SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rdat (Back to overview)

RDAT

aka: GREYSTUFF

Actor(s): OilRig


There is no description at this point.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
Yara Rules
[TLP:WHITE] win_rdat_auto (20230125 | Detects win.rdat.)
rule win_rdat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b09 483bfb 4c8bc3 4c0f42c7 }
            // n = 4, score = 300
            //   488b09               | dec                 eax
            //   483bfb               | mov                 ecx, dword ptr [ecx]
            //   4c8bc3               | dec                 eax
            //   4c0f42c7             | cmp                 edi, ebx

        $sequence_1 = { 4c8bc3 4c0f42c7 4d85c0 7504 }
            // n = 4, score = 300
            //   4c8bc3               | dec                 eax
            //   4c0f42c7             | inc                 ebx
            //   4d85c0               | inc                 eax
            //   7504                 | cmp                 byte ptr [edx + ebx], dh

        $sequence_2 = { 037750 48837b0800 757a 33c0 f04c0fb16b08 7570 }
            // n = 6, score = 300
            //   037750               | jb                  0x10
            //   48837b0800           | dec                 eax
            //   757a                 | mov                 ecx, dword ptr [ecx]
            //   33c0                 | dec                 eax
            //   f04c0fb16b08         | cmp                 edi, ebx
            //   7570                 | jne                 0xfffffff9

        $sequence_3 = { 0f8584000000 488b4f30 ff15???????? 90 }
            // n = 4, score = 300
            //   0f8584000000         | dec                 eax
            //   488b4f30             | cmp                 edi, ebx
            //   ff15????????         |                     
            //   90                   | jae                 0x1a

        $sequence_4 = { 0f8795000000 4584c9 0f849a000000 f6431440 }
            // n = 4, score = 300
            //   0f8795000000         | dec                 eax
            //   4584c9               | cmp                 dword ptr [ecx + 0x18], 0x10
            //   0f849a000000         | dec                 eax
            //   f6431440             | mov                 edi, dword ptr [ecx + 0x10]

        $sequence_5 = { 4883ec20 33db 408aea 488bf9 408af3 448d7301 }
            // n = 6, score = 300
            //   4883ec20             | dec                 esp
            //   33db                 | mov                 eax, ebx
            //   408aea               | dec                 esp
            //   488bf9               | cmovb               eax, edi
            //   408af3               | dec                 eax
            //   448d7301             | cmp                 edi, ebx

        $sequence_6 = { e8???????? 4898 4885c0 751e 483bfb 7313 83c8ff }
            // n = 7, score = 300
            //   e8????????           |                     
            //   4898                 | mov                 edi, dword ptr [ecx + 0x10]
            //   4885c0               | jb                  5
            //   751e                 | dec                 eax
            //   483bfb               | mov                 ecx, dword ptr [ecx]
            //   7313                 | dec                 eax
            //   83c8ff               | cwde                

        $sequence_7 = { 85c0 740b b9e8030000 ff15???????? }
            // n = 4, score = 300
            //   85c0                 | dec                 esp
            //   740b                 | cmovb               eax, edi
            //   b9e8030000           | dec                 ebp
            //   ff15????????         |                     

        $sequence_8 = { 4038341a 75f7 4883791810 488b7910 7203 488b09 }
            // n = 6, score = 300
            //   4038341a             | inc                 eax
            //   75f7                 | cmp                 byte ptr [edx + ebx], dh
            //   4883791810           | jne                 0xfffffff9
            //   488b7910             | dec                 eax
            //   7203                 | cmp                 dword ptr [ecx + 0x18], 0x10
            //   488b09               | dec                 eax

        $sequence_9 = { 4803d6 412bc4 413bc5 764a }
            // n = 4, score = 300
            //   4803d6               | cmovb               eax, edi
            //   412bc4               | dec                 ebp
            //   413bc5               | test                eax, eax
            //   764a                 | jne                 0x13

        $sequence_10 = { 2405 4c0f44f2 eb03 4533c0 ffc7 4983c704 3b7c2470 }
            // n = 7, score = 300
            //   2405                 | inc                 eax
            //   4c0f44f2             | cmp                 byte ptr [edx + ebx], dh
            //   eb03                 | jne                 0xfffffff9
            //   4533c0               | dec                 eax
            //   ffc7                 | cmp                 dword ptr [ecx + 0x18], 0x10
            //   4983c704             | dec                 eax
            //   3b7c2470             | mov                 edi, dword ptr [ecx + 0x10]

        $sequence_11 = { 4803d9 f20f5ed8 395314 7412 }
            // n = 4, score = 300
            //   4803d9               | dec                 eax
            //   f20f5ed8             | cwde                
            //   395314               | dec                 eax
            //   7412                 | test                eax, eax

        $sequence_12 = { 4803d1 48634308 4803c2 4885ed }
            // n = 4, score = 300
            //   4803d1               | dec                 eax
            //   48634308             | mov                 edi, dword ptr [ecx + 0x10]
            //   4803c2               | jb                  5
            //   4885ed               | dec                 eax

        $sequence_13 = { 488b4c2468 ff15???????? 85c0 0f8474060000 8b44245c 85c0 }
            // n = 6, score = 100
            //   488b4c2468           | mov                 ebx, dword ptr [esp + 0x30]
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   0f8474060000         | mov                 edi, dword ptr [ecx + 0x10]
            //   8b44245c             | jb                  5
            //   85c0                 | dec                 eax

        $sequence_14 = { ff15???????? 488d15571a0100 483305???????? 488bcb 488905???????? ff15???????? 488d15511a0100 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d15571a0100       | je                  0xd
            //   483305????????       |                     
            //   488bcb               | mov                 ecx, 0x3e8
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15511a0100       | dec                 eax

        $sequence_15 = { 4883ec20 4883610800 488d05123c0100 c6411000 488901 488b12 488bd9 }
            // n = 7, score = 100
            //   4883ec20             | test                eax, eax
            //   4883610800           | jne                 0x20
            //   488d05123c0100       | dec                 eax
            //   c6411000             | cmp                 edi, ebx
            //   488901               | jae                 0x1a
            //   488b12               | or                  eax, 0xffffffff
            //   488bd9               | dec                 eax

    condition:
        7 of them and filesize < 1573888
}
Download all Yara Rules