SYMBOLCOMMON_NAMEaka. SYNONYMS
win.redalpha (Back to overview)

RedAlpha


There is no description at this point.

References
2018-06-26Recorded FutureJuan Andrés Guerrero-Saade, Sanil Chohan
@online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
RedAlpha RedAlpha
Yara Rules
[TLP:WHITE] win_redalpha_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_redalpha_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 50 e8???????? 83c40c c0e304 }
            // n = 5, score = 400
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c0e304               | shl                 bl, 4

        $sequence_1 = { 83c40c b8???????? 5f 5e 5b }
            // n = 5, score = 400
            //   83c40c               | add                 esp, 0xc
            //   b8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_2 = { e8???????? 83c40c c0e304 0fb6c3 50 68???????? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c0e304               | shl                 bl, 4
            //   0fb6c3               | movzx               eax, bl
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_3 = { c1e904 0bca 83e13f 0fb689d0c24300 }
            // n = 4, score = 300
            //   c1e904               | shr                 ecx, 4
            //   0bca                 | or                  ecx, edx
            //   83e13f               | and                 ecx, 0x3f
            //   0fb689d0c24300       | movzx               ecx, byte ptr [ecx + 0x43c2d0]

        $sequence_4 = { 33c0 394214 0f95c0 89421c }
            // n = 4, score = 300
            //   33c0                 | xor                 eax, eax
            //   394214               | cmp                 dword ptr [edx + 0x14], eax
            //   0f95c0               | setne               al
            //   89421c               | mov                 dword ptr [edx + 0x1c], eax

        $sequence_5 = { 03f7 8d463f 3bc5 72ea 418bd6 eb03 418bf6 }
            // n = 7, score = 300
            //   03f7                 | mov                 ebp, 0x78
            //   8d463f               | sub                 ebp, edx
            //   3bc5                 | dec                 eax
            //   72ea                 | mov                 eax, dword ptr [esp + 0x60]
            //   418bd6               | dec                 eax
            //   eb03                 | mov                 dword ptr [edi + 0x40], eax
            //   418bf6               | dec                 eax

        $sequence_6 = { 8d8391d386eb 488b9c2488000000 41f7d0 440bc1 4433c2 4403442424 }
            // n = 6, score = 300
            //   8d8391d386eb         | lea                 eax, [ebx - 0x14792c6f]
            //   488b9c2488000000     | dec                 eax
            //   41f7d0               | mov                 ebx, dword ptr [esp + 0x88]
            //   440bc1               | inc                 ecx
            //   4433c2               | not                 eax
            //   4403442424           | inc                 esp

        $sequence_7 = { 488d4004 c1e208 0bd1 0fb648fb }
            // n = 4, score = 300
            //   488d4004             | or                  eax, ecx
            //   c1e208               | inc                 esp
            //   0bd1                 | xor                 eax, edx
            //   0fb648fb             | inc                 esp

        $sequence_8 = { 8945f8 83fe10 72a6 3b7508 7355 8d46f0 }
            // n = 6, score = 300
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   83fe10               | cmp                 esi, 0x10
            //   72a6                 | jb                  0xffffffa8
            //   3b7508               | cmp                 esi, dword ptr [ebp + 8]
            //   7355                 | jae                 0x57
            //   8d46f0               | lea                 eax, [esi - 0x10]

        $sequence_9 = { ff15???????? e9???????? 488b442460 48894740 488b442468 48894748 c6859801000082 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   e9????????           |                     
            //   488b442460           | dec                 eax
            //   48894740             | test                ecx, ecx
            //   488b442468           | je                  0x24
            //   48894748             | cmp                 edx, 0x38
            //   c6859801000082       | jb                  0xa

        $sequence_10 = { 57 660f1f440000 33db c745fc04000000 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   33db                 | xor                 ebx, ebx
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4

        $sequence_11 = { 8b4310 2bc1 3bc6 730c 4885c9 741b }
            // n = 6, score = 300
            //   8b4310               | add                 eax, dword ptr [esp + 0x24]
            //   2bc1                 | dec                 eax
            //   3bc6                 | lea                 eax, [eax + 4]
            //   730c                 | shl                 edx, 8
            //   4885c9               | or                  edx, ecx
            //   741b                 | movzx               ecx, byte ptr [eax - 5]

        $sequence_12 = { eb0f 8bf2 c1fe04 ffc6 83fa30 }
            // n = 5, score = 300
            //   eb0f                 | mov                 eax, dword ptr [esp + 0x68]
            //   8bf2                 | dec                 eax
            //   c1fe04               | mov                 dword ptr [edi + 0x48], eax
            //   ffc6                 | mov                 byte ptr [ebp + 0x198], 0x82
            //   83fa30               | add                 esi, edi

        $sequence_13 = { 740a 8b0b 8b4314 015330 }
            // n = 4, score = 300
            //   740a                 | je                  0xc
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   015330               | add                 dword ptr [ebx + 0x30], edx

        $sequence_14 = { 83fa38 7205 bd78000000 2bea }
            // n = 4, score = 300
            //   83fa38               | mov                 eax, dword ptr [ebx + 0x10]
            //   7205                 | sub                 eax, ecx
            //   bd78000000           | cmp                 eax, esi
            //   2bea                 | jae                 0x10

        $sequence_15 = { 448bc6 4803d0 4c2bc0 8bcd 4c2bc3 4d03c4 0f1f8000000000 }
            // n = 7, score = 300
            //   448bc6               | lea                 eax, [esi + 0x3f]
            //   4803d0               | cmp                 eax, ebp
            //   4c2bc0               | jb                  0xffffffee
            //   8bcd                 | inc                 ecx
            //   4c2bc3               | mov                 edx, esi
            //   4d03c4               | jmp                 0xc
            //   0f1f8000000000       | inc                 ecx

        $sequence_16 = { 6bc830 8b049530744100 f644082801 7414 8d4508 8945fc 8d45fc }
            // n = 7, score = 100
            //   6bc830               | mov                 edi, dword ptr [ebx + 0x28]
            //   8b049530744100       | cmp                 eax, 1
            //   f644082801           | jne                 0x2c
            //   7414                 | sar                 ecx, 6
            //   8d4508               | imul                esi, eax, 0x30
            //   8945fc               | add                 esi, dword ptr [ecx*4 + 0x417430]
            //   8d45fc               | cmp                 dword ptr [esi + 0x18], -1

        $sequence_17 = { 8d8570feffff 0f57c0 6a00 50 0f1145b8 e8???????? }
            // n = 6, score = 100
            //   8d8570feffff         | shl                 bl, 4
            //   0f57c0               | movzx               eax, bl
            //   6a00                 | push                eax
            //   50                   | add                 esp, 0xc
            //   0f1145b8             | shl                 bl, 4
            //   e8????????           |                     

        $sequence_18 = { 8a906c544000 6683bc96760a000000 7506 48 83f803 }
            // n = 5, score = 100
            //   8a906c544000         | movzx               eax, bl
            //   6683bc96760a000000     | push    eax
            //   7506                 | push                eax
            //   48                   | add                 esp, 0xc
            //   83f803               | shl                 bl, 4

        $sequence_19 = { f20f59db 660f282d???????? 660f59f5 660f28aaa02f4100 660f54e5 660f58fe 660f58fc }
            // n = 7, score = 100
            //   f20f59db             | jae                 0x5c
            //   660f282d????????     |                     
            //   660f59f5             | lea                 eax, [esi - 0x10]
            //   660f28aaa02f4100     | jne                 0x4b
            //   660f54e5             | mov                 ecx, dword ptr [ebx]
            //   660f58fe             | mov                 eax, 0x111
            //   660f58fc             | push                edi

        $sequence_20 = { ffd7 8b4df0 8d85a4fdffff 83c410 }
            // n = 4, score = 100
            //   ffd7                 | push                eax
            //   8b4df0               | add                 esp, 0xc
            //   8d85a4fdffff         | shl                 bl, 4
            //   83c410               | movzx               eax, bl

        $sequence_21 = { ba???????? b9???????? e8???????? 83f801 7527 e8???????? }
            // n = 6, score = 100
            //   ba????????           |                     
            //   b9????????           |                     
            //   e8????????           |                     
            //   83f801               | push                edi
            //   7527                 | nop                 word ptr [eax + eax]
            //   e8????????           |                     

        $sequence_22 = { c1f906 6bf030 03348d30744100 837e18ff 740c 837e18fe 7406 }
            // n = 7, score = 100
            //   c1f906               | xor                 ebx, ebx
            //   6bf030               | mov                 dword ptr [ebp - 4], 4
            //   03348d30744100       | xor                 eax, eax
            //   837e18ff             | cmp                 dword ptr [edx + 0x14], eax
            //   740c                 | setne               al
            //   837e18fe             | mov                 dword ptr [edx + 0x1c], eax
            //   7406                 | shr                 ecx, 4

        $sequence_23 = { c745dc03000000 eb7c c745e040314100 ebbb d9e8 8b4510 dd18 }
            // n = 7, score = 100
            //   c745dc03000000       | je                  0x19
            //   eb7c                 | cmp                 dword ptr [esi + 0x18], -2
            //   c745e040314100       | je                  0x19
            //   ebbb                 | lea                 ecx, [esi + 0xc]
            //   d9e8                 | push                6
            //   8b4510               | lea                 edx, [eax + 0x41605c]
            //   dd18                 | pop                 edi

        $sequence_24 = { ff742414 8bf8 6a00 57 }
            // n = 4, score = 100
            //   ff742414             | mov                 ax, word ptr [edx]
            //   8bf8                 | lea                 edx, [edx + 2]
            //   6a00                 | mov                 word ptr [ecx], ax
            //   57                   | mulsd               xmm3, xmm3

        $sequence_25 = { 7791 ff248518ed4000 83ed03 c70301000000 8bcd 83e107 }
            // n = 6, score = 100
            //   7791                 | movzx               eax, bl
            //   ff248518ed4000       | push                eax
            //   83ed03               | push                eax
            //   c70301000000         | add                 esp, 0xc
            //   8bcd                 | shl                 bl, 4
            //   83e107               | movzx               eax, bl

        $sequence_26 = { 8d4e0c 6a06 8d905c604100 5f 668b02 8d5202 668901 }
            // n = 7, score = 100
            //   8d4e0c               | or                  ecx, edx
            //   6a06                 | and                 ecx, 0x3f
            //   8d905c604100         | movzx               ecx, byte ptr [ecx + 0x43c2d0]
            //   5f                   | mov                 dword ptr [ebp - 8], eax
            //   668b02               | cmp                 esi, 0x10
            //   8d5202               | jb                  0xffffffa8
            //   668901               | cmp                 esi, dword ptr [ebp + 8]

        $sequence_27 = { 57 897c2428 e8???????? 83c410 8d442424 50 ff742414 }
            // n = 7, score = 100
            //   57                   | mulpd               xmm6, xmm5
            //   897c2428             | movapd              xmm5, xmmword ptr [edx + 0x412fa0]
            //   e8????????           |                     
            //   83c410               | andpd               xmm4, xmm5
            //   8d442424             | addpd               xmm7, xmm6
            //   50                   | addpd               xmm7, xmm4
            //   ff742414             | imul                ecx, eax, 0x30

        $sequence_28 = { c707???????? 399f509d0000 7624 8db710010000 }
            // n = 4, score = 100
            //   c707????????         |                     
            //   399f509d0000         | push                eax
            //   7624                 | add                 esp, 0xc
            //   8db710010000         | shl                 bl, 4

    condition:
        7 of them and filesize < 606208
}
[TLP:WHITE] win_redalpha_w0   (20180706 | No description)
rule win_redalpha_w0 {
    meta:
        desc = "RedAlpha 2017 Campaign, Dropper"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "cb71f3b4f08eba58857532ac90bac77d"
        md5_x64 = "1412102eda0c2e5a5a85cb193dbb1524"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $drops1 = "http://doc.internetdocss.com/nethelp x86.dll" ascii wide
        $drops2 = "http://doc.internetdocss.com/audio x86.exe" ascii wide
        $drops3 = "http://doc.internetdocss.com/nethelp x64.dll" ascii wide
        $drops4 = "http://doc.internetdocss.com/audio x64.exe" ascii wide
        $source1 = "http://doc.internetdocss.com/word x86.exe" ascii wide
        $source2 = "http://doc.internetdocss.com/word x64.exe" ascii wide 
        $path1 = "\\Programs\\Startup\\audio.exe" ascii wide
        $path2 = "c:\\Windows\\nethelp.dll" ascii wide
        $persistence1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\svchost" ascii wide
        $persistence2 = "%SystemRoot%\\system32\\svchost.exe -k " ascii wide
        $persistence3 = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
        $persistence4 = "Parameters" ascii wide
        $persistence5 = "ServiceDll" ascii wide
        $persistence6 = "NetHelp" ascii wide
        $persistence7 = "Windows Internet Help" ascii wide
    condition:
    ( any of ($drops*) or any of ($source*) or any of ($path*) or 6 of ($persistence*) )
}
[TLP:WHITE] win_redalpha_w1   (20180706 | No description)
rule win_redalpha_w1 {
    meta:
        desc = "RedAlpha 2017 Campaign, NetHelp Drop"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "42256b4753724f7feb411bc9912155fd"
        md5_x86 = "6d1d6987d0677f40e473befab121ab1b"
        md5_x64 = "8f0fe2620f8dadf93eee285834e35655"
        md5_x64 = "cd32ce54ed94dfbde7fb85930a16597d"
        md5_x64_striker = "6dd1be1e491d5bf9cd14686c185c3009"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $postreq1 = "POST /index.html HTTP/1.1" ascii wide
        $postreq2 = "Host: index.ackques.com" ascii wide
        $postreq3 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" ascii wide
        $postreq4 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*" ascii wide
        $postreq5 = "Accept-Language: en-US;q=0.5,en;q=0.3" ascii wide
        $postreq6 = "Accept-Encoding: gzip, deflate" ascii wide
        $postreq7 = "Content-Type: application/x-www-form-urlencoded" ascii wide
        $postreq8 = "Content-Length: %d" ascii wide
        $postreq9 = "Connection: keep-alive" ascii wide
        $postreq10 = "Upgrade-Insecure-Requests: 1" ascii wide
        $cnc1 = "index.ackques.com" ascii wide
        $cnc2 = "www.hktechy.com" ascii wide
        $cnc3 = "striker.internetdocss.com" ascii wide
        $service1 = "Windows Internet Help" ascii wide
        $service2 = "Client.dll" ascii wide
        $service3 = "ServiceMain" ascii wide
    condition:
    ( all of ($postreq*) or any of ($cnc*) or all of ($service*) )
}
[TLP:WHITE] win_redalpha_w2   (20180706 | No description)
rule win_redalpha_w2 {
    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        tlp = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5 = "e6c0ac26b473d1e0fa9f74fdf1d01af8"
        md5 = "e28db08b2326a34958f00d68dfb034b0"
        md5 = "c94a39d58450b81087b4f1f5fd304add"
        md5 = "3a2b1a98c0a31ed32759f48df34b4bc8"
        desc = "RedAlpha Dropper"
        version = "1.0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cnc = "http://doc.internetdocss.com/index?"
    condition:
        all of them
}
Download all Yara Rules