win.innaput_rat (Back to overview)

InnaputRAT


InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.

References
2014-08-07NetScoutASERT Team
@online{team:20140807:innaput:a2516ed, author = {ASERT Team}, title = {{Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files}}, date = {2014-08-07}, organization = {NetScout}, url = {https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/}, language = {English}, urldate = {2019-10-23} } Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
InnaputRAT
Yara Rules
[TLP:WHITE] win_innaput_rat_auto (20221125 | Detects win.innaput_rat.)
// Auto-generated code-sequence signature for InnaputRAT (see the meta block and
// the DISCLAIMER below). Each string is a short run of x86 instruction bytes
// lifted from disassembly; the condition requires most of them plus a size bound.
rule win_innaput_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.innaput_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings below:
     *  - each $sequence_N is a hex pattern of consecutive instruction bytes;
     *    "??" is a YARA wildcard that matches any single byte.
     *  - "n" in the per-string comment is the number of instructions in the
     *    sequence; "score" is the selection score reported by yara-signator
     *    (500 for every sequence here).
     *  - the operands of ff15 ???????? (call through an absolute pointer),
     *    e8 ???????? (call rel32) and e9 ???????? (jmp rel32) are wildcarded
     *    because they encode addresses that differ between builds; the
     *    generator leaves the mnemonic column blank for those.
     *  - several sequences overlap: $sequence_5 and $sequence_8 share the five
     *    instructions storing [ebp+0x10..0x14] into [esi+0x618..0x61c], and
     *    $sequence_6 is the tail of $sequence_9. The "7 of them" threshold is
     *    therefore weaker than seven independent hits would suggest.
     */
    strings:
        $sequence_0 = { eb1a 68c8000000 6a00 ff7510 }
            // n = 4, score = 500
            //   eb1a                 | jmp                 0x1c
            //   68c8000000           | push                0xc8
            //   6a00                 | push                0
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_1 = { ff5708 56 ff5708 59 59 3b5d08 }
            // n = 6, score = 500
            //   ff5708               | call                dword ptr [edi + 8]
            //   56                   | push                esi
            //   ff5708               | call                dword ptr [edi + 8]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   3b5d08               | cmp                 ebx, dword ptr [ebp + 8]

        $sequence_2 = { 394608 7721 8b06 894710 }
            // n = 4, score = 500
            //   394608               | cmp                 dword ptr [esi + 8], eax
            //   7721                 | ja                  0x23
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   894710               | mov                 dword ptr [edi + 0x10], eax

        $sequence_3 = { 85c0 7427 ffb720060000 8d8f1c060000 51 ffb718060000 }
            // n = 6, score = 500
            //   85c0                 | test                eax, eax
            //   7427                 | je                  0x29
            //   ffb720060000         | push                dword ptr [edi + 0x620]
            //   8d8f1c060000         | lea                 ecx, [edi + 0x61c]
            //   51                   | push                ecx
            //   ffb718060000         | push                dword ptr [edi + 0x618]

        $sequence_4 = { 53 53 53 6a06 6a01 6a02 ff15???????? }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a06                 | push                6
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ff15????????         |                     

        $sequence_5 = { 50 ffd7 8b4510 898618060000 8b4514 8b00 89861c060000 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   898618060000         | mov                 dword ptr [esi + 0x618], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   89861c060000         | mov                 dword ptr [esi + 0x61c], eax

        $sequence_6 = { 750c ffb71c060000 ff15???????? 57 e8???????? }
            // n = 5, score = 500
            //   750c                 | jne                 0xe
            //   ffb71c060000         | push                dword ptr [edi + 0x61c]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_7 = { e8???????? ff750c e9???????? 83f803 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e9????????           |                     
            //   83f803               | cmp                 eax, 3

        $sequence_8 = { 8b4510 898618060000 8b4514 8b00 89861c060000 8b4518 898620060000 }
            // n = 7, score = 500
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   898618060000         | mov                 dword ptr [esi + 0x618], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   89861c060000         | mov                 dword ptr [esi + 0x61c], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   898620060000         | mov                 dword ptr [esi + 0x620], eax

        $sequence_9 = { ff15???????? 85c0 750c ffb71c060000 ff15???????? 57 e8???????? }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   ffb71c060000         | push                dword ptr [edi + 0x61c]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences must be present and the scanned file must be
        // smaller than 73728 bytes (72 KiB). The size bound fits the unpacked
        // samples the strings were taken from (see DISCLAIMER); larger files
        // containing the same code (packed droppers, full memory images) will
        // not match. NOTE(review): for process-memory scans filesize is not a
        // file size -- confirm how the deployed YARA version evaluates it.
        7 of them and filesize < 73728
}