Bitter RAT (Malware Family)

Bitter RAT

URLhaus
There is no description at this point.
References

2020-06-19 ⋅ Bitdefender ⋅ Oana Asoltanei, Denis Cosmin Nutiu, Alin Mihai Barbatei
BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool
AndroRAT Artra Downloader Bitter RAT
2018-11-29 ⋅ 360 Threat Intelligence ⋅ Threat Intelligence Center
Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups
BioData Bitter RAT WSCSPL
2016-10-21 ⋅ Forcepoint ⋅ Rolanda Dela Paz
BITTER: a targeted attack against Pakistan
Bitter RAT
Yara Rules

[TLP:WHITE] win_bitter_rat_auto (20211008 | Detects win.bitter_rat.)
rule win_bitter_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bitter_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a00 ff15???????? 3bf4 e8???????? 8985bcfaffff }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   3bf4                 | cmp                 esi, esp
            //   e8????????           |                     
            //   8985bcfaffff         | mov                 dword ptr [ebp - 0x544], eax

        $sequence_1 = { c78514feffff00000000 c78518feffff01000000 c7851cfeffff06000000 c785ecfdffff00000000 8bf4 8d8544feffff }
            // n = 6, score = 200
            //   c78514feffff00000000     | mov    dword ptr [ebp - 0x1ec], 0
            //   c78518feffff01000000     | mov    dword ptr [ebp - 0x1e8], 1
            //   c7851cfeffff06000000     | mov    dword ptr [ebp - 0x1e4], 6
            //   c785ecfdffff00000000     | mov    dword ptr [ebp - 0x214], 0
            //   8bf4                 | mov                 esi, esp
            //   8d8544feffff         | lea                 eax, dword ptr [ebp - 0x1bc]

        $sequence_2 = { 83f804 7709 8b048554ef4400 5d c3 }
            // n = 5, score = 200
            //   83f804               | cmp                 eax, 4
            //   7709                 | ja                  0xb
            //   8b048554ef4400       | mov                 eax, dword ptr [eax*4 + 0x44ef54]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_3 = { 50 e8???????? 83c404 8945e0 8b45f8 50 e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { eb1d 83bd40dcffff00 7502 eb12 eb0b 83bd28dcffff00 }
            // n = 6, score = 200
            //   eb1d                 | jmp                 0x1f
            //   83bd40dcffff00       | cmp                 dword ptr [ebp - 0x23c0], 0
            //   7502                 | jne                 4
            //   eb12                 | jmp                 0x14
            //   eb0b                 | jmp                 0xd
            //   83bd28dcffff00       | cmp                 dword ptr [ebp - 0x23d8], 0

        $sequence_5 = { e8???????? 50 ff15???????? 3bf4 e8???????? 8945f4 6a00 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3bf4                 | cmp                 esi, esp
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   6a00                 | push                0

        $sequence_6 = { 7418 8d8564f0ffff 50 8d8d6cf8ffff }
            // n = 4, score = 200
            //   7418                 | je                  0x1a
            //   8d8564f0ffff         | lea                 eax, dword ptr [ebp - 0xf9c]
            //   50                   | push                eax
            //   8d8d6cf8ffff         | lea                 ecx, dword ptr [ebp - 0x794]

        $sequence_7 = { 8b4dd4 81c1???????? 51 68???????? e8???????? 83c40c }
            // n = 6, score = 200
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   81c1????????         |                     
            //   51                   | push                ecx
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_8 = { 8b4de4 83e11f c1e106 8b048500124700 8d440804 8020fe ff75e4 }
            // n = 7, score = 200
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83e11f               | and                 ecx, 0x1f
            //   c1e106               | shl                 ecx, 6
            //   8b048500124700       | mov                 eax, dword ptr [eax*4 + 0x471200]
            //   8d440804             | lea                 eax, dword ptr [eax + ecx + 4]
            //   8020fe               | and                 byte ptr [eax], 0xfe
            //   ff75e4               | push                dword ptr [ebp - 0x1c]

        $sequence_9 = { 83f938 0f8f70020000 0fbe40ff ff3485600e4500 8b4d08 e8???????? }
            // n = 6, score = 200
            //   83f938               | cmp                 ecx, 0x38
            //   0f8f70020000         | jg                  0x276
            //   0fbe40ff             | movsx               eax, byte ptr [eax - 1]
            //   ff3485600e4500       | push                dword ptr [eax*4 + 0x450e60]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1130496
}
Download all Yara Rules
Bitter RAT Propose Change

References

Yara Rules

Bitter RAT
