win.bbsrat

BBSRAT


There is no description at this point.

References
2020-06-03 — Trend Micro — Daniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2016-03-14 — Palo Alto Networks Unit 42 — Josh Grunzweig, Robert Falcone, Bryan Lee
@online{grunzweig:20160314:digital:b6ddc60, author = {Josh Grunzweig and Robert Falcone and Bryan Lee}, title = {{Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government}}, date = {2016-03-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/}, language = {English}, urldate = {2019-12-20} } Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government
BBSRAT CMSTAR
Yara Rules
[TLP:WHITE] win_bbsrat_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_bbsrat_auto {
    // Autogenerated code-sequence rule for the win.bbsrat family. Ten short
    // x86 opcode sequences ($sequence_0 .. $sequence_9) were selected by
    // yara-signator; the rule fires when at least 7 of them are present in a
    // scanned object smaller than 434176 bytes (see condition below).
    // The "????????" wildcards mask 4-byte call/jump targets and absolute
    // data references (tool_config: callsandjumps;datarefs), so the
    // sequences tolerate different base addresses and build layouts.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the comment block under each sequence is the generator's
    // disassembly of the hex bytes ("n" = instruction count, "score" =
    // generator confidence); the empty mnemonic columns belong to the
    // wildcarded instructions whose operands were masked.

    strings:
        $sequence_0 = { 51 ffd6 68???????? 8d942458160000 52 ffd6 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d942458160000       | lea                 edx, [esp + 0x1658]
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_1 = { 51 8d94243a010000 52 66898c243c010000 e8???????? 83c428 6804010000 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8d94243a010000       | lea                 edx, [esp + 0x13a]
            //   52                   | push                edx
            //   66898c243c010000     | mov                 word ptr [esp + 0x13c], cx
            //   e8????????           |                     
            //   83c428               | add                 esp, 0x28
            //   6804010000           | push                0x104
            // NOTE(review): 0x104 == 260 == MAX_PATH; presumably a path-buffer
            // length being passed to the next call — confirm against the sample.

        $sequence_2 = { 7411 8d4c240c 51 6a01 53 e8???????? }
            // n = 6, score = 100
            //   7411                 | je                  0x13
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_3 = { 50 e8???????? 85c0 751f 8b0f 8b3d???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b3d????????         |                     

        $sequence_4 = { 50 e8???????? 8bf0 eb02 33f6 c744243cffffffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   c744243cffffffff     | mov                 dword ptr [esp + 0x3c], 0xffffffff

        $sequence_5 = { 896e48 8b464c 3bc5 7409 50 e8???????? 896e4c }
            // n = 7, score = 100
            //   896e48               | mov                 dword ptr [esi + 0x48], ebp
            //   8b464c               | mov                 eax, dword ptr [esi + 0x4c]
            //   3bc5                 | cmp                 eax, ebp
            //   7409                 | je                  0xb
            //   50                   | push                eax
            //   e8????????           |                     
            //   896e4c               | mov                 dword ptr [esi + 0x4c], ebp

        $sequence_6 = { 50 6802000080 ffd7 8b4c240c 68???????? 51 ffd3 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   ffd7                 | call                edi
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            // NOTE(review): 0x80000002 is the value of HKEY_LOCAL_MACHINE, so the
            // call through edi looks like a registry API taking a root key —
            // confirm in the sample; if so this sequence is a useful pivot for
            // locating the family's registry activity during triage.

        $sequence_7 = { 85c0 7502 8806 8b4c2418 33cc 33c0 e8???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   8806                 | mov                 byte ptr [esi], al
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   33cc                 | xor                 ecx, esp
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            // NOTE(review): "xor ecx, esp" followed by a call is the shape of the
            // MSVC stack-cookie check (__security_check_cookie) in a function
            // epilogue, so this sequence is likely shared with many unrelated
            // MSVC builds and is probably the least family-specific of the ten.

        $sequence_8 = { 895c2420 895c2418 ff15???????? 6808020000 8d942440010000 53 }
            // n = 6, score = 100
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   ff15????????         |                     
            //   6808020000           | push                0x208
            //   8d942440010000       | lea                 edx, [esp + 0x140]
            //   53                   | push                ebx
            // NOTE(review): 0x208 == 520 == 2 * MAX_PATH, consistent with a
            // wide-character path buffer size — confirm against the sample.

        $sequence_9 = { 50 ffd6 8b4c241c 51 ffd6 8b542418 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

    condition:
        // Require 7 of the 10 sequences (tolerates a few missing or altered
        // ones) and bound the scanned size. 434176 is presumably derived from
        // the samples available at generation time; larger containers,
        // packed or dumped images, and process-memory scans (where filesize
        // need not reflect the image size) may need the cap relaxed or
        // removed — confirm against your own corpus before relying on it.
        7 of them and filesize < 434176
}