SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alma_communicator (Back to overview)

Alma Communicator

Actor(s): OilRig


There is no description at this point.

References
2019-04-16Robert Falcone
@online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent
2017-11-08Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator
Yara Rules
[TLP:WHITE] win_alma_communicator_auto (20230407 | Detects win.alma_communicator.)
rule win_alma_communicator_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.alma_communicator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 59 33c0 e9???????? e8???????? cc }
            // n = 6, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   cc                   | int3                

        $sequence_1 = { eb71 68f4010000 e8???????? 59 8b0e }
            // n = 5, score = 100
            //   eb71                 | jmp                 0x73
            //   68f4010000           | push                0x1f4
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_2 = { 7307 83c8ff 0bd0 eb3e }
            // n = 4, score = 100
            //   7307                 | jae                 9
            //   83c8ff               | or                  eax, 0xffffffff
            //   0bd0                 | or                  edx, eax
            //   eb3e                 | jmp                 0x40

        $sequence_3 = { 8d8dd0ebffff e8???????? 59 8b8dd0ebffff 33d2 e8???????? 6a01 }
            // n = 7, score = 100
            //   8d8dd0ebffff         | lea                 ecx, [ebp - 0x1430]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b8dd0ebffff         | mov                 ecx, dword ptr [ebp - 0x1430]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   6a01                 | push                1

        $sequence_4 = { 83b8a800000000 7512 8b04bdf08f4100 807c302900 7504 32c0 eb1a }
            // n = 7, score = 100
            //   83b8a800000000       | cmp                 dword ptr [eax + 0xa8], 0
            //   7512                 | jne                 0x14
            //   8b04bdf08f4100       | mov                 eax, dword ptr [edi*4 + 0x418ff0]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al
            //   eb1a                 | jmp                 0x1c

        $sequence_5 = { 0fb7840d6cffffff 8d4902 6689840d6afbffff 6685c0 75e8 8d8d6cfbffff }
            // n = 6, score = 100
            //   0fb7840d6cffffff     | movzx               eax, word ptr [ebp + ecx - 0x94]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   6689840d6afbffff     | mov                 word ptr [ebp + ecx - 0x496], ax
            //   6685c0               | test                ax, ax
            //   75e8                 | jne                 0xffffffea
            //   8d8d6cfbffff         | lea                 ecx, [ebp - 0x494]

        $sequence_6 = { 50 e8???????? 8bbd54f7ffff 59 8bcf }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bbd54f7ffff         | mov                 edi, dword ptr [ebp - 0x8ac]
            //   59                   | pop                 ecx
            //   8bcf                 | mov                 ecx, edi

        $sequence_7 = { 6a01 8bf0 e8???????? 59 83feff 750b 56 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83feff               | cmp                 esi, -1
            //   750b                 | jne                 0xd
            //   56                   | push                esi

        $sequence_8 = { 33f6 57 8bf9 85db 740e }
            // n = 5, score = 100
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   85db                 | test                ebx, ebx
            //   740e                 | je                  0x10

        $sequence_9 = { 0fb64102 84c0 750a 6a03 5b }
            // n = 5, score = 100
            //   0fb64102             | movzx               eax, byte ptr [ecx + 2]
            //   84c0                 | test                al, al
            //   750a                 | jne                 0xc
            //   6a03                 | push                3
            //   5b                   | pop                 ebx

    condition:
        7 of them and filesize < 245760
}
Download all Yara Rules