rule win_redalpha_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.redalpha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The per-byte disassembly annotations that the generator emitted for this
     * rule were misaligned with the hex they sat next to in most sequences
     * (e.g. `50` was labelled "jne 0x23f"; it is `push eax`). The annotations
     * below were re-derived by hand from the bytes. Sequences that carry a REX
     * prefix (0x40-0x4f) are read as x86-64, all others as 32-bit x86; the
     * encodings are identical in both modes apart from register naming.
     * Branch targets are shown as the raw signed displacement. `??` bytes are
     * wildcarded displacements/immediates (call/jmp targets, absolute
     * addresses, rip-relative import slots). Only the hex patterns are matched
     * by YARA; the annotations are a reading aid, not part of the signature.
     *
     * Some of the score-100 sequences appear to be generic compiler output
     * rather than family-specific logic: $sequence_16 and $sequence_20 set up
     * an SEH frame through fs:[0], $sequence_23 is a `mov edi, edi; push ebp;
     * mov ebp, esp` hot-patchable prologue. The `7 of them` threshold in the
     * condition is what carries the specificity; do not lower it.
     * `filesize` is only meaningful when scanning files on disk; confirm the
     * intended behaviour before applying this rule to live process memory.
     */

    strings:
        $sequence_0 = { 50 e8???????? 83c40c c0e304 0fb6c3 50 }
            // n = 6, score = 400
            //   50                 | push eax
            //   e8????????         | call <rel32>
            //   83c40c             | add esp, 0xc
            //   c0e304             | shl bl, 4
            //   0fb6c3             | movzx eax, bl
            //   50                 | push eax

        $sequence_1 = { ba00010000 488d8d00010000 ff15???????? 488b8b38010000 }
            // n = 4, score = 300  (x86-64)
            //   ba00010000         | mov edx, 0x100
            //   488d8d00010000     | lea rcx, [rbp + 0x100]
            //   ff15????????       | call qword ptr [rip + <disp32>]
            //   488b8b38010000     | mov rcx, qword ptr [rbx + 0x138]

        $sequence_2 = { 8b4508 be00100000 89475c 8b978c000000 }
            // n = 4, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   be00100000         | mov esi, 0x1000
            //   89475c             | mov dword ptr [edi + 0x5c], eax
            //   8b978c000000       | mov edx, dword ptr [edi + 0x8c]

        $sequence_3 = { 8b4508 c645fc06 85c0 753f 8d45e0 c745dcd4024300 }
            // n = 6, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   c645fc06           | mov byte ptr [ebp - 4], 6
            //   85c0               | test eax, eax
            //   753f               | jne +0x3f
            //   8d45e0             | lea eax, [ebp - 0x20]
            //   c745dcd4024300     | mov dword ptr [ebp - 0x24], 0x4302d4

        $sequence_4 = { 8b4508 c1ee04 33f1 033cb0 }
            // n = 4, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   c1ee04             | shr esi, 4
            //   33f1               | xor esi, ecx
            //   033cb0             | add edi, dword ptr [eax + esi*4]

        $sequence_5 = { 8b4508 8d4dc4 53 8b5d10 }
            // n = 4, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   8d4dc4             | lea ecx, [ebp - 0x3c]
            //   53                 | push ebx
            //   8b5d10             | mov ebx, dword ptr [ebp + 0x10]

        $sequence_6 = { 4889742420 57 4881ec30040000 33f6 }
            // n = 4, score = 300  (x86-64)
            //   4889742420         | mov qword ptr [rsp + 0x20], rsi
            //   57                 | push rdi
            //   4881ec30040000     | sub rsp, 0x430
            //   33f6               | xor esi, esi

        $sequence_7 = { 6690 39b42440040000 76b7 33d2 }
            // n = 4, score = 300
            //   6690               | nop (xchg ax, ax)
            //   39b42440040000     | cmp dword ptr [esp + 0x440], esi
            //   76b7               | jbe -0x49
            //   33d2               | xor edx, edx

        $sequence_8 = { 803831 0f8539020000 83bc248800000058 0f852b020000 4885c9 750f }
            // n = 6, score = 300  (x86-64)
            //   803831             | cmp byte ptr [rax], 0x31  ; '1'
            //   0f8539020000       | jne +0x239
            //   83bc248800000058   | cmp dword ptr [rsp + 0x88], 0x58
            //   0f852b020000       | jne +0x22b
            //   4885c9             | test rcx, rcx
            //   750f               | jne +0xf

        $sequence_9 = { 8b4508 898850030000 8b4508 59 c74048c8154400 }
            // n = 5, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   898850030000       | mov dword ptr [eax + 0x350], ecx
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   59                 | pop ecx
            //   c74048c8154400     | mov dword ptr [eax + 0x48], 0x4415c8

        $sequence_10 = { 83cdff 488bd9 4c8bfa 458bc2 4c637014 }
            // n = 5, score = 300  (x86-64)
            //   83cdff             | or ebp, 0xffffffff
            //   488bd9             | mov rbx, rcx
            //   4c8bfa             | mov r15, rdx
            //   458bc2             | mov r8d, r10d
            //   4c637014           | movsxd r14, dword ptr [rax + 0x14]

        $sequence_11 = { 4155 4156 4157 8bb994000000 448bda 448b4944 }
            // n = 6, score = 300  (x86-64)
            //   4155               | push r13
            //   4156               | push r14
            //   4157               | push r15
            //   8bb994000000       | mov edi, dword ptr [rcx + 0x94]
            //   448bda             | mov r11d, edx
            //   448b4944           | mov r9d, dword ptr [rcx + 0x44]

        $sequence_12 = { 730d 488b03 83780800 0f855dfeffff 8b8b18170000 }
            // n = 5, score = 300  (x86-64)
            //   730d               | jae +0xd
            //   488b03             | mov rax, qword ptr [rbx]
            //   83780800           | cmp dword ptr [rax + 8], 0
            //   0f855dfeffff       | jne -0x1a3
            //   8b8b18170000       | mov ecx, dword ptr [rbx + 0x1718]

        $sequence_13 = { 488b0b ff15???????? 488b0b ff15???????? ffc7 }
            // n = 5, score = 300  (x86-64)
            //   488b0b             | mov rcx, qword ptr [rbx]
            //   ff15????????       | call qword ptr [rip + <disp32>]
            //   488b0b             | mov rcx, qword ptr [rbx]
            //   ff15????????       | call qword ptr [rip + <disp32>]
            //   ffc7               | inc edi

        $sequence_14 = { 8b4508 8bc8 83e03f c1f906 6bc030 03048d30284400 }
            // n = 6, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   8bc8               | mov ecx, eax
            //   83e03f             | and eax, 0x3f
            //   c1f906             | sar ecx, 6
            //   6bc030             | imul eax, eax, 0x30
            //   03048d30284400     | add eax, dword ptr [ecx*4 + 0x442830]

        $sequence_15 = { 8b4508 8955fc 56 8bf1 57 bf01000000 85c0 }
            // n = 7, score = 300
            //   8b4508             | mov eax, dword ptr [ebp + 8]
            //   8955fc             | mov dword ptr [ebp - 4], edx
            //   56                 | push esi
            //   8bf1               | mov esi, ecx
            //   57                 | push edi
            //   bf01000000         | mov edi, 1
            //   85c0               | test eax, eax

        $sequence_16 = { 50 64892500000000 ff7108 c701???????? ff15???????? }
            // n = 5, score = 100  (SEH frame registration; likely compiler-generated)
            //   50                 | push eax
            //   64892500000000     | mov dword ptr fs:[0], esp
            //   ff7108             | push dword ptr [ecx + 8]
            //   c701????????       | mov dword ptr [ecx], <imm32>
            //   ff15????????       | call dword ptr [<addr32>]

        $sequence_17 = { 8d1c3f 53 50 51 }
            // n = 4, score = 100
            //   8d1c3f             | lea ebx, [edi + edi]
            //   53                 | push ebx
            //   50                 | push eax
            //   51                 | push ecx

        $sequence_18 = { c645fc01 8d5102 668b01 83c102 6685c0 75f5 2bca }
            // n = 7, score = 100  (inlined wide-string length loop)
            //   c645fc01           | mov byte ptr [ebp - 4], 1
            //   8d5102             | lea edx, [ecx + 2]
            //   668b01             | mov ax, word ptr [ecx]
            //   83c102             | add ecx, 2
            //   6685c0             | test ax, ax
            //   75f5               | jne -0xb
            //   2bca               | sub ecx, edx

        $sequence_19 = { 8d74242c 83c40c 33c9 8d5601 8a06 46 84c0 }
            // n = 7, score = 100
            //   8d74242c           | lea esi, [esp + 0x2c]
            //   83c40c             | add esp, 0xc
            //   33c9               | xor ecx, ecx
            //   8d5601             | lea edx, [esi + 1]
            //   8a06               | mov al, byte ptr [esi]
            //   46                 | inc esi
            //   84c0               | test al, al

        $sequence_20 = { 8945f4 8b4514 40 c745ec33374000 894df8 8945fc 64a100000000 }
            // n = 7, score = 100  (SEH frame setup; likely compiler-generated)
            //   8945f4             | mov dword ptr [ebp - 0xc], eax
            //   8b4514             | mov eax, dword ptr [ebp + 0x14]
            //   40                 | inc eax
            //   c745ec33374000     | mov dword ptr [ebp - 0x14], 0x403733
            //   894df8             | mov dword ptr [ebp - 8], ecx
            //   8945fc             | mov dword ptr [ebp - 4], eax
            //   64a100000000       | mov eax, dword ptr fs:[0]

        $sequence_21 = { 68???????? 50 ffd7 8b5d08 8d85f4fbffff 8b35???????? }
            // n = 6, score = 100
            //   68????????         | push <imm32>
            //   50                 | push eax
            //   ffd7               | call edi
            //   8b5d08             | mov ebx, dword ptr [ebp + 8]
            //   8d85f4fbffff       | lea eax, [ebp - 0x40c]
            //   8b35????????       | mov esi, dword ptr [<addr32>]

        $sequence_22 = { 50 e8???????? 8d842480140000 c74424443c000000 }
            // n = 4, score = 100
            //   50                 | push eax
            //   e8????????         | call <rel32>
            //   8d842480140000     | lea eax, [esp + 0x1480]
            //   c74424443c000000   | mov dword ptr [esp + 0x44], 0x3c

        $sequence_23 = { c3 8bff 55 8bec 8b4d08 33c0 3b0cc5a8fc4000 }
            // n = 7, score = 100  (hot-patchable function prologue; likely compiler-generated)
            //   c3                 | ret
            //   8bff               | mov edi, edi
            //   55                 | push ebp
            //   8bec               | mov ebp, esp
            //   8b4d08             | mov ecx, dword ptr [ebp + 8]
            //   33c0               | xor eax, eax
            //   3b0cc5a8fc4000     | cmp ecx, dword ptr [eax*8 + 0x40fca8]

        $sequence_24 = { ffd6 8b45a0 85c0 7403 50 ffd6 85ff }
            // n = 7, score = 100
            //   ffd6               | call esi
            //   8b45a0             | mov eax, dword ptr [ebp - 0x60]
            //   85c0               | test eax, eax
            //   7403               | je +3
            //   50                 | push eax
            //   ffd6               | call esi
            //   85ff               | test edi, edi

        $sequence_25 = { 8b4308 2bc1 51 50 ff7658 8bce e8???????? }
            // n = 7, score = 100
            //   8b4308             | mov eax, dword ptr [ebx + 8]
            //   2bc1               | sub eax, ecx
            //   51                 | push ecx
            //   50                 | push eax
            //   ff7658             | push dword ptr [esi + 0x58]
            //   8bce               | mov ecx, esi
            //   e8????????         | call <rel32>

        $sequence_26 = { 6800040000 894608 e8???????? 53 8b1d???????? }
            // n = 5, score = 100
            //   6800040000         | push 0x400
            //   894608             | mov dword ptr [esi + 8], eax
            //   e8????????         | call <rel32>
            //   53                 | push ebx
            //   8b1d????????       | mov ebx, dword ptr [<addr32>]

        $sequence_27 = { ffd3 56 ffd3 ff742428 ffd3 8b8c246c180000 8bc7 }
            // n = 7, score = 100
            //   ffd3               | call ebx
            //   56                 | push esi
            //   ffd3               | call ebx
            //   ff742428           | push dword ptr [esp + 0x28]
            //   ffd3               | call ebx
            //   8b8c246c180000     | mov ecx, dword ptr [esp + 0x186c]
            //   8bc7               | mov eax, edi

        $sequence_28 = { e8???????? 84c0 7508 83ceff e9???????? 6a00 }
            // n = 6, score = 100
            //   e8????????         | call <rel32>
            //   84c0               | test al, al
            //   7508               | jne +8
            //   83ceff             | or esi, 0xffffffff
            //   e9????????         | jmp <rel32>
            //   6a00               | push 0

        $sequence_29 = { b9???????? c745fc00000000 8d5102 6690 }
            // n = 4, score = 100
            //   b9????????         | mov ecx, <imm32>
            //   c745fc00000000     | mov dword ptr [ebp - 4], 0
            //   8d5102             | lea edx, [ecx + 2]
            //   6690               | nop (xchg ax, ax)

        $sequence_30 = { c1e902 50 f3a5 8d8574ffffff }
            // n = 4, score = 100
            //   c1e902             | shr ecx, 2
            //   50                 | push eax
            //   f3a5               | rep movsd
            //   8d8574ffffff       | lea eax, [ebp - 0x8c]

    condition:
        // 7 of 31 sequences: the threshold, not any single sequence, makes the rule
        // specific (see the review note above about generic-looking sequences).
        7 of them and filesize < 606208
}
rule win_redalpha_w0 {
    meta:
        desc = "RedAlpha 2017 Campaign, Dropper"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "cb71f3b4f08eba58857532ac90bac77d"
        md5_x64 = "1412102eda0c2e5a5a85cb193dbb1524"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Payload URLs on the campaign staging host (x86 / x64 pairs). The space
        // inside the file names is part of the observed strings; keep it verbatim.
        $drop_nethelp_x86 = "http://doc.internetdocss.com/nethelp x86.dll" ascii wide
        $drop_audio_x86   = "http://doc.internetdocss.com/audio x86.exe" ascii wide
        $drop_nethelp_x64 = "http://doc.internetdocss.com/nethelp x64.dll" ascii wide
        $drop_audio_x64   = "http://doc.internetdocss.com/audio x64.exe" ascii wide

        // Decoy / source document URLs on the same host.
        $src_word_x86 = "http://doc.internetdocss.com/word x86.exe" ascii wide
        $src_word_x64 = "http://doc.internetdocss.com/word x64.exe" ascii wide

        // On-disk locations the dropper references.
        $path_startup = "\\Programs\\Startup\\audio.exe" ascii wide
        $path_nethelp = "c:\\Windows\\nethelp.dll" ascii wide

        // svchost-hosted service registration artefacts (ServiceDll under
        // Services\<name>\Parameters plus the svchost group key). The first
        // five are common to any svchost service DLL installer; only the last
        // two carry the family's service name, so they are not used alone.
        $persist_svchost_key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\svchost" ascii wide
        $persist_svchost_cmd = "%SystemRoot%\\system32\\svchost.exe -k " ascii wide
        $persist_services    = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
        $persist_parameters  = "Parameters" ascii wide
        $persist_servicedll  = "ServiceDll" ascii wide
        $persist_name        = "NetHelp" ascii wide
        $persist_display     = "Windows Internet Help" ascii wide

    condition:
        // Any single URL or path is sufficient; the registry strings need six of
        // seven present, so at least one of the two family-specific names is
        // always required before this branch can fire.
        any of ($drop_*, $src_*, $path_*) or 6 of ($persist_*)
}
rule win_redalpha_w1 {
    meta:
        desc = "RedAlpha 2017 Campaign, NetHelp Drop"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "42256b4753724f7feb411bc9912155fd"
        md5_x86 = "6d1d6987d0677f40e473befab121ab1b"
        md5_x64 = "8f0fe2620f8dadf93eee285834e35655"
        md5_x64 = "cd32ce54ed94dfbde7fb85930a16597d"
        md5_x64_striker = "6dd1be1e491d5bf9cd14686c185c3009"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hard-coded HTTP POST request template. The User-Agent has a stray
        // space in "Chrome /53.0" and the Content-Length line is a printf-style
        // format string ("%d"); both are reproduced exactly as observed and
        // must not be "corrected".
        $hdr_request_line   = "POST /index.html HTTP/1.1" ascii wide
        $hdr_host           = "Host: index.ackques.com" ascii wide
        $hdr_user_agent     = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" ascii wide
        $hdr_accept         = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*" ascii wide
        $hdr_accept_lang    = "Accept-Language: en-US;q=0.5,en;q=0.3" ascii wide
        $hdr_accept_enc     = "Accept-Encoding: gzip, deflate" ascii wide
        $hdr_content_type   = "Content-Type: application/x-www-form-urlencoded" ascii wide
        $hdr_content_length = "Content-Length: %d" ascii wide
        $hdr_connection     = "Connection: keep-alive" ascii wide
        $hdr_upgrade        = "Upgrade-Insecure-Requests: 1" ascii wide

        // C2 hostnames. Note that any one of these alone triggers the rule, so
        // threat-intel documents, proxy logs or browser caches that merely
        // mention a hostname will also match.
        $c2_ackques  = "index.ackques.com" ascii wide
        $c2_hktechy  = "www.hktechy.com" ascii wide
        $c2_striker  = "striker.internetdocss.com" ascii wide

        // Service-DLL identity: display name, export and internal module name.
        // "ServiceMain" and "Client.dll" are generic on their own, which is why
        // all three are required together.
        $svc_display = "Windows Internet Help" ascii wide
        $svc_module  = "Client.dll" ascii wide
        $svc_export  = "ServiceMain" ascii wide

    condition:
        all of ($hdr_*) or any of ($c2_*) or all of ($svc_*)
}
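rule win_redalpha_w2 {
    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        tlp = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5 = "e6c0ac26b473d1e0fa9f74fdf1d01af8"
        md5 = "e28db08b2326a34958f00d68dfb034b0"
        md5 = "c94a39d58450b81087b4f1f5fd304add"
        md5 = "3a2b1a98c0a31ed32759f48df34b4bc8"
        desc = "RedAlpha Dropper"
        version = "1.0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Request URL prefix on the campaign staging host (same host as the
        // payload URLs in win_redalpha_w0). The original rule matched ASCII
        // only; `wide` is added so a UTF-16LE copy of the same URL is caught
        // too, consistent with the other win_redalpha_* rules. This is a pure
        // superset of the previous behaviour.
        $cnc = "http://doc.internetdocss.com/index?" ascii wide

    condition:
        // Single-string rule: a hit means the literal URL prefix is present,
        // which is a strong indicator but will also fire on documents that
        // quote it (reports, IOC lists).
        $cnc
}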