win.norobot

NOROBOT

aka: BAITSWITCH

Actor(s): Callisto


There is no description at this point.

References
2025-10-20 — Google — Wesley Shields
To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
MAYBEROBOT NOROBOT YESROBOT
2025-09-24 — Zscaler — Sudeep Singh, Yin Hong Chang
COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX
NOROBOT
Yara Rules
[TLP:WHITE] win_norobot_auto (20260504 | Detects win.norobot.)
rule win_norobot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.norobot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.norobot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (comments only; they do not change what the rule matches)
     * - Each $sequence_N is a raw byte pattern: only the hex between the braces
     *   is matched. The "| mnemonic" text beside each byte group is an
     *   auto-generated annotation and appears to be a 32-bit decode of what are
     *   x64 instructions (the leading 48/4c/41/4a bytes are REX prefixes, shown
     *   here as "dec eax"/"dec edx"/"inc ecx"); it also appears offset from the
     *   bytes it sits beside (e.g. 7413 is a short je, not a mov). Treat the
     *   hex as authoritative and the mnemonics as a loose hint only.
     * - "????????" wildcards stand for four bytes that may differ between
     *   builds — presumably call displacements, since e8 and ff15 are call
     *   encodings — so a sequence is not tied to one link/load address.
     * - Coverage follows from the generation method described above: the
     *   sequences were taken from the sample(s) documented in Malpedia, so a
     *   recompiled or otherwise modified build may not reach 7 of 10 matches.
     *   Use the rule as one signal and assign confidence accordingly.
     */

    strings:
        $sequence_0 = { 8945d0 7413 8b04ca 488d15298cfdff 4803c2 }
            // n = 5, score = 100
            //   8945d0               | dec                 eax
            //   7413                 | mov                 eax, dword ptr [esp + 0x30]
            //   8b04ca               | dec                 eax
            //   488d15298cfdff       | lea                 ecx, [0x28eaf]
            //   4803c2               | dec                 eax

        $sequence_1 = { 4c8bda 488bf9 f6c304 7424 410fb60a 83e10f 4a0fbe843160b80200 }
            // n = 7, score = 100
            //   4c8bda               | dec                 edx
            //   488bf9               | movsx               eax, byte ptr [ecx + edi + 0x2b860]
            //   f6c304               | inc                 edx
            //   7424                 | mov                 cl, byte ptr [ecx + edi + 0x2b870]
            //   410fb60a             | dec                 eax
            //   83e10f               | sub                 edx, eax
            //   4a0fbe843160b80200     | mov    eax, dword ptr [edx - 4]

        $sequence_2 = { 7706 ff15???????? 488364243000 488d0ddcc60000 8364242800 41b803000000 4533c9 }
            // n = 7, score = 100
            //   7706                 | mov                 eax, dword ptr [esp + 0x30]
            //   ff15????????         |                     
            //   488364243000         | dec                 eax
            //   488d0ddcc60000       | lea                 ecx, [0x28e77]
            //   8364242800           | dec                 eax
            //   41b803000000         | mov                 dword ptr [eax], ecx
            //   4533c9               | dec                 eax

        $sequence_3 = { 488bb424a0000000 4c8d159b6a0100 4533db 488d3d09e60000 4d85c9 488bc2 4c8be2 }
            // n = 7, score = 100
            //   488bb424a0000000     | mov                 edx, esi
            //   4c8d159b6a0100       | dec                 eax
            //   4533db               | lea                 eax, [0xc210]
            //   488d3d09e60000       | cmp                 bx, word ptr [eax]
            //   4d85c9               | jmp                 0x554
            //   488bc2               | mov                 ecx, dword ptr [esp + 0x20]
            //   4c8be2               | dec                 eax

        $sequence_4 = { e8???????? 4889842488000000 488d8c24a8000000 e8???????? 488b8c2488000000 4803c8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4889842488000000     | dec                 eax
            //   488d8c24a8000000     | mov                 dword ptr [ebx], ecx
            //   e8????????           |                     
            //   488b8c2488000000     | dec                 eax
            //   4803c8               | lea                 edx, [ebx + 8]

        $sequence_5 = { 4883c807 4889442428 488b442460 4839442428 7607 }
            // n = 5, score = 100
            //   4883c807             | cmp                 ecx, eax
            //   4889442428           | jne                 0xad0
            //   488b442460           | dec                 eax
            //   4839442428           | mov                 eax, dword ptr [esp + 0x40]
            //   7607                 | dec                 eax

        $sequence_6 = { 488b4c2458 ff15???????? 4889442450 48837c245000 7536 488d1540150300 }
            // n = 6, score = 100
            //   488b4c2458           | movzx               ecx, byte ptr [ecx]
            //   ff15????????         |                     
            //   4889442450           | inc                 ecx
            //   48837c245000         | inc                 eax
            //   7536                 | and                 ecx, 0xf
            //   488d1540150300       | dec                 edx

        $sequence_7 = { 7502 eb26 baffffffff 488b4c2450 ff15???????? 488b4c2450 }
            // n = 6, score = 100
            //   7502                 | cmp                 dword ptr [esp + 0x80], 0xf
            //   eb26                 | ja                  0x120b
            //   baffffffff           | dec                 eax
            //   488b4c2450           | mov                 eax, dword ptr [esp + 0x28]
            //   ff15????????         |                     
            //   488b4c2450           | dec                 eax

        $sequence_8 = { 4c8d0540effeff 4a0fbe840160b80200 420fb68c0170b80200 482bd0 8b42fc d3e8 898424c0000000 }
            // n = 7, score = 100
            //   4c8d0540effeff       | mov                 dword ptr [esp + 0x80], eax
            //   4a0fbe840160b80200     | dec    eax
            //   420fb68c0170b80200     | lea    ecx, [esp + 0xa8]
            //   482bd0               | dec                 eax
            //   8b42fc               | mov                 ecx, dword ptr [esp + 0xe0]
            //   d3e8                 | dec                 eax
            //   898424c0000000       | add                 ecx, 0x74

        $sequence_9 = { 48896c2418 57 4883ec20 4863d9 488d0d076c0100 488bd3 }
            // n = 6, score = 100
            //   48896c2418           | mov                 dword ptr [esp + 0x28], eax
            //   57                   | jmp                 0xebf
            //   4883ec20             | test                eax, eax
            //   4863d9               | je                  0xead
            //   488d0d076c0100       | dec                 eax
            //   488bd3               | mov                 eax, dword ptr [esp + 0x30]

    condition:
        // Fires when at least 7 of the 10 $sequence_* patterns are present AND
        // the scanned object is smaller than 545792 bytes. The size cap is
        // presumably derived from the reference sample; any larger file is
        // excluded outright, regardless of how many sequences it contains.
        7 of them and filesize < 545792
}