win.quiterat

QuiteRAT

aka: Acres

Actor(s): Silent Chollima


QuiteRAT is a simple remote access trojan (RAT) built with the Qt libraries.

After sending preliminary system information to its C&C server, it expects a response containing either one of its supported command codes or an actual Windows command line (for example systeminfo or ipconfig, with parameters) to execute.

It was deployed in a campaign that exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966), as reported by Cisco Talos.

References
2023-08-24 — Cisco Talos — Asheer Malhotra, Jungsoo An, Vitor Ventura
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
QuiteRAT
2023-08-22 — AhnLab — ASEC Analysis Team
Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer
2023-02-23 — Bitdefender — Bitdefender Team, Martin Zugec
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel
2023-02-02 — WithSecure — Sami Ruohonen, Stephen Robinson
No Pineapple! – DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT
Yara Rules
[TLP:WHITE] win_quiterat_auto (20260504 | Detects win.quiterat.)
rule win_quiterat_auto {
    /*
     * Detection rule for the QuiteRAT family (Malpedia id win.quiterat).
     *
     * Autogenerated by YARA-Signator from 32-bit x86 code sequences taken
     * from unpacked samples / memory dumps (see DISCLAIMER below). Each
     * $sequence_N string is a run of 7 instructions; the "??" bytes are
     * wildcards over 4-byte operands that vary between builds (the rel32
     * target of e8/call, the imm32 of 68/push and of c701/mov [ecx], imm32).
     *
     * NOTE(review): the rule is derived from a small number of samples, so
     * treat a hit as a medium-confidence indicator and corroborate it with
     * behavioural evidence (e.g. the C&C check-in described on the Malpedia
     * page) before acting on it.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.quiterat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Conditional-branch cluster: two tests with a far jl and a short jg.
        $sequence_0 = { 8b730c 8974241c 85c0 0f8c8f010000 8b6c243c 7f08 85ed }
            // n = 7, score = 100
            //   8b730c               | mov                 esi, dword ptr [ebx + 0xc]
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   85c0                 | test                eax, eax
            //   0f8c8f010000         | jl                  0x195
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   7f08                 | jg                  0xa
            //   85ed                 | test                ebp, ebp

        // NOTE(review): the imm32 0x58f2b4 is matched literally (not wildcarded).
        // It looks like an absolute in-image address; if so this sequence is tied
        // to the analysed build's layout and will not match relocated or
        // recompiled variants — confirm before relying on it alone.
        $sequence_1 = { bb02000000 c7442410b4f25800 8d4c2410 8b7c241c 83cdff 8b01 c701???????? }
            // n = 7, score = 100
            //   bb02000000           | mov                 ebx, 2
            //   c7442410b4f25800     | mov                 dword ptr [esp + 0x10], 0x58f2b4
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   83cdff               | or                  ebp, 0xffffffff
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   c701????????         |                     

        // Call / stack-cleanup pattern; call targets and the pushed imm32 are wildcarded.
        $sequence_2 = { e8???????? 83c40c 6aff 68???????? 8d4c241c e8???????? 8b33 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6aff                 | push                -1
            //   68????????           |                     
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   e8????????           |                     
            //   8b33                 | mov                 esi, dword ptr [ebx]

        // NOTE(review): same caveat as $sequence_1 — imm32 0x5569ec is matched
        // literally and is presumably build-specific.
        $sequence_3 = { c7442428ec695500 e8???????? 83c408 eb4d ff742434 8d4c2410 e8???????? }
            // n = 7, score = 100
            //   c7442428ec695500     | mov                 dword ptr [esp + 0x28], 0x5569ec
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   eb4d                 | jmp                 0x4f
            //   ff742434             | push                dword ptr [esp + 0x34]
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   e8????????           |                     

        // Byte-flag test at [esi + 0x50] followed by a far je.
        $sequence_4 = { e8???????? 807e5000 8d44241c 6a00 0f84aa000000 68???????? 56 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   807e5000             | cmp                 byte ptr [esi + 0x50], 0
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   6a00                 | push                0
            //   0f84aa000000         | je                  0xb0
            //   68????????           |                     
            //   56                   | push                esi

        // Null-check on esi between two wildcarded calls.
        $sequence_5 = { e8???????? 83c40c 85f6 7523 68???????? e8???????? 83c404 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   7523                 | jne                 0x25
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // Sets the low bit of esi and spills it to the stack.
        $sequence_6 = { e8???????? 83ce01 8974240c 8b74241c 8d4f10 8b5c2418 53 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83ce01               | or                  esi, 1
            //   8974240c             | mov                 dword ptr [esp + 0xc], esi
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]
            //   8d4f10               | lea                 ecx, [edi + 0x10]
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]
            //   53                   | push                ebx

        // Arithmetic fragment: sar by 6, then add the sign bit (shr 0x1f) — the
        // usual compiler idiom for a rounded signed division by 64.
        $sequence_7 = { c1fa06 83c40c 8bc2 896c241c c1e81f 03c2 89442410 }
            // n = 7, score = 100
            //   c1fa06               | sar                 edx, 6
            //   83c40c               | add                 esp, 0xc
            //   8bc2                 | mov                 eax, edx
            //   896c241c             | mov                 dword ptr [esp + 0x1c], ebp
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        // Zero-initialises three dwords at [ecx], [ecx+4], [ecx+8] and returns
        // (ret 4, i.e. one stack argument is popped) — a small constructor-like
        // routine; the exact object type cannot be told from these bytes.
        $sequence_8 = { 89410c 8bc1 c70100000000 c7410400000000 c7410800000000 c20400 56 }
            // n = 7, score = 100
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8bc1                 | mov                 eax, ecx
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   c7410400000000       | mov                 dword ptr [ecx + 4], 0
            //   c7410800000000       | mov                 dword ptr [ecx + 8], 0
            //   c20400               | ret                 4
            //   56                   | push                esi

        // Result check (test eax, eax / je) after two wildcarded calls.
        $sequence_9 = { e8???????? 8d4c2428 e8???????? 8b442438 85c0 744c 8b742430 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4c2428             | lea                 ecx, [esp + 0x28]
            //   e8????????           |                     
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   85c0                 | test                eax, eax
            //   744c                 | je                  0x4e
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 5892096 bytes (about 5.6 MiB). The size cap bounds scan
        // cost; NOTE(review): filesize is only meaningful for file scans, so when
        // this rule is run against process memory or large containers the cap may
        // suppress otherwise valid hits — confirm the behaviour of your scanner.
        7 of them and filesize < 5892096
}