win.rdat

RDAT

aka: GREYSTUFF

Actor(s): OilRig


There is no description at this point.

References
2020-09-15 — CrowdStrike — CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22 — Palo Alto Networks Unit 42 — Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
Yara Rules
[TLP:WHITE] win_rdat_auto (20220411 | Detects win.rdat.)
rule win_rdat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex strings are plain byte sequences; the annotations next to each
     *   byte group are only comments and do not influence matching.
     * - The annotations as published were misaligned with the bytes they sit
     *   next to and were 32-bit decodings (REX prefixes 0x40-0x4f rendered as
     *   stand-alone inc/dec). The bytes are x86-64 code (REX.W, r8-r14,
     *   rsp-relative home slots), so they have been re-annotated below as
     *   64-bit instructions. Re-verify with a disassembler before relying on
     *   any single annotation.
     * - Several sequences look like compiler-generated code rather than
     *   family-specific logic: $sequence_9, $sequence_11, $sequence_12 and
     *   $sequence_14 resemble MSVC x64 prologues that store the -2 EH state
     *   marker and register home slots; $sequence_14 compares against
     *   0xE06D7363, the MSVC C++ exception code, so it presumably sits in
     *   statically linked CRT exception-handling code. Such strings can also
     *   match benign MSVC binaries; the `7 of them` threshold in the condition
     *   is what keeps the rule specific, so lowering it should be avoided.
     * - The filesize bound (1573888 = 0x180400) reflects the documented sample
     *   and may not hold for other builds; treat a miss on size alone as a
     *   reason to re-examine, not to dismiss.
     */


    strings:
        $sequence_0 = { 6690 48ffc3 4038341a 75f7 4883791810 }
            // n = 5, score = 300
            //   6690                 | xchg                ax, ax            (2-byte nop)
            //   48ffc3               | inc                 rbx
            //   4038341a             | cmp                 byte ptr [rdx + rbx], sil
            //   75f7                 | jne                 -9                (back to inc rbx)
            //   4883791810           | cmp                 qword ptr [rcx + 0x18], 0x10
            // The inc/cmp/jne triple is a byte-scan loop; together with the
            // `or rbx, -1` in $sequence_2 and `xor esi, esi` in $sequence_5 it
            // is consistent with an inlined string-length scan (confirm).

        $sequence_1 = { 4533db 85c0 0f8eae000000 8b8aa4000000 }
            // n = 4, score = 300
            //   4533db               | xor                 r11d, r11d
            //   85c0                 | test                eax, eax
            //   0f8eae000000         | jle                 +0xae
            //   8b8aa4000000         | mov                 ecx, dword ptr [rdx + 0xa4]

        $sequence_2 = { eb0f 4883cbff 6690 48ffc3 }
            // n = 4, score = 300
            //   eb0f                 | jmp                 +0xf
            //   4883cbff             | or                  rbx, 0xffffffffffffffff
            //   6690                 | xchg                ax, ax            (2-byte nop)
            //   48ffc3               | inc                 rbx

        $sequence_3 = { 48634e68 4c8b44c8f8 7816 8d4a01 }
            // n = 4, score = 300
            //   48634e68             | movsxd              rcx, dword ptr [rsi + 0x68]
            //   4c8b44c8f8           | mov                 r8, qword ptr [rax + rcx*8 - 8]
            //   7816                 | js                  +0x16
            //   8d4a01               | lea                 ecx, [rdx + 1]

        $sequence_4 = { 7504 8bde eb0f 4883cbff }
            // n = 4, score = 300
            //   7504                 | jne                 +4
            //   8bde                 | mov                 ebx, esi
            //   eb0f                 | jmp                 +0xf
            //   4883cbff             | or                  rbx, 0xffffffffffffffff

        $sequence_5 = { 4889742410 57 4883ec20 33f6 403832 7504 8bde }
            // n = 7, score = 300
            //   4889742410           | mov                 qword ptr [rsp + 0x10], rsi
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   33f6                 | xor                 esi, esi
            //   403832               | cmp                 byte ptr [rdx], sil
            //   7504                 | jne                 +4
            //   8bde                 | mov                 ebx, esi
            // Function entry (home slot + shadow space) followed by a test of
            // the first byte at rdx against zero.

        $sequence_6 = { 483bfb 4c8bc3 4c0f42c7 4d85c0 7504 }
            // n = 5, score = 300
            //   483bfb               | cmp                 rdi, rbx
            //   4c8bc3               | mov                 r8, rbx
            //   4c0f42c7             | cmovb               r8, rdi
            //   4d85c0               | test                r8, r8
            //   7504                 | jne                 +4
            // r8 = min(rdi, rbx) via cmovb, then a zero test on the minimum.

        $sequence_7 = { 75f7 4883791810 488b7910 7203 488b09 483bfb 4c8bc3 }
            // n = 7, score = 300
            //   75f7                 | jne                 -9
            //   4883791810           | cmp                 qword ptr [rcx + 0x18], 0x10
            //   488b7910             | mov                 rdi, qword ptr [rcx + 0x10]
            //   7203                 | jb                  +3                (skip the deref)
            //   488b09               | mov                 rcx, qword ptr [rcx]
            //   483bfb               | cmp                 rdi, rbx
            //   4c8bc3               | mov                 r8, rbx
            // Capacity at +0x18 compared with 16, size at +0x10, pointer at +0
            // only dereferenced when capacity >= 16: this matches the layout
            // MSVC uses for std::string small-buffer handling (confirm).

        $sequence_8 = { 4533db 488b4730 4d8b0403 4d85c0 0f84c7000000 418b80c0000000 }
            // n = 6, score = 300
            //   4533db               | xor                 r11d, r11d
            //   488b4730             | mov                 rax, qword ptr [rdi + 0x30]
            //   4d8b0403             | mov                 r8, qword ptr [r11 + rax]
            //   4d85c0               | test                r8, r8
            //   0f84c7000000         | je                  +0xc7
            //   418b80c0000000       | mov                 eax, dword ptr [r8 + 0xc0]

        $sequence_9 = { 4883ec30 48c740e8feffffff 48895810 48897018 48897820 4c8bf2 }
            // n = 6, score = 300
            //   4883ec30             | sub                 rsp, 0x30
            //   48c740e8feffffff     | mov                 qword ptr [rax - 0x18], -2
            //   48895810             | mov                 qword ptr [rax + 0x10], rbx
            //   48897018             | mov                 qword ptr [rax + 0x18], rsi
            //   48897820             | mov                 qword ptr [rax + 0x20], rdi
            //   4c8bf2               | mov                 r14, rdx
            // Frame setup storing the -2 EH state marker and register home
            // slots; looks compiler-generated and not family-specific.

        $sequence_10 = { 483bfb 7313 83c8ff 488b5c2430 488b742438 4883c420 5f }
            // n = 7, score = 300
            //   483bfb               | cmp                 rdi, rbx
            //   7313                 | jae                 +0x13
            //   83c8ff               | or                  eax, 0xffffffff
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   488b742438           | mov                 rsi, qword ptr [rsp + 0x38]
            //   4883c420             | add                 rsp, 0x20
            //   5f                   | pop                 rdi
            // Returns -1 (eax) when rdi < rbx, then the standard epilogue.

        $sequence_11 = { 4883ec30 48c740d8feffffff 48895818 48896820 498bf9 }
            // n = 5, score = 300
            //   4883ec30             | sub                 rsp, 0x30
            //   48c740d8feffffff     | mov                 qword ptr [rax - 0x28], -2
            //   48895818             | mov                 qword ptr [rax + 0x18], rbx
            //   48896820             | mov                 qword ptr [rax + 0x20], rbp
            //   498bf9               | mov                 rdi, r9
            // Same prologue shape as $sequence_9 (EH marker + home slots).

        $sequence_12 = { 4883ec30 48c740d8feffffff 48895808 48896810 48897018 488bf2 }
            // n = 6, score = 300
            //   4883ec30             | sub                 rsp, 0x30
            //   48c740d8feffffff     | mov                 qword ptr [rax - 0x28], -2
            //   48895808             | mov                 qword ptr [rax + 8], rbx
            //   48896810             | mov                 qword ptr [rax + 0x10], rbp
            //   48897018             | mov                 qword ptr [rax + 0x18], rsi
            //   488bf2               | mov                 rsi, rdx
            // Same prologue shape as $sequence_9 (EH marker + home slots).

        $sequence_13 = { 48634e04 488b4608 8b1488 eb07 }
            // n = 4, score = 300
            //   48634e04             | movsxd              rcx, dword ptr [rsi + 4]
            //   488b4608             | mov                 rax, qword ptr [rsi + 8]
            //   8b1488               | mov                 edx, dword ptr [rax + rcx*4]
            //   eb07                 | jmp                 +7
            // Indexed load: 32-bit index at [rsi+4] into a dword table at [rsi+8].

        $sequence_14 = { 4883ec30 48c7442420feffffff 48895c2440 4889742448 488bf9 813963736de0 }
            // n = 6, score = 300
            //   4883ec30             | sub                 rsp, 0x30
            //   48c7442420feffffff   | mov                 qword ptr [rsp + 0x20], -2
            //   48895c2440           | mov                 qword ptr [rsp + 0x40], rbx
            //   4889742448           | mov                 qword ptr [rsp + 0x48], rsi
            //   488bf9               | mov                 rdi, rcx
            //   813963736de0         | cmp                 dword ptr [rcx], 0xe06d7363
            // 0xE06D7363 is the MSVC C++ exception code ('msc' | 0xE0000000);
            // this is presumably CRT exception-handling code rather than
            // malware-authored logic, so expect hits on other MSVC binaries.

        $sequence_15 = { 8bc6 eb05 e8???????? 4898 4885c0 751e 483bfb }
            // n = 7, score = 300
            //   8bc6                 | mov                 eax, esi
            //   eb05                 | jmp                 +5
            //   e8????????           | call                rel32             (target wildcarded)
            //   4898                 | cdqe
            //   4885c0               | test                rax, rax
            //   751e                 | jne                 +0x1e
            //   483bfb               | cmp                 rdi, rbx
            // The call result is sign-extended and tested; the ???? keeps the
            // relocatable call displacement out of the signature.

    condition:
        // Require 7 of the 16 sequences so that the compiler/CRT-looking
        // strings alone cannot trigger the rule, and bound the file size to
        // the documented sample class.
        7 of them and filesize < 1573888
}