SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rdat (Back to overview)

RDAT

aka: GREYSTUFF

Actor(s): OilRig


There is no description at this point.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
Yara Rules
[TLP:WHITE] win_rdat_auto (20230715 | Detects win.rdat.)
rule win_rdat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883c450 415e 5f 5e c3 4057 }
            // n = 6, score = 300
            //   4883c450             | test                eax, eax
            //   415e                 | jne                 0x25
            //   5f                   | dec                 eax
            //   5e                   | cmp                 edi, ebx
            //   c3                   | jne                 0xfffffff9
            //   4057                 | dec                 eax

        $sequence_1 = { 4883cbff 6690 48ffc3 4038341a 75f7 4883791810 488b7910 }
            // n = 7, score = 300
            //   4883cbff             | dec                 eax
            //   6690                 | or                  ebx, 0xffffffff
            //   48ffc3               | nop                 
            //   4038341a             | dec                 eax
            //   75f7                 | inc                 ebx
            //   4883791810           | inc                 eax
            //   488b7910             | cmp                 byte ptr [edx + ebx], dh

        $sequence_2 = { 488911 488bd1 4c894108 498bc9 e8???????? }
            // n = 5, score = 300
            //   488911               | cmovb               eax, edi
            //   488bd1               | dec                 esp
            //   4c894108             | mov                 eax, ebx
            //   498bc9               | dec                 esp
            //   e8????????           |                     

        $sequence_3 = { 85c0 740b b9e8030000 ff15???????? }
            // n = 4, score = 300
            //   85c0                 | jae                 0x1d
            //   740b                 | or                  eax, 0xffffffff
            //   b9e8030000           | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 4c8bc3 4c0f42c7 4d85c0 7504 8bc6 eb05 e8???????? }
            // n = 7, score = 300
            //   4c8bc3               | dec                 eax
            //   4c0f42c7             | mov                 edi, dword ptr [ecx + 0x10]
            //   4d85c0               | dec                 eax
            //   7504                 | mov                 edi, dword ptr [ecx + 0x10]
            //   8bc6                 | jb                  5
            //   eb05                 | dec                 eax
            //   e8????????           |                     

        $sequence_5 = { 4584c9 0f849a000000 f6431440 7519 }
            // n = 4, score = 300
            //   4584c9               | dec                 eax
            //   0f849a000000         | cmp                 edi, ebx
            //   f6431440             | dec                 eax
            //   7519                 | cwde                

        $sequence_6 = { 4584c9 744e 84d2 744a }
            // n = 4, score = 300
            //   4584c9               | dec                 esp
            //   744e                 | cmovb               eax, edi
            //   84d2                 | dec                 ebp
            //   744a                 | test                eax, eax

        $sequence_7 = { 4898 4885c0 751e 483bfb 7313 }
            // n = 5, score = 300
            //   4898                 | inc                 eax
            //   4885c0               | cmp                 byte ptr [edx + ebx], dh
            //   751e                 | jne                 0
            //   483bfb               | dec                 eax
            //   7313                 | cmp                 dword ptr [ecx + 0x18], 0x10

        $sequence_8 = { 488b7910 7203 488b09 483bfb 4c8bc3 4c0f42c7 4d85c0 }
            // n = 7, score = 300
            //   488b7910             | dec                 eax
            //   7203                 | cwde                
            //   488b09               | dec                 eax
            //   483bfb               | test                eax, eax
            //   4c8bc3               | jne                 0x25
            //   4c0f42c7             | dec                 eax
            //   4d85c0               | cmp                 edi, ebx

        $sequence_9 = { 4883c450 415e c3 4883ec28 4885c9 7422 }
            // n = 6, score = 300
            //   4883c450             | cmp                 edi, ebx
            //   415e                 | dec                 eax
            //   c3                   | inc                 ebx
            //   4883ec28             | inc                 eax
            //   4885c9               | cmp                 byte ptr [edx + ebx], dh
            //   7422                 | jne                 0xfffffffd

        $sequence_10 = { 4584e4 7505 4585f6 7476 448bc6 41b9feffffff 442bc0 }
            // n = 7, score = 300
            //   4584e4               | mov                 eax, ebx
            //   7505                 | dec                 esp
            //   4585f6               | cmovb               eax, edi
            //   7476                 | dec                 ebp
            //   448bc6               | test                eax, eax
            //   41b9feffffff         | jne                 0x13
            //   442bc0               | jne                 0xfffffff9

        $sequence_11 = { 4584c9 740a 4885ed 7405 }
            // n = 4, score = 300
            //   4584c9               | cmp                 edi, ebx
            //   740a                 | dec                 esp
            //   4885ed               | mov                 eax, ebx
            //   7405                 | dec                 esp

        $sequence_12 = { 4584e4 0f84a5000000 8b8310010000 33ff }
            // n = 4, score = 300
            //   4584e4               | mov                 edi, dword ptr [ecx + 0x10]
            //   0f84a5000000         | jmp                 7
            //   8b8310010000         | dec                 eax
            //   33ff                 | cwde                

        $sequence_13 = { 488d8a50000000 e9???????? 488d8a50030000 e9???????? 488d8a90020000 e9???????? }
            // n = 6, score = 100
            //   488d8a50000000       | dec                 eax
            //   e9????????           |                     
            //   488d8a50030000       | mov                 ecx, dword ptr [ecx]
            //   e9????????           |                     
            //   488d8a90020000       | dec                 eax
            //   e9????????           |                     

        $sequence_14 = { c3 488d0df3e00100 e8???????? cc }
            // n = 4, score = 100
            //   c3                   | mov                 eax, ebx
            //   488d0df3e00100       | dec                 esp
            //   e8????????           |                     
            //   cc                   | cmovb               eax, edi

        $sequence_15 = { e8???????? 90 4c8d842470020000 488bd0 488d8c24b0030000 e8???????? 90 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   4c8d842470020000     | cmp                 dword ptr [ecx + 0x18], 0x10
            //   488bd0               | dec                 eax
            //   488d8c24b0030000     | mov                 edi, dword ptr [ecx + 0x10]
            //   e8????????           |                     
            //   90                   | jb                  0xe

    condition:
        7 of them and filesize < 1573888
}
Download all Yara Rules