SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crat (Back to overview)

CRAT

Actor(s): Lazarus Group

According to Cisco Talos, CRAT is a remote access trojan with plugin capabilites, used by Lazarus since at least May 2020.

References
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-12TalosAsheer Malhotra
@online{malhotra:20201112:crat:1761f4e, author = {Asheer Malhotra}, title = {{CRAT wants to plunder your endpoints}}, date = {2020-11-12}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/11/crat-and-plugins.html}, language = {English}, urldate = {2020-11-18} } CRAT wants to plunder your endpoints
CRAT
Yara Rules
[TLP:WHITE] win_crat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_crat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488bd0 488d4d78 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | lea                 ecx, [ebp + 0x150]
            //   488d4d78             | nop                 
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_1 = { e8???????? 488bd0 488d8d50010000 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | dec                 eax
            //   488d8d50010000       | mov                 edx, eax
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_2 = { 498bc4 48833d????????10 480f4305???????? 482bc8 }
            // n = 4, score = 500
            //   498bc4               | mov                 edx, eax
            //   48833d????????10     |                     
            //   480f4305????????     |                     
            //   482bc8               | dec                 eax

        $sequence_3 = { e8???????? 488bd0 488d8db8000000 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | lea                 ecx, [ebp - 0x10]
            //   488d8db8000000       | nop                 
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_4 = { e8???????? 488bd0 488d4df0 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | lea                 ecx, [ebp + 0x78]
            //   488d4df0             | nop                 
            //   e8????????           |                     
            //   90                   | dec                 ecx

        $sequence_5 = { 483bc8 7406 e8???????? 90 488b542420 }
            // n = 5, score = 500
            //   483bc8               | nop                 
            //   7406                 | dec                 eax
            //   e8????????           |                     
            //   90                   | mov                 edx, eax
            //   488b542420           | dec                 eax

        $sequence_6 = { e8???????? 488bd0 488d4d18 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | mov                 edx, eax
            //   488d4d18             | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 ecx, [ebp + 0x338]

        $sequence_7 = { 488bd0 488d8d68010000 e8???????? 90 }
            // n = 4, score = 500
            //   488bd0               | mov                 eax, esp
            //   488d8d68010000       | dec                 eax
            //   e8????????           |                     
            //   90                   | sub                 ecx, eax

        $sequence_8 = { 8bca 33d2 c1e902 f7f1 }
            // n = 4, score = 300
            //   8bca                 | dec                 eax
            //   33d2                 | mov                 edx, eax
            //   c1e902               | dec                 eax
            //   f7f1                 | lea                 ecx, [ebp + 0x188]

        $sequence_9 = { c1e902 f7f1 eb02 33d2 }
            // n = 4, score = 200
            //   c1e902               | dec                 eax
            //   f7f1                 | lea                 ecx, [ebp + 0xb8]
            //   eb02                 | nop                 
            //   33d2                 | dec                 eax

        $sequence_10 = { 8bd6 50 e8???????? 83c408 6a00 6a00 56 }
            // n = 7, score = 100
            //   8bd6                 | div                 ecx
            //   50                   | jmp                 9
            //   e8????????           |                     
            //   83c408               | shr                 ecx, 2
            //   6a00                 | div                 ecx
            //   6a00                 | jmp                 6
            //   56                   | xor                 edx, edx

        $sequence_11 = { 8b4508 8d4d10 51 ff750c 6a20 50 }
            // n = 6, score = 100
            //   8b4508               | xor                 edx, edx
            //   8d4d10               | shr                 ecx, 2
            //   51                   | div                 ecx
            //   ff750c               | jmp                 9
            //   6a20                 | xor                 edx, edx
            //   50                   | mov                 ecx, edx

        $sequence_12 = { 66c7000400 c7400406000000 c7400800000000 eb0b }
            // n = 4, score = 100
            //   66c7000400           | div                 ecx
            //   c7400406000000       | jmp                 0xb
            //   c7400800000000       | xor                 edx, edx
            //   eb0b                 | shr                 ecx, 2

        $sequence_13 = { 6a00 8d8548ddfeff c78548ddfeff00000000 50 6a00 6a00 }
            // n = 6, score = 100
            //   6a00                 | xor                 edx, edx
            //   8d8548ddfeff         | shr                 ecx, 2
            //   c78548ddfeff00000000     | div    ecx
            //   50                   | jmp                 0xb
            //   6a00                 | xor                 edx, edx
            //   6a00                 | add                 esp, 4

        $sequence_14 = { 83c404 8d4da0 c645fc01 e8???????? 0fb7470e 6685c0 744c }
            // n = 7, score = 100
            //   83c404               | dec                 eax
            //   8d4da0               | lea                 ecx, [ebp + 0x1b0]
            //   c645fc01             | mov                 ecx, edx
            //   e8????????           |                     
            //   0fb7470e             | xor                 edx, edx
            //   6685c0               | shr                 ecx, 2
            //   744c                 | div                 ecx

        $sequence_15 = { e8???????? 83c404 c745fc02000000 bb03000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c404               | mov                 ecx, edx
            //   c745fc02000000       | xor                 edx, edx
            //   bb03000000           | shr                 ecx, 2

    condition:
        7 of them and filesize < 4161536
}
Download all Yara Rules