win.redalpha

RedAlpha


There is no description at this point.

References
2018-06-26Recorded FutureJuan Andrés Guerrero-Saade, Sanil Chohan
@online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Yara Rules
[TLP:WHITE] win_redalpha_auto (20220808 | Detects win.redalpha.)
rule win_redalpha_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.redalpha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added by hand, not produced by yara-signator)
     * - The hex byte patterns under `strings:` are the authoritative content of
     *   this rule. The per-line disassembly annotations next to them are NOT
     *   reliable: several are attached to the wrong bytes. Example: in
     *   $sequence_0 the bytes `50` / `83c40c` / `c0e304` / `0fb6c3` decode to
     *   push eax / add esp, 0xc / shl bl, 4 / movzx eax, bl, yet they are
     *   annotated "and eax, edx", "mov ecx, edx", ...; those four decodes
     *   instead appear beside unrelated bytes in $sequence_6. Do not use the
     *   annotations to reason about what the matched code does.
     * - `??` in a hex string matches any byte. Here the wildcards cover the
     *   rel32 / disp32 / imm32 operands of call (e8), jmp (e9), push imm32
     *   (68), mov edi,[disp32] (8b3d) and call [disp32] (ff15), which makes
     *   the patterns independent of load address and call targets.
     * - Sequences whose bytes begin with 41/44/45/49 (e.g. $sequence_2,
     *   $sequence_7, $sequence_8, $sequence_10, $sequence_11) are annotated
     *   as 32-bit inc/dec, but in 64-bit code those bytes are REX prefixes.
     *   They look like they were extracted from an x64 build -- confirm
     *   before treating them as 32-bit evidence.
     * - Per the disclaimer the patterns come from memory dumps and unpacked
     *   files; packed samples on disk are expected to miss unless the rule
     *   is run against unpacked or in-memory content.
     */

    strings:
        $sequence_0 = { 50 e8???????? 83c40c c0e304 0fb6c3 }
            // n = 5, score = 400
            //   50                   | and                 eax, edx
            //   e8????????           |                     
            //   83c40c               | mov                 ecx, edx
            //   c0e304               | add                 ecx, dword ptr [esp]
            //   0fb6c3               | add                 edx, ecx

        $sequence_1 = { c0e304 0fb6c3 50 68???????? }
            // n = 4, score = 400
            //   c0e304               | rol                 edx, 7
            //   0fb6c3               | inc                 ecx
            //   50                   | add                 edx, edx
            //   68????????           |                     

        $sequence_2 = { 030c24 03d1 c1c207 4103d2 }
            // n = 4, score = 300
            //   030c24               | add                 ebx, edx
            //   03d1                 | inc                 ecx
            //   c1c207               | mov                 eax, ebx
            //   4103d2               | inc                 ecx

        $sequence_3 = { 01839c000000 8b839c000000 448b8b0c170000 4103c1 83f803 0f82a7000000 }
            // n = 6, score = 300
            //   01839c000000         | jb                  0x71
            //   8b839c000000         | test                esi, esi
            //   448b8b0c170000       | je                  0x38
            //   4103c1               | add                 dword ptr [ebx + 0x9c], eax
            //   83f803               | mov                 eax, dword ptr [ebx + 0x9c]
            //   0f82a7000000         | inc                 esp

        $sequence_4 = { 8b3d???????? eb96 8b8b48010000 e8???????? }
            // n = 4, score = 300
            //   8b3d????????         |                     
            //   eb96                 | add                 esp, 0xc
            //   8b8b48010000         | shl                 bl, 4
            //   e8????????           |                     

        $sequence_5 = { 014314 8bf7 2bf2 3bee 726f }
            // n = 5, score = 300
            //   014314               | inc                 ebp
            //   8bf7                 | test                eax, eax
            //   2bf2                 | je                  0x11a
            //   3bee                 | add                 dword ptr [ebx + 0x14], eax
            //   726f                 | mov                 esi, edi

        $sequence_6 = { 8b3d???????? 8d4594 50 56 ffd7 }
            // n = 5, score = 300
            //   8b3d????????         |                     
            //   8d4594               | add                 esp, 0xc
            //   50                   | shl                 bl, 4
            //   56                   | movzx               eax, bl
            //   ffd7                 | push                eax

        $sequence_7 = { 030424 4403d8 41c1c30b 4503da }
            // n = 4, score = 300
            //   030424               | inc                 esp
            //   4403d8               | mov                 edx, dword ptr [ebx + 0x94]
            //   41c1c30b             | add                 dword ptr [ebx + 0x9c], eax
            //   4503da               | lea                 eax, [ecx - 2]

        $sequence_8 = { 030c24 4403d1 418bc8 f7d1 41c1ca0c }
            // n = 5, score = 300
            //   030c24               | inc                 esp
            //   4403d1               | lea                 ecx, [ecx + 0x432aff97]
            //   418bc8               | add                 edx, eax
            //   f7d1                 | inc                 ecx
            //   41c1ca0c             | lea                 ecx, [edx - 0x546bdc59]

        $sequence_9 = { 8b3d???????? 8bd8 895dc4 85db }
            // n = 4, score = 300
            //   8b3d????????         |                     
            //   8bd8                 | shl                 bl, 4
            //   895dc4               | movzx               eax, bl
            //   85db                 | push                eax

        $sequence_10 = { 4403c8 4983eb01 0f8514ffffff 4585c0 0f8414010000 }
            // n = 5, score = 300
            //   4403c8               | inc                 esp
            //   4983eb01             | add                 ecx, eax
            //   0f8514ffffff         | dec                 ecx
            //   4585c0               | sub                 ebx, 1
            //   0f8414010000         | jne                 0xffffff1a

        $sequence_11 = { 030424 448d8997ff2a43 03d0 418d8aa72394ab }
            // n = 4, score = 300
            //   030424               | rol                 ebx, 0xb
            //   448d8997ff2a43       | inc                 ebp
            //   03d0                 | add                 ebx, edx
            //   418d8aa72394ab       | inc                 ecx

        $sequence_12 = { 8b3d???????? ffd7 ffb548f7ffff ffd7 }
            // n = 4, score = 300
            //   8b3d????????         |                     
            //   ffd7                 | mov                 dword ptr [ebp - 8], ebx
            //   ffb548f7ffff         | mov                 ecx, dword ptr [ebx + 0x13c]
            //   ffd7                 | lea                 esi, [ebx + 0x140]

        $sequence_13 = { 01839c000000 8d41fe 8983a0000000 0f1f4000 }
            // n = 4, score = 300
            //   01839c000000         | inc                 esp
            //   8d41fe               | mov                 ecx, dword ptr [ebx + 0x170c]
            //   8983a0000000         | inc                 ecx
            //   0f1f4000             | add                 eax, ecx

        $sequence_14 = { 8b3d???????? e9???????? 8b45fc 8d8b44010000 }
            // n = 4, score = 300
            //   8b3d????????         |                     
            //   e9????????           |                     
            //   8b45fc               | add                 esp, 0xc
            //   8d8b44010000         | shl                 bl, 4

        $sequence_15 = { 8b3d???????? 895df8 8b8b3c010000 8db340010000 33c0 }
            // n = 5, score = 300
            //   8b3d????????         |                     
            //   895df8               | push                0x20
            //   8b8b3c010000         | lea                 eax, [ebp - 0x8c]
            //   8db340010000         | push                eax
            //   33c0                 | je                  0xffffffd4

        $sequence_16 = { 6a20 8d8574ffffff 50 68???????? e8???????? }
            // n = 5, score = 100
            //   6a20                 | movzx               eax, bl
            //   8d8574ffffff         | push                eax
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_17 = { ebc6 c745e048314100 e9???????? c745e050314100 e9???????? c745e058314100 e9???????? }
            // n = 7, score = 100
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e048314100       | mov                 dword ptr [ebp - 0x20], 0x413148
            //   e9????????           |                     
            //   c745e050314100       | mov                 dword ptr [ebp - 0x20], 0x413150
            //   e9????????           |                     
            //   c745e058314100       | mov                 dword ptr [ebp - 0x20], 0x413158
            //   e9????????           |                     

        $sequence_18 = { 8d85f0fdffff 50 6a0b 6a00 ff15???????? }
            // n = 5, score = 100
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   6a0b                 | push                0xb
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_19 = { 33ff 8bc7 8bcf 83e03f c1f906 6bf030 03348d30744100 }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   8bc7                 | mov                 eax, edi
            //   8bcf                 | mov                 ecx, edi
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf030               | imul                esi, eax, 0x30
            //   03348d30744100       | add                 esi, dword ptr [ecx*4 + 0x417430]

        $sequence_20 = { 8d87a4000000 50 ff15???????? ffb7ac000000 ff15???????? ffb7b0000000 }
            // n = 6, score = 100
            //   8d87a4000000         | add                 esp, 0xc
            //   50                   | shl                 bl, 4
            //   ff15????????         |                     
            //   ffb7ac000000         | movzx               eax, bl
            //   ff15????????         |                     
            //   ffb7b0000000         | shl                 bl, 4

        $sequence_21 = { 895728 395724 7507 c74724c0ee4000 }
            // n = 4, score = 100
            //   895728               | dec                 eax
            //   395724               | mov                 dword ptr [edi + ecx*8 + 0x120], ebx
            //   7507                 | inc                 dword ptr [edi + 0x139a0]
            //   c74724c0ee4000       | dec                 eax

        $sequence_22 = { 8d8df4fdffff c7461407000000 668906 8d5102 0f1f440000 668b01 83c102 }
            // n = 7, score = 100
            //   8d8df4fdffff         | lea                 ecx, [ebp - 0x20c]
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   668906               | mov                 word ptr [esi], ax
            //   8d5102               | lea                 edx, [ecx + 2]
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   668b01               | mov                 ax, word ptr [ecx]
            //   83c102               | add                 ecx, 2

        $sequence_23 = { 394610 0f82cb000000 894610 837e1408 721a }
            // n = 5, score = 100
            //   394610               | cmp                 dword ptr [esi + 0x10], eax
            //   0f82cb000000         | jb                  0xd1
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   721a                 | jb                  0x1c

        $sequence_24 = { 8bd8 85db 0f8436010000 57 57 57 }
            // n = 6, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f8436010000         | je                  0x13c
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi

        $sequence_25 = { 8bcf 83e73f c1f906 6bd730 8b0c8d30744100 c644112800 }
            // n = 6, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   83e73f               | and                 edi, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bd730               | imul                edx, edi, 0x30
            //   8b0c8d30744100       | mov                 ecx, dword ptr [ecx*4 + 0x417430]
            //   c644112800           | mov                 byte ptr [ecx + edx + 0x28], 0

        $sequence_26 = { 83f8ff 7423 57 8d4c2428 51 ff742418 ff742424 }
            // n = 7, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   7423                 | je                  0x25
            //   57                   | push                edi
            //   8d4c2428             | lea                 ecx, [esp + 0x28]
            //   51                   | push                ecx
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   ff742424             | push                dword ptr [esp + 0x24]

        $sequence_27 = { c645fc01 8d8d14feffff c78514feffff5cb84000 c78524feffff00000000 e8???????? }
            // n = 5, score = 100
            //   c645fc01             | mov                 ebx, dword ptr [esp + 0x80]
            //   8d8d14feffff         | jae                 0x2b
            //   c78514feffff5cb84000     | movzx    eax, byte ptr [esi + 1]
            //   c78524feffff00000000     | dec    eax
            //   e8????????           |                     

        $sequence_28 = { 55 8bec b8182a0000 e8???????? 53 8b5d08 56 }
            // n = 7, score = 100
            //   55                   | inc                 esi
            //   8bec                 | inc                 ecx
            //   b8182a0000           | mov                 ecx, ebx
            //   e8????????           |                     
            //   53                   | inc                 ecx
            //   8b5d08               | add                 ebx, 8
            //   56                   | push                eax

        $sequence_29 = { 74d2 6690 837dfc00 76ca }
            // n = 4, score = 100
            //   74d2                 | add                 esp, 0xc
            //   6690                 | shl                 bl, 4
            //   837dfc00             | movzx               eax, bl
            //   76ca                 | add                 esp, 0xc

    condition:
        // At least 7 of the 30 sequences ($sequence_0 .. $sequence_29) must hit,
        // AND the scanned object must be smaller than 606208 bytes (592 KiB).
        // The size cap is a hard gate: a sample padded or repacked above it
        // will not match no matter how many sequences are present.
        7 of them and filesize < 606208
}
[TLP:WHITE] win_redalpha_w0   (20180706 | No description)
rule win_redalpha_w0 {
    // RedAlpha 2017 campaign dropper (per `desc`). Three independent triggers:
    // payload download URLs, on-disk drop paths, and svchost-service
    // persistence artifacts. See the per-group comments below and the
    // condition for how they combine.
    meta:
        desc = "RedAlpha 2017 Campaign, Dropper"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        // One reference sample hash per architecture.
        md5_x86 = "cb71f3b4f08eba58857532ac90bac77d"
        md5_x64 = "1412102eda0c2e5a5a85cb193dbb1524"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Payload download URLs embedded in the dropper (x86 and x64 variants
        // of "nethelp" and "audio"). The space before "x86"/"x64" is part of
        // the literal, so a percent-encoded form of the same URL would NOT
        // match. `ascii wide` matches both ASCII and UTF-16LE encodings.
        $drops1 = "http://doc.internetdocss.com/nethelp x86.dll" ascii wide
        $drops2 = "http://doc.internetdocss.com/audio x86.exe" ascii wide
        $drops3 = "http://doc.internetdocss.com/nethelp x64.dll" ascii wide
        $drops4 = "http://doc.internetdocss.com/audio x64.exe" ascii wide
        // Further download URLs ("word x86/x64.exe") on the same host.
        $source1 = "http://doc.internetdocss.com/word x86.exe" ascii wide
        $source2 = "http://doc.internetdocss.com/word x64.exe" ascii wide 
        // Where the payloads are written: the per-user Startup folder
        // (autostart on logon) and a fixed path under c:\Windows.
        $path1 = "\\Programs\\Startup\\audio.exe" ascii wide
        $path2 = "c:\\Windows\\nethelp.dll" ascii wide
        // Artifacts of registering the DLL as an svchost-hosted service: the
        // svchost group list key, the "svchost.exe -k" command line, and the
        // pieces of the Services\<name>\Parameters\ServiceDll path, plus the
        // names "NetHelp" / "Windows Internet Help".
        // $persistence1..$persistence5 are generic to ANY svchost-hosted
        // service and also occur in legitimate installers; they only carry
        // weight in combination (see condition).
        $persistence1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\svchost" ascii wide
        $persistence2 = "%SystemRoot%\\system32\\svchost.exe -k " ascii wide
        $persistence3 = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
        $persistence4 = "Parameters" ascii wide
        $persistence5 = "ServiceDll" ascii wide
        $persistence6 = "NetHelp" ascii wide
        $persistence7 = "Windows Internet Help" ascii wide
    condition:
    // Any single URL or drop-path string is treated as specific enough on its
    // own. The persistence group needs 6 of its 7 strings; with only 7 strings
    // that means at most one may be missing, so at least one of the two
    // campaign-specific names ($persistence6 / $persistence7) must be present
    // for this branch to fire.
    ( any of ($drops*) or any of ($source*) or any of ($path*) or 6 of ($persistence*) )
}
[TLP:WHITE] win_redalpha_w1   (20180706 | No description)
rule win_redalpha_w1 {
    // RedAlpha 2017 campaign, "NetHelp" component (per `desc`; the DLL name
    // also appears as a drop path in win_redalpha_w0). Triggers on the
    // hardcoded C2 request template, on any C2 host name, or on the
    // service-DLL strings.
    meta:
        desc = "RedAlpha 2017 Campaign, NetHelp Drop"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        // NOTE(review): md5_x86 and md5_x64 each appear twice. YARA accepts
        // duplicate meta identifiers, but tooling that loads meta into a
        // dictionary (e.g. yara-python's rule.meta) keeps only the last value
        // per key, so the first hash of each pair is invisible there. Read
        // the rule text, not the parsed meta, when collecting all hashes.
        md5_x86 = "42256b4753724f7feb411bc9912155fd"
        md5_x86 = "6d1d6987d0677f40e473befab121ab1b"
        md5_x64 = "8f0fe2620f8dadf93eee285834e35655"
        md5_x64 = "cd32ce54ed94dfbde7fb85930a16597d"
        md5_x64_striker = "6dd1be1e491d5bf9cd14686c185c3009"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Hardcoded HTTP POST request template, one header per string.
        // "Content-Length: %d" is a printf-style placeholder, which suggests
        // the template is filled in at runtime. The User-Agent contains a
        // space in "Chrome /53.0"; it is matched literally, so do not "fix" it.
        $postreq1 = "POST /index.html HTTP/1.1" ascii wide
        $postreq2 = "Host: index.ackques.com" ascii wide
        $postreq3 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" ascii wide
        $postreq4 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*" ascii wide
        $postreq5 = "Accept-Language: en-US;q=0.5,en;q=0.3" ascii wide
        $postreq6 = "Accept-Encoding: gzip, deflate" ascii wide
        $postreq7 = "Content-Type: application/x-www-form-urlencoded" ascii wide
        $postreq8 = "Content-Length: %d" ascii wide
        $postreq9 = "Connection: keep-alive" ascii wide
        $postreq10 = "Upgrade-Insecure-Requests: 1" ascii wide
        // C2 host names. Any ONE of these alone satisfies the condition, so a
        // file that merely mentions a domain (report, blocklist, sandbox log)
        // will match; scope the rule to PE files or require a second group if
        // that causes noise in your environment.
        $cnc1 = "index.ackques.com" ascii wide
        $cnc2 = "www.hktechy.com" ascii wide
        $cnc3 = "striker.internetdocss.com" ascii wide
        // Service-DLL strings: the service name, the DLL file name, and
        // "ServiceMain", the conventional export of svchost-hosted service DLLs.
        $service1 = "Windows Internet Help" ascii wide
        $service2 = "Client.dll" ascii wide
        $service3 = "ServiceMain" ascii wide
    condition:
    // Strict branch: all 10 request-template strings (a single changed header
    // defeats it). Loose branch: any one C2 domain. Medium branch: all three
    // service strings together.
    ( all of ($postreq*) or any of ($cnc*) or all of ($service*) )
}
[TLP:WHITE] win_redalpha_w2   (20180706 | No description)
rule win_redalpha_w2 {
    // RedAlpha dropper (per `desc`): single-string rule keyed on the C2 URL
    // prefix.
    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        tlp = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        // NOTE(review): `md5` appears four times. YARA allows duplicate meta
        // identifiers, but dictionary-based consumers (e.g. yara-python's
        // rule.meta) keep only the last value, so three of these hashes are
        // lost there; collect them from the rule text instead.
        md5 = "e6c0ac26b473d1e0fa9f74fdf1d01af8"
        md5 = "e28db08b2326a34958f00d68dfb034b0"
        md5 = "c94a39d58450b81087b4f1f5fd304add"
        md5 = "3a2b1a98c0a31ed32759f48df34b4bc8"
        desc = "RedAlpha Dropper"
        version = "1.0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // No `wide` modifier, so this matches ASCII only (YARA's default); a
        // UTF-16 copy of the URL would not match. The trailing "index?" is
        // part of the literal.
        $cnc = "http://doc.internetdocss.com/index?"
    condition:
        // "all of them" here means this single string. Any file containing
        // the URL text matches (documents, logs, other rule files), not only
        // PE droppers; add a PE header check (e.g. uint16(0) == 0x5A4D) if
        // that is unwanted.
        all of them
}