BreachRAT (Malware Family)

BreachRAT

VTCollection
This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\Work\Breach Remote Administration Tool\Release\Client.pdb
References

2016-06-03 ⋅ FireEye ⋅ Sudeep Singh, Yin Hong Chang
APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major
Yara Rules

[TLP:WHITE] win_breach_rat_auto (20260504 | Detects win.breach_rat.)
rule win_breach_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.breach_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745fc50000000 50 8bce e8???????? 8bc8 e8???????? 8d8d2cf5ffff }
            // n = 7, score = 200
            //   c745fc50000000       | mov                 dword ptr [ebp - 4], 0x50
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d8d2cf5ffff         | lea                 ecx, [ebp - 0xad4]

        $sequence_1 = { 8bc8 e8???????? 8d8decf5ffff c745fcffffffff e8???????? 68???????? }
            // n = 6, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d8decf5ffff         | lea                 ecx, [ebp - 0xa14]
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_2 = { 8be5 5d c3 837c242c10 8d742418 0f43742418 2bf0 }
            // n = 7, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   837c242c10           | cmp                 dword ptr [esp + 0x2c], 0x10
            //   8d742418             | lea                 esi, [esp + 0x18]
            //   0f43742418           | cmovae              esi, dword ptr [esp + 0x18]
            //   2bf0                 | sub                 esi, eax

        $sequence_3 = { c7461898fc4300 eb3b 83fffb 7509 c74618b8fc4300 eb28 83fffc }
            // n = 7, score = 200
            //   c7461898fc4300       | mov                 dword ptr [esi + 0x18], 0x43fc98
            //   eb3b                 | jmp                 0x3d
            //   83fffb               | cmp                 edi, -5
            //   7509                 | jne                 0xb
            //   c74618b8fc4300       | mov                 dword ptr [esi + 0x18], 0x43fcb8
            //   eb28                 | jmp                 0x2a
            //   83fffc               | cmp                 edi, -4

        $sequence_4 = { 8be5 5d c3 837f1410 7204 8b37 eb05 }
            // n = 7, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   7204                 | jb                  6
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   eb05                 | jmp                 7

        $sequence_5 = { 64892500000000 83ec6c 56 8bf1 8d4dd4 e8???????? }
            // n = 6, score = 200
            //   64892500000000       | mov                 dword ptr fs:[0], esp
            //   83ec6c               | sub                 esp, 0x6c
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     

        $sequence_6 = { ba???????? 8d4dc0 e8???????? 84c0 745c c745e400000000 c745e800100000 }
            // n = 7, score = 200
            //   ba????????           |                     
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   745c                 | je                  0x5e
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e800100000       | mov                 dword ptr [ebp - 0x18], 0x1000

        $sequence_7 = { 668945d8 e8???????? 837dd408 720b ff75c0 e8???????? }
            // n = 6, score = 200
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   837dd408             | cmp                 dword ptr [ebp - 0x2c], 8
            //   720b                 | jb                  0xd
            //   ff75c0               | push                dword ptr [ebp - 0x40]
            //   e8????????           |                     

        $sequence_8 = { 8d4dc0 e8???????? 84c0 745c c745e400000000 c745e800100000 c745ec00100000 }
            // n = 7, score = 200
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   745c                 | je                  0x5e
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e800100000       | mov                 dword ptr [ebp - 0x18], 0x1000
            //   c745ec00100000       | mov                 dword ptr [ebp - 0x14], 0x1000

        $sequence_9 = { 6a03 68???????? 8d4ddc e8???????? 68???????? 8d55c4 8d4dac }
            // n = 7, score = 200
            //   6a03                 | push                3
            //   68????????           |                     
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     
            //   68????????           |                     
            //   8d55c4               | lea                 edx, [ebp - 0x3c]
            //   8d4dac               | lea                 ecx, [ebp - 0x54]

    condition:
        7 of them and filesize < 645120
}
Download all Yara Rules
BreachRAT Propose Change

References

Yara Rules

BreachRAT
