win.ratel

RATel


There is no description at this point.

References
2023-04-24 | Kaspersky Labs | Pierre Delcher, Ivan Kwiatkowski
@online{delcher:20230424:tomiris:2d65352, author = {Pierre Delcher and Ivan Kwiatkowski}, title = {{Tomiris called, they want their Turla malware back}}, date = {2023-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/}, language = {English}, urldate = {2023-04-26} } Tomiris called, they want their Turla malware back
KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour
2023-02-23 | Bitdefender | Martin Zugec, Bitdefender Team
@online{zugec:20230223:technical:710242c, author = {Martin Zugec and Bitdefender Team}, title = {{Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966}}, date = {2023-02-23}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966}, language = {English}, urldate = {2023-02-27} } Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet RATel
2021-04-06 | Github (FrenchCisco) | FrenchCisco
@online{frenchcisco:20210406:github:33bf219, author = {FrenchCisco}, title = {{Github Repository: RATel}}, date = {2021-04-06}, organization = {Github (FrenchCisco)}, url = {https://github.com/FrenchCisco/RATel}, language = {English}, urldate = {2023-02-27} } Github Repository: RATel
RATel
Yara Rules
[TLP:WHITE] win_ratel_auto (20230407 | Detects win.ratel.)
rule win_ratel_auto {
    /* Auto-generated detection rule for the win.ratel family (Malpedia).
     * It matches short runs of x86 instruction bytes ($sequence_0..$sequence_9)
     * lifted from unpacked samples / memory dumps; the rule fires only when most
     * of them co-occur (see the condition at the bottom). Read the DISCLAIMER
     * below before assigning this rule a confidence level.
     */

    // Metadata only: none of these fields is referenced by the condition.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.ratel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex string of consecutive instruction bytes; the
     * commented listing under it shows the matched instructions. The four
     * `??` wildcard bytes following an e8 (call) / e9 (jmp) opcode mask the
     * displacement, so the sequence matches regardless of the branch target.
     * "n" is the instruction count, "score" the generator's ranking.
     */
    strings:
        $sequence_0 = { e8???????? 8b4b60 01f1 ebb9 85c0 7f24 89f8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4b60               | mov                 ecx, dword ptr [ebx + 0x60]
            //   01f1                 | add                 ecx, esi
            //   ebb9                 | jmp                 0xffffffbb
            //   85c0                 | test                eax, eax
            //   7f24                 | jg                  0x26
            //   89f8                 | mov                 eax, edi

        $sequence_1 = { 83ec2c 8b11 8b5c2440 8b442448 8b742444 29d3 8944241c }
            // n = 7, score = 100
            //   83ec2c               | sub                 esp, 0x2c
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b5c2440             | mov                 ebx, dword ptr [esp + 0x40]
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   8b742444             | mov                 esi, dword ptr [esp + 0x44]
            //   29d3                 | sub                 ebx, edx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        // NOTE(review): a 0x90-byte stack frame zeroed with rep stosd and a
        // first dword set to 0x44 presumably is a STARTUPINFO-style structure
        // being initialised (cb = 0x44); verify in the sample before relying on it.
        $sequence_2 = { 8d55b8 8d5db4 89d7 8d55a4 81ec90000000 c745b444000000 f3ab }
            // n = 7, score = 100
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   8d5db4               | lea                 ebx, [ebp - 0x4c]
            //   89d7                 | mov                 edi, edx
            //   8d55a4               | lea                 edx, [ebp - 0x5c]
            //   81ec90000000         | sub                 esp, 0x90
            //   c745b444000000       | mov                 dword ptr [ebp - 0x4c], 0x44
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_3 = { 0f45c6 8945c0 b800000000 0f45d8 e9???????? 8b55c8 8b4208 }
            // n = 7, score = 100
            //   0f45c6               | cmovne              eax, esi
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   b800000000           | mov                 eax, 0
            //   0f45d8               | cmovne              ebx, eax
            //   e9????????           |                     
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   8b4208               | mov                 eax, dword ptr [edx + 8]

        $sequence_4 = { 8b4c2440 89442410 8b842468010000 c74424181f000000 89442408 8b842460010000 c74424140a000000 }
            // n = 7, score = 100
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b842468010000       | mov                 eax, dword ptr [esp + 0x168]
            //   c74424181f000000     | mov                 dword ptr [esp + 0x18], 0x1f
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b842460010000       | mov                 eax, dword ptr [esp + 0x160]
            //   c74424140a000000     | mov                 dword ptr [esp + 0x14], 0xa

        $sequence_5 = { c6043000 83c410 5b 5e 5f c20400 85f6 }
            // n = 7, score = 100
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   83c410               | add                 esp, 0x10
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c20400               | ret                 4
            //   85f6                 | test                esi, esi

        $sequence_6 = { 8d5904 8d7912 6690 0fb703 89d5 83cd01 a801 }
            // n = 7, score = 100
            //   8d5904               | lea                 ebx, [ecx + 4]
            //   8d7912               | lea                 edi, [ecx + 0x12]
            //   6690                 | nop                 
            //   0fb703               | movzx               eax, word ptr [ebx]
            //   89d5                 | mov                 ebp, edx
            //   83cd01               | or                  ebp, 1
            //   a801                 | test                al, 1

        $sequence_7 = { e8???????? 85c0 7fbf 3b7c2468 730b 85c0 7507 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7fbf                 | jg                  0xffffffc1
            //   3b7c2468             | cmp                 edi, dword ptr [esp + 0x68]
            //   730b                 | jae                 0xd
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9

        // NOTE(review): the last instruction stores the literal 0x4b82fd, which
        // looks like an absolute in-image address rather than a data constant.
        // If so, this sequence is tied to one build / image base and will not
        // generalise to relocated or recompiled samples — confirm before
        // weighting it highly.
        $sequence_8 = { 8b5108 885c024a 83c001 83f81a 75ed 8b4108 c74014fd824b00 }
            // n = 7, score = 100
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   885c024a             | mov                 byte ptr [edx + eax + 0x4a], bl
            //   83c001               | add                 eax, 1
            //   83f81a               | cmp                 eax, 0x1a
            //   75ed                 | jne                 0xffffffef
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   c74014fd824b00       | mov                 dword ptr [eax + 0x14], 0x4b82fd

        $sequence_9 = { 8b842494000000 8b542438 c70004000000 83c46c 89f0 5b 5e }
            // n = 7, score = 100
            //   8b842494000000       | mov                 eax, dword ptr [esp + 0x94]
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   c70004000000         | mov                 dword ptr [eax], 4
            //   83c46c               | add                 esp, 0x6c
            //   89f0                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

    /* Match when at least 7 of the 10 sequences are present and the scanned
     * object is smaller than 2174976 bytes (~2.07 MiB); larger objects are
     * never reported. There is deliberately no PE-header gate such as
     * uint16(0) == 0x5a4d: per the DISCLAIMER the sequences were taken from
     * memory dumps as well as files, so headerless dumps can still match.
     */
    condition:
        7 of them and filesize < 2174976
}