SYMBOLCOMMON_NAMEaka. SYNONYMS
win.darkrat (Back to overview)

DarkRat


There is no description at this point.

References
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:darkrat:51d2ef8, author = {Albert Zsigovits}, title = {{DarkRat v2.2.0}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md}, language = {English}, urldate = {2020-01-09} } DarkRat v2.2.0
DarkRat
2019-12-23FR3D.HKFred HK
@online{hk:20191223:darkrat:953f204, author = {Fred HK}, title = {{DarkRat - Hacking a malware control panel}}, date = {2019-12-23}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel}, language = {English}, urldate = {2022-04-15} } DarkRat - Hacking a malware control panel
DarkRat
Yara Rules
[TLP:WHITE] win_darkrat_auto (20220411 | Detects win.darkrat.)
rule win_darkrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.darkrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c408 8945f0 85c0 7446 8bd0 b805000000 2bd6 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85c0                 | test                eax, eax
            //   7446                 | je                  0x48
            //   8bd0                 | mov                 edx, eax
            //   b805000000           | mov                 eax, 5
            //   2bd6                 | sub                 edx, esi

        $sequence_1 = { 6a00 ff15???????? 85c0 7445 8bc6 8b4df4 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7445                 | je                  0x47
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_2 = { 8bf0 c745fcffffffff 83c404 85f6 743b }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   743b                 | je                  0x3d

        $sequence_3 = { c7431000000000 c743140f000000 c60300 bf01000000 }
            // n = 4, score = 200
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   c743140f000000       | mov                 dword ptr [ebx + 0x14], 0xf
            //   c60300               | mov                 byte ptr [ebx], 0
            //   bf01000000           | mov                 edi, 1

        $sequence_4 = { 5d c3 8d4dd4 e8???????? 68???????? 8d45d4 }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d4dd4               | lea                 ecx, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45d4               | lea                 eax, dword ptr [ebp - 0x2c]

        $sequence_5 = { 8b03 51 03f8 52 57 e8???????? 8b45c8 }
            // n = 7, score = 200
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   51                   | push                ecx
            //   03f8                 | add                 edi, eax
            //   52                   | push                edx
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]

        $sequence_6 = { c745fcffffffff 83c404 85f6 743b 6a00 }
            // n = 5, score = 200
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   743b                 | je                  0x3d
            //   6a00                 | push                0

        $sequence_7 = { 51 52 c645d000 ff75d0 51 8bcb }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   c645d000             | mov                 byte ptr [ebp - 0x30], 0
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx

        $sequence_8 = { ff520c 83f8ff 750a bb04000000 895ddc }
            // n = 5, score = 200
            //   ff520c               | call                dword ptr [edx + 0xc]
            //   83f8ff               | cmp                 eax, -1
            //   750a                 | jne                 0xc
            //   bb04000000           | mov                 ebx, 4
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx

        $sequence_9 = { 53 e8???????? 33ff 837de810 56 8b10 895510 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   837de810             | cmp                 dword ptr [ebp - 0x18], 0x10
            //   56                   | push                esi
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   895510               | mov                 dword ptr [ebp + 0x10], edx

    condition:
        7 of them and filesize < 884736
}
[TLP:WHITE] win_darkrat_w0   (20191012 | No description)
rule win_darkrat_w0 {
    meta:
        author = "Albert Zsigovits"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_version = "20191012"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
            
    strings:
	    $pdb = "C:\\Users\\darkspider" ascii wide
	    $cmd = "cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" ascii wide

	    $guid1 = "SOFTWARE\\Microsoft\\Cryptography" ascii wide
	    $guid2 = "MachineGuid" ascii wide

	    $persi1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
	    $persi2 = "WinSystem32" ascii wide

	    $bin = "pastebin.com/raw/" ascii wide
	    $import0 = "NtUnmapViewOfSection" ascii wide
	    $import1 = "WriteProcessMemory" ascii wide
	    $import2 = "ResumeThread" ascii wide
	    $import3 = "GetNativeSystemInfo" ascii wide
	    $import4 = "URLOpenBlockingStream" ascii wide
	    $import5 = "VirtualFree" ascii wide
	    $import6 = "VirtualAlloc" ascii wide
	    $import7 = "GetModuleHandle" ascii wide
	    $import8 = "LoadLibrary" ascii wide
	    $import9 = "CreateMutex" ascii wide

	    $vbs0 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")" ascii wide
	    $vbs1 = "Set objWMIService = GetObject(\"winmgmts:\\\\\" & sComputerName & \"\\root\\cimv2\")" ascii wide
	    $vbs2 = "Set objItems = objWMIService.ExecQuery(sQuery)" ascii wide
	    $vbs3 = "sQuery = \"SELECT * FROM Win32_Process\"" ascii wide
	    $vbs4 = "wscript.exe" ascii wide

	    $net0 = "POST" ascii wide
	    $net1 = "&taskid=" ascii wide
	    $net2 = "&taskstatus=" ascii wide
	    $net3 = "&spreadtag=" ascii wide
	    $net4 = "&operingsystem=" ascii wide
	    $net5 = "&arch=" ascii wide
	    $net6 = "&cpuName=" ascii wide
	    $net7 = "&gpuName=" ascii wide
	    $net8 = "&botversion=" ascii wide
	    $net9 = "&antivirus=" ascii wide
	    $net10 = "&netFramework4=" ascii wide
	    $net11 = "&netFramework35=" ascii wide
	    $net12 = "&netFramework3=" ascii wide
	    $net13 = "&netFramework2=" ascii wide
	    $net14 = "&installedRam=" ascii wide
	    $net15 = "&aornot=" ascii wide
	    $net16 = "&computername=" ascii wide
	    $net17 = "hwid=" ascii wide
	    $net18 = "request=" ascii wide

    condition:
	    $pdb or $cmd or ( all of ($guid*) and all of ($persi*) ) or ( 3 of ($vbs*) ) or ( all of ($import*) and $bin ) or ( all of ($net*) )
}
[TLP:WHITE] win_darkrat_w1   (20191012 | Darkrat)
rule win_darkrat_w1 {
    meta:
        description = "Darkrat"
        author = "James_inthe_box"
        reference = "https://github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2"
        date = "2019/08"
        maltype = "RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
        malpedia_version = "20191012"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:
        $string1 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")"
        $string2 = "&taskstatus="
        $string3 = "network reset"
        $string4 = "text/plain"
        $string5 = "&antivirus="
        $string6 = "request="
        $string7 = "&arch="
 
    condition:
        all of ($string*)
}
Download all Yara Rules