win.rctrl

RCtrl

Actor(s): APT 30


No description of this family is available on this page yet; the only analysis linked below is the Positive Technologies write-up on APT30 backdoors, which covers RCtrl alongside BACKSPACE, NETEAGLE and RHttpCtrl.

References
2020-06-19 — Positive Technologies — Alexey Vishnyakov
@online{vishnyakov:20200619:eagle:01efbbd, author = {Alexey Vishnyakov}, title = {{The eagle eye is back: old and new backdoors from APT30}}, date = {2020-06-19}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/}, language = {English}, urldate = {2020-06-20} } The eagle eye is back: old and new backdoors from APT30
Tags: backspace, NETEAGLE, RCtrl, RHttpCtrl, APT30
Yara Rules
[TLP:WHITE] win_rctrl_auto (20221125 | Detects win.rctrl.)
// Autogenerated code-sequence rule for win.rctrl (listed on the page as an APT30
// backdoor per the Positive Technologies reference). It matches on raw 32-bit x86
// instruction byte sequences taken from disassembly, not on strings or imports, so
// a packed on-disk sample will only match after unpacking or in a memory dump.
rule win_rctrl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.rctrl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl"
        malpedia_rule_date = "20221118"
        // Hash identifies the Malpedia sample set the sequences were mined from, not this rule text.
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review notes on the sequences below:
     *  - "????" bytes are wildcards over call/jump targets (relative e8 displacements,
     *    absolute ff15 indirect-call operands), so those sequences tolerate a different
     *    image layout.
     *  - Two sequences ($sequence_0, $sequence_3) embed an absolute in-image address as a
     *    mov immediate with NO wildcard; those are tied to this build's image base and
     *    will not match a relocated memory dump or a rebuilt sample (see inline notes).
     *  - Several sequences are generic prologue/epilogue or runtime-library shaped code;
     *    the "7 of them" threshold in the condition is what keeps them from matching
     *    unrelated binaries on their own.
     */

    strings:
        $sequence_0 = { 0f84f7000000 895dd8 c745d470535700 50 8d4dd4 895dfc }
            // n = 6, score = 100
            //   0f84f7000000         | je                  0xfd
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   c745d470535700       | mov                 dword ptr [ebp - 0x2c], 0x575370
            //   50                   | push                eax
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            // NOTE(review): 0x575370 is an absolute virtual address stored into a stack slot
            // (bytes 70 53 57 00 in the pattern). It is specific to this sample's image base;
            // a relocated in-memory image or a recompiled build changes it and this sequence
            // stops matching. If the rule is tuned by hand, wildcarding those four bytes
            // (c745d4????????) keeps the structural match without the base dependency.

        $sequence_1 = { 53 56 8bf1 57 8b8680000000 83b88800000000 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   8b8680000000         | mov                 eax, dword ptr [esi + 0x80]
            //   83b88800000000       | cmp                 dword ptr [eax + 0x88], 0
            // ecx-as-this followed by fixed field offsets (+0x80, then +0x88 through the
            // loaded pointer) — field layout is what makes this sequence family-specific.

        $sequence_2 = { 5e 8be5 5d c21400 55 8bec 83ec3c }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c21400               | ret                 0x14
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec3c               | sub                 esp, 0x3c
            // Epilogue of one stdcall-style function (ret 0x14) directly followed by the
            // prologue of the next (0x3c-byte frame). Generic compiler output; its value is
            // the exact adjacency of the two, not either half alone.

        $sequence_3 = { c745cce0e85900 8975e0 8945f8 85c0 0f8489000000 8d8680040000 8bf0 }
            // n = 7, score = 100
            //   c745cce0e85900       | mov                 dword ptr [ebp - 0x34], 0x59e8e0
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   85c0                 | test                eax, eax
            //   0f8489000000         | je                  0x8f
            //   8d8680040000         | lea                 eax, [esi + 0x480]
            //   8bf0                 | mov                 esi, eax
            // NOTE(review): same caveat as $sequence_0 — 0x59e8e0 (bytes e0 e8 59 00) is an
            // absolute in-image address baked into the immediate and is image-base specific.

        $sequence_4 = { c785f8f7ffff00000000 8db5f8f7ffff b901010000 c685f3e7ffff01 8dbdf8e7ffff f3a5 6804100000 }
            // n = 7, score = 100
            //   c785f8f7ffff00000000     | mov    dword ptr [ebp - 0x808], 0
            //   8db5f8f7ffff         | lea                 esi, [ebp - 0x808]
            //   b901010000           | mov                 ecx, 0x101
            //   c685f3e7ffff01       | mov                 byte ptr [ebp - 0x180d], 1
            //   8dbdf8e7ffff         | lea                 edi, [ebp - 0x1808]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   6804100000           | push                0x1004
            // Copies 0x101 dwords (1028 bytes) between two large stack buffers
            // ([ebp-0x808] -> [ebp-0x1808]) and then pushes 0x1004 as an argument.
            // The specific buffer offsets and the 0x101/0x1004 constants are what make
            // this sequence distinctive.

        $sequence_5 = { 50 ff7638 ff7640 ff7618 ff15???????? 85c0 7467 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff7638               | push                dword ptr [esi + 0x38]
            //   ff7640               | push                dword ptr [esi + 0x40]
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7467                 | je                  0x69
            // ff15 ???????? is call dword ptr [abs32]; the wildcard covers the absolute
            // operand (presumably an import thunk — not resolvable from here), so only
            // the four-argument push order and the result check are pinned.

        $sequence_6 = { 85c0 772c 7205 83f9ff 7725 ff7510 ff7508 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   772c                 | ja                  0x2e
            //   7205                 | jb                  7
            //   83f9ff               | cmp                 ecx, -1
            //   7725                 | ja                  0x27
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_7 = { e8???????? 83c404 8bc6 3b7304 75ee 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   3b7304               | cmp                 esi, dword ptr [ebx + 4]
            //   75ee                 | jne                 0xfffffff0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            // e8 ???????? is a relative call with its displacement wildcarded; the
            // single-argument cdecl cleanup (add esp, 4) and the backward jne form a
            // short loop body.

        $sequence_8 = { 50 ff15???????? 8b5508 83c8ff 881e 83c2f0 f00fc1420c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c8ff               | or                  eax, 0xffffffff
            //   881e                 | mov                 byte ptr [esi], bl
            //   83c2f0               | add                 edx, -0x10
            //   f00fc1420c           | lock xadd           dword ptr [edx + 0xc], eax
            // lock xadd with eax = -1 is an atomic decrement of the dword at [edx+0xc].
            // NOTE(review): this looks like library/runtime reference-counting code rather
            // than family-specific logic — confirm before weighting it on its own.

        $sequence_9 = { e8???????? cc 55 8bec 53 56 33db }
            // n = 7, score = 100
            //   e8????????           |                     
            //   cc                   | int3                
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            // A wildcarded call followed by an int3 pad byte and a plain prologue that
            // zeroes ebx. Generic shape; relies on the "7 of them" threshold for specificity.

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object must be
        // under 4315136 bytes (~4.1 MiB). The size bound comes from the generator; when
        // scanning memory dumps or process regions rather than files, check how your
        // scanner reports filesize before relying on it.
        7 of them and filesize < 4315136
}