216.73.216.6

Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 08:35 · Modified 21/12/2025 08:36

Essential information

Value / Name
Trojan_ANELLDR_type1
Confidence
100/100
Revoked
Yes
Valid from
27/11/2024 19:34
Valid until
14/09/2025 07:44
Pattern type
yara
Published
21/12/2025 08:35
Modified
21/12/2025 08:36
Author / Source
AlienVault

Description

Trojan_ANELLDR_type1

Pattern

import "pe"

rule Trojan_ANELLDR_type1
{
    // ANEL loader (Earth Kasha): fires on a PE DLL that contains the
    // opcode sequence in $chunk_1. Detection_Type is not set here, so the
    // rule is intended for on-disk/file scanning as written.
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-08-23"
        Malware_Name = "Trojan.Win32.ANEL"
        Description = "ANEL loader"
        Attack_Intrusion_Set = "Earth Kasha"
    strings:
        // Wildcarded x86 code chunk. Read as opcodes it looks like a byte-wise
        // XOR loop bounded at 0x10 (83 F9 10 = cmp ecx,0x10; 7C ?? = jl), i.e.
        // a 16-byte key decode loop; the ?? cover ebp displacements and the
        // jump offset. NOTE(review): disassembly inferred from the bytes — confirm
        // against a sample before relying on it in documentation.
        $chunk_1 = {
            8B 55 ??
            8A 54 0A 10
            8B 45 ??
            30 14 08
            41
            83 F9 10
            7C ??
        }
    
    condition:
        // MZ magic, DLL flag from the pe module, then the single chunk
        // ("all of them" == $chunk_1 here).
        uint16(0) == 0x5A4D and
        pe.is_dll() and
        all of them
}

rule Trojan_ANELLDR_type2
{
    // ANEL loader (Earth Kasha), second code variant: same gate as type1
    // (PE DLL) with a different decode sequence. No wildcards in this chunk,
    // so it is the most exact of the three loader patterns.
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-08-23"
        Malware_Name = "Trojan.Win32.ANEL"
        Description = "ANEL loader"
        Attack_Intrusion_Set = "Earth Kasha"
    strings:
        // x86 sequence: load byte from [esi+ecx], combine it with al via
        // not/and/or (88 D4, F6 D4, 20 C4, F6 D0, 20 D0, 08 E0), write it back.
        // That shape resembles an XOR expressed as (~a & b) | (~b & a).
        // NOTE(review): opcode reading inferred — confirm on a sample.
        $chunk_1 = {
            8A 14 0E
            88 D4
            F6 D4
            20 C4
            F6 D0
            20 D0
            08 E0
            88 04 0E
        }
    condition:
        // MZ magic, DLL flag from the pe module, then the chunk.
        uint16(0) == 0x5A4D and
        pe.is_dll() and
        all of them
}


rule Trojan_ANELLDR_type3
{
    // ANEL loader (Earth Kasha), third code variant: same PE-DLL gate as
    // type1/type2, longer chunk with masked immediates (80 E2 ??, 80 E4 ??,
    // 24 ??) left as wildcards so differing constants still match.
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-08-23"
        Malware_Name = "Trojan.Win32.ANEL"
        Description = "ANEL loader"
        Attack_Intrusion_Set = "Earth Kasha"

    strings:
        // x86 sequence: byte loaded from [edi+ecx], transformed with and/not/or
        // using the wildcarded masks, xor'd (30 D0) and stored back to the
        // same location. NOTE(review): opcode reading inferred — confirm on a
        // sample; the ?? masks are what distinguish this from type2.
        $chunk_1 = {
            8A 14 0F
            88 D4
            80 E2 ??
            F6 D4
            80 E4 ??
            08 E2
            88 C4
            24 ??
            F6 D4
            80 E4 ??
            08 E0
            30 D0
            88 04 0F
        }
    
    condition:
        // MZ magic, DLL flag from the pe module, then the chunk.
        uint16(0) == 0x5A4D and
        pe.is_dll() and
        all of them
}

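rule Backdoor_ANEL_commands
{
    // ANEL backdoor (Earth Kasha): six 32-bit command-name hash constants
    // expected together in process memory (Detection_Type = "Memory");
    // this is not a file-scanning rule and has no PE gate.
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-08-23"
        Detection_Type = "Memory"
        Malware_Name = "Backdoor.Win32.ANEL"
        // Previously a copy of the Backdoor_ANEL_debug_messages description;
        // the strings below are command hash constants, not debug messages.
        Description = "command xxhash constants in memory"
        Attack_Intrusion_Set = "Earth Kasha"
    strings:
        // Each $hN is a 4-byte hash constant; byte order as captured from the
        // sample, not necessarily the hash's canonical integer representation.
        // xxhash of get screenshot
        $h1 = {27 A7 F0 CF}

        // xxhash of get timezone
        $h2 = {E3 1C FB 85}

        // xxhash of download/exec
        $h3 = {78 52 B5 74}

        // xxhash of upload
        $h4 = {D5 68 CC 6C}

        // xxhash of download
        $h5 = {DD 40 7D 69}

        // xxhash of load pe
        $h6 = {00 0A 1C FF}
    condition:
        // 4-byte patterns are short and will occur incidentally; requiring all
        // six keeps a single stray match from firing the rule.
        all of them
}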

rule Backdoor_ANEL_debug_messages
{
    // ANEL backdoor (Earth Kasha): developer/debug format strings expected
    // in process memory (Detection_Type = "Memory"). No PE gate, so this is
    // a memory-scan rule and may also hit unpacked dumps on disk.
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-08-23"
        Detection_Type = "Memory"
        Malware_Name = "Backdoor.Win32.ANEL"
        Description = "debug message strings in memory"
        Attack_Intrusion_Set = "Earth Kasha"
    strings:
        // Plain text strings with no modifier, so they match ASCII only; a
        // UTF-16 (wide) copy of these messages would not be matched.
        // %Iu is the MSVC size_t format specifier, consistent with a Windows build.
        $s1 = "dll_size %Iu bytes, compress_size %Iu bytes, dllhash 0x%08x"
        $s2 = "Inject failed with error %u"
        $s3 = "Failed to execute in memory!"
        $s4 = "Failed. The file checksum does not match!"
        $s5 = "WARNING: loading PE file without .reloc section!"
        $s6 = "x86 version supports x86 shellcode only!"
    condition:
        // All six messages must be present; a build that drops any one of
        // them will not match.
        all of them
}

Labels / Tags

Labels: anel anelldr apt10 backdoor japan noopdoor roamingmouse spear-phishing uac bypass uppercut

Marking (TLP)

TLP:CLEAR