win.innaput_rat (Back to overview)

InnaputRAT


InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.

References
2014-08-07NetScoutASERT Team
@online{team:20140807:innaput:a2516ed, author = {ASERT Team}, title = {{Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files}}, date = {2014-08-07}, organization = {NetScout}, url = {https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/}, language = {English}, urldate = {2019-10-23} } Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
InnaputRAT
Yara Rules
[TLP:WHITE] win_innaput_rat_auto (20230407 | Detects win.innaput_rat.)
// Autogenerated code-sequence signature for InnaputRAT (Malpedia family win.innaput_rat).
// Each $sequence_N is a short run of x86 opcode bytes lifted from the disassembly of
// memory dumps / unpacked samples (see DISCLAIMER below), so the rule is meant for
// unpacked code and memory images; packed on-disk samples are unlikely to match.
rule win_innaput_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.innaput_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat"
        malpedia_rule_date = "20230328"
        // NOTE(review): presumably identifies the Malpedia rule-set revision, not a
        // sample — do not treat it as a file-hash IoC without confirming.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Reading the per-sequence annotations: "n" is the number of instructions in the
    // sequence; "score" appears to be the generator's selection score (not a YARA
    // concept). "????????" wildcards mask a 4-byte operand that changes per build or
    // load address — here it follows the ff15 opcode, an indirect call through a
    // memory slot (typically an import-table entry), so the call target is not pinned.
    strings:
        $sequence_0 = { 894710 ff7604 035e08 ff5708 56 ff5708 59 }
            // n = 7, score = 500
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   ff7604               | push                dword ptr [esi + 4]
            //   035e08               | add                 ebx, dword ptr [esi + 8]
            //   ff5708               | call                dword ptr [edi + 8]
            //   56                   | push                esi
            //   ff5708               | call                dword ptr [edi + 8]
            //   59                   | pop                 ecx

        // $sequence_1, $sequence_2 and $sequence_8 overlap: all three cover parts of the
        // same pointer-chasing loop (lea esi,[edi+0x10] / mov esi,[esi] / cmp [esi],ebx /
        // jne). One hit on that loop can therefore satisfy up to three of the seven
        // matches the condition requires.
        $sequence_1 = { 391e 75fa 6a0c ff5704 }
            // n = 4, score = 500
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   75fa                 | jne                 0xfffffffc
            //   6a0c                 | push                0xc
            //   ff5704               | call                dword ptr [edi + 4]

        $sequence_2 = { 8d7710 eb02 8b36 391e 75fa 6a0c }
            // n = 6, score = 500
            //   8d7710               | lea                 esi, [edi + 0x10]
            //   eb02                 | jmp                 4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   75fa                 | jne                 0xfffffffc
            //   6a0c                 | push                0xc

        // Short and generic (4 bytes, common prologue-style zeroing); this one adds
        // little on its own and relies on the "7 of them" threshold for precision.
        $sequence_3 = { 7514 33db 53 53 }
            // n = 4, score = 500
            //   7514                 | jne                 0x16
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_4 = { 7412 53 ff7604 ff15???????? 85c0 }
            // n = 5, score = 500
            //   7412                 | je                  0x14
            //   53                   | push                ebx
            //   ff7604               | push                dword ptr [esi + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { ff15???????? ffb718060000 ff15???????? 85c0 750c }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   ffb718060000         | push                dword ptr [edi + 0x618]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe

        // NOTE(review): the pushed constants 6, 1, 2 (cdecl order → args 2, 1, 6) followed
        // by an indirect call and a cmp eax,-1 resemble socket(AF_INET, SOCK_STREAM,
        // IPPROTO_TCP) with an INVALID_SOCKET check. Inferred from the constants only;
        // confirm against the sample before relying on it for triage.
        $sequence_6 = { 53 6a06 6a01 6a02 ff15???????? 89460c 83f8ff }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   6a06                 | push                6
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   83f8ff               | cmp                 eax, -1

        $sequence_7 = { ff15???????? 85c0 7413 3bc6 740f 8b4d08 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   3bc6                 | cmp                 eax, esi
            //   740f                 | je                  0x11
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_8 = { 8945fc ff15???????? 8d7710 eb02 8b36 391e }
            // n = 6, score = 500
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   8d7710               | lea                 esi, [edi + 0x10]
            //   eb02                 | jmp                 4
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   391e                 | cmp                 dword ptr [esi], ebx

        $sequence_9 = { 8bc8 2bf1 8a08 884c0616 40 }
            // n = 5, score = 500
            //   8bc8                 | mov                 ecx, eax
            //   2bf1                 | sub                 esi, ecx
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   884c0616             | mov                 byte ptr [esi + eax + 0x16], cl
            //   40                   | inc                 eax

    // At least 7 of the 10 sequences must be present, and the scanned object must be
    // smaller than 73728 bytes (72 KiB). The size cap limits false positives and scan
    // cost, but it also means larger objects (e.g. a sample bundled into a bigger file
    // or dumped with extra regions) will never match regardless of content.
    condition:
        7 of them and filesize < 73728
}