win.breach_rat (Back to overview)

BreachRAT

Actor(s): Operation C-Major


This is a backdoor that FireEye calls the Breach Remote Administration Tool (BreachRAT), written in C++. The family name is derived from the hardcoded PDB path found in the RAT: `C:\Work\Breach Remote Administration Tool\Release\Client.pdb`. Note that a PDB path is a build-time artifact the operator can trivially change or strip, so on its own it is a weak pivot; corroborate it with the code-level signature below when attributing samples.

References
2016-06-03 — FireEye — Yin Hong Chang, Sudeep Singh
@online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major
Yara Rules
[TLP:WHITE] win_breach_rat_auto (20220808 | Detects win.breach_rat.)
rule win_breach_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.breach_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* HOW TO READ THIS RULE
     * Every $sequence_N below is a run of raw 32-bit x86 instruction bytes
     * (ebp-relative stack frames, 32-bit registers) lifted from the sample.
     * The "??" wildcards stand in for the 4-byte operand of e8 (call, relative
     * displacement) and 68 (push imm32, typically an address), which change
     * whenever the binary is relinked or rebased; everything else must match
     * byte-for-byte. In the per-sequence comments, "n" is the number of
     * instructions in the sequence and "score" is the ranking value assigned
     * by yara-signator (its exact meaning is not documented here).
     * Because the rule was derived from a single documented sample, a new
     * build of the RAT may drop below the 7-sequence threshold; treat a hit
     * as a strong lead, not proof, and confirm with the PDB path or behaviour.
     */

    strings:
        $sequence_0 = { e8???????? 68???????? 8d8dbcf2ffff e8???????? 68???????? 8d85bcf2ffff c745fc84000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8dbcf2ffff         | lea                 ecx, [ebp - 0xd44]
            //   e8????????           |                     
            //   68????????           |                     
            //   8d85bcf2ffff         | lea                 eax, [ebp - 0xd44]
            //   c745fc84000000       | mov                 dword ptr [ebp - 4], 0x84

        $sequence_1 = { 83c1fd 662b465c 80ea03 8b5e6c 6648 0fb7f8 03d9 }
            // n = 7, score = 200
            //   83c1fd               | add                 ecx, -3
            //   662b465c             | sub                 ax, word ptr [esi + 0x5c]
            //   80ea03               | sub                 dl, 3
            //   8b5e6c               | mov                 ebx, dword ptr [esi + 0x6c]
            //   6648                 | dec                 ax
            //   0fb7f8               | movzx               edi, ax
            //   03d9                 | add                 ebx, ecx

        $sequence_2 = { ff750c c7411000000000 668901 e8???????? 837e1410 7202 8b36 }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   668901               | mov                 word ptr [ecx], ax
            //   e8????????           |                     
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]

        // NOTE(review): this sequence embeds the absolute virtual address
        // 0x4397c0 (the c0974300 tail of the movzx) with no wildcard. It is
        // therefore tied to the sample's image base and may fail to match a
        // rebased copy (e.g. a memory dump of an ASLR-relocated image or a
        // relinked build) even when the surrounding code is unchanged.
        $sequence_3 = { 83e00f eb02 33c0 8bbdc8fdffff 6bc009 0fb6bc38c0974300 8bc7 }
            // n = 7, score = 200
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8bbdc8fdffff         | mov                 edi, dword ptr [ebp - 0x238]
            //   6bc009               | imul                eax, eax, 9
            //   0fb6bc38c0974300     | movzx               edi, byte ptr [eax + edi + 0x4397c0]
            //   8bc7                 | mov                 eax, edi

        $sequence_4 = { 83c408 8b0e 894654 e8???????? 8b06 83781000 7512 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   894654               | mov                 dword ptr [esi + 0x54], eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83781000             | cmp                 dword ptr [eax + 0x10], 0
            //   7512                 | jne                 0x14

        // NOTE(review): sequences 5, 6 and 9 are all plain stores of the
        // constants 0xf / 0x8000 / 0x7fff / 0 / 5 into fixed offsets. The
        // repeated 0xf next to a zeroed length and zero byte looks like
        // compiler-runtime object initialisation (e.g. MSVC std::string with a
        // 15-byte inline capacity) rather than RAT-specific logic — TODO
        // confirm; if so, they add little family specificity and the rule
        // leans on sequences 0-4 and 7-8 for precision.
        $sequence_5 = { c747280f000000 c7472400800000 c7472cff7f0000 c747480f000000 c7474400800000 c7474cff7f0000 c7475005000000 }
            // n = 7, score = 200
            //   c747280f000000       | mov                 dword ptr [edi + 0x28], 0xf
            //   c7472400800000       | mov                 dword ptr [edi + 0x24], 0x8000
            //   c7472cff7f0000       | mov                 dword ptr [edi + 0x2c], 0x7fff
            //   c747480f000000       | mov                 dword ptr [edi + 0x48], 0xf
            //   c7474400800000       | mov                 dword ptr [edi + 0x44], 0x8000
            //   c7474cff7f0000       | mov                 dword ptr [edi + 0x4c], 0x7fff
            //   c7475005000000       | mov                 dword ptr [edi + 0x50], 5

        $sequence_6 = { 83f804 0f8589020000 c745d40f000000 c745d000000000 c645c000 8b5db8 8d043e }
            // n = 7, score = 200
            //   83f804               | cmp                 eax, 4
            //   0f8589020000         | jne                 0x28f
            //   c745d40f000000       | mov                 dword ptr [ebp - 0x2c], 0xf
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c645c000             | mov                 byte ptr [ebp - 0x40], 0
            //   8b5db8               | mov                 ebx, dword ptr [ebp - 0x48]
            //   8d043e               | lea                 eax, [esi + edi]

        $sequence_7 = { 741f 56 8bc8 e8???????? 8b4510 83c618 3bf3 }
            // n = 7, score = 200
            //   741f                 | je                  0x21
            //   56                   | push                esi
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c618               | add                 esi, 0x18
            //   3bf3                 | cmp                 esi, ebx

        // Only 5 instructions, two of them wildcarded calls: the shortest and
        // loosest sequence in the set, so it is the most likely to match
        // unrelated code on its own.
        $sequence_8 = { 8bce e8???????? 8bc8 e8???????? 8d8d1cf9ffff }
            // n = 5, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d8d1cf9ffff         | lea                 ecx, [ebp - 0x6e4]

        $sequence_9 = { 57 33ff c745e80f000000 8975e4 c645d400 53 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   c745e80f000000       | mov                 dword ptr [ebp - 0x18], 0xf
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   c645d400             | mov                 byte ptr [ebp - 0x2c], 0
            //   53                   | push                ebx

    condition:
        // Fire when at least 7 of the 10 byte sequences above are present and
        // the scanned object is smaller than 645120 bytes (630 KiB).
        // There is deliberately no PE-header check (e.g. uint16(0) == 0x5A4D):
        // per the disclaimer the sequences were taken from memory dumps and
        // unpacked code, which such a check would exclude. Adding one would
        // narrow the rule to on-disk PE files. Conversely, the size cap means
        // a packed or embedded carrier larger than 630 KiB will not trigger
        // even if the unpacked code is inside it — scan the unpacked payload
        // or process memory in that case.
        7 of them and filesize < 645120
}