There is no description at this point.
rule win_redalpha_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.redalpha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading guide (reviewer notes):
     *  - Only the hex bytes inside { } are matched. `??` masks one byte, so
     *    e8????????, ff15???????? and 8b3d???????? match a call / indirect call /
     *    mov-from-absolute-address with any 4-byte operand, i.e. the rel32 or
     *    absolute address is wildcarded and the match is relocation-independent.
     *  - `n` is the number of opcode groups in the sequence; `score` is
     *    presumably the generator's ranking of the sequence (not documented
     *    here, do not treat it as a confidence value).
     *  - The `| mnemonic` annotations after each byte group are informational
     *    only and several of them appear shifted relative to the bytes they sit
     *    next to (e.g. in $sequence_4, 8b4004 decodes as mov eax, [eax+4], not
     *    mov ecx, esi). Sequences carrying REX prefixes (0x40-0x4f:
     *    $sequence_2, _3, _8 .. _12, _14) come from an x64 build and look as
     *    if they were annotated by a 32-bit disassembler ("dec eax", "inc ecx");
     *    decode the bytes yourself before reasoning about them.
     *  - The rule mixes x86 and x64 sequences; a hit therefore needs 7 of 31
     *    sequences from whichever architecture the scanned file is, plus the
     *    size bound in the condition. Expect memory dumps / unpacked files
     *    rather than packed droppers to match (see disclaimer above).
     */

    strings:
        $sequence_0 = { e8???????? 83c40c c0e304 0fb6c3 50 }
            // n = 5, score = 400
            //   e8????????           |
            //   83c40c               | add esp, 0xc
            //   c0e304               | shl bl, 4
            //   0fb6c3               | movzx eax, bl
            //   50                   | push eax

        $sequence_1 = { 8b3e 8bce e8???????? 8b4df8 }
            // n = 4, score = 300
            //   8b3e                 | movzx eax, byte ptr [edi]
            //   8bce                 | movzx ecx, byte ptr [edi + 1]
            //   e8????????           |
            //   8b4df8               | xor ecx, dword ptr [esi + eax*4 + 0x60]

        $sequence_2 = { 4585c0 7417 0f1f4000 410fb602 4d8d5201 03c8 }
            // n = 6, score = 300
            //   4585c0               | add edx, eax
            //   7417                 | dec eax
            //   0f1f4000             | mov ecx, ebx
            //   410fb602             | inc edx
            //   4d8d5201             | cmp byte ptr [eax + eax], 0
            //   03c8                 | jne 0xfffffffd

        $sequence_3 = { 443bd3 7d0b 6645019489a40a0000 eb33 }
            // n = 4, score = 300
            //   443bd3               | mov edx, dword ptr [eax + 0x10]
            //   7d0b                 | inc ecx
            //   6645019489a40a0000   | movzx eax, byte ptr [ecx + edx]
            //   eb33                 | inc ecx

        $sequence_4 = { 8b4004 c74408e840d24300 8b41e8 8b5004 }
            // n = 4, score = 300
            //   8b4004               | mov ecx, esi
            //   c74408e840d24300     | mov ecx, dword ptr [ebp - 8]
            //   8b41e8               | sub edi, dword ptr [esi]
            //   8b5004               | mov edi, dword ptr [esi]

        $sequence_5 = { 8b3d???????? eb96 8b8b48010000 e8???????? 8bce e8???????? 8b7e04 }
            // n = 7, score = 300
            //   8b3d????????         |
            //   eb96                 | add esp, 0xc
            //   8b8b48010000         | shl bl, 4
            //   e8????????           |
            //   8bce                 | movzx eax, bl
            //   e8????????           |
            //   8b7e04               | push eax

        $sequence_6 = { 8b3f ff750c 53 6aff }
            // n = 4, score = 300
            //   8b3f                 | mov edi, dword ptr [esi]
            //   ff750c               | mov ecx, ebx
            //   53                   | shr eax, cl
            //   6aff                 | and eax, 1

        $sequence_7 = { 8b3e 897df4 0fb607 0fb64f01 }
            // n = 4, score = 300
            //   8b3e                 | movzx eax, bl
            //   897df4               | push eax
            //   0fb607               | shl bl, 4
            //   0fb64f01             | movzx eax, bl

        $sequence_8 = { 42803c0000 75f6 49ffc0 488d4f0d 488d542450 }
            // n = 5, score = 300
            //   42803c0000           | inc bp
            //   75f6                 | add dword ptr [ecx + ecx*4 + 0xaa4], edx
            //   49ffc0               | jmp 0x43
            //   488d4f0d             | inc esp
            //   488d542450           | lea ecx, [eax + 0x58]

        $sequence_9 = { e8???????? 488d043b 4d63c4 488d8dea020000 }
            // n = 4, score = 300
            //   e8????????           |
            //   488d043b             | dec eax
            //   4d63c4               | lea eax, [ebx + edi]
            //   488d8dea020000       | dec ebp

        $sequence_10 = { 498d4505 894208 d3e5 ffcd 23dd }
            // n = 5, score = 300
            //   498d4505             | test eax, eax
            //   894208               | jne 0x5e
            //   d3e5                 | dec eax
            //   ffcd                 | lea edx, [esp + 0x58]
            //   23dd                 | dec eax

        $sequence_11 = { 488b4b10 488b5010 410fb60411 41880408 ff4328 ff4338 }
            // n = 6, score = 300
            //   488b4b10             | arpl sp, ax
            //   488b5010             | dec eax
            //   410fb60411           | lea ecx, [ebp + 0x2ea]
            //   41880408             | dec eax
            //   ff4328               | mov ecx, dword ptr [ebx + 0x10]
            //   ff4338               | dec eax

        $sequence_12 = { 448d4858 e8???????? 85c0 7556 }
            // n = 4, score = 300
            //   448d4858             | mov byte ptr [eax + ecx], al
            //   e8????????           |
            //   85c0                 | inc dword ptr [ebx + 0x28]
            //   7556                 | inc dword ptr [ebx + 0x38]

        $sequence_13 = { 8b3e 8bcb d3e8 83e001 895d08 }
            // n = 5, score = 300
            //   8b3e                 | movzx eax, byte ptr [edi]
            //   8bcb                 | movzx ecx, byte ptr [edi + 1]
            //   d3e8                 | movzx edi, byte ptr [edi + 2]
            //   83e001               | mov edi, dword ptr [esi]
            //   895d08               | mov dword ptr [ebp - 0xc], edi

        $sequence_14 = { 488d542458 4803d0 488bcb e8???????? }
            // n = 4, score = 300
            //   488d542458           | inc esp
            //   4803d0               | cmp edx, ebx
            //   488bcb               | jge 0x10
            //   e8????????           |

        $sequence_15 = { 8b3d???????? ffd7 ffb548f7ffff ffd7 }
            // n = 4, score = 300
            //   8b3d????????         |
            //   ffd7                 | add esp, 0xc
            //   ffb548f7ffff         | shl bl, 4
            //   ffd7                 | push eax

        $sequence_16 = { 50 e8???????? 83c418 c785f0fdffff00000000 8d85f0fdffff 50 6a0b }
            // n = 7, score = 100
            //   50                   | inc ebp
            //   e8????????           |
            //   83c418               | test eax, eax
            //   c785f0fdffff00000000 | je 0x1c
            //   8d85f0fdffff         | nop dword ptr [eax]
            //   50                   | inc ecx
            //   6a0b                 | movzx eax, byte ptr [edx]

        $sequence_17 = { 0f8413050000 8b3c8d8c864000 85ff 755d 33c0 89859cf6ffff 89855cfcffff }
            // n = 7, score = 100
            //   0f8413050000         | je 0x519
            //   8b3c8d8c864000       | mov edi, dword ptr [ecx*4 + 0x40868c]
            //   85ff                 | test edi, edi
            //   755d                 | jne 0x5f
            //   33c0                 | xor eax, eax
            //   89859cf6ffff         | mov dword ptr [ebp - 0x964], eax
            //   89855cfcffff         | mov dword ptr [ebp - 0x3a4], eax

        $sequence_18 = { c3 55 8bec 81ec04010000 56 68cf010040 6a00 }
            // n = 7, score = 100
            //   c3                   | ret
            //   55                   | push ebp
            //   8bec                 | mov ebp, esp
            //   81ec04010000         | sub esp, 0x104
            //   56                   | push esi
            //   68cf010040           | push 0x400001cf
            //   6a00                 | push 0

        $sequence_19 = { 8d7608 660fd60f 8d7f08 8b048d74e84000 }
            // n = 4, score = 100
            //   8d7608               | push ebx
            //   660fd60f             | push esi
            //   8d7f08               | mov eax, dword ptr [eax*4 + 0x417430]
            //   8b048d74e84000       | xor ebx, ebx

        $sequence_20 = { 50 8d45f4 64a300000000 683f000f00 }
            // n = 4, score = 100
            //   50                   | shl ecx, 0x10
            //   8d45f4               | inc esp
            //   64a300000000         | or ecx, ecx
            //   683f000f00           | inc ecx

        $sequence_21 = { 897c2428 e8???????? 83c410 8d442424 50 }
            // n = 5, score = 100
            //   897c2428             | push eax
            //   e8????????           |
            //   83c410               | add esp, 0x18
            //   8d442424             | mov dword ptr [ebp - 0x210], 0
            //   50                   | lea eax, [ebp - 0x210]

        $sequence_22 = { 50 e8???????? 6aff c645fc01 ff75dc }
            // n = 5, score = 100
            //   50                   | push eax
            //   e8????????           |
            //   6aff                 | push -1
            //   c645fc01             | mov byte ptr [ebp - 4], 1
            //   ff75dc               | push dword ptr [ebp - 0x24]

        $sequence_23 = { 8b5df4 8bf7 8b4b04 85c9 0f85f2000000 33c0 }
            // n = 6, score = 100
            //   8b5df4               | mov ebx, dword ptr [ebp - 0xc]
            //   8bf7                 | mov esi, edi
            //   8b4b04               | mov ecx, dword ptr [ebx + 4]
            //   85c9                 | test ecx, ecx
            //   0f85f2000000         | jne 0xf8
            //   33c0                 | xor eax, eax

        $sequence_24 = { 7605 e8???????? 8b4f14 8bf0 }
            // n = 4, score = 100
            //   7605                 | dec ebp
            //   e8????????           |
            //   8b4f14               | lea edx, [edx + 1]
            //   8bf0                 | add ecx, eax

        $sequence_25 = { e8???????? 83f801 7512 68d0070000 ff15???????? e8???????? eb39 }
            // n = 7, score = 100
            //   e8????????           |
            //   83f801               | mov eax, ecx
            //   7512                 | sar eax, 6
            //   68d0070000           | and ecx, 0x3f
            //   ff15????????         |
            //   e8????????           |
            //   eb39                 | imul ecx, ecx, 0x30

        $sequence_26 = { 7512 8b04bd30744100 807c302900 7504 }
            // n = 4, score = 100
            //   7512                 | jb 0x299
            //   8b04bd30744100       | inc ecx
            //   807c302900           | add ecx, 0xffff000f
            //   7504                 | inc ecx

        $sequence_27 = { 8b8fbc000000 52 ff7730 8b01 ff5004 ff75ec }
            // n = 6, score = 100
            //   8b8fbc000000         | mov ecx, dword ptr [edi + 0xbc]
            //   52                   | push edx
            //   ff7730               | push dword ptr [edi + 0x30]
            //   8b01                 | mov eax, dword ptr [ecx]
            //   ff5004               | call dword ptr [eax + 4]
            //   ff75ec               | push dword ptr [ebp - 0x14]

        $sequence_28 = { c1f806 83e13f 6bc930 53 56 8b048530744100 33db }
            // n = 7, score = 100
            //   c1f806               | lea edx, [esp + 0x50]
            //   83e13f               | dec ecx
            //   6bc930               | lea eax, [ebp + 5]
            //   53                   | mov dword ptr [edx + 8], eax
            //   56                   | shl ebp, cl
            //   8b048530744100       | dec ebp
            //   33db                 | and ebx, ebp

        $sequence_29 = { 89b8bc000000 ff15???????? 894708 ff7518 8b4514 }
            // n = 5, score = 100
            //   89b8bc000000         | mov dword ptr [eax + 0xbc], edi
            //   ff15????????         |
            //   894708               | mov dword ptr [edi + 8], eax
            //   ff7518               | push dword ptr [ebp + 0x18]
            //   8b4514               | mov eax, dword ptr [ebp + 0x14]

        $sequence_30 = { 6bc830 894de0 8b049d581f4000 0fb6440828 83e001 7469 }
            // n = 6, score = 100
            //   6bc830               | imul ecx, eax, 0x30
            //   894de0               | mov dword ptr [ebp - 0x20], ecx
            //   8b049d581f4000       | mov eax, dword ptr [ebx*4 + 0x401f58]
            //   0fb6440828           | movzx eax, byte ptr [eax + ecx + 0x28]
            //   83e001               | and eax, 1
            //   7469                 | je 0x6b

    condition:
        // At least 7 of the 31 code sequences, and a file-size ceiling that
        // keeps the rule from being run against large unrelated binaries.
        7 of them and filesize < 606208
}
rule win_redalpha_w0 {

    meta:
        desc = "RedAlpha 2017 Campaign, Dropper"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "cb71f3b4f08eba58857532ac90bac77d"
        md5_x64 = "1412102eda0c2e5a5a85cb193dbb1524"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Payload download URLs embedded in the dropper, one pair per architecture.
        // All strings are declared `ascii wide` so both narrow and UTF-16LE
        // copies in the binary are covered.
        $drops1 = "http://doc.internetdocss.com/nethelp x86.dll" ascii wide
        $drops2 = "http://doc.internetdocss.com/audio x86.exe" ascii wide
        $drops3 = "http://doc.internetdocss.com/nethelp x64.dll" ascii wide
        $drops4 = "http://doc.internetdocss.com/audio x64.exe" ascii wide

        // URLs of the "word" executables (same host as the drops above)
        $source1 = "http://doc.internetdocss.com/word x86.exe" ascii wide
        $source2 = "http://doc.internetdocss.com/word x64.exe" ascii wide

        // On-disk locations the dropper writes to: a Startup-folder copy and
        // a DLL placed directly under the Windows directory
        $path1 = "\\Programs\\Startup\\audio.exe" ascii wide
        $path2 = "c:\\Windows\\nethelp.dll" ascii wide

        // Strings consistent with registering a svchost-hosted service.
        // $persistence1..5 are generic Windows service-registration strings and
        // will appear in plenty of legitimate installers; $persistence6/7 are the
        // campaign-specific service and display names.
        $persistence1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\svchost" ascii wide
        $persistence2 = "%SystemRoot%\\system32\\svchost.exe -k " ascii wide
        $persistence3 = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
        $persistence4 = "Parameters" ascii wide
        $persistence5 = "ServiceDll" ascii wide
        $persistence6 = "NetHelp" ascii wide
        $persistence7 = "Windows Internet Help" ascii wide

    condition:
        // Any single URL or file path is enough on its own. The persistence
        // branch needs 6 of 7, which means at most one string may be missing,
        // so at least one of the campaign-specific names ($persistence6/7) is
        // always part of a match through that branch.
        any of ($drops*, $source*, $path*) or 6 of ($persistence*)
}
rule win_redalpha_w1 {

    meta:
        desc = "RedAlpha 2017 Campaign, NetHelp Drop"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5_x86 = "42256b4753724f7feb411bc9912155fd"
        md5_x86 = "6d1d6987d0677f40e473befab121ab1b"
        md5_x64 = "8f0fe2620f8dadf93eee285834e35655"
        md5_x64 = "cd32ce54ed94dfbde7fb85930a16597d"
        md5_x64_striker = "6dd1be1e491d5bf9cd14686c185c3009"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // The hard-coded HTTP POST template, one header per string. These are
        // the literals as they sit in the binary: $postreq8 still carries the
        // printf placeholder `%d`, and $postreq3 contains "Chrome /53.0" with a
        // space (presumably copied from the sample verbatim; keep as-is).
        $postreq1 = "POST /index.html HTTP/1.1" ascii wide
        $postreq2 = "Host: index.ackques.com" ascii wide
        $postreq3 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" ascii wide
        $postreq4 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*" ascii wide
        $postreq5 = "Accept-Language: en-US;q=0.5,en;q=0.3" ascii wide
        $postreq6 = "Accept-Encoding: gzip, deflate" ascii wide
        $postreq7 = "Content-Type: application/x-www-form-urlencoded" ascii wide
        $postreq8 = "Content-Length: %d" ascii wide
        $postreq9 = "Connection: keep-alive" ascii wide
        $postreq10 = "Upgrade-Insecure-Requests: 1" ascii wide

        // Command-and-control hostnames
        $cnc1 = "index.ackques.com" ascii wide
        $cnc2 = "www.hktechy.com" ascii wide
        $cnc3 = "striker.internetdocss.com" ascii wide

        // Service-hosting artifacts; $service2/3 are generic on their own,
        // which is why the condition demands all three together.
        $service1 = "Windows Internet Help" ascii wide
        $service2 = "Client.dll" ascii wide
        $service3 = "ServiceMain" ascii wide

    condition:
        // Note: $cnc1 is a substring of $postreq2 (same modifiers), so every
        // file satisfying `all of ($postreq*)` already satisfies
        // `any of ($cnc*)`; the POST branch is kept for analyst context but
        // does not widen the match set.
        any of ($cnc*) or all of ($service*) or all of ($postreq*)
}
rule win_redalpha_w2 {

    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        tlp = "White"
        source = "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
        md5 = "e6c0ac26b473d1e0fa9f74fdf1d01af8"
        md5 = "e28db08b2326a34958f00d68dfb034b0"
        md5 = "c94a39d58450b81087b4f1f5fd304add"
        md5 = "3a2b1a98c0a31ed32759f48df34b4bc8"
        desc = "RedAlpha Dropper"
        version = "1.0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha"
        malpedia_version = "20180706"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Check-in URL prefix on the same host as the win_redalpha_w0 download
        // URLs. Declared without modifiers, i.e. ascii-only: a UTF-16LE copy
        // of this URL is NOT matched, unlike the `ascii wide` strings in w0.
        $cnc = "http://doc.internetdocss.com/index?"

    condition:
        // Single-string rule; `$cnc` is the same as `all of them` here.
        $cnc
}