A106-990 |
Details | Mandiant Security Validation Actions | 1 | A107-018 |
Details | Mandiant Security Validation Actions | 1 | A107-029 |
Details | Mandiant Security Validation Actions | 1 | A107-043 |
Details | Mandiant Security Validation Actions | 1 | A103-166 |
Details | Mandiant Security Validation Actions | 1 | A103-167 |
Details | Mandiant Security Validation Actions | 1 | A103-168 |
Details | Mandiant Security Validation Actions | 1 | A103-169 |
Details | Mandiant Security Validation Actions | 2 | A106-442 |
Details | Mandiant Security Validation Actions | 1 | A107-009 |
Details | Mandiant Security Validation Actions | 1 | A102-993 |
Details | Mandiant Security Validation Actions | 1 | A107-012 |
Details | Mandiant Security Validation Actions | 1 | A107-011 |
Details | Mandiant Security Validation Actions | 1 | A101-887 |
Details | Mandiant Security Validation Actions | 1 | A101-390 |
Details | Mandiant Security Validation Actions | 1 | A102-573 |
Details | Mandiant Security Validation Actions | 1 | A102-574 |
Details | Mandiant Security Validation Actions | 1 | A102-662 |
Details | Mandiant Security Validation Actions | 1 | A106-995 |
Details | Mandiant Security Validation Actions | 1 | A105-426 |
Details | Mandiant Security Validation Actions | 1 | A105-427 |
Details | Mandiant Security Validation Actions | 1 | A105-428 |
Details | Mandiant Security Validation Actions | 1 | A105-429 |
Details | Mandiant Security Validation Actions | 1 | A102-663 |
Details | Mandiant Security Validation Actions | 1 | A103-614 |
Details | Mandiant Security Validation Actions | 1 | A107-023 |
Details | Mandiant Security Validation Actions | 1 | A107-019 |
Details | Mandiant Security Validation Actions | 1 | A106-009 |
Details | Mandiant Security Validation Actions | 1 | A106-546 |
Details | Mandiant Security Validation Actions | 1 | A106-547 |
Details | Mandiant Security Validation Actions | 1 | A107-030 |
Details | Mandiant Security Validation Actions | 1 | A102-579 |
Details | Mandiant Security Validation Actions | 1 | A102-580 |
Details | Mandiant Security Validation Actions | 1 | A102-581 |
Details | Mandiant Security Validation Actions | 1 | A101-287 |
Details | Mandiant Security Validation Actions | 1 | A106-997 |
Details | Mandiant Security Validation Actions | 1 | A106-988 |
Details | Mandiant Security Validation Actions | 1 | A107-035 |
Details | Mandiant Security Validation Actions | 1 | A107-034 |
Details | Mandiant Security Validation Actions | 1 | A107-039 |
Details | Mandiant Security Validation Actions | 1 | A107-022 |
Details | Mandiant Security Validation Actions | 1 | A107-032 |
Details | Mandiant Security Validation Actions | 1 | A107-044 |
Details | Mandiant Security Validation Actions | 1 | A107-014 |
Details | Mandiant Security Validation Actions | 1 | A107-042 |
Details | Mandiant Security Validation Actions | 1 | A107-036 |
Details | Mandiant Security Validation Actions | 1 | A101-158 |
Details | Mandiant Security Validation Actions | 1 | A103-626 |
Details | Mandiant Security Validation Actions | 1 | A107-041 |
Details | Mandiant Security Validation Actions | 1 | A107-007 |
Details | Mandiant Security Validation Actions | 1 | A107-020 |
Details | Mandiant Security Validation Actions | 1 | A105-030 |
Details | Mandiant Security Validation Actions | 2 | A106-437 |
Details | Mandiant Security Validation Actions | 1 | A107-002 |
Details | Mandiant Security Validation Actions | 1 | A106-989 |
Details | Mandiant Security Validation Actions | 1 | A107-004 |
Details | Mandiant Security Validation Actions | 1 | A106-107 |
Details | Mandiant Security Validation Actions | 1 | A107-005 |
Details | Mandiant Security Validation Actions | 1 | A105-346 |
Details | Mandiant Security Validation Actions | 1 | A105-143 |
Details | Mandiant Security Validation Actions | 1 | A105-349 |
Details | Mandiant Security Validation Actions | 1 | A105-350 |
Details | Mandiant Security Validation Actions | 1 | A107-028 |
Details | Mandiant Security Validation Actions | 1 | A107-021 |
Details | Mandiant Security Validation Actions | 1 | A107-003 |
Details | Mandiant Security Validation Actions | 1 | A107-040 |
Details | Mandiant Security Validation Actions | 1 | A107-015 |
Details | Mandiant Security Validation Actions | 1 | A107-025 |
Details | Mandiant Security Validation Actions | 1 | A106-104 |
Details | Mandiant Security Validation Actions | 1 | A107-017 |
Details | Mandiant Security Validation Actions | 1 | A107-037 |
Details | Mandiant Security Validation Actions | 1 | A104-979 |
Details | Mandiant Security Validation Actions | 1 | A106-987 |
Details | Mandiant Security Validation Actions | 1 | A105-015 |
Details | Mandiant Security Validation Actions | 1 | A106-105 |
Details | Mandiant Security Validation Actions | 1 | A106-010 |
Details | Mandiant Security Validation Actions | 1 | A107-006 |
Details | Mandiant Security Validation Actions | 1 | A106-992 |
Details | Mandiant Security Validation Actions | 1 | A106-991 |
Details | Mandiant Security Validation Actions | 1 | A106-371 |
Details | Mandiant Security Validation Actions | 1 | A106-372 |
Details | Mandiant Uncategorized Groups | 1 | UNC1908 |
Details | Mandiant Uncategorized Groups | 1 | UNC4209 |
Details | Pdb | 1 | c:\\users\\user\\desktop\\imageagent\\imageagent\\preagent\\src\\builder\\agent.pdb |
Details | Threat Actor Identifier - APT | 20 | APT44 |
Details | Threat Actor Identifier - APT | 783 | APT28 |
Details | Url | 4 | https://twitter.com/esetresearch/status/1496581903205511181 |
Details | Url | 1 | https://artikrh.github.io/posts/weevely-backdoor-analysis |
Details | Url | 1 | https://github.com/epinna/weevely3/tree/master/core |
Details | Yara rule | 1 | rule M_APT_Downloader_BACKORDER_1 { meta: author = "Mandiant" description = "This rule is designed to detect on events related to BACKORDER. BACKORDER is a downloader written in GoLang which download and executes a second stage payload from a remote server. BACKORDER is usually delivered within trojanized installer files and is hard coded to execute the original setup executable." strings: $go = "Go build ID:" ascii wide $a1 = "main.proc1esar" $a2 = "main.obt_zip" $a3 = "main.un1_zip" $a4 = "main.primer1_paso" condition: uint16(0) == 0x5a4d and filesize < 10MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Downloader_BACKORDER_2 { meta: author = "Mandiant" description = "Detects strings and sleep timer in the BACKORDER downloader" strings: $ = "data/setup.exe" $ = "http://" $ = { C7 04 ?? 00 CA 9A 3B C7 44 ?? 04 00 00 00 00 E8 } condition: uint16(0) == 0x5a4d and filesize < 10MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Disrupt_NIKOWIPER_1 { meta: author = "Mandiant" description = "Detects code in NIKOWIPER" strings: $ = "SDelete" $ = "-accepteula -r -s -q " wide $ = { 68 ?? ?? 02 00 68 } condition: uint16(0) == 0x5a4d and filesize < 2MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Disrupt_NIKOWIPER_2 { meta: author = "Mandiant" description = "NikoWiper unique strings" strings: $sdelete = "SDelete is set for %d pass" ascii wide $dlihost = { 77 00 73 00 [3] 5C 00 53 00 [3] 79 00 73 00 [3] 74 00 65 00 [3] 6D 00 33 00 [3] 32 00 5C 00 [3] 63 00 6D 00 [3] 64 00 2E 00 [3] 65 00 78 00 [3] 65 00 00 00 [3] 43 00 3A 00 [3] 5C 00 57 00 [3] 69 00 6E 00 [3] 64 00 6F 00 [3] 77 00 73 00 [3] 5C 00 64 00 [3] 6C 00 49 00 [3] 68 00 6F 00 [3] 73 00 74 00 [3] 2E 00 65 00 [3] 78 00 65 00 } condition: uint16(0) == 0x5a4d and filesize < 2MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Disrupt_NIKOWIPER_MBR_1 { meta: author = "Mandiant" description = "Detects code in NIKOWIPER.MBR" strings: $ = { FF 37 FF 15 [4] 8B 4D F8 } $ = { 69 C0 60 EA 00 00 50 FF 15 } $ = { 8D 85 90 FB FF FF 68 00 02 00 00 50 E8 } $ = { 68 ?? ?? 02 00 68 [4] 56 FF 15 } $ = { 68 00 00 07 00 57 FF D0 } $ = { 8B B5 9C FB FF FF C1 E6 04 } condition: uint16(0) == 0x5a4d and filesize < 2MB and all of them } |
Details | Yara rule | 1 | rule M_Hunting_Windows_Powershell_HTTPHeaderParsing_1 { meta: author = "Mandiant" description = "Finds powershell 1-liners typically used in webshells to decode an HTTP header variable and use it as a command" strings: $httpParser1 = /getstring\(convert\.frombase64string\(([\w\d_]+)?\(request\.headers\.get\(['"][\w\d_]+['"]/ ascii wide nocase condition: filesize < 2MB and all of them } |
Details | Yara rule | 1 | rule M_Hunting_REGEORG_Tunneller_Generic_1 { meta: author = "Mandiant" strings: $s1 = "System.Net.IPEndPoint" $s2 = "Response.AddHeader" $s3 = "Request.InputStream.Read" $s4 = "Request.Headers.Get" $s5 = "Response.Write" $s6 = "System.Buffer.BlockCopy" $s7 = "Response.BinaryWrite" $s8 = "SocketException soex" condition: filesize < 1MB and 7 of them } |
Details | Yara rule | 1 | rule M_APT_Webshell_BRUSHPASS_1 { meta: author = "Mandiant" description = "Detects the string in the BRUSHPASS webshell" strings: $ = ".DataSource = " $ = "<%@ Page Language=" $ = "RedirectStandardOutput = true;" $ = "UseShellExecute = false;" $ = ".WindowStyle = ProcessWindowStyle.Hidden;" $ = " -Direction inbound -Profile Any -Action Allow -LocalPort" condition: filesize < 5MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Dropper_NEWRETURN_2 { meta: author = "Mandiant" description = "Detects strings in the NEWRETURN payloads" strings: $a1 = "GetLists" $a2 = "GetBuffer" $a3 = "Delays" $a4 = "InvokeMember" $a5 = "Array" $o1 = { 1F 8B 08 00 00 00 00 00 04 00 } $o2 = "http://" $a6 = "Form1" $a7 = "mscoree.dll" condition: all of ($a*) and ($o1 or $o2) } |
Details | Yara rule | 1 | rule M_APT_Backdoor_SPAREPART_Strings { meta: author = "Mandiant" description = "Detects the PDB and a struct used in SPAREPART" strings: $pdb = "c:\\Users\\user\\Desktop\\ImageAgent\\ImageAgent\\PreAgent\\src\\builder\\agent.pdb" ascii nocase $struct = { 44 89 AC ?? ?? ?? ?? ?? 4? 8B AC ?? ?? ?? ?? ?? 4? 83 C5 28 89 84 ?? ?? ?? ?? ?? 89 8C ?? ?? ?? ?? ?? 89 54 ?? ?? 44 89 44 ?? ?? 44 89 4C ?? ?? 44 89 54 ?? ?? 44 89 5C ?? ?? 89 5C ?? ?? 89 7C ?? ?? 89 74 ?? ?? 89 6C ?? ?? 44 89 74 ?? ?? 44 89 7C ?? ?? 44 89 64 ?? ?? 8B 84 ?? ?? ?? ?? ?? 44 8B C8 8B 84 ?? ?? ?? ?? ?? 44 8B C0 4? 8D 15 ?? ?? ?? ?? 4? 8B CD FF 15 ?? ?? ?? ?? } condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pdb and $struct and filesize < 20KB } |
Details | Yara rule | 1 | rule M_APT_Backdoor_SPAREPART_SleepGenerator { meta: author = "Mandiant" description = "Detects the algorithm used to determine the next sleep timer" strings: $ = { C1 E8 06 89 [5] C1 E8 02 8B } $ = { C1 E9 03 33 C1 [3] C1 E9 05 33 C1 83 E0 01 } $ = { 8B 80 FC 00 00 00 } $ = { D1 E8 [4] C1 E1 0F 0B C1 } condition: all of them } |
Details | Yara rule | 1 | rule M_APT_Backdoor_QUICKTOW_1 { meta: author = "Mandiant" description = "Hunting rule looking for QUICKTOW by strings." strings: $useragent = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 4F 57 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 31 30 31 2E 30 2E 34 39 35 31 2E 35 34 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 } $s1 = "NewErgoClientSessions" ascii nocase $s2 = "SetDisconnected" ascii nocase $s3 = "IsDisconnected" ascii nocase $s4 = "getDelay" ascii nocase $s5 = "setDelay" ascii nocase $s6 = "getMessagesFromServer" ascii nocase $s7 = "getOneMessageFromServer" ascii nocase $s8 = "getMessagesFromServer" ascii nocase condition: ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or uint16(0) == 0x457f) and filesize < 20MB and $useragent and (6 of ($s*)) } |
Details | Yara rule | 1 | rule M_APT_Backdoor_QUICKTOW_2 { meta: author = "Mandiant" description = "Function names matching QUICKTOW" strings: $go = "Go build" ascii wide $str1 = "main.(*Client).Auth" ascii wide $str2 = "main.(*Client).Disconnect" ascii wide $str3 = "main.(*Client).Disconnect.func1" ascii wide $str4 = "main.(*Client).IsDisconnected" ascii wide $str5 = "main.(*Client).MakeMessage" ascii wide $str6 = "main.(*Client).NewErgoClientSessions" ascii wide $str7 = "main.(*Client).NewHTTPHandler" ascii wide $str8 = "main.(*Client).NewSession" ascii wide $str9 = "main.(*Client).ProcessingMessages" ascii wide $str10 = "main.(*Client).RandomSleep" ascii wide $str11 = "main.(*Client).SetDisconnected" ascii wide $str12 = "main.(*Client).getDelay" ascii wide $str13 = "main.(*Client).getMessagesFromServer" ascii wide $str14 = "main.(*Client).getOneMessageFromServer" ascii wide $str15 = "main.(*Client).setDelay" ascii wide $str16 = "main.(*ErgoHTTPHandler).Lock" ascii wide $str17 = "main.(*ErgoHTTPHandler).Unlock" ascii wide $str18 = "main.(*ErgoHTTPHandler).doRequest" ascii wide $str19 = "main.(*Session).IsAlive" ascii wide $str20 = "main.(*Session).Lock" ascii wide $str21 = "main.(*Session).MakeMessage" ascii wide $str22 = "main.(*Session).ResetAlive" ascii wide $str23 = "main.(*Session).SetAlive" ascii wide $str24 = "main.(*Session).Unlock" ascii wide $str25 = "main.(*Session).getDelay" ascii wide $str26 = "main.(*Session).getMessagesForSession" ascii wide $str27 = "main.(*Session).getOneMessageForSession" ascii wide $str28 = "main.(*Session).handle" ascii wide $str29 = "main.(*Session).handle.func1" ascii wide $str30 = "main.(*Session).processingMessage" ascii wide $str31 = "main.(*Session).setDelay" ascii wide $str32 = "main.(*Sessions).Add" ascii wide $str33 = "main.(*Sessions).Range" ascii wide $str34 = "main.GetHash" ascii wide $str35 = "main.NewAddress" ascii wide $str36 = "main.NewClient" ascii wide condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and filesize < 20MB and $go and 30 of ($str*) } |
Details | Yara rule | 1 | rule M_APT_Backdoor_EARLYBLOOM_1 { meta: author = "Mandiant" description = "Code blocks indicative of EARLYBLOOM." strings: $code1 = { 8B 4D ?? 3B 4D ?? 73 24 8B 55 ?? 8B 45 ?? 8B 0A 33 48 ?? 8B 55 ?? 89 0A 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 83 C1 ?? 89 4D ?? EB CB } $code2 = { 83 7D ?? 00 7C 20 8B 45 ?? 83 E0 ?? 83 E8 ?? F7 D0 89 45 ?? 8B 4D ?? D1 E9 8B 55 ?? 23 55 ?? 33 CA 89 4D ?? EB D1 } condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them } |
Details | Yara rule | 1 | rule M_APT_Backdoor_EARLYBLOOM_2 { meta: author = "Mandiant" description = "Hunting rule looking for EARLYBLOOM, a backdoor written in C++ that communicates over HTTPS." strings: $a1 = "bsd.bst" xor $a2 = "bat.bdt" xor $a3 = "chkdsk.exe" xor $a4 = "Windows check disk" xor $a5 = "https://" xor condition: uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 300KB and 3 of ($a*) } |
Details | Yara rule | 1 | rule M_Hunting_TANKTRAP_XML_1 { meta: author = "Mandiant" description = "Strings associated TANKTRAP XML GPO policy" strings: $r1 = /ImmediateTask clsid=\"\{9F030D12-DDA3-4C26-8548-B7CE9151166A\}\" name=\"[a-zA-Z]{5}\"/ condition: filesize < 5MB and all of them } |
Details | Yara rule | 1 | rule M_Hunting_TANKTRAP_PS1_1 { meta: author = "Mandiant" description = "Strings associated TANKTRAP PowerShell" strings: $s1 = "ImmediateTaskV2 clsid = \"{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}\"" $s2 = "SharpGPOAbuse" $s3 = "GuidExtension \"AADCED64-746C-4633-A97C-D61349046527\"" $s4 = "ImmediateTaskV2 clsid = \"\"{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}\"" condition: filesize < 5MB and 3 of them } |
Details | Yara rule | 1 | rule M_APT_Launcher_ARGUEPATCH_1 { meta: author = "Mandiant" description = "Identifies the code used by the sleep functionality in ARGUEPATCH" strings: $ = { 2B ?? 81 F? 00 2E 93 02 } $ = { 83 C0 18 6B C0 3C [5-12] 69 C0 60 EA 00 00 } $ = { 68 00 DD 6D 00 } condition: filesize < 5MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Launcher_ARGUEPATCH_2 { meta: description = "To detect executable with patched function used to load encrypted shellcode" author = "Mandiant" strings: $xor_loop = { 8A 01 33 D2 8B 7D ?? 32 04 57 42 88 01 83 FA 10 72 F2 FF 4D ?? 41 39 5D ?? 75 E5 } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $xor_loop } |
Details | Yara rule | 1 | rule M_APT_Launcher_ARGUEPATCH_3 { meta: description = "arguepatch malware family" strings: $p00_0 = { 85 FF 74 ?? 83 FF ?? 75 ?? 33 DB 8B FB EB ?? A1 [4] 6A } $p00_1 = { 8A 06 46 84 C0 75 ?? 2B F2 3B F3 5E 73 ?? 51 } $p01_0 = { 2B C1 83 E0 ?? 3D [4] 72 ?? 8B 51 ?? 83 C0 ?? 2B CA 83 C1 ?? 83 F9 } $p01_1 = { 75 ?? EB ?? 80 3D [5] 74 ?? CC 68 [4] E8 [4] 80 3D [5] 74 } condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (92000 .. 99000) and $p00_1 in (640 .. 8300)) or ($p01_0 in (170000 .. 190000) and $p01_1 in (140000 .. 160000))) } |
Details | Yara rule | 1 | rule M_APT_Dropper_FREETOW_1 { meta: author = "Mandiant" strings: $hex49_add_arg_check = { 83 C1 49 88 08 FF D0 } $shell32_stack_string = { C7 ( 41 | 42 | 43 | 45 | 46 | 47 ) ?? 73 68 65 6C C7 ( 41 | 42 | 43 | 45 | 46 | 47 ) ?? 6C 33 32 2E C7 ( 41 | 42 | 43 | 45 | 46 | 47 ) ?? 64 6C 6C 00 } condition: filesize < 5MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Dropper_FREETOW_2 { meta: author = "Mandiant" strings: $push_ror13_api_hash_getcommandlinew = { 68 55 CE E0 2E } $push_ror13_api_hash_loadlibrary = { 68 4C 77 26 07 } $push_ror13_api_hash_virtualalloc = { 68 58 A4 53 E5 } $ror13_api_hash_commandlinetoargw = { 11 4B AF 1C } condition: filesize < 5MB and all of them } |
Details | Yara rule | 1 | rule M_APT_Dropper_FREETOW_3 { meta: author = "Mandiant" strings: $func_args1 = { 6A 40 68 00 10 00 00 6A 10 6A 00 } $func_args2 = { 6A 40 68 00 10 00 00 68 00 00 40 00 6A 00 } condition: all of them } |
Details | Yara rule | 1 | rule M_APT_Dropper_FREETOW_4 { meta: author = "Mandiant" description = "Patched ftp with shellcode, run with z option to launch." strings: $h1 = { 0F B7 09 83 C1 49 88 08 FF D0 } $h2 = { 80 CA FF 2A 11 88 11 41 3B C8 76 F4 } $s1 = "local-file:" $s2 = "xpsp2res.dll" $s3 = "anonymous" condition: uint16(0) == 0x5A4D and filesize < 50KB and all of them } |
Details | Yara rule | 1 | rule M_APT_Worm_Win32_ITCHYSPARK_1 { meta: author = "Mandiant" description = "Looking for ITCHYSPARK samples based on opcode patterns observed on relevant functions." strings: $b1 = { 5? 5? 8B ?? 8B [2] 2B ?? C1 ?? 02 8D [2] 8D [2] 8D [2] 85 ?? 7? ?? 8B ?? 8D [2] 8B ?? 33 ?? 8B ?? 4? 89 ?? 8D ?? 85 ?? 7? ?? 8B ?? 81 ?? A3 B1 29 4A 5? 5? 5? C3 } $b2 = { 6A 01 5? 6A 00 FF ?? 83 F8 ?? 0F 8? [4] 8B [2] E8 [4] 8B ?? 85 ?? 0F 8? [4] 6A 01 8D [2] 5? 5? FF ?? 85 C0 0F 8? [4] 33 ?? 89 [2] 39 ?? 0F 8? [4] 8D [2] 89 [2] 83 [2] 02 0F 8? [4] 83 [2] 04 0F 8? } $b3 = { 5? 5? 5? 68 AE 00 00 00 6A 02 89 [2] 89 [2] FF ?? 83 ?? 6F 0F 8? [4] 8B [2] E8 [4] 8B ?? 89 [2] 85 ?? 0F 8? [4] 8D [2] 5? 5? 6A 00 68 AE 00 00 00 6A 02 FF ?? 85 ?? 0F 8? } $b4 = { 5? 6A 65 5? 89 [2] FF 15 [4] 85 C0 0F 8? [4] 8B [2] 85 C0 0F 8? [4] [4-12] 85 ?? 0F 8? [4] 81 ?? F4 01 00 00 7? } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } |
Details | Yara rule | 1 | rule M_APT_Worm_Win32_ITCHYSPARK_3 { meta: author = "Mandiant" description = "Looking for SMB spreader component of ITCHYSPARK (ITCHYSPARK.SMB) samples based on op code patterns observed on relevant functions." strings: $b1 = { E8 [4] 5? 84 C0 7? ?? 8D ?? 24 ?? 5? 68 02 02 00 00 FF 15 [4] 85 C0 7? ?? 8D ?? 24 ?? 8D ?? 24 ?? 4? FF 15 [4] 5? FF 15 } $b2 = { 80 ?? 01 7? ?? 80 ?? 02 7? ?? 33 ?? B? [4] 80 ?? 01 6A 04 5? 0F 45 ?? 0F B7 ?? 33 C0 80 F? 01 0F 45 ?? 80 F? 02 7? ?? 6A 02 5? B? [4] 33 ?? 33 ?? 66 3B ?? 7? ?? 8B [2] 0F B7 ?? 8B [2] 89 [2] E8 [4] 8B ?? 83 F? 12 7? ?? 4? 66 3B ?? 7? } $b3 = { ( 68 | FF ) [2-4] FF 7? ?? 68 [4] 5? E8 [4] A1 60 F0 04 10 8B ?? 89 45 ?? 66 A1 [4] 66 89 45 ?? [4-12] E8 [4] 6A 12 5? } $b4 = { 33 ?? 89 [2] 8B ?? 85 [4] 89 46 ?? 33 C0 89 [2] 66 39 45 ?? 7? ?? 8B [2] EB ?? 0F B7 ?? 4? 89 [2] 8B ?? 85 [4] 8B [2] [8-16] 85 ?? 7? ?? 6A 00 33 C0 4? 5? 6A 02 5? 5? FF } $b5 = { E8 [4] 3B ?? 7? ?? 8B [2] B? 06 02 FC 23 3B ?? 7? ?? 7? ?? 3? 05 01 28 0A 7? ?? 3? 05 02 CE 0E 7? ?? 3? 06 00 72 17 7? ?? 3? 06 01 B0 1D 7? ?? 3? 06 01 B1 1D 7? ?? 3? 06 02 F0 23 7? ?? [0-32] 3? 06 03 80 25 7? ?? 3? 0A 00 00 28 7? ?? 3? 0A 00 5A 29 7? ?? 3? 0A 00 39 38 7? ?? 3? 0A 00 D7 3A 7? ?? B? 9A 08 00 00 EB ?? } condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and 3 of them } |
Details | Yara rule | 1 | rule M_APT_Tunneler_GOGETTER_1 { meta: author = "Mandiant" description = "Hunting for GOGETTER ELF files." strings: $g1 = "go.buildid" $g2 = "Go build ID:" $g3 = "Go buildinf:" $proxy1 = "proxy/pkg/client.(*Client)" $proxy2 = "proxy/pkg/" $yamux = "hashicorp/yamux" condition: filesize < 25MB and uint32(0) == 0x464c457f and any of ($g*) and all of ($proxy*) and $yamux } |
Details | Yara rule | 1 | rule M_APT_Tunneler_GOGETTER_2 { meta: author = "Mandiant" strings: $s1 = "\x00github.com/hashicorp/yamux.Client\x00" $s2 = "\x00github.com/hashicorp/yamux.(*Session).AcceptStream\x00" $sb1 = { 8D ?? 24 [1-5] 89 04 24 E8 [4-5] 8B 44 24 [1-2] 8B 4C 24 [4-32] 83 ?? 03 75 0D 66 81 3? 65 6E 75 06 80 7? 02 64 7? [1-2] C7 04 24 00 00 00 00 E8 } condition: (uint32(0) == 0x464c457f) and all of them } |
Details | Yara rule | 1 | rule M_APT_Tunneler_GOGETTER_3 { meta: author = "Mandiant" strings: $sb1 = { 48 C7 ?? 24 [4] 00 10 00 00 48 C7 ?? 24 [4] 00 10 00 00 48 8D 15 [4] 48 89 ?? 24 [4] 48 8B ?? 24 ?? 48 89 ?? 24 [4] 48 C7 ?? 24 [4] FF FF FF FF 48 C7 ?? 24 [4] FF FF FF FF [32-150] 48 8D ?? 24 [4] 0F 1F 40 00 E8 [4] 48 8? ?? 0F 85 [4] 48 89 ?? 24 ?? 48 89 ?? 24 ?? 48 89 D9 48 89 C3 48 8D 44 24 ?? E8 [4] 48 89 ?? 24 ?? 48 89 ?? 24 ?? E8 [4] 48 8B 4C 24 ?? 0F 1F 40 00 48 3? ?? 7? ?? 48 8? ?? 48 8B 44 24 ?? E8 [4] 84 C0 } condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them } |
Details | Yara rule | 1 | rule M_APT_Wiper_CADDYWIPER_1 { meta: author = "Mandiant" description = "Searches for the Physical Device call within CADDYWIPER" strings: $ = { 00 00 A0 00 } $ = { 43 3A 5C 55 C7 ?? ?? 73 65 72 73 } $ = { C7 45 FC 44 3A 5C 00 } condition: all of them } |
Details | Yara rule | 1 | rule M_APT_Disrupt_NEARTWIST_1 { meta: author = "Mandiant" strings: $mersenne_alg = { D1 EA 83 E1 01 69 C9 DF B0 08 99 33 CA } $s1 = "PhysicalDrive" wide fullword $wipe_drive = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 [0-32] FF 15 [4-64] 5? 6A 00 6A 00 6A 00 6A 00 68 18 00 09 00 5? FF 15 [4-256] 68 00 00 01 00 [0-32] FF 15 } $wipe_file = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 [0-32] FF 15 [4-64] 5? 5? FF 15 [4-32] 6A 00 68 00 00 01 00 5? 5? E8 } condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them } |
Details | Yara rule | 1 | rule M_APT_Wiper_Win32_NEARTWIST_1 { meta: author = "Mandiant" description = "Looking for NEARTWIST samples based on opcode patterns observed on relevant functions." strings: $b1 = { 68 05 01 00 00 8D [4-6] 5? FF 15 [4] 85 C0 0F 8? [4] 3? 05 01 00 00 0F 8? [4] 8B 85 [4-5] 85 C0 0F 8? } $b2 = { FF 15 [4] 89 8? [4-6] B? 01 00 00 00 [4-32] C1 ?? 1E 33 ?? 69 ?? 65 89 07 6C 03 ?? 89 [6] 4? ( 3D | 81 FA ) 70 02 00 00 7? ?? B? 70 02 00 00 } $b3 = { 6A 00 5? 68 00 00 01 00 8D ?? 24 [4] 5? 5? FF 15 [4] 85 C0 7? ?? 8B 44 24 ?? 3D 00 00 01 00 7? ?? 2B ?? 83 ?? 00 E9 } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } |
Details | Yara rule | 1 | rule M_APT_Wiper_Win_NEARTWIST_1 { meta: author = "Mandiant" description = "Looking for NEARTWIST samples based on strings, imports, and constants for Mersenne Twister / ISAAC PRNG." strings: $b1 = { 65 89 07 6C } $b2 = { AD 58 3A FF } $b3 = { 8C DF FF FF } $i1 = "GetTickCount" $i2 = "DeviceIoControl" $i3 = "GetLogicalDrives" $i4 = "FindFirstFile" $i5 = "FindNextFile" $i6 = "WriteFile" $i7 = "GetDiskFreeSpaceEx" $i8 = "CreateThread" $i9 = "GetWindowsDirectory" $i10 = "GetTempFileName" $n1 = "Cleaner.exe" ascii wide fullword $n2 = "Cleaner.dll" ascii wide fullword $s1 = "PhysicalDrive" ascii wide fullword $s2 = "\\\\.\\" ascii wide fullword $s3 = "*.*" ascii wide fullword $s4 = "Tmf" ascii wide fullword $s5 = "Tmd" ascii wide fullword condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of ($n*) and all of ($s*) and all of ($i*) and all of ($b*) } |
Details | Yara rule | 1 | rule M_APT_Disrupt_PARTYTICKET_1 { meta: author = "Mandiant" description = "Looking for PARTYTICKET samples via strings." strings: $s1 = "/403forBiden/" ascii wide $s2 = "/wHiteHousE/" ascii wide $s3 = "partyTicket." ascii wide $s4 = "vote_result." ascii wide $s5 = ".encryptedJB" ascii wide $f1 = "/wHiteHousE.baggageGatherings" ascii wide $f2 = "/wHiteHousE.primaryElectionProcess" ascii wide $f3 = "/wHiteHousE.GoodOffice1" ascii wide $f4 = "/wHiteHousE.lookUp" ascii wide $f5 = "/wHiteHousE.init" ascii wide $m1 = "<p>Thank you for your vote! All your files, documents, photoes, videos, databases etc. have been successfully encrypted!</p>" ascii wide fullword $m2 = "<p>Now your computer has a special ID:<b> </b></p>" ascii wide fullword $m3 = "<p>NOTE: <i>Do not send file with sensitive content. In the email write us your computer's special ID (mentioned above).</i>" ascii wide fullword condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (3 of ($s*) or 3 of ($f*) or 2 of ($m*)) } |
Details | Yara rule | 1 | rule M_APT_Disrupt_PARTYTICKET_2 { meta: author = "Mandiant" description = "Looking for PARTYTICKET samples via opcode patterns observed on relevant functions." strings: $b1 = { 48 83 F8 1B 0F 8D [4] 48 89 [3] 48 89 [3] 48 89 [3] 48 8D 35 [4] 0F B6 3C 06 81 FF 80 00 00 00 0F 8? [4] 48 FF C0 [16-32] E8 [16-64] E8 [8-32] E8 [4] 48 8B 44 24 ?? 48 85 C0 7? ?? [8-24] E9 } $b2 = { 48 83 F8 37 0F 8D [24-32] E8 [16-32] E8 [16-32] 48 C1 E? 04 [8-16] 7? ?? 0F B6 44 24 ?? EB ?? [8-16] E8 [4] 0F B6 44 24 ?? 84 C0 7? ?? [4-8] B8 01 00 00 00 E9 } $b3 = { 3D 77 69 6E 64 0F 85 [4-12] 66 3D 6F 77 0F 85 [4-12] 3C 73 0F 85 [4] E8 [4] [8-24] 31 ?? EB } condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them } |
Details | Yara rule | 1 | rule M_APT_Distupt_NEARMISS_1 { meta: author = "Mandiant" strings: $code_fat_corruption = { 8B ?? 56 8B ?? 52 [1-64] 0F B? ?? 16 [1-32] 8B ?? 24 [0-32] 0F B? ?? 0D [1-32] 0F B? ?? 10 [1-32] 0F B? ?? 0E } $code_ntfs_corruption = { 0F B? ?? 0B 0F B? ?? 0D [1-64] FF ?? 34 FF ?? 30 [1-64] 0F B? ?? 0B [1-64] FF ?? 3C FF ?? 38 } $s1 = "\\\\.\\PhysicalDrive%u" wide fullword $s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword $s3 = "DRV_X64" wide fullword $s4 = "DRV_X86" wide fullword $s5 = "DRV_XP_X64" wide fullword $s6 = "DRV_XP_X86" wide fullword $s7 = "$ATTRIBUTE_LIST" wide fullword $s8 = "$EA_INFORMATION" wide fullword $s9 = "$SECURITY_DESCRIPTOR" wide fullword $s10 = "$INDEX_ROOT" wide fullword $s11 = "$INDEX_ALLOCATION" wide fullword $s12 = "$LOGGED_UTILITY_STREAM" wide fullword condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (8 of ($s*) or all of ($code*)) } |
Details | Yara rule | 1 | rule M_Hunting_Win32_NEARMISS_1 { meta: author = "Mandiant" description = "Rule looks for code present in NEARMISS samples. Based on a rule generated by symhunt for symfunc/ cef8160083d485a3676d55b3fc5e1c42." strings: $c = { 55 8B EC 81 EC AC 08 ?? ?? 53 56 57 33 DB 89 4D E0 68 ?? ?? ?? ?? 8D 85 78 FC FF FF C7 45 DC ?? ?? ?? ?? 53 50 C7 45 E4 ?? ?? ?? ?? 89 5D F8 89 5D A4 E8 ?? ?? ?? ?? 83 C4 0C 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B F8 8D 85 78 FC FF FF 68 ?? ?? ?? ?? 50 FF ?? ?? ?? ?? ?? 83 C4 0C 89 45 F0 85 FF 74 ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 8B D8 FF D6 68 ?? ?? ?? ?? 57 FF D6 8B F0 85 F6 74 ?? 8D 45 F8 50 FF } condition: filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them } |
Details | Yara rule | 1 | rule M_Hunting_Win32_NEARMISS_2 { meta: author = "Mandiant" description = "Rule looks for a specific stackstring - mangled SeShutdownPrivilege - found in NEARMISS samples." strings: $s1 = { 53 00 65 00 [4] 53 00 68 00 [4] 75 00 74 00 [4] 64 00 6F 00 [4] 9A 02 00 00 [4] 00 00 00 00 } $s2 = { 77 00 6E 00 [7] 50 00 72 00 } condition: filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and all of them } |
Details | Yara rule | 1 | rule M_Hunting_Win_WiperPaths_1 { meta: author = "Mandiant" description = "Detects notable wiper strings" reference = "https://twitter.com/ESETresearch/status/1496581903205511181" strings: $w1 = "\\\\.\\EPMNTDRV" wide fullword $w2 = "\\\\.\\PhysicalDrive" wide fullword $w3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" wide fullword $w4 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword $w5 = "\\\\?\\C:\\Documents and Settings" wide fullword $w6 = "<<Obsolete>>" wide fullword condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of them) } |
Details | Yara rule | 1 | rule M_Webshell_PHP_WEEVELY_1 { meta: author = "Mandiant" description = "Weevely3 open source webshell detection from https://artikrh.github.io/posts/weevely-backdoor-analysis -- Webshell source code: https://github.com/epinna/weevely3/tree/master/core" strings: $php = "<?php" $rf1 = "$k" $rf2 = "$kh" $rf3 = "$kf" $rf4 = "$p" $rf5 = "$o" $rf6 = /\$\w{1,4}=str_replace\('\w{1,}','','/ condition: $php at 0 and all of ($rf*) and filesize > 500 and filesize < 1000 } |
Details | Yara rule | 1 | import "pe" rule M_Backdoor_DARKCRYSTALRAT_1 { meta: author = "Mandiant" description = "Detection for DARKCRYSTAL RAT's C2 checkin and CSharp compiling code" strings: $c1 = { 72 ?? ?? ?? ?? A2 25 19 07 A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 11 ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? A2 25 1D 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? A2 25 1F ?? 11 ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 07 A2 28 ?? ?? ?? ?? } $c2 = { 02 28 ?? ?? ?? ?? 00 00 00 04 28 ?? ?? ?? ?? 0A 04 28 ?? ?? ?? ?? 0B 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2B ?? 17 0C 08 39 ?? ?? ?? ?? 00 14 0D 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 73 ?? ?? ?? ?? 0D 2B ?? 73 ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 16 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 6F ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 17 8D ?? ?? ?? ?? 25 16 1F ?? 9D 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 17 8D ?? ?? ?? ?? 25 16 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 6F ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 13 ?? 1E 8D ?? ?? ?? ?? 25 16 11 ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 11 ?? 6F ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 11 ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 11 ?? 6F ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 02 11 ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? DD ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 
13 ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 11 ?? 11 ?? 14 6F ?? ?? ?? ?? 26 2B ?? 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A5 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 17 6F ?? ?? ?? ?? 00 25 11 ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 2B ?? 00 73 ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? 
?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 02 16 7D ?? ?? ?? ?? 00 DE ?? 13 ?? 00 02 11 ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 00 DE ?? 2A } $c3 = { 73 ?? ?? ?? ?? 0D 2B ?? 73 ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 16 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 6F ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 17 8D ?? ?? ?? ?? 25 16 1F ?? 9D 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 17 8D ?? ?? ?? ?? 25 16 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 6F ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 13 ?? 1E 8D ?? ?? ?? ?? 25 16 11 ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 11 ?? 6F ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 11 ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 11 ?? 6F ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 02 11 ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? DD ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 11 ?? 11 ?? 14 6F ?? ?? ?? ?? 26 2B ?? 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A5 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 17 6F ?? ?? ?? ?? 00 25 11 ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 2B ?? 
00 73 ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 39 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 38 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 25 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 2B ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 72 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 02 16 7D ?? ?? ?? ?? 00 DE ?? 13 ?? 00 02 11 ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 00 DE ?? 2A } $c4 = { 00 73 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 0C 07 08 17 8D ?? ?? ?? ?? 25 16 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 
A2 6F ?? ?? ?? ?? 0D 09 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 1F ?? 8D ?? ?? ?? ?? 25 16 7E ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 7E ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2B ?? 1F ?? 8D ?? ?? ?? ?? 25 16 7E ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 7E ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 09 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 14 6F ?? ?? ?? ?? 26 DE ?? 26 1F ?? 8D ?? ?? ?? ?? 25 16 7E ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 7E ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DE ?? 2A } condition: uint16(0) == 0x5a4d and pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address != 0 and 1 of ($c*) } |
|
Details | Yara rule | 1 | rule M_Backdoor_Win_DARKCRYSTALRAT_Config_1 { meta: author = "Mandiant" description = "This rule looks for PE files containing part of the DARKCRYSTALRAT configuration string. The configuration JSON is stored as a base64 encoded, reversed, gzip compressed and again base64 encoded string." strings: $s = { 48 00 34 00 73 00 49 00 41 00 41 00 41 00 41 00 41 00 41 00 41 00 45 00 41 00 46 00 32 00 54 00 58 00 58 00 75 00 69 00 4D 00 42 00 43 00 46 00 66 00 39 00 } condition: filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and $s } |
|
Details | Yara rule | 1 | rule M_Downloader_SHARPCOFFEE_1 { meta: author = "Mandiant" strings: $str1 = "ActiveXObject(\"WScript.Shell\").Run(\"powershell.exe" nocase $str2 = "new-object net.webclient;" nocase $str3 = ".downloaddata('http" nocase $str4 = ".uploaddata('http" nocase $str5 = "[System.Net.Dns]" nocase condition: all of them } |
|
Details | Yara rule | 1 | rule M_APT_Downloader_SHARPCOFFEEVBS_2 { meta: author = "Mandiant" description = "Detects SHARPCOFFE.VBS variant, a VBS script used to download and run a secondary payload, and upload the output of the secondary payload during the same script execution." strings: $vbs = "dim" ascii wide nocase $a1 = /\$\w{1,20}\.uploaddata\('http:\/\/.{1,20}\/page\d{1,3}',\$\w{1,10}\);/ $a2 = /=\$\w{1,20}\.downloaddata\('http:\/\/.{1,50}\/page\d{1,3}\/upgrade\.txt'\);if\(/ condition: filesize < 1MB and $vbs at 0 and any of ($a*) } |
|
Details | Yara rule | 1 | rule M_Dropper_COLDWELL_Permission_Arch_Check_1 { meta: author = "Mandiant" strings: $ = { C7 45 F? 00 05 50 C7 45 F? } $ = { C7 45 F? 00 00 00 00 C7 45 F? } $ = { 0F 95 C3 6A 04 83 C3 [7] F7 D8 6A 0A } condition: all of them } |
|
Details | Yara rule | 1 | rule M_Disrupt_ROARBAT_1 { meta: author = "Mandiant" strings: $ = "takeown /a /f \"%%" $ = "in (C:\\Users," $ = "a -df %" $ = "\" & del %" condition: all of them } |
|
Details | Yara rule | 1 | rule M_Hunting_Backdoor_PowerShell_WILDDIME_Strings_1 { meta: author = "Mandiant" description = "Searching for PowerShell scripts with strings associated with WILDDIME." strings: $s1 = "GetEnviron" ascii wide nocase $s2 = "R64Encoder" ascii wide nocase $s3 = "R64Decoder" ascii wide nocase $s4 = "Send-HttpRequest" ascii wide nocase $s5 = "JVBERi0xLjcNCiW1tb" ascii wide nocase condition: filesize < 200KB and all of them } |
|
Details | Yara rule | 1 | rule M_Hunting_Downloader_SHARPENTRY_1 { meta: author = "Mandiant" description = "Detects code fragments connected to the payload decoding and mining routines found within SHARPENTRY." strings: $decode_routine = { 0F B6 ?? ?? 0F B6 ?? ?? 33 C2 88 ?? ?? 0F B6 ?? ?? 83 ?? 4D } $payload_mine = { 8B ?? ?? 03 ?? ?? 81 ?? 89 C3 81 C3 } condition: uint16(0) == 0x5A4D and $decode_routine and $payload_mine } |
|
Details | Yara rule | 1 | rule M_Hunting_Dropper_SHARPIVORY_Strings_1 { meta: author = "Mandiant" description = "Searching for executables containing string references to the SHARPIVORY code family." strings: $s1 = "WriteAllBytes" $s2 = "FromBase64String" $w1 = "schtasks.exe" wide $w2 = "kernel32.dll" wide $w3 = "/create /tn" wide $w4 = "/sc minute /mo 20 /f" wide condition: filesize < 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them } |
|
Details | CERT Ukraine | 6 | UAC-0099 |
|
Details | CVE | 60 | cve-2021-4034 |
|
Details | CVE | 23 | cve-2019-10149 |
|
Details | CVE | 172 | cve-2022-30190 |
|
Details | Domain | 339 | system.net |
|
Details | Domain | 3 | request.inputstream.read |
|
Details | Domain | 1 | x00github.com |
|
Details | Domain | 1373 | twitter.com |
|
Details | Domain | 1 | artikrh.github.io |
|
Details | Domain | 4127 | github.com |
|
Details | Domain | 372 | wscript.shell |
|
Details | Domain | 50 | cloud.google.com |
|
Details | File | 1 | sharpcoffee.vbs |
|
Details | File | 2 | meterpreter.py |
|
Details | File | 208 | setup.exe |
|
Details | File | 2 | response.bin |
|
Details | File | 68 | mscoree.dll |
|
Details | File | 14 | chkdsk.exe |
|
Details | File | 4 | xpsp2res.dll |
|
Details | File | 8 | cleaner.exe |
|
Details | File | 7 | cleaner.dll |
|
Details | File | 1 | whitehouse.ini |
|
Details | File | 1 | managers.dcr |
|
Details | File | 8 | pe.dat |
|
Details | File | 1208 | powershell.exe |
|
Details | File | 1 | sharpcoffe.vbs |
|
Details | File | 249 | schtasks.exe |
|
Details | File | 748 | kernel32.dll |
|
Details | Github username | 5 | hashicorp |
|
Details | Github username | 2 | epinna |
|
Details | md5 | 1 | cef8160083d485a3676d55b3fc5e1c42 |
|
Details | md5 | 1 | 0c245b2700e9417c0e1cbfd0f8d1aa70 |
|
Details | Mandiant Security Validation Actions | 1 | A101-165 |
|
Details | Mandiant Security Validation Actions | 1 | A101-166 |
|
Details | Mandiant Security Validation Actions | 1 | A102-517 |
|
Details | Mandiant Security Validation Actions | 1 | A107-038 |
|
Details | Mandiant Security Validation Actions | 1 | A106-188 |
|
Details | Mandiant Security Validation Actions | 1 | A107-010 |
|
Details | Mandiant Security Validation Actions | 1 | A105-312 |
|
Details | Mandiant Security Validation Actions | 1 | A105-407 |
|
Details | Mandiant Security Validation Actions | 1 | A105-408 |
|
Details | Mandiant Security Validation Actions | 1 | A107-026 |
|
Details | Mandiant Security Validation Actions | 1 | A106-106 |
|
Details | Mandiant Security Validation Actions | 1 | A107-024 |
|
Details | Mandiant Security Validation Actions | 1 | A107-027 |
|
Details | Mandiant Security Validation Actions | 1 | A107-033 |
|
Details | Mandiant Security Validation Actions | 1 | A107-013 |
|
Details | Mandiant Security Validation Actions | 1 | A107-016 |
|
Details | Mandiant Security Validation Actions | 1 | A107-031 |
|
Details | Mandiant Security Validation Actions | 1 | A106-103 |
|
Details | Mandiant Security Validation Actions | 1 | A106-102 |
|
Details | Mandiant Security Validation Actions | 1 | A106-008 |
|
Details | Mandiant Security Validation Actions | 1 | A107-001 |
|
Details | Mandiant Security Validation Actions | 1 | A106-994 |
|
Details | Mandiant Security Validation Actions | 1 | A106-996 |
|
Details | Mandiant Security Validation Actions | 1 | A106-998 |
|
Details | Mandiant Security Validation Actions | 1 | A106-999 |
|
Details | Mandiant Security Validation Actions | 1 | A104-850 |
|
Details | Mandiant Security Validation Actions | 1 | A106-193 |
|
Details | Mandiant Security Validation Actions | 2 | A106-439 |
|
Details | Mandiant Security Validation Actions | 2 | A106-446 |
|
Details | Mandiant Security Validation Actions | 2 | A106-438 |
|
Details | Mandiant Security Validation Actions | 1 | A104-623 |
|
Details | Mandiant Security Validation Actions | 1 | A106-993 |
|
Details | Mandiant Security Validation Actions | 1 | A103-029 |
|
Details | Mandiant Security Validation Actions | 1 | A103-873 |
|
Details | Mandiant Security Validation Actions | 1 | A102-519 |
|
Details | Mandiant Security Validation Actions | 1 | A102-518 |
|
Details | Mandiant Security Validation Actions | 1 | A107-000 |
|
Details | Mandiant Security Validation Actions | 1 | A102-582 |
|
Details | Mandiant Security Validation Actions | 1 | A102-583 |
|
Details | Mandiant Security Validation Actions | 1 | A102-584 |
|
Details | Mandiant Security Validation Actions | 1 | A102-585 |
|
Details | Mandiant Security Validation Actions | 1 | A106-190 |
|
Details | Mandiant Security Validation Actions | 1 | A106-189 |
|
Details | Mandiant Security Validation Actions | 1 | A103-030 |
|
Details | Mandiant Security Validation Actions | 1 | A102-784 |
|
Details | Mandiant Security Validation Actions | 1 | A103-615 |