win.magic_rat

MagicRAT

Actor(s): Lazarus Group, Silent Chollima


According to Talos, MagicRAT is written in C++ and uses the Qt Framework, which is statically linked into both the 32- and 64-bit builds of the RAT. Qt is a library for developing graphical user interfaces, yet this RAT has no GUI at all. Talos assesses that the objective was to increase the complexity of the code and so make human analysis harder; at the same time, because there are very few (if any) examples of malware built with Qt, the choice also makes machine-learning and heuristic detection less reliable. The RAT uses Qt classes throughout its code: the configuration is held in a QSettings object and eventually persisted to disk, which is exactly the functionality that class provides.
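The statically linked Qt build described above leaves a simple triage signal: Qt class and meta-object names are present in the file, but no Qt DLL is imported. The script below is an added example of that heuristic (it is not Talos' or Malpedia's tooling and does not parse MagicRAT itself); the marker list, the DLL list and the three-marker threshold are illustrative choices, and the sample inputs produced by build_sample() are constructed stand-ins for a PE image, not real samples.

```python
"""
Triage heuristic: a binary that carries Qt runtime strings but imports no Qt
DLL is most likely a statically linked Qt build.  Added example; the marker
and DLL lists and the threshold are assumptions made for illustration.
"""
import re
import sys

# Import-name strings a dynamically linked Qt program carries in its PE import
# table.  They are stored as plain ASCII in the file, so a byte search finds them.
QT_IMPORT_DLLS = (b"qtcore4.dll", b"qt5core.dll", b"qt6core.dll",
                  b"qt5network.dll", b"qt6network.dll")

# Class and meta-object names that QtCore/QtNetwork code leaves in any binary
# that links it, whether statically or dynamically.  Illustrative list.
QT_MARKERS = (b"QSettings", b"QCoreApplication", b"QNetworkAccessManager",
              b"QMetaObject", b"QObject", b"qt_metacall", b"QString")

# Reported when present; the verdict does not depend on it.
QT_VERSION_RE = re.compile(rb"Qt (\d+\.\d+\.\d+)")

MIN_MARKERS = 3   # fewer distinct markers is too weak to call the file a Qt build


def qt_linkage(data: bytes) -> dict:
    """Classify raw file bytes as 'static-qt', 'dynamic-qt' or 'no-qt'."""
    lowered = data.lower()                      # import DLL names are case-insensitive
    dlls = sorted({d.decode() for d in QT_IMPORT_DLLS if d in lowered})
    markers = sorted({m.decode() for m in QT_MARKERS if m in data})
    version = QT_VERSION_RE.search(data)
    if len(markers) < MIN_MARKERS:
        verdict = "no-qt"
    elif dlls:
        verdict = "dynamic-qt"
    else:
        verdict = "static-qt"                   # Qt code present, no Qt DLL imported
    return {
        "verdict": verdict,
        "qt_dlls": dlls,
        "qt_markers": markers,
        "qt_version": version.group(1).decode() if version else None,
    }


def build_sample(kind: str) -> bytes:
    """Constructed stand-in for a PE image: filler bytes with the relevant strings
    embedded the way a real file carries them.  Not real malware."""
    filler = bytes(range(256)) * 8
    parts = [b"MZ", filler]
    if kind in ("static", "dynamic"):
        parts += [b"\0QSettings\0", filler, b"\0QCoreApplication\0",
                  b"\0QMetaObject\0", b"\0qt_metacall\0", filler,
                  b"\0Qt 5.15.2\0", filler]
    if kind == "dynamic":
        parts += [b"\0Qt5Core.dll\0", b"\0Qt5Network.dll\0", filler]
    if kind == "plain":
        parts += [b"\0KERNEL32.dll\0", b"\0QObject\0", filler]   # one stray marker only
    return b"".join(parts)


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:             # python qt_linkage.py sample.exe ...
            with open(path, "rb") as fh:
                print(path, qt_linkage(fh.read()))
    else:
        for kind in ("static", "dynamic", "plain"):
            print(kind, qt_linkage(build_sample(kind)))
```

A byte search over the whole file is deliberately coarse: it will also hit a DLL name that appears only in a delay-load table or in a string literal, so treat "static-qt" as a reason to open the import table in a PE parser, not as a final verdict.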

MagicRAT gives the operator a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can set how long the implant sleeps between check-ins, change the C2 URLs, and delete the implant from the infected system.

References
2023-05-25 | YouTube (BSidesCharm) | Asheer Malhotra
it’s all Magic(RAT) – A look into recent North Korean nation-state attacks
Families: MagicRAT, VSingle, YamaBot

2023-02-09 | CISA, DSA, FBI, HHS, NSA, ROK
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Families: Dtrack, MagicRAT, Maui Ransomware, SiennaBlue, SiennaPurple, Tiger RAT, YamaBot

2023-01-05 | AttackIQ | Francis Guibernau, Ken Towne
Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
Families: MagicRAT, Tiger RAT

2022-09-08 | Cisco Talos | Asheer Malhotra, Jung soo An, Vitor Ventura
Lazarus and the tale of three RATs
Families: MagicRAT, MimiKatz, VSingle, YamaBot

2022-09-07 | Cisco Talos | Asheer Malhotra, Jung soo An, Vitor Ventura
MagicRAT: Lazarus’ latest gateway into victim networks
Families: MagicRAT, Tiger RAT
Yara Rules
[TLP:WHITE] win_magic_rat_auto (20260504 | Detects win.magic_rat.)
rule win_magic_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.magic_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* The byte sequences below are from the x86-64 build (note the REX
         * prefixes 41/44/45/48/49); the comments decode them as x86-64. */
        $sequence_0 = { f2440f5ddd 66440f2edc 7373 488d8c2400010000 488d9424c0000000 e8???????? f20f10542470 }
            // n = 7, score = 100
            //   f2440f5ddd           | minsd               xmm11, xmm5
            //   66440f2edc           | ucomisd             xmm11, xmm4
            //   7373                 | jae                 +0x73
            //   488d8c2400010000     | lea                 rcx, [rsp + 0x100]
            //   488d9424c0000000     | lea                 rdx, [rsp + 0xc0]
            //   e8????????           | call
            //   f20f10542470         | movsd               xmm2, qword ptr [rsp + 0x70]

        $sequence_1 = { e9???????? 41b808000000 ba02000000 e8???????? e9???????? 498b4d20 660f1f440000 }
            // n = 7, score = 100
            //   e9????????           | jmp
            //   41b808000000         | mov                 r8d, 8
            //   ba02000000           | mov                 edx, 2
            //   e8????????           | call
            //   e9????????           | jmp
            //   498b4d20             | mov                 rcx, qword ptr [r13 + 0x20]
            //   660f1f440000         | nop                 word ptr [rax + rax]

        $sequence_2 = { f2440f59d7 f2450f585870 f2450f58e2 f2440f105270 f2450f586078 0f8a45010000 0f853f010000 }
            // n = 7, score = 100
            //   f2440f59d7           | mulsd               xmm10, xmm7
            //   f2450f585870         | addsd               xmm11, qword ptr [r8 + 0x70]
            //   f2450f58e2           | addsd               xmm12, xmm10
            //   f2440f105270         | movsd               xmm10, qword ptr [rdx + 0x70]
            //   f2450f586078         | addsd               xmm12, qword ptr [r8 + 0x78]
            //   0f8a45010000         | jp                  +0x145
            //   0f853f010000         | jne                 +0x13f

        $sequence_3 = { f30f2acf f3440f59e9 f3410f108a9c000000 f30f59cb 450f28fd f30f59d1 f30f2acb }
            // n = 7, score = 100
            //   f30f2acf             | cvtsi2ss            xmm1, edi
            //   f3440f59e9           | mulss               xmm13, xmm1
            //   f3410f108a9c000000   | movss               xmm1, dword ptr [r10 + 0x9c]
            //   f30f59cb             | mulss               xmm1, xmm3
            //   450f28fd             | movaps              xmm15, xmm13
            //   f30f59d1             | mulss               xmm2, xmm1
            //   f30f2acb             | cvtsi2ss            xmm1, ebx

        $sequence_4 = { f3440f11513c f3410f58f8 440f28c6 f3410f5cc9 f3440f59cb f30f59fa f30f59cd }
            // n = 7, score = 100
            //   f3440f11513c         | movss               dword ptr [rcx + 0x3c], xmm10
            //   f3410f58f8           | addss               xmm7, xmm8
            //   440f28c6             | movaps              xmm8, xmm6
            //   f3410f5cc9           | subss               xmm1, xmm9
            //   f3440f59cb           | mulss               xmm9, xmm3
            //   f30f59fa             | mulss               xmm7, xmm2
            //   f30f59cd             | mulss               xmm1, xmm5

        $sequence_5 = { f2410f59c0 f2440f58eb 660fefe4 f2440f5935???????? f2410f59d8 4921db 4909cb }
            // n = 7, score = 100
            //   f2410f59c0           | mulsd               xmm0, xmm8
            //   f2440f58eb           | addsd               xmm13, xmm3
            //   660fefe4             | pxor                xmm4, xmm4
            //   f2440f5935????????   | mulsd               xmm14, qword ptr [rip + ????????]
            //   f2410f59d8           | mulsd               xmm3, xmm8
            //   4921db               | and                 r11, rbx
            //   4909cb               | or                  r11, rcx

        $sequence_6 = { f3a4 4889fa e9???????? 8a4e01 80f901 0f86ec000000 488b4b10 }
            // n = 7, score = 100
            //   f3a4                 | rep movsb
            //   4889fa               | mov                 rdx, rdi
            //   e9????????           | jmp
            //   8a4e01               | mov                 cl, byte ptr [rsi + 1]
            //   80f901               | cmp                 cl, 1
            //   0f86ec000000         | jbe                 +0xec
            //   488b4b10             | mov                 rcx, qword ptr [rbx + 0x10]

        $sequence_7 = { f680b801000010 742b 488b4070 31c9 4885c0 740f 488b4008 }
            // n = 7, score = 100
            //   f680b801000010       | test                byte ptr [rax + 0x1b8], 0x10
            //   742b                 | je                  +0x2b
            //   488b4070             | mov                 rax, qword ptr [rax + 0x70]
            //   31c9                 | xor                 ecx, ecx
            //   4885c0               | test                rax, rax
            //   740f                 | je                  +0xf
            //   488b4008             | mov                 rax, qword ptr [rax + 8]

        $sequence_8 = { f20f103d???????? f2440f58c7 f2410f2cc0 01d0 660f2ecc 66894104 0f8350ffffff }
            // n = 7, score = 100
            //   f20f103d????????     | movsd               xmm7, qword ptr [rip + ????????]
            //   f2440f58c7           | addsd               xmm8, xmm7
            //   f2410f2cc0           | cvttsd2si           eax, xmm8
            //   01d0                 | add                 eax, edx
            //   660f2ecc             | ucomisd             xmm1, xmm4
            //   66894104             | mov                 word ptr [rcx + 4], ax
            //   0f8350ffffff         | jae                 -0xb0

        $sequence_9 = { f2440f2cc8 4101c9 e9???????? 66440f28c2 f2440f5c05???????? f2410f2cd0 66450fefc0 }
            // n = 7, score = 100
            //   f2440f2cc8           | cvttsd2si           r9d, xmm0
            //   4101c9               | add                 r9d, ecx
            //   e9????????           | jmp
            //   66440f28c2           | movapd              xmm8, xmm2
            //   f2440f5c05????????   | subsd               xmm8, qword ptr [rip + ????????]
            //   f2410f2cd0           | cvttsd2si           edx, xmm8
            //   66450fefc0           | pxor                xmm8, xmm8
    condition:
        7 of them and filesize < 38710272
}