win.ati_agent (Back to overview)

ATI-Agent

Actor(s): APT 29


There is no description at this point.

References
2016-06-15 | CrowdStrike | Dmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28
Yara Rules
[TLP:WHITE] win_ati_agent_auto (20230125 | Detects win.ati_agent.)
rule win_ati_agent_auto {

    // Auto-generated code-sequence signature (yara-signator, see meta below).
    // Each $sequence_N is a run of raw opcode bytes lifted from a single sample;
    // the REX-prefixed bytes (48/49/4a/4c, e.g. 4883ec20 = "sub rsp, 0x20")
    // indicate 64-bit x86 code. Coverage of other builds of the family is
    // uncertain by construction (see DISCLAIMER).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.ati_agent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the mnemonic column in the per-byte comments below does
        // not correspond to the bytes on the same line (e.g. 33c0 is
        // "xor eax, eax" and 4883ec20 is "sub rsp, 0x20", yet they are listed as
        // "dec eax" / "inc cx"). Treat only the hex byte patterns as
        // authoritative; re-disassemble in 64-bit mode if the semantics matter.
        // "????" wildcards mask relocation-dependent rel32/disp32 operands that
        // follow call (e8, ff15) and jmp (e9) opcodes, so the patterns survive
        // relinking/rebasing of those targets.
        $sequence_0 = { 4c8d05f5410000 33c0 498bd0 3b0a 740e ffc0 }
            // n = 6, score = 100
            //   4c8d05f5410000       | jae                 0x779
            //   33c0                 | dec                 eax
            //   498bd0               | mov                 edi, ebx
            //   3b0a                 | dec                 eax
            //   740e                 | mov                 esi, ebx
            //   ffc0                 | dec                 eax

        $sequence_1 = { 488d051ec30000 49c1fc05 4183e71f 4a8b0ce0 4c89642450 4d6bff58 418a740f38 }
            // n = 7, score = 100
            //   488d051ec30000       | dec                 eax
            //   49c1fc05             | and                 dword ptr [esp + 0x20], 0
            //   4183e71f             | dec                 eax
            //   4a8b0ce0             | lea                 eax, [0xc151]
            //   4c89642450           | dec                 eax
            //   4d6bff58             | mov                 ecx, dword ptr [eax + ecx*8]
            //   418a740f38           | dec                 esp

        $sequence_2 = { 4c8d052885ffff 89542420 83fa05 7d15 4863ca 0fb7444b10 }
            // n = 6, score = 100
            //   4c8d052885ffff       | dec                 eax
            //   89542420             | lea                 edx, [esp + 0x20]
            //   83fa05               | cmp                 dword ptr [eax], ebx
            //   7d15                 | cmovl               ebx, dword ptr [eax]
            //   4863ca               | cmp                 ecx, ebx
            //   0fb7444b10           | jge                 0x75f

        $sequence_3 = { 4883ec20 4863d9 488d3d88a00000 4803db 48833cdf00 }
            // n = 5, score = 100
            //   4883ec20             | inc                 cx
            //   4863d9               | mov                 dword ptr [eax + ecx*2 + 0xf9d0], eax
            //   488d3d88a00000       | jge                 0x9b3
            //   4803db               | dec                 eax
            //   48833cdf00           | arpl                di, cx

        $sequence_4 = { 7509 488d0553ab0000 eb04 4883c014 8918 e8???????? 4c8d153bab0000 }
            // n = 7, score = 100
            //   7509                 | mov                 dword ptr [esp + 8], ebx
            //   488d0553ab0000       | dec                 eax
            //   eb04                 | mov                 dword ptr [esp + 0x10], esi
            //   4883c014             | dec                 eax
            //   8918                 | mov                 dword ptr [esp + 0x18], edi
            //   e8????????           |                     
            //   4c8d153bab0000       | inc                 ecx

        $sequence_5 = { 488bce e8???????? e9???????? 4c8d2d6dc10000 8bcb }
            // n = 5, score = 100
            //   488bce               | mov                 ecx, dword ptr [esp + 0x60]
            //   e8????????           |                     
            //   e9????????           |                     
            //   4c8d2d6dc10000       | jmp                 0x10a0
            //   8bcb                 | dec                 esp

        $sequence_6 = { 8bc6 eb1f 488b4c2468 ff15???????? 488b4c2460 ff15???????? 33c0 }
            // n = 7, score = 100
            //   8bc6                 | cmp                 dword ptr [edi - 0x10], eax
            //   eb1f                 | je                  0x10c
            //   488b4c2468           | dec                 eax
            //   ff15????????         |                     
            //   488b4c2460           | mov                 ecx, dword ptr [edi]
            //   ff15????????         |                     
            //   33c0                 | dec                 eax

        $sequence_7 = { 488bd9 488d0da07b0000 483bd9 723e }
            // n = 4, score = 100
            //   488bd9               | lea                 ecx, [0x3751]
            //   488d0da07b0000       | dec                 eax
            //   483bd9               | sub                 esp, 0x20
            //   723e                 | mov                 edi, 0x24

        $sequence_8 = { 85c0 0f844e010000 488b4c2450 488364242000 488d0551c10000 }
            // n = 5, score = 100
            //   85c0                 | dec                 eax
            //   0f844e010000         | sub                 esp, 0x20
            //   488b4c2450           | dec                 eax
            //   488364242000         | mov                 edi, edx
            //   488d0551c10000       | dec                 eax

        $sequence_9 = { 664123c0 6689444c4e 4883f90e 72e3 6644894c246c 488d442450 }
            // n = 6, score = 100
            //   664123c0             | nop                 word ptr [eax + eax]
            //   6689444c4e           | movzx               eax, byte ptr [edx + ecx]
            //   4883f90e             | xor                 al, 0x2e
            //   72e3                 | xor                 ax, cx
            //   6644894c246c         | dec                 eax
            //   488d442450           | inc                 ecx

    condition:
        // At least 7 of the 10 byte sequences must be present. The filesize
        // bound is presumably sized to the reference sample (TODO confirm); it
        // suppresses matches on larger artefacts such as memory dumps or
        // repacked binaries, so relax it deliberately when scanning those.
        7 of them and filesize < 172032
}