win.cardinal_rat

Cardinal RAT


Cardinal RAT is a remote access Trojan capable of stealing usernames and credentials, clearing cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp”, which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable; that executable then deploys the Cardinal RAT malware family.

References
2022-07-30 — cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
2021-09-06 — cocomelonc — cocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-09-04 — cocomelonc — cocomelonc
AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2020-05-21 — PICUS Security — Süleyman Özarslan
T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2019-08-01 — ClearSky — ClearSky Cyber Security
2019 H1 Cyber Events Summary Report
EVILNUM Cardinal RAT SappyCache
2019-03-19 — Palo Alto Networks Unit 42 — Josh Grunzweig, Tom Lancaster
Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms
EVILNUM Cardinal RAT EVILNUM
2017-04-20 — Palo Alto Networks Unit 42 — Josh Grunzweig
Cardinal RAT Active for Over Two Years
Cardinal RAT
Yara Rules
[TLP:WHITE] win_cardinal_rat_auto (20180607 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence signature for win.cardinal_rat (Malpedia).
// The strings are raw x86 byte sequences lifted from disassembly of memory
// dumps / unpacked files (see the disclaimer below), so on-disk samples that
// are still packed or encrypted are not expected to match; run it against
// memory or unpacked artefacts.
rule win_cardinal_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat"
        // Snapshot of the Malpedia corpus the rule was generated from, not the
        // rule's own date.
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is four consecutive instructions encoded as hex bytes;
    // the "// n = 4, score = 1000" line gives the instruction count and the
    // generator's ranking score (score semantics are yara-signator internal).
    //
    // NOTE(review): the sequences are not independent. $sequence_0 and
    // $sequence_8 share two instruction encodings (22056a00f100 28056a00f900),
    // and $sequence_4, $sequence_7 and $sequence_9 share "00d9 00e0" (plus
    // "c6036a" between _7 and _9). Overlapping strings tend to hit together,
    // so "7 of them" is somewhat weaker than ten independent features.
    //
    // NOTE(review): many sequences are dominated by 00/01/04 lead bytes that
    // disassemble to trivial "add" forms (e.g. $sequence_2, $sequence_4,
    // $sequence_9). This looks more like data or an encoded blob than
    // hand-written code — TODO confirm against a benign corpus before
    // assigning this rule a high confidence level.
    strings:
        $sequence_0 = { 22056a00f100 28056a00f900 2e05fb00f900 3b05fb00f900 }
            // n = 4, score = 1000
            //   22056a00f100         | and                 al, byte ptr [0xf1006a]
            //   28056a00f900         | sub                 byte ptr [0xf9006a], al
            //   2e05fb00f900         | add                 eax, 0xf900fb
            //   3b05fb00f900         | cmp                 eax, dword ptr [0xf900fb]

        $sequence_1 = { 53 05fb001901 d6 001f }
            // n = 4, score = 1000
            //   53                   | push                ebx
            //   05fb001901           | add                 eax, 0x11900fb
            //   d6                   | salc                
            //   001f                 | add                 byte ptr [edi], bl

        $sequence_2 = { 01c6 0407 01e9 00d3 }
            // n = 4, score = 1000
            //   01c6                 | add                 esi, eax
            //   0407                 | add                 al, 7
            //   01e9                 | add                 ecx, ebp
            //   00d3                 | add                 bl, dl

        $sequence_3 = { 046a 009900f80412 01e1 0006 }
            // n = 4, score = 1000
            //   046a                 | add                 al, 0x6a
            //   009900f80412         | add                 byte ptr [ecx + 0x1204f800], bl
            //   01e1                 | add                 ecx, esp
            //   0006                 | add                 byte ptr [esi], al

        $sequence_4 = { 00d9 00e0 03c6 00a900ed03cb }
            // n = 4, score = 1000
            //   00d9                 | add                 cl, bl
            //   00e0                 | add                 al, ah
            //   03c6                 | add                 eax, esi
            //   00a900ed03cb         | add                 byte ptr [ecx - 0x34fc1300], ch

        $sequence_5 = { 2504dd0069 0038 04e3 0099004804c2 }
            // n = 4, score = 1000
            //   2504dd0069           | and                 eax, 0x6900dd04
            //   0038                 | add                 byte ptr [eax], bh
            //   04e3                 | add                 al, 0xe3
            //   0099004804c2         | add                 byte ptr [ecx - 0x3dfbb800], bl

        $sequence_6 = { 0010 04d8 00e9 00bc036a00e900 }
            // n = 4, score = 1000
            //   0010                 | add                 byte ptr [eax], dl
            //   04d8                 | add                 al, 0xd8
            //   00e9                 | add                 cl, ch
            //   00bc036a00e900       | add                 byte ptr [ebx + eax + 0xe9006a], bh

        $sequence_7 = { 00bc036a009900 c6036a 00d9 00e0 }
            // n = 4, score = 1000
            //   00bc036a009900       | add                 byte ptr [ebx + eax + 0x99006a], bh
            //   c6036a               | mov                 byte ptr [ebx], 0x6a
            //   00d9                 | add                 cl, bl
            //   00e0                 | add                 al, ah

        $sequence_8 = { 051801e100 1205d800f100 22056a00f100 28056a00f900 }
            // n = 4, score = 1000
            //   051801e100           | add                 eax, 0xe10118
            //   1205d800f100         | adc                 al, byte ptr [0xf100d8]
            //   22056a00f100         | and                 al, byte ptr [0xf1006a]
            //   28056a00f900         | sub                 byte ptr [0xf9006a], al

        $sequence_9 = { c6036a 00d9 00e0 03c6 }
            // n = 4, score = 1000
            //   c6036a               | mov                 byte ptr [ebx], 0x6a
            //   00d9                 | add                 cl, bl
            //   00e0                 | add                 al, ah
            //   03c6                 | add                 eax, esi

    // Fires when at least 7 of the 10 sequences above are present anywhere in
    // the scanned object; no file-size or header constraint is applied, so a
    // match on an unrelated file that happens to embed the same byte runs
    // should be triaged rather than treated as a confirmed detection.
    condition:
        7 of them
}