SYMBOLCOMMON_NAMEaka. SYNONYMS
win.darkrat (Back to overview)

DarkRat


There is no description at this point.

References
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:darkrat:51d2ef8, author = {Albert Zsigovits}, title = {{DarkRat v2.2.0}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md}, language = {English}, urldate = {2020-01-09} } DarkRat v2.2.0
DarkRat
2019-12-23FR3D.HKFred HK
@online{hk:20191223:darkrat:953f204, author = {Fred HK}, title = {{DarkRat - Hacking a malware control panel}}, date = {2019-12-23}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel}, language = {English}, urldate = {2022-04-15} } DarkRat - Hacking a malware control panel
DarkRat
Yara Rules
[TLP:WHITE] win_darkrat_auto (20230125 | Detects win.darkrat.)
rule win_darkrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.darkrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897dd8 895ddc 8b4104 8b743820 }
            // n = 4, score = 200
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   8b743820             | mov                 esi, dword ptr [eax + edi + 0x20]

        $sequence_1 = { 8bcb e8???????? 8b75b8 c645fc01 }
            // n = 4, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1

        $sequence_2 = { 837de810 56 8b10 895510 8b4804 }
            // n = 5, score = 200
            //   837de810             | cmp                 dword ptr [ebp - 0x18], 0x10
            //   56                   | push                esi
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   895510               | mov                 dword ptr [ebp + 0x10], edx
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]

        $sequence_3 = { e8???????? 83cf02 897dd4 c645fc02 8d55b8 837dcc10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83cf02               | or                  edi, 2
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   837dcc10             | cmp                 dword ptr [ebp - 0x34], 0x10

        $sequence_4 = { c60000 be???????? 6a06 894708 }
            // n = 4, score = 200
            //   c60000               | mov                 byte ptr [eax], 0
            //   be????????           |                     
            //   6a06                 | push                6
            //   894708               | mov                 dword ptr [edi + 8], eax

        $sequence_5 = { 897dd4 c645fc02 8d55b8 837dcc10 8b75b8 }
            // n = 5, score = 200
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   837dcc10             | cmp                 dword ptr [ebp - 0x34], 0x10
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        $sequence_6 = { c645fc01 8b45cc 83f810 7227 8d4801 }
            // n = 5, score = 200
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   83f810               | cmp                 eax, 0x10
            //   7227                 | jb                  0x29
            //   8d4801               | lea                 ecx, [eax + 1]

        $sequence_7 = { 8938 e8???????? b804000000 8b4df4 }
            // n = 4, score = 200
            //   8938                 | mov                 dword ptr [eax], edi
            //   e8????????           |                     
            //   b804000000           | mov                 eax, 4
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_8 = { 8bcb e8???????? 8b75b8 c645fc01 8b45cc 83f810 7227 }
            // n = 7, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   83f810               | cmp                 eax, 0x10
            //   7227                 | jb                  0x29

        $sequence_9 = { 6802000080 ff15???????? 85c0 7470 83f802 756b 6a05 }
            // n = 7, score = 200
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7470                 | je                  0x72
            //   83f802               | cmp                 eax, 2
            //   756b                 | jne                 0x6d
            //   6a05                 | push                5

    condition:
        7 of them and filesize < 884736
}
[TLP:WHITE] win_darkrat_w0   (20191012 | No description)
rule win_darkrat_w0 {
    meta:
        author = "Albert Zsigovits"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_version = "20191012"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
            
    strings:
	    $pdb = "C:\\Users\\darkspider" ascii wide
	    $cmd = "cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" ascii wide

	    $guid1 = "SOFTWARE\\Microsoft\\Cryptography" ascii wide
	    $guid2 = "MachineGuid" ascii wide

	    $persi1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
	    $persi2 = "WinSystem32" ascii wide

	    $bin = "pastebin.com/raw/" ascii wide
	    $import0 = "NtUnmapViewOfSection" ascii wide
	    $import1 = "WriteProcessMemory" ascii wide
	    $import2 = "ResumeThread" ascii wide
	    $import3 = "GetNativeSystemInfo" ascii wide
	    $import4 = "URLOpenBlockingStream" ascii wide
	    $import5 = "VirtualFree" ascii wide
	    $import6 = "VirtualAlloc" ascii wide
	    $import7 = "GetModuleHandle" ascii wide
	    $import8 = "LoadLibrary" ascii wide
	    $import9 = "CreateMutex" ascii wide

	    $vbs0 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")" ascii wide
	    $vbs1 = "Set objWMIService = GetObject(\"winmgmts:\\\\\" & sComputerName & \"\\root\\cimv2\")" ascii wide
	    $vbs2 = "Set objItems = objWMIService.ExecQuery(sQuery)" ascii wide
	    $vbs3 = "sQuery = \"SELECT * FROM Win32_Process\"" ascii wide
	    $vbs4 = "wscript.exe" ascii wide

	    $net0 = "POST" ascii wide
	    $net1 = "&taskid=" ascii wide
	    $net2 = "&taskstatus=" ascii wide
	    $net3 = "&spreadtag=" ascii wide
	    $net4 = "&operingsystem=" ascii wide
	    $net5 = "&arch=" ascii wide
	    $net6 = "&cpuName=" ascii wide
	    $net7 = "&gpuName=" ascii wide
	    $net8 = "&botversion=" ascii wide
	    $net9 = "&antivirus=" ascii wide
	    $net10 = "&netFramework4=" ascii wide
	    $net11 = "&netFramework35=" ascii wide
	    $net12 = "&netFramework3=" ascii wide
	    $net13 = "&netFramework2=" ascii wide
	    $net14 = "&installedRam=" ascii wide
	    $net15 = "&aornot=" ascii wide
	    $net16 = "&computername=" ascii wide
	    $net17 = "hwid=" ascii wide
	    $net18 = "request=" ascii wide

    condition:
	    $pdb or $cmd or ( all of ($guid*) and all of ($persi*) ) or ( 3 of ($vbs*) ) or ( all of ($import*) and $bin ) or ( all of ($net*) )
}
[TLP:WHITE] win_darkrat_w1   (20191012 | Darkrat)
rule win_darkrat_w1 {
    meta:
        description = "Darkrat"
        author = "James_inthe_box"
        reference = "https://github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2"
        date = "2019/08"
        maltype = "RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_version = "20191012"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:
        $string1 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")"
        $string2 = "&taskstatus="
        $string3 = "network reset"
        $string4 = "text/plain"
        $string5 = "&antivirus="
        $string6 = "request="
        $string7 = "&arch="
 
    condition:
        all of ($string*)
}
Download all Yara Rules