SYMBOLCOMMON_NAMEaka. SYNONYMS
win.proto8_rat (Back to overview)

Proto8RAT

There is no description at this point.

References
2022-03-21AvastAvast
@online{avast:20220321:ioc:b4bb870, author = {Avast}, title = {{IoC from Operation Dragon Castling}}, date = {2022-03-21}, organization = {Avast}, url = {https://github.com/avast/ioc/tree/master/OperationDragonCastling}, language = {English}, urldate = {2022-08-26} } IoC from Operation Dragon Castling
Proto8RAT TianWu
Yara Rules
[TLP:WHITE] win_proto8_rat_auto (20230125 | Detects win.proto8_rat.)
rule win_proto8_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.proto8_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8b94000000 4533c0 8b8390000000 3bc1 410f95c0 488b5c2430 4d85c0 }
            // n = 7, score = 100
            //   8b8b94000000         | dec                 ecx
            //   4533c0               | lea                 esi, [esi + 0x20]
            //   8b8390000000         | mov                 eax, dword ptr [edi + 0x18]
            //   3bc1                 | add                 eax, dword ptr [esi]
            //   410f95c0             | inc                 esp
            //   488b5c2430           | cmp                 edi, eax
            //   4d85c0               | jb                  0x309

        $sequence_1 = { 741a 48c70000000000 8b07 41894008 418b06 4189400c eb07 }
            // n = 7, score = 100
            //   741a                 | mov                 ebx, dword ptr [esp + 0x30]
            //   48c70000000000       | dec                 eax
            //   8b07                 | add                 esp, 0x20
            //   41894008             | pop                 edi
            //   418b06               | ret                 
            //   4189400c             | dec                 eax
            //   eb07                 | mov                 edx, ecx

        $sequence_2 = { ff15???????? 413bc5 7505 488bcb ebe3 48895d00 488b8dd8000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   413bc5               | jmp                 0x2d
            //   7505                 | movzx               eax, byte ptr [ecx]
            //   488bcb               | inc                 esp
            //   ebe3                 | cmp                 byte ptr [esp + eax + 0x20], bh
            //   48895d00             | jne                 0x56
            //   488b8dd8000000       | jne                 0x16

        $sequence_3 = { e8???????? 498bc5 488b9c24880a0000 4881c4400a0000 415f 415e 415d }
            // n = 7, score = 100
            //   e8????????           |                     
            //   498bc5               | dec                 eax
            //   488b9c24880a0000     | add                 eax, -8
            //   4881c4400a0000       | dec                 eax
            //   415f                 | cmp                 eax, 0x1f
            //   415e                 | ja                  0xf1e
            //   415d                 | jb                  0x21c

        $sequence_4 = { 7406 488bd3 ff5318 488b8ff0010000 4885c9 7406 488bd3 }
            // n = 7, score = 100
            //   7406                 | mov                 eax, dword ptr [esp + 0x40]
            //   488bd3               | dec                 eax
            //   ff5318               | mov                 ecx, edi
            //   488b8ff0010000       | dec                 eax
            //   4885c9               | lea                 ecx, [esp + 0x50]
            //   7406                 | dec                 eax
            //   488bd3               | lea                 edx, [esp + 0x50]

        $sequence_5 = { e8???????? 4889842420010000 4885c0 742a 488918 488d7808 488d05dddbffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889842420010000     | dec                 eax
            //   4885c0               | inc                 edx
            //   742a                 | psrldq              xmm2, 8
            //   488918               | dec                 ax
            //   488d7808             | movd                edx, mm2
            //   488d05dddbffff       | dec                 eax

        $sequence_6 = { 741c 4c8d0509b20300 baf7ffffff 488bcb e8???????? 448bf0 e9???????? }
            // n = 7, score = 100
            //   741c                 | lea                 edx, [esp + 0x30]
            //   4c8d0509b20300       | dec                 eax
            //   baf7ffffff           | cmp                 dword ptr [esp + 0x48], 0x10
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   448bf0               | cmovae              edx, dword ptr [esp + 0x30]
            //   e9????????           |                     

        $sequence_7 = { e8???????? 33c0 4883c420 5b c3 ff25???????? ff25???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c0                 | dec                 eax
            //   4883c420             | inc                 ecx
            //   5b                   | mov                 eax, eax
            //   c3                   | pop                 ebp
            //   ff25????????         |                     
            //   ff25????????         |                     

        $sequence_8 = { ff5018 84c0 7406 48893b 488bfb 488bde 4885f6 }
            // n = 7, score = 100
            //   ff5018               | test                ebx, ebx
            //   84c0                 | inc                 ecx
            //   7406                 | mov                 eax, 1
            //   48893b               | dec                 eax
            //   488bfb               | lea                 edx, [0x11db94]
            //   488bde               | mov                 ecx, eax
            //   4885f6               | shr                 ecx, 0x1e

        $sequence_9 = { 7578 40f6c701 742e 4c8bc3 498bd7 488bce e8???????? }
            // n = 7, score = 100
            //   7578                 | dec                 eax
            //   40f6c701             | cmp                 edx, ebp
            //   742e                 | jb                  0x468
            //   4c8bc3               | dec                 eax
            //   498bd7               | add                 edx, 0x27
            //   488bce               | dec                 esp
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2537472
}
Download all Yara Rules