SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rdat (Back to overview)

RDAT

aka: GREYSTUFF

Actor(s): OilRig

There is no description at this point.

References
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
Yara Rules
[TLP:WHITE] win_rdat_auto (20211008 | Detects win.rdat.)
rule win_rdat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 450fb6c9 486344300c 4803c6 4a630c80 4533c0 }
            // n = 5, score = 300
            //   450fb6c9             | arpl                word ptr [ebx + 0x18], ax
            //   486344300c           | inc                 ebp
            //   4803c6               | movzx               ecx, cl
            //   4a630c80             | dec                 eax
            //   4533c0               | arpl                word ptr [eax + esi + 0xc], ax

        $sequence_1 = { 85c0 740b b9e8030000 ff15???????? }
            // n = 4, score = 300
            //   85c0                 | cmp                 byte ptr [edx + ebx], dh
            //   740b                 | jne                 0xfffffffd
            //   b9e8030000           | dec                 eax
            //   ff15????????         |                     

        $sequence_2 = { 488903 48894c2428 4885c9 744b }
            // n = 4, score = 300
            //   488903               | inc                 esp
            //   48894c2428           | cmp                 edx, dword ptr [ebx + 0x68]
            //   4885c9               | jl                  0x2e
            //   744b                 | inc                 esp

        $sequence_3 = { 498bcf e8???????? 48ffc3 4883fb03 }
            // n = 4, score = 300
            //   498bcf               | cmp                 dword ptr [ecx + 0x18], 0x10
            //   e8????????           |                     
            //   48ffc3               | dec                 eax
            //   4883fb03             | mov                 edi, dword ptr [ecx + 0x10]

        $sequence_4 = { 452bc4 453bc5 0f8795000000 4584c9 }
            // n = 4, score = 300
            //   452bc4               | cmp                 edx, dword ptr [ebx + 0x68]
            //   453bc5               | jl                  0x2e
            //   0f8795000000         | inc                 ebp
            //   4584c9               | and                 ebx, eax

        $sequence_5 = { 4183e601 7432 8a442440 4d8bcc 88442438 4d8bc5 8b44ac78 }
            // n = 7, score = 300
            //   4183e601             | sub                 eax, esp
            //   7432                 | inc                 ebp
            //   8a442440             | cmp                 eax, ebp
            //   4d8bcc               | ja                  0xa1
            //   88442438             | inc                 ebp
            //   4d8bc5               | test                cl, cl
            //   8b44ac78             | inc                 ebp

        $sequence_6 = { e8???????? 4898 4885c0 751e 483bfb }
            // n = 5, score = 300
            //   e8????????           |                     
            //   4898                 | test                cl, cl
            //   4885c0               | je                  0xa9
            //   751e                 | dec                 eax
            //   483bfb               | mov                 dword ptr [ebx], eax

        $sequence_7 = { 450fb6c9 450f45c8 b201 eb2b 48634318 450fb6c9 486344300c }
            // n = 7, score = 300
            //   450fb6c9             | inc                 ebp
            //   450f45c8             | movzx               ecx, cl
            //   b201                 | inc                 ebp
            //   eb2b                 | cmovne              ecx, eax
            //   48634318             | mov                 dl, 1
            //   450fb6c9             | jmp                 0x2d
            //   486344300c           | dec                 eax

        $sequence_8 = { 452b4268 49634a68 4c8b4cc8f8 7817 }
            // n = 4, score = 300
            //   452b4268             | inc                 esp
            //   49634a68             | cmp                 edx, dword ptr [ebx + 0x6c]
            //   4c8b4cc8f8           | jge                 0xfe
            //   7817                 | dec                 eax

        $sequence_9 = { 488903 488bc3 488b4c2458 4833cc e8???????? 4c8d5c2460 }
            // n = 6, score = 300
            //   488903               | sub                 eax, dword ptr [edx + 0x68]
            //   488bc3               | dec                 ecx
            //   488b4c2458           | arpl                word ptr [edx + 0x68], cx
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4c8d5c2460           | mov                 ecx, dword ptr [eax + ecx*8 - 8]

        $sequence_10 = { 4523d8 443b536c 0f8df8000000 488b4360 }
            // n = 4, score = 300
            //   4523d8               | arpl                word ptr [eax + esi + 0xc], ax
            //   443b536c             | dec                 eax
            //   0f8df8000000         | add                 eax, esi
            //   488b4360             | dec                 edx

        $sequence_11 = { 7413 4983c9ff 4533c0 488bd0 }
            // n = 4, score = 300
            //   7413                 | dec                 ebp
            //   4983c9ff             | mov                 ecx, esp
            //   4533c0               | mov                 byte ptr [esp + 0x38], al
            //   488bd0               | dec                 ebp

        $sequence_12 = { 488b09 483bfb 4c8bc3 4c0f42c7 4d85c0 7504 }
            // n = 6, score = 300
            //   488b09               | je                  0x55
            //   483bfb               | dec                 eax
            //   4c8bc3               | mov                 dword ptr [ebx], eax
            //   4c0f42c7             | dec                 eax
            //   4d85c0               | mov                 dword ptr [esp + 0x28], ecx
            //   7504                 | dec                 eax

        $sequence_13 = { 4038341a 75f7 4883791810 488b7910 7203 488b09 }
            // n = 6, score = 300
            //   4038341a             | mov                 dword ptr [esp + 0x28], ecx
            //   75f7                 | dec                 eax
            //   4883791810           | test                ecx, ecx
            //   488b7910             | je                  0x55
            //   7203                 | or                  eax, 0xffffffff
            //   488b09               | lock xadd           dword ptr [ecx + 8], eax

        $sequence_14 = { 33c9 ff15???????? 488b4c2470 ff15???????? }
            // n = 4, score = 200
            //   33c9                 | dec                 eax
            //   ff15????????         |                     
            //   488b4c2470           | cmp                 edi, ebx
            //   ff15????????         |                     

        $sequence_15 = { 488d8c2420070000 e8???????? 90 488b942420070000 }
            // n = 4, score = 100
            //   488d8c2420070000     | jae                 0x1d
            //   e8????????           |                     
            //   90                   | or                  eax, 0xffffffff
            //   488b942420070000     | dec                 eax

    condition:
        7 of them and filesize < 1573888
}
Download all Yara Rules