216.73.216.226

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:32 · Modified 20/12/2025 19:47

Essential information

Value / Name
636e35705ca1637fa3419e7728592b581be4e5dc
Confidence
100/100
Revoked
Yes
Valid from
20/05/2022 10:48
Valid until
23/08/2023 10:48
Pattern type
yara
Published
20/12/2025 19:32
Modified
20/12/2025 19:47
Author / Source
AlienVault

Description

Detect an older variant of SPINNER payload used by TwistedPanda

Pattern

// Signature for an older SPINNER payload variant attributed to TwistedPanda.
// The condition restricts matches to PE files (MZ + PE headers) under 3000KB
// and requires all three string groups, so no single short pattern matches alone.
// NOTE(review): the hosting page lists this indicator as revoked, with validity
// ending 23/08/2023 — confirm it is still wanted before deploying it for detection.
rule apt_CN_TwistedPanda_SPINNER_2 {   
      meta:   
         author = "Check Point Research"   
         description = "Detect an older variant of SPINNER payload used by TwistedPanda"   
         date = "2022-04-14"   
         // 64 hex characters, presumably the SHA-256 of the reference sample — not verified here.
         hash = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"   
            
      strings:   
         // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??   
         // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??   
         // C6                                                  mov     byte ptr [eax], 0   
         // Two 7-byte mov-dword stores followed by a single C6 opcode byte. Only the opcode of the
         // third instruction is anchored, so this pattern is loose on its own; the condition
         // compensates by counting occurrences (#config_init) instead of matching it once.
         $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }   
      
         // 4-byte constants; the names suggest C2 command identifiers (TODO confirm against the
         // sample). Each is short enough to occur by chance, which is why the condition below
         // requires at least two of them together with the other strings.
         $c2_cmd_1 = { 01 00 03 10 }   
         $c2_cmd_2 = { 02 00 01 10 }   
         $c2_cmd_3 = { 01 00 01 10 }   
         $c2_cmd_4 = { 01 00 00 10 }   
         $c2_cmd_5 = { 02 00 00 10 }   
      
         // 80 B3 ?? ?? ?? ?? ??                    xor     ds:dd_encrypted_url[ebx], 50h   
         // 8D BB ?? ?? ?? ??                       lea     edi, dd_encrypted_url[ebx]   
         // 8B 56 14                                mov     edx, [esi+14h]   
         // 8B C2                                   mov     eax, edx   
         // 8B 4E 10                                mov     ecx, [esi+10h]   
         // 2B C1                                   sub     eax, ecx   
         // 83 F8 01                                cmp     eax, 1   
         // The [5] and [4] jumps skip the address/immediate operands of the first two
         // instructions, so the pattern is position-independent with respect to the data address.
         $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }   
       
      condition:   
         // MZ signature at offset 0 and ...   
         uint16(0) == 0x5A4D and   
              
         // ... PE signature at offset stored in MZ header at 0x3C   
         uint32(uint32(0x3C)) == 0x00004550 and    
         // Size bound, more than ten $config_init hits, at least two distinct $c2_cmd_* constants,
         // and the decryption code sequence must all hold.
         filesize < 3000KB  and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption   
   }

Labels / Tags

Labels: hodur plugx spinner twisted panda

Marking (TLP)

TLP:CLEAR