win.alma_communicator

Alma Communicator

Actor(s): OilRig


There is no description at this point.

References
2019-04-16 — Robert Falcone
DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent
2017-11-08 — Palo Alto Networks Unit 42, Robert Falcone
OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator
Yara Rules
[TLP:WHITE] win_alma_communicator_auto (20230808 | Detects win.alma_communicator.)
rule win_alma_communicator_auto {
    // Auto-generated code-sequence rule (yara-signator): ten short x86-32 opcode
    // sequences lifted from the disassembly of the sample(s) Malpedia holds for
    // this family. The "??" bytes are YARA wildcards placed on the operand bytes
    // of "a1" (mov eax, [abs32]) and "e8" (call rel32) instructions, presumably
    // so a match does not depend on a particular load address or link layout.
    // In each comment block below, "n" is the instruction count of the sequence;
    // "score" is the generator's own ranking value (its scale is not documented
    // here).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // "date" is the generator run date; malpedia_rule_date and
        // malpedia_version below are Malpedia's own stamps and differ from it.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.alma_communicator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte copy between two structures; the absolute load and the call
        // target are wildcarded.
        $sequence_0 = { 8a4a1c 884807 a1???????? c6400800 e8???????? 59 }
            // n = 6, score = 100
            //   8a4a1c               | mov                 cl, byte ptr [edx + 0x1c]
            //   884807               | mov                 byte ptr [eax + 7], cl
            //   a1????????           |                     
            //   c6400800             | mov                 byte ptr [eax + 8], 0
            //   e8????????           |                     
            //   59                   | pop                 ecx

        // NOTE(review): this sequence embeds the literal 0x40f893 — an absolute
        // in-image address — so it is tied to the layout of the sample it was
        // taken from and presumably will not match rebuilt or rebased variants;
        // treat it as the least portable of the ten.
        $sequence_1 = { 8945f0 8b450c 8945f4 8b4514 40 c745ec93f84000 894df8 }
            // n = 7, score = 100
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   40                   | inc                 eax
            //   c745ec93f84000       | mov                 dword ptr [ebp - 0x14], 0x40f893
            //   894df8               | mov                 dword ptr [ebp - 8], ecx

        // Two calls with ecx=ebx whose results are stored into adjacent slots of
        // a large stack frame (ebp-0x8ac / ebp-0x8b0); call targets wildcarded.
        $sequence_2 = { 8bcb 898554f7ffff e8???????? 8bcb 898550f7ffff 6a02 5f }
            // n = 7, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   898554f7ffff         | mov                 dword ptr [ebp - 0x8ac], eax
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   898550f7ffff         | mov                 dword ptr [ebp - 0x8b0], eax
            //   6a02                 | push                2
            //   5f                   | pop                 edi

        // Stack cleanup after a 3-argument cdecl call, then address computation
        // into a stack buffer.
        $sequence_3 = { e8???????? 83c40c 8d8d58ffffff 8d5102 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8d58ffffff         | lea                 ecx, [ebp - 0xa8]
            //   8d5102               | lea                 edx, [ecx + 2]

        // 0x7d0 is 2000 decimal; zeroes dword [esi] before the push.
        $sequence_4 = { 8974241c 68d0070000 832600 897c2424 }
            // n = 4, score = 100
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   68d0070000           | push                0x7d0
            //   832600               | and                 dword ptr [esi], 0
            //   897c2424             | mov                 dword ptr [esp + 0x24], edi

        // Loop: the jne (-0xb) lands back on "mov cx, word ptr [edi + 2]", so
        // this walks 16-bit entries in steps of esi until the word equals dx.
        $sequence_5 = { 668b4f02 03fe 663bca 75f5 ffb53cf7ffff 8907 6bc328 }
            // n = 7, score = 100
            //   668b4f02             | mov                 cx, word ptr [edi + 2]
            //   03fe                 | add                 edi, esi
            //   663bca               | cmp                 cx, dx
            //   75f5                 | jne                 0xfffffff7
            //   ffb53cf7ffff         | push                dword ptr [ebp - 0x8c4]
            //   8907                 | mov                 dword ptr [edi], eax
            //   6bc328               | imul                eax, ebx, 0x28

        // Sets eax = 1 (xor + inc idiom) and stores it into a large stack frame
        // after a forward conditional branch.
        $sequence_6 = { 0f85aa010000 33c0 40 8985ccebffff }
            // n = 4, score = 100
            //   0f85aa010000         | jne                 0x1b0
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   8985ccebffff         | mov                 dword ptr [ebp - 0x1434], eax

        // Compares al against 0x7a ('z'), 0x2b ('+') and 0x2f ('/'); this looks
        // like a character-class check consistent with a base64 alphabet, which
        // would fit the DNS-tunnelling encoding described in the references —
        // TODO confirm against the sample.
        $sequence_7 = { 7204 3c7a 7608 3c2b 7404 3c2f }
            // n = 6, score = 100
            //   7204                 | jb                  6
            //   3c7a                 | cmp                 al, 0x7a
            //   7608                 | jbe                 0xa
            //   3c2b                 | cmp                 al, 0x2b
            //   7404                 | je                  6
            //   3c2f                 | cmp                 al, 0x2f

        // Byte-copy loop into a stack buffer at [ebp + ecx - 0x9e0] that runs
        // until al is zero (the jne target, -0x13, lies before this sequence,
        // so the loop head itself is not part of the pattern).
        $sequence_8 = { 88840d20f6ffff 41 84c0 75ed 8d8d20f6ffff 49 8a4101 }
            // n = 7, score = 100
            //   88840d20f6ffff       | mov                 byte ptr [ebp + ecx - 0x9e0], al
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75ed                 | jne                 0xffffffef
            //   8d8d20f6ffff         | lea                 ecx, [ebp - 0x9e0]
            //   49                   | dec                 ecx
            //   8a4101               | mov                 al, byte ptr [ecx + 1]

        // strlen-style scan: the jne (-5) lands back on "mov al, byte ptr [ecx]",
        // so ecx advances until a NUL byte; ecx - edx is then the length.
        $sequence_9 = { 8a01 41 84c0 75f9 8a442454 2bca 83f901 }
            // n = 7, score = 100
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   8a442454             | mov                 al, byte ptr [esp + 0x54]
            //   2bca                 | sub                 ecx, edx
            //   83f901               | cmp                 ecx, 1

    condition:
        // At least 7 of the 10 $sequence_* strings must be present and the
        // scanned object must be smaller than 245760 bytes (240 KiB).
        // NOTE(review): YARA documents 'filesize' as undefined when scanning
        // process memory, so the size cap may prevent matches on live processes
        // even though the sequences were derived partly from memory dumps —
        // confirm this suits the intended scan targets before relying on it.
        7 of them and filesize < 245760
}