SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rdat (Back to overview)

RDAT

aka: GREYSTUFF

Actor(s): OilRig


There is no description at this point.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
Yara Rules
[TLP:WHITE] win_rdat_auto (20220808 | Detects win.rdat.)
rule win_rdat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4898 4885c0 751e 483bfb 7313 83c8ff 488b5c2430 }
            // n = 7, score = 300
            //   4898                 | cmp                 dword ptr [ecx + 0x18], 0x10
            //   4885c0               | dec                 eax
            //   751e                 | mov                 edi, dword ptr [ecx + 0x10]
            //   483bfb               | jb                  0xe
            //   7313                 | inc                 eax
            //   83c8ff               | cmp                 byte ptr [edx + ebx], dh
            //   488b5c2430           | jne                 0xfffffffd

        $sequence_1 = { 4863ed 4885ed 0f8ed8000000 8b54b430 }
            // n = 4, score = 300
            //   4863ed               | dec                 esp
            //   4885ed               | cmovb               eax, edi
            //   0f8ed8000000         | dec                 ebp
            //   8b54b430             | test                eax, eax

        $sequence_2 = { 453b7e44 0f8c9ffeffff 488b5c2440 408ac5 }
            // n = 4, score = 300
            //   453b7e44             | dec                 eax
            //   0f8c9ffeffff         | cmp                 edi, ebx
            //   488b5c2440           | dec                 esp
            //   408ac5               | mov                 eax, ebx

        $sequence_3 = { 4c8bc3 4c0f42c7 4d85c0 7504 8bc6 eb05 e8???????? }
            // n = 7, score = 300
            //   4c8bc3               | jb                  5
            //   4c0f42c7             | dec                 eax
            //   4d85c0               | mov                 ecx, dword ptr [ecx]
            //   7504                 | dec                 eax
            //   8bc6                 | cmp                 edi, ebx
            //   eb05                 | dec                 esp
            //   e8????????           |                     

        $sequence_4 = { 453b426c 7d46 498b4260 453b4268 }
            // n = 4, score = 300
            //   453b426c             | jne                 0x23
            //   7d46                 | dec                 eax
            //   498b4260             | cmp                 edi, ebx
            //   453b4268             | jae                 0x18

        $sequence_5 = { 488b7910 7203 488b09 483bfb 4c8bc3 4c0f42c7 }
            // n = 6, score = 300
            //   488b7910             | mov                 edi, dword ptr [ecx + 0x10]
            //   7203                 | jb                  9
            //   488b09               | dec                 eax
            //   483bfb               | mov                 ecx, dword ptr [ecx]
            //   4c8bc3               | dec                 eax
            //   4c0f42c7             | mov                 edi, dword ptr [ecx + 0x10]

        $sequence_6 = { 453b4268 7c1f 452b4268 49634a68 4c8b4cc8f8 7817 418d4801 }
            // n = 7, score = 300
            //   453b4268             | cmp                 edi, ebx
            //   7c1f                 | dec                 esp
            //   452b4268             | mov                 eax, ebx
            //   49634a68             | dec                 esp
            //   4c8b4cc8f8           | cmovb               eax, edi
            //   7817                 | dec                 eax
            //   418d4801             | test                eax, eax

        $sequence_7 = { 453bc4 7358 e9???????? f6421403 }
            // n = 4, score = 300
            //   453bc4               | dec                 eax
            //   7358                 | cwde                
            //   e9????????           |                     
            //   f6421403             | dec                 eax

        $sequence_8 = { 453bc6 7733 41f6421440 750f }
            // n = 4, score = 300
            //   453bc6               | dec                 eax
            //   7733                 | cmp                 edi, ebx
            //   41f6421440           | dec                 esp
            //   750f                 | mov                 eax, ebx

        $sequence_9 = { 85c0 740b b9e8030000 ff15???????? }
            // n = 4, score = 300
            //   85c0                 | mov                 eax, ebx
            //   740b                 | dec                 esp
            //   b9e8030000           | cmovb               eax, edi
            //   ff15????????         |                     

        $sequence_10 = { 4038341a 75f7 4883791810 488b7910 7203 488b09 }
            // n = 6, score = 300
            //   4038341a             | inc                 eax
            //   75f7                 | cmp                 byte ptr [edx + ebx], dh
            //   4883791810           | jne                 0xfffffff9
            //   488b7910             | dec                 eax
            //   7203                 | cmp                 dword ptr [ecx + 0x18], 0x10
            //   488b09               | dec                 eax

        $sequence_11 = { 4863d8 48c1e305 f30fe6db 4803d9 }
            // n = 4, score = 300
            //   4863d8               | dec                 eax
            //   48c1e305             | cmp                 edi, ebx
            //   f30fe6db             | dec                 eax
            //   4803d9               | cmp                 edi, ebx

        $sequence_12 = { 453bc5 0f8795000000 4584c9 0f849a000000 }
            // n = 4, score = 300
            //   453bc5               | mov                 ecx, dword ptr [ecx]
            //   0f8795000000         | dec                 eax
            //   4584c9               | cmp                 dword ptr [ecx + 0x18], 0x10
            //   0f849a000000         | dec                 eax

        $sequence_13 = { e8???????? 85c0 7510 41bc03000000 4489642430 e9???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   7510                 | cmovb               eax, edi
            //   41bc03000000         | dec                 ebp
            //   4489642430           | test                eax, eax
            //   e9????????           |                     

        $sequence_14 = { 488d442468 488b4c2468 488b5580 4883fa10 480f43c1 4c2bc0 }
            // n = 6, score = 100
            //   488d442468           | dec                 eax
            //   488b4c2468           | cwde                
            //   488b5580             | dec                 eax
            //   4883fa10             | test                eax, eax
            //   480f43c1             | jne                 0x20
            //   4c2bc0               | dec                 eax

        $sequence_15 = { 33f6 0f1f00 ba32000000 488b4da0 ff15???????? }
            // n = 5, score = 100
            //   33f6                 | dec                 eax
            //   0f1f00               | cmp                 edi, ebx
            //   ba32000000           | dec                 esp
            //   488b4da0             | mov                 eax, ebx
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1573888
}
Download all Yara Rules