ExplosiveRAT (Malware Family)

ExplosiveRAT

There is no description at this point.
References

2022-10-03 ⋅ Kaspersky Labs ⋅ GReAT
DeftTorero: tactics, techniques and procedures of intrusions revealed
Nightrunner Tunna ASPXSpy LaZagne ExplosiveRAT reGeorg Volatile Cedar
Yara Rules

[TLP:WHITE] win_explosive_rat_auto (20230715 | Detects win.explosive_rat.)
rule win_explosive_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.explosive_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e0ef 83c802 66a90c01 89460c 895e04 895d0c 7525 }
            // n = 7, score = 100
            //   83e0ef               | and                 eax, 0xffffffef
            //   83c802               | or                  eax, 2
            //   66a90c01             | test                ax, 0x10c
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   895d0c               | mov                 dword ptr [ebp + 0xc], ebx
            //   7525                 | jne                 0x27

        $sequence_1 = { 8d8dd4feffff e8???????? 8d8d10feffff e8???????? 8d4dd0 e8???????? 8d8d9cfeffff }
            // n = 7, score = 100
            //   8d8dd4feffff         | lea                 ecx, [ebp - 0x12c]
            //   e8????????           |                     
            //   8d8d10feffff         | lea                 ecx, [ebp - 0x1f0]
            //   e8????????           |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   8d8d9cfeffff         | lea                 ecx, [ebp - 0x164]

        $sequence_2 = { 68???????? 52 e8???????? 0fb74c2420 0fb754241e 51 0fb74c2420 }
            // n = 7, score = 100
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   0fb74c2420           | movzx               ecx, word ptr [esp + 0x20]
            //   0fb754241e           | movzx               edx, word ptr [esp + 0x1e]
            //   51                   | push                ecx
            //   0fb74c2420           | movzx               ecx, word ptr [esp + 0x20]

        $sequence_3 = { 50 b9???????? e8???????? 8bce e8???????? bb10000000 391d???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   b9????????           |                     
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   bb10000000           | mov                 ebx, 0x10
            //   391d????????         |                     

        $sequence_4 = { 55 8b6c2410 8bd9 7431 837b1808 722b 85ed }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   8bd9                 | mov                 ebx, ecx
            //   7431                 | je                  0x33
            //   837b1808             | cmp                 dword ptr [ebx + 0x18], 8
            //   722b                 | jb                  0x2d
            //   85ed                 | test                ebp, ebp

        $sequence_5 = { 8bef 7702 8be9 85ed 7506 5d 5f }
            // n = 7, score = 100
            //   8bef                 | mov                 ebp, edi
            //   7702                 | ja                  4
            //   8be9                 | mov                 ebp, ecx
            //   85ed                 | test                ebp, ebp
            //   7506                 | jne                 8
            //   5d                   | pop                 ebp
            //   5f                   | pop                 edi

        $sequence_6 = { 68???????? e8???????? 56 e8???????? 83c404 8bcc 68???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_7 = { 8bf1 89442428 8b4614 6a20 33db 50 8d4c2414 }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   6a20                 | push                0x20
            //   33db                 | xor                 ebx, ebx
            //   50                   | push                eax
            //   8d4c2414             | lea                 ecx, [esp + 0x14]

        $sequence_8 = { 894510 8b7d24 833e00 0f857b020000 807d1000 7508 8d4d0c }
            // n = 7, score = 100
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   8b7d24               | mov                 edi, dword ptr [ebp + 0x24]
            //   833e00               | cmp                 dword ptr [esi], 0
            //   0f857b020000         | jne                 0x281
            //   807d1000             | cmp                 byte ptr [ebp + 0x10], 0
            //   7508                 | jne                 0xa
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]

        $sequence_9 = { 894e08 895604 8b10 6aff 8d4e10 89560c 6a00 }
            // n = 7, score = 100
            //   894e08               | mov                 dword ptr [esi + 8], ecx
            //   895604               | mov                 dword ptr [esi + 4], edx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6aff                 | push                -1
            //   8d4e10               | lea                 ecx, [esi + 0x10]
            //   89560c               | mov                 dword ptr [esi + 0xc], edx
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 855040
}
Download all Yara Rules
ExplosiveRAT Propose Change

References

Yara Rules

ExplosiveRAT
