win.redsalt

REDSALT

aka: Dipsind

Actor(s): PLATINUM


There is no description at this point.

References
2019-06-05 · Twitter (@ItsReallyNick) · Nick Carr
@online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } Tweet on Malware Sample
REDPEPPER REDSALT
2018-10 · FireEye · Adrian Bataille, Matias Bevilacqua
@techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } Hunting for PLATINUM
REDSALT
2015-09-08 · FireEye · FireEye
@techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days
REDSALT
Yara Rules
[TLP:WHITE] win_redsalt_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_redsalt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N is a run of x86 instruction bytes as emitted by the
     * generator; the `??` wildcards sit where call/jump displacements and
     * absolute memory operands would be, so those address bytes are not
     * part of the match. The "n" / "score" figures are the generator's own
     * bookkeeping and are reproduced unchanged. The disassembly column is
     * commentary only and has no effect on matching; for $sequence_13 and
     * $sequence_22..24 it was misaligned in the generated output and has been
     * re-derived from the opcode bytes (see the notes at those sequences).
     */
    strings:
        $sequence_0 = { e8???????? 83c414 33c9 83f8ff }
            // n = 4, score = 1100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   33c9                 | xor                 ecx, ecx
            //   83f8ff               | cmp                 eax, -1

        $sequence_1 = { 750b 68e8030000 ff15???????? e8???????? }
            // n = 4, score = 1100
            //   750b                 | jne                 0xd
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_2 = { 7515 c705????????01000000 ff15???????? e9???????? }
            // n = 4, score = 1000
            //   7515                 | jne                 0x17
            //   c705????????01000000     |     
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_3 = { 51 ffd6 85c0 7510 }
            // n = 4, score = 900
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12

        $sequence_4 = { 85c0 7413 e8???????? 85c0 750a 6a32 }
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   6a32                 | push                0x32

        $sequence_5 = { 8d45d0 50 6806100000 68ffff0000 }
            // n = 4, score = 900
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   6806100000           | push                0x1006
            //   68ffff0000           | push                0xffff

        $sequence_6 = { 52 e8???????? 83c414 6a00 6a01 }
            // n = 5, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_7 = { 8bd8 83c404 85db 0f840f020000 }
            // n = 4, score = 800
            //   8bd8                 | mov                 ebx, eax
            //   83c404               | add                 esp, 4
            //   85db                 | test                ebx, ebx
            //   0f840f020000         | je                  0x215

        $sequence_8 = { eb03 83c9ff 85f6 7c0e 83fe7f }
            // n = 5, score = 800
            //   eb03                 | jmp                 5
            //   83c9ff               | or                  ecx, 0xffffffff
            //   85f6                 | test                esi, esi
            //   7c0e                 | jl                  0x10
            //   83fe7f               | cmp                 esi, 0x7f

        $sequence_9 = { b800030000 eb13 b800020000 eb0c b800010000 }
            // n = 5, score = 700
            //   b800030000           | mov                 eax, 0x300
            //   eb13                 | jmp                 0x15
            //   b800020000           | mov                 eax, 0x200
            //   eb0c                 | jmp                 0xe
            //   b800010000           | mov                 eax, 0x100

        $sequence_10 = { 7303 c60100 5f 5e }
            // n = 4, score = 700
            //   7303                 | jae                 5
            //   c60100               | mov                 byte ptr [ecx], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_11 = { 7405 80fafc 7502 b1fe }
            // n = 4, score = 700
            //   7405                 | je                  7
            //   80fafc               | cmp                 dl, 0xfc
            //   7502                 | jne                 4
            //   b1fe                 | mov                 cl, 0xfe

        $sequence_12 = { 7509 80780120 7503 83c002 }
            // n = 4, score = 700
            //   7509                 | jne                 0xb
            //   80780120             | cmp                 byte ptr [eax + 1], 0x20
            //   7503                 | jne                 5
            //   83c002               | add                 eax, 2

        $sequence_13 = { 52 c744242401000000 8944242c c744243002000000 ff15???????? }
            // n = 5, score = 700
            // NOTE(review): the generated disassembly column for this sequence
            // (pop edi / pop esi / xor eax, eax / push edx) did not correspond to
            // the bytes; the rows below are decoded from the opcodes themselves.
            //   52                   | push                edx
            //   c744242401000000     | mov                 dword ptr [esp + 0x24], 1
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   c744243002000000     | mov                 dword ptr [esp + 0x30], 2
            //   ff15????????         |                     

        $sequence_14 = { e8???????? 83c408 6800010000 68???????? }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6800010000           | push                0x100
            //   68????????           |                     

        $sequence_15 = { c705????????00090000 eb0a c705????????00080000 eb0a c705????????00070000 }
            // n = 5, score = 500
            //   c705????????00090000     |     
            //   eb0a                 | jmp                 0xc
            //   c705????????00080000     |     
            //   eb0a                 | jmp                 0xc
            //   c705????????00070000     |     

        $sequence_16 = { 894c2414 8b4c2420 c1e902 894c2420 0f841e010000 }
            // n = 5, score = 500
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   c1e902               | shr                 ecx, 2
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   0f841e010000         | je                  0x124

        $sequence_17 = { 750a b857000000 e9???????? 833d????????00 }
            // n = 4, score = 500
            //   750a                 | jne                 0xc
            //   b857000000           | mov                 eax, 0x57
            //   e9????????           |                     
            //   833d????????00       |                     

        $sequence_18 = { 83fe7f 0f8f7affffff 80be????????ff 0f846dffffff c1fa04 c0e302 0ad3 }
            // n = 7, score = 500
            //   83fe7f               | cmp                 esi, 0x7f
            //   0f8f7affffff         | jg                  0xffffff80
            //   80be????????ff       |                     
            //   0f846dffffff         | je                  0xffffff73
            //   c1fa04               | sar                 edx, 4
            //   c0e302               | shl                 bl, 2
            //   0ad3                 | or                  dl, bl

        $sequence_19 = { 33c0 83ef03 8a06 83c603 }
            // n = 4, score = 500
            //   33c0                 | xor                 eax, eax
            //   83ef03               | sub                 edi, 3
            //   8a06                 | mov                 al, byte ptr [esi]
            //   83c603               | add                 esi, 3

        $sequence_20 = { 833800 750f c705????????01000000 e9???????? }
            // n = 4, score = 500
            //   833800               | cmp                 dword ptr [eax], 0
            //   750f                 | jne                 0x11
            //   c705????????01000000     |     
            //   e9????????           |                     

        $sequence_21 = { c644243423 c644243572 c64424367a c644243700 }
            // n = 4, score = 300
            //   c644243423           | mov                 byte ptr [esp + 0x34], 0x23
            //   c644243572           | mov                 byte ptr [esp + 0x35], 0x72
            //   c64424367a           | mov                 byte ptr [esp + 0x36], 0x7a
            //   c644243700           | mov                 byte ptr [esp + 0x37], 0

        // NOTE(review): $sequence_22..24 carry a 0x48 REX.W prefix, i.e. they
        // come from x86-64 code. The generator disassembled them in 32-bit mode
        // (0x48 shown as `dec eax`), which pushed every row down by one; the
        // rows below are a 64-bit decode of the same bytes. The bytes matched
        // are unchanged.
        $sequence_22 = { e9???????? fff3 4883ec50 b901000000 e8???????? }
            // n = 5, score = 100
            //   e9????????           |                     
            //   fff3                 | push                rbx
            //   4883ec50             | sub                 rsp, 0x50
            //   b901000000           | mov                 ecx, 1
            //   e8????????           |                     

        $sequence_23 = { 4889f1 e8???????? 21c0 0f85c97a0900 }
            // n = 4, score = 100
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           |                     
            //   21c0                 | and                 eax, eax
            //   0f85c97a0900         | jne                 0x97acf

        $sequence_24 = { 0fb74004 21c0 0f8e2a230900 488b842470110000 }
            // n = 4, score = 100
            //   0fb74004             | movzx               eax, word ptr [rax + 4]
            //   21c0                 | and                 eax, eax
            //   0f8e2a230900         | jle                 0x92330
            //   488b842470110000     | mov                 rax, qword ptr [rsp + 0x1170]

    condition:
        // Any 7 of the 25 sequences, in a file smaller than 2957312 bytes
        // (~2.8 MiB). The size cap limits scan cost on large inputs; note that
        // it also means an oversized carrier will not match even if the
        // sequences are present.
        7 of them and filesize < 2957312
}
[TLP:WHITE] win_redsalt_w0   (20200103 | Dipsind variant)
rule win_redsalt_w0 {
	// Microsoft-authored rule for the Dipsind variant, attributed in meta to
	// the Platinum activity group (last modified 2016-04-12). The string
	// identifiers appear in match output, so they are kept as published.
	meta:
		author = "Microsoft"
		description = "Dipsind variant"
		activity_group = "Platinum"
		version = "1.0"
		last_modified = "2016-04-12"
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt"
		malpedia_version = "20200103"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		// Four literal markers; the condition requires all of them.
		$str1 = "VPLRXZHTU"
		// Hex form of the ASCII bytes "dog2j~l".
		$str2 = {64 6F 67 32 6A 7E 6C}
		// Kept verbatim as published; the rule does not document its meaning.
		$str3 = "Dqpqftk(Wou\"Isztk)"
		$str4 = "StartThreadAtWinLogon"
   condition:
		// No filesize cap here, unlike win_redsalt_auto above.
		all of them
}