win.hi_zor_rat

Hi-Zor RAT


Malpedia has no description of this family yet; the Fidelis Cybersecurity write-up listed under References is the primary public source.

References
2016-01-27Fidelis CybersecurityThreat Research Team
@online{team:20160127:introducing:20c8f54, author = {Threat Research Team}, title = {{Introducing Hi-Zor RAT}}, date = {2016-01-27}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat}, language = {English}, urldate = {2020-01-08} } Introducing Hi-Zor RAT
Hi-Zor RAT
Yara Rules
[TLP:WHITE] win_hi_zor_rat_auto (20230715 | Detects win.hi_zor_rat.)
rule win_hi_zor_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.hi_zor_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the metadata carries three different dates (date,
     * malpedia_rule_date, malpedia_version); they are generator artefacts.
     * Use malpedia_hash to pin the exact rule revision when tracking provenance.
     */

    strings:
        /* Each $sequence_N is a short run of x86 (32-bit) instruction bytes lifted
         * from the sample's disassembly. The "??" wildcards cover operands that
         * change per build or load address - rel32 call targets after e8, absolute
         * memory operands after ff15, imm32 after b9 - so the rule keys on opcode
         * shape rather than on concrete addresses. "n" is the instruction count
         * of the sequence and "score" is yara-signator's selectivity estimate;
         * neither is a YARA construct.
         */

        // Call wrapper tail: pushes two arguments, passes a third in eax, pops edi.
        $sequence_0 = { 8b5508 51 52 8bc7 e8???????? 5f }
            // n = 6, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   5f                   | pop                 edi

        // cdecl call with three stack arguments (add esp, 0xc cleans up 3 dwords).
        $sequence_1 = { 53 895dec e8???????? 8b450c 83c40c 57 }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c40c               | add                 esp, 0xc
            //   57                   | push                edi

        // Zeroes a local and an out-pointer, then tests the result of an
        // imported (ff15 = call [mem]) function.
        $sequence_2 = { 895dec 891e ff15???????? 85c0 }
            // n = 4, score = 200
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   891e                 | mov                 dword ptr [esi], ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // and/or/add arithmetic over a structure at eax (+0x1c, +0x5c, +0x18);
        // together with $sequence_6 this looks like an unrolled hash/round
        // function - an inference from the opcode mix, not confirmed here.
        $sequence_3 = { 89581c 23df 0bde 03585c 8975fc 8b7018 }
            // n = 6, score = 200
            //   89581c               | mov                 dword ptr [eax + 0x1c], ebx
            //   23df                 | and                 ebx, edi
            //   0bde                 | or                  ebx, esi
            //   03585c               | add                 ebx, dword ptr [eax + 0x5c]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8b7018               | mov                 esi, dword ptr [eax + 0x18]

        // Sentinel check (esi == -1) followed by a 16-bit compare loop head over
        // a stack buffer at ebp-0x440 against a constant address loaded into ecx
        // (wildcarded). The stray nop (90) is part of the matched bytes.
        $sequence_4 = { 83feff 0f8475010000 b9???????? 8d85c0fbffff 90 668b10 663b11 }
            // n = 7, score = 200
            //   83feff               | cmp                 esi, -1
            //   0f8475010000         | je                  0x17b
            //   b9????????           |                     
            //   8d85c0fbffff         | lea                 eax, [ebp - 0x440]
            //   90                   | nop                 
            //   668b10               | mov                 dx, word ptr [eax]
            //   663b11               | cmp                 dx, word ptr [ecx]

        // Import call with a NULL argument, then a call with (buf, 0, 0xc8) where
        // buf is a 0x138-byte-offset stack buffer - argument order is consistent
        // with a memset/fill-style helper, but the callee is wildcarded.
        $sequence_5 = { 6a00 ff15???????? 68c8000000 8d85c8feffff 6a00 50 e8???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   68c8000000           | push                0xc8
            //   8d85c8feffff         | lea                 eax, [ebp - 0x138]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
        // and/not/or/add over structure fields at eax (+0x14, +0x48); see note
        // on $sequence_3.
        $sequence_6 = { 23f7 8bdf 8b7814 f7d3 235814 0bde 035848 }
            // n = 7, score = 200
            //   23f7                 | and                 esi, edi
            //   8bdf                 | mov                 ebx, edi
            //   8b7814               | mov                 edi, dword ptr [eax + 0x14]
            //   f7d3                 | not                 ebx
            //   235814               | and                 ebx, dword ptr [eax + 0x14]
            //   0bde                 | or                  ebx, esi
            //   035848               | add                 ebx, dword ptr [eax + 0x48]

        // Import call with one stack argument cleaned up, then a stack buffer
        // at ebp-0x460 pushed for the next call.
        $sequence_7 = { ff15???????? 83c404 8d85a0fbffff 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]
            //   50                   | push                eax

        // Saves a return value, then sets up a (0, 0x40e) argument pair and a
        // stack buffer at ebp-0x936 - 0x40e bytes with a zero argument is a
        // common clear-buffer shape, but only the sizes are visible here.
        $sequence_8 = { 89853cffffff e8???????? 33c0 680e040000 50 8d8dcaf6ffff }
            // n = 6, score = 200
            //   89853cffffff         | mov                 dword ptr [ebp - 0xc4], eax
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   680e040000           | push                0x40e
            //   50                   | push                eax
            //   8d8dcaf6ffff         | lea                 ecx, [ebp - 0x936]

        // Six consecutive dword stores of constants into adjacent stack slots
        // (ebp-0x9c .. ebp-0x88): a table or string assembled on the stack at
        // runtime. The byte pairs (25 00, 39 00, 30 00, 22 00, ...) decode as
        // UTF-16LE printable characters, so this may be a stack-built wide
        // string - possibly still encoded; confirm against the sample. This is
        // the most sample-specific of the ten sequences.
        $sequence_9 = { c78564ffffff25003900 c78568ffffff30002200 c7856cffffff0a000100 c78570ffffff3f003800 c78574ffffff32003900 c78578ffffff21002500 }
            // n = 6, score = 200
            //   c78564ffffff25003900     | mov    dword ptr [ebp - 0x9c], 0x390025
            //   c78568ffffff30002200     | mov    dword ptr [ebp - 0x98], 0x220030
            //   c7856cffffff0a000100     | mov    dword ptr [ebp - 0x94], 0x1000a
            //   c78570ffffff3f003800     | mov    dword ptr [ebp - 0x90], 0x38003f
            //   c78574ffffff32003900     | mov    dword ptr [ebp - 0x8c], 0x390032
            //   c78578ffffff21002500     | mov    dword ptr [ebp - 0x88], 0x250021

    condition:
        /* Any 7 of the 10 sequences must be present, and the scanned object must
         * be smaller than 72 KiB (73728 bytes). The size cap applies to whatever
         * YARA is scanning: an unpacked binary or a dumped module of that size
         * matches, but a packed, padded or otherwise larger on-disk sample will
         * not, even if it carries the same code. Relax or drop the cap for
         * hunting/triage scans where a missed sample costs more than a false
         * positive, and keep in mind (per the disclaimer above) that the
         * sequences were derived from a single sample.
         */
        7 of them and filesize < 73728
}