SYMBOLCOMMON_NAMEaka. SYNONYMS
win.halfrig (Back to overview)

HALFRIG

Actor(s): APT29

A stager used by APT29 to deploy CobaltStrike.

References
2023-04-13GOV.PLMilitary Counterintelligence Service, CERT.PL
@online{service:20230413:halfrig:787dcfb, author = {Military Counterintelligence Service and CERT.PL}, title = {{HALFRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb}, language = {English}, urldate = {2023-06-01} } HALFRIG - Malware Analysis Report
HALFRIG
Yara Rules
[TLP:WHITE] win_halfrig_auto (20230715 | Detects win.halfrig.)
rule win_halfrig_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.halfrig."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d0de8b50600 e8???????? 40383d???????? 7435 488bd3 4c8bc7 }
            // n = 6, score = 100
            //   488d0de8b50600       | lea                 ecx, [0x46e1b]
            //   e8????????           |                     
            //   40383d????????       |                     
            //   7435                 | jne                 0x13ff
            //   488bd3               | dec                 eax
            //   4c8bc7               | lea                 ecx, [0x48223]

        $sequence_1 = { 4883ea01 75ad 0fb600 4c8d3db3cd0600 8801 418b06 3905???????? }
            // n = 7, score = 100
            //   4883ea01             | mov                 eax, edi
            //   75ad                 | dec                 eax
            //   0fb600               | lea                 ecx, [0x59cb8]
            //   4c8d3db3cd0600       | je                  0x1e56
            //   8801                 | dec                 eax
            //   418b06               | mov                 edx, ebx
            //   3905????????         |                     

        $sequence_2 = { e8???????? 403835???????? 4c8d0deb850400 743d 488bd7 4c8bc6 6666660f1f840000000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   403835????????       |                     
            //   4c8d0deb850400       | dec                 esp
            //   743d                 | lea                 ecx, [0x4a1e0]
            //   488bd7               | je                  0x92
            //   4c8bc6               | dec                 esp
            //   6666660f1f840000000000     | lea    ecx, [0x46e57]

        $sequence_3 = { e8???????? 488d0d28080900 e8???????? 40383d???????? 7435 488bd3 4c8bc7 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d0d28080900       | je                  0x410
            //   e8????????           |                     
            //   40383d????????       |                     
            //   7435                 | dec                 esp
            //   488bd3               | lea                 ecx, [0x46964]
            //   4c8bc7               | je                  0x417

        $sequence_4 = { e8???????? ffd0 2bc3 3de8030000 730a b801000000 e9???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ffd0                 | mov                 edx, ebx
            //   2bc3                 | dec                 eax
            //   3de8030000           | lea                 ecx, [0x8c598]
            //   730a                 | je                  0x1369
            //   b801000000           | nop                 word ptr [eax + eax]
            //   e9????????           |                     

        $sequence_5 = { c705????????227a62bf 66c705????????6f9f c605????????f7 e8???????? 403835???????? 4c8d0d677b0400 }
            // n = 6, score = 100
            //   c705????????227a62bf     |     
            //   66c705????????6f9f     |     
            //   c605????????f7       |                     
            //   e8????????           |                     
            //   403835????????       |                     
            //   4c8d0d677b0400       | dec                 eax

        $sequence_6 = { 0fb600 4c8d3d83ae0600 8801 418b06 3905???????? 0f8ea3000000 488d0d37920800 }
            // n = 7, score = 100
            //   0fb600               | dec                 eax
            //   4c8d3d83ae0600       | lea                 ecx, [0x44b4d]
            //   8801                 | dec                 eax
            //   418b06               | mov                 dword ptr [ecx + eax], 2
            //   3905????????         |                     
            //   0f8ea3000000         | mov                 eax, 8
            //   488d0d37920800       | dec                 eax

        $sequence_7 = { 0f1149f0 4883ea01 75ad 0fb600 4c8d3de30c0700 8801 65488b042558000000 }
            // n = 7, score = 100
            //   0f1149f0             | jle                 0x1ed6
            //   4883ea01             | dec                 eax
            //   75ad                 | lea                 ecx, [0x8e128]
            //   0fb600               | inc                 ecx
            //   4c8d3de30c0700       | mov                 eax, dword ptr [esi]
            //   8801                 | jle                 0x1ee6
            //   65488b042558000000     | dec    eax

        $sequence_8 = { 4c03e2 418b0424 3905???????? 7e34 488d0d8d660400 e8???????? 833d????????ff }
            // n = 7, score = 100
            //   4c03e2               | jle                 0x69d
            //   418b0424             | dec                 eax
            //   3905????????         |                     
            //   7e34                 | lea                 ecx, [0x49c64]
            //   488d0d8d660400       | dec                 esp
            //   e8????????           |                     
            //   833d????????ff       |                     

        $sequence_9 = { 488d542420 e8???????? 488d0d10830700 e8???????? 40383d???????? 7435 }
            // n = 6, score = 100
            //   488d542420           | mov                 byte ptr [ecx], al
            //   e8????????           |                     
            //   488d0d10830700       | inc                 ecx
            //   e8????????           |                     
            //   40383d????????       |                     
            //   7435                 | mov                 eax, dword ptr [esi]

    condition:
        7 of them and filesize < 1369088
}
Download all Yara Rules