CRAT (Malware Family)

CRAT

VTCollection

According to Cisco Talos, CRAT is a remote access trojan with plugin capabilites, used by Lazarus since at least May 2020.

References

2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader

2020-11-12 ⋅ Talos ⋅ Asheer Malhotra
CRAT wants to plunder your endpoints
CRAT

2020-09-16 ⋅ Qianxin ⋅ Red Raindrop Team
Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons
CRAT

2020-04-14 ⋅ ⋅ Qianxin ⋅ Qi'anxin Threat Intelligence
The Lazarus APT organization uses the new crown epidemic bait to target a targeted attack analysis of a country
CRAT

2020-04-09 ⋅ ⋅ suspected.tistory.com ⋅ hmkang92
Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)
CRAT

Yara Rules

[TLP:WHITE] win_crat_auto (20230808 | Detects win.crat.)

rule win_crat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.crat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488bd0 488d8d90010000 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | nop                 
            //   488d8d90010000       | je                  8
            //   e8????????           |                     
            //   90                   | nop                 

        $sequence_1 = { e8???????? 488bd0 488d8d88000000 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | dec                 eax
            //   488d8d88000000       | mov                 edx, eax
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_2 = { 7406 e8???????? 90 488b542420 4883c2e8 }
            // n = 5, score = 500
            //   7406                 | mov                 eax, esp
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488b542420           | sub                 ecx, eax
            //   4883c2e8             | dec                 eax

        $sequence_3 = { e8???????? 488bc8 4885c0 7433 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   488bc8               | dec                 eax
            //   4885c0               | mov                 edx, dword ptr [esp + 0x20]
            //   7433                 | dec                 eax

        $sequence_4 = { e8???????? 488bd0 488d8da8010000 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | mov                 edx, eax
            //   488d8da8010000       | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 ecx, [ebp + 0x58]

        $sequence_5 = { 48f7c20000ffff 7523 0fb7fa 8bcf e8???????? 4885c0 7427 }
            // n = 7, score = 500
            //   48f7c20000ffff       | lea                 ecx, [ebp + 0x88]
            //   7523                 | nop                 
            //   0fb7fa               | dec                 eax
            //   8bcf                 | test                edx, 0xffff0000
            //   e8????????           |                     
            //   4885c0               | jne                 0x2c
            //   7427                 | movzx               edi, dx

        $sequence_6 = { e8???????? 488bd0 488d4d58 e8???????? 90 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   488bd0               | je                  0x2c
            //   488d4d58             | jmp                 0xffffffd2
            //   e8????????           |                     
            //   90                   | dec                 ecx

        $sequence_7 = { ebd0 498bc4 48833d????????10 480f4305???????? 482bc8 }
            // n = 5, score = 500
            //   ebd0                 | mov                 ecx, edi
            //   498bc4               | dec                 eax
            //   48833d????????10     |                     
            //   480f4305????????     |                     
            //   482bc8               | test                eax, eax

        $sequence_8 = { 33d2 c1e902 f7f1 eb02 }
            // n = 4, score = 300
            //   33d2                 | dec                 eax
            //   c1e902               | mov                 edx, eax
            //   f7f1                 | dec                 eax
            //   eb02                 | lea                 ecx, [ebp + 0x190]

        $sequence_9 = { ffd0 85c0 750f ff15???????? }
            // n = 4, score = 300
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   ff15????????         |                     

        $sequence_10 = { 8bcb e8???????? 8b55d8 8b4b0c }
            // n = 4, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]

        $sequence_11 = { 8bcb e8???????? 8b4b0c 8d4101 }
            // n = 4, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   8d4101               | lea                 eax, [ecx + 1]

        $sequence_12 = { 8b4004 8bca 3bc2 0f47c8 51 8b4d10 e8???????? }
            // n = 7, score = 200
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   8bca                 | mov                 ecx, edx
            //   3bc2                 | cmp                 eax, edx
            //   0f47c8               | cmova               ecx, eax
            //   51                   | push                ecx
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   e8????????           |                     

        $sequence_13 = { 8b4b0c 8d4101 89430c c60100 8b4dd4 41 }
            // n = 6, score = 200
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   8d4101               | lea                 eax, [ecx + 1]
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   41                   | inc                 ecx

        $sequence_14 = { 8b4324 668948fe c740f800000000 c740f400000000 c740f000000000 5f 5e }
            // n = 7, score = 200
            //   8b4324               | mov                 eax, dword ptr [ebx + 0x24]
            //   668948fe             | mov                 word ptr [eax - 2], cx
            //   c740f800000000       | mov                 dword ptr [eax - 8], 0
            //   c740f400000000       | mov                 dword ptr [eax - 0xc], 0
            //   c740f000000000       | mov                 dword ptr [eax - 0x10], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_15 = { 8b5508 0f57c0 56 8b750c b896000000 f30f7f01 }
            // n = 6, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0f57c0               | xorps               xmm0, xmm0
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   b896000000           | mov                 eax, 0x96
            //   f30f7f01             | movdqu              xmmword ptr [ecx], xmm0

        $sequence_16 = { 8b4b0c 8d4101 89430c 8a45d3 8801 8b4dd4 41 }
            // n = 7, score = 200
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   8d4101               | lea                 eax, [ecx + 1]
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   8a45d3               | mov                 al, byte ptr [ebp - 0x2d]
            //   8801                 | mov                 byte ptr [ecx], al
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   41                   | inc                 ecx

    condition:
        7 of them and filesize < 4161536
}

Download all Yara Rules

CRAT Propose Change

References

Yara Rules

CRAT