SYMBOLCOMMON_NAMEaka. SYNONYMS
win.r77 (Back to overview)

r77

aka: r77 Rootkit
VTCollection    

According to the author, r77 is a ring 3 rootkit that hides everything:
* Files, directories
* Processes & CPU usage
* Registry keys & values
* Services
* TCP & UDP connections
* Junctions, named pipes, scheduled tasks

References
2025-03-13SecuronixDen Iyzvyk, Tim Peck
Analyzing OBSCURE#BAT Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
Quasar RAT r77
2024-09-04HarfangLabAlice Climent-Pommeret
Unpacking the unpleasant FIN7 gift: PackXOR
r77 xmrig
2022-05-08Twitter (@malmoeb)Stephan Berger
Twitter Thread on popularity and detection of r77
r77
2017-12-17Github (bytecode77)Martin Fischer
r77 Rootkit
r77
Yara Rules
[TLP:WHITE] win_r77_auto (20260504 | Detects win.r77.)
rule win_r77_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.r77."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.r77"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 740c 8b4f0c e8???????? 85c0 }
            // n = 4, score = 200
            //   740c                 | je                  0xe
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { 740b 8b0f e8???????? 85c0 }
            // n = 4, score = 200
            //   740b                 | je                  0xd
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 83f866 0f85a9000000 b901000000 6bd103 8b4508 0fb60c10 }
            // n = 6, score = 100
            //   83f866               | cmp                 eax, 0x66
            //   0f85a9000000         | jne                 0xaf
            //   b901000000           | mov                 ecx, 1
            //   6bd103               | imul                edx, ecx, 3
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb60c10             | movzx               ecx, byte ptr [eax + edx]

        $sequence_3 = { 488d050a440100 483bc8 7406 e8???????? 90 8b0b e8???????? }
            // n = 7, score = 100
            //   488d050a440100       | jne                 0xaf
            //   483bc8               | dec                 eax
            //   7406                 | test                esi, esi
            //   e8????????           |                     
            //   90                   | je                  0xa9
            //   8b0b                 | mov                 eax, dword ptr [edi + 4]
            //   e8????????           |                     

        $sequence_4 = { 8bd3 b9???????? e8???????? a3???????? 5f }
            // n = 5, score = 100
            //   8bd3                 | mov                 edx, ebx
            //   b9????????           |                     
            //   e8????????           |                     
            //   a3????????           |                     
            //   5f                   | pop                 edi

        $sequence_5 = { 8b4d10 0fb61401 83e21f 8855ff }
            // n = 4, score = 100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   0fb61401             | movzx               edx, byte ptr [ecx + eax]
            //   83e21f               | and                 edx, 0x1f
            //   8855ff               | mov                 byte ptr [ebp - 1], dl

        $sequence_6 = { ff752c ff7528 56 ff7520 53 }
            // n = 5, score = 100
            //   ff752c               | push                dword ptr [ebp + 0x2c]
            //   ff7528               | push                dword ptr [ebp + 0x28]
            //   56                   | push                esi
            //   ff7520               | push                dword ptr [ebp + 0x20]
            //   53                   | push                ebx

        $sequence_7 = { c1cf0d 803b61 8d42e0 0f4cc2 03f8 43 6685f6 }
            // n = 7, score = 100
            //   c1cf0d               | ror                 edi, 0xd
            //   803b61               | cmp                 byte ptr [ebx], 0x61
            //   8d42e0               | lea                 eax, [edx - 0x20]
            //   0f4cc2               | cmovl               eax, edx
            //   03f8                 | add                 edi, eax
            //   43                   | inc                 ebx
            //   6685f6               | test                si, si

        $sequence_8 = { 4883ec20 488d05df750000 488bd9 483bc8 7417 8b815c010000 }
            // n = 6, score = 100
            //   4883ec20             | dec                 eax
            //   488d05df750000       | sub                 esp, 0x20
            //   488bd9               | dec                 eax
            //   483bc8               | lea                 eax, [0x75df]
            //   7417                 | dec                 eax
            //   8b815c010000         | mov                 ebx, ecx

        $sequence_9 = { 488d3d6cb6feff 488bcf e8???????? 85c0 }
            // n = 4, score = 100
            //   488d3d6cb6feff       | dec                 eax
            //   488bcf               | lea                 eax, [0x1440a]
            //   e8????????           |                     
            //   85c0                 | dec                 eax

        $sequence_10 = { e8???????? e9???????? 493bff 7508 41bc06000080 eb21 83eb01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   493bff               | cmp                 ecx, eax
            //   7508                 | je                  0xb
            //   41bc06000080         | nop                 
            //   eb21                 | mov                 ecx, dword ptr [ebx]
            //   83eb01               | dec                 eax

        $sequence_11 = { c745e806000000 e9???????? 8b4df4 034dec 8b55fc }
            // n = 5, score = 100
            //   c745e806000000       | mov                 dword ptr [ebp - 0x18], 6
            //   e9????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   034dec               | add                 ecx, dword ptr [ebp - 0x14]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_12 = { 0f85a9000000 4885f6 0f84a0000000 8b4704 }
            // n = 4, score = 100
            //   0f85a9000000         | dec                 eax
            //   4885f6               | cmp                 ecx, eax
            //   0f84a0000000         | je                  0x19
            //   8b4704               | mov                 eax, dword ptr [ecx + 0x15c]

        $sequence_13 = { 48894328 e8???????? 48894330 e8???????? 48894338 488d153fc30100 }
            // n = 6, score = 100
            //   48894328             | lea                 edi, [0xfffeb66c]
            //   e8????????           |                     
            //   48894330             | dec                 eax
            //   e8????????           |                     
            //   48894338             | mov                 ecx, edi
            //   488d153fc30100       | test                eax, eax

    condition:
        7 of them and filesize < 350208
}
Download all Yara Rules