SYMBOLCOMMON_NAMEaka. SYNONYMS
win.retro (Back to overview)

Retro

Actor(s): DarkHotel

There is no description at this point.

References
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-05-13ESET ResearchIgnacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
Ramsay Retro
2018-05-25360360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
Retro
Yara Rules
[TLP:WHITE] win_retro_auto (20230407 | Detects win.retro.)
rule win_retro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.retro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 498bcc 03f0 e8???????? 03f0 8b85a0120000 0385ec120000 }
            // n = 6, score = 200
            //   498bcc               | lea                 ecx, [0x32ccc]
            //   03f0                 | inc                 ecx
            //   e8????????           |                     
            //   03f0                 | cmp                 esp, 0x20
            //   8b85a0120000         | jl                  0xcbf
            //   0385ec120000         | mov                 ecx, dword ptr [esp + 0x24]

        $sequence_1 = { e8???????? 4889842408050000 4883bc240805000000 7555 4883bc24b007000000 740f 488b8c24b0070000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4889842408050000     | add                 esi, 4
            //   4883bc240805000000     | dec    ecx
            //   7555                 | dec                 esp
            //   4883bc24b007000000     | inc    esp
            //   740f                 | mov                 ebp, ebx
            //   488b8c24b0070000     | subss               xmm0, xmm6

        $sequence_2 = { 4c894c2420 4489442418 89542410 48894c2408 4883ec38 c744242400000000 }
            // n = 6, score = 200
            //   4c894c2420           | dec                 esp
            //   4489442418           | arpl                word ptr [edi - 4], bx
            //   89542410             | dec                 esp
            //   48894c2408           | arpl                word ptr [edi], dx
            //   4883ec38             | inc                 ecx
            //   c744242400000000     | mov                 ebp, ebp

        $sequence_3 = { 8d7520 8bfb 8d041e 2bfe 99 2bc2 d1f8 }
            // n = 7, score = 200
            //   8d7520               | cmovl               eax, edx
            //   8bfb                 | inc                 ecx
            //   8d041e               | cmp                 eax, esp
            //   2bfe                 | cmovl               ecx, eax
            //   99                   | inc                 ebp
            //   2bc2                 | mov                 esi, edi
            //   d1f8                 | inc                 ebp

        $sequence_4 = { 488d2dd9240300 8bfe 440f2940a8 440f294898 f2440f100d???????? f2440f1005???????? 6666660f1f840000000000 }
            // n = 7, score = 200
            //   488d2dd9240300       | add                 esp, 0x20
            //   8bfe                 | pop                 edi
            //   440f2940a8           | inc                 eax
            //   440f294898           | mov                 dword ptr [esp + 0x20], eax
            //   f2440f100d????????     |     
            //   f2440f1005????????     |     
            //   6666660f1f840000000000     | cmp    dword ptr [esp + 0x20], eax

        $sequence_5 = { 4889b42488400000 418bd8 488bf9 48894c2438 4c89a42480400000 488bf2 }
            // n = 6, score = 200
            //   4889b42488400000     | cvtps2pd            xmm0, xmm2
            //   418bd8               | inc                 ecx
            //   488bf9               | mulps               xmm0, xmm1
            //   48894c2438           | cvtsd2ss            xmm0, xmm0
            //   4c89a42480400000     | jmp                 0x110
            //   488bf2               | movaps              xmm0, xmm6

        $sequence_6 = { f30f59c4 f30f59dc f30f114018 f30f119818100000 f30f105810 0f28c1 f30f58c2 }
            // n = 7, score = 200
            //   f30f59c4             | lea                 eax, [ebp + 0x1e0]
            //   f30f59dc             | dec                 eax
            //   f30f114018           | mov                 ebp, dword ptr [esp + 0x3f58]
            //   f30f119818100000     | cmp                 dword ptr [ebx + 0x15294], eax
            //   f30f105810           | jge                 0x8c0
            //   0f28c1               | dec                 eax
            //   f30f58c2             | lea                 ecx, [0x3bcb2]

        $sequence_7 = { 488bce e8???????? 488d2da35b0400 4c8d2d985b0400 85c0 488bd5 488d0d705b0400 }
            // n = 7, score = 200
            //   488bce               | mulps               xmm2, xmmword ptr [ecx + 0x10]
            //   e8????????           |                     
            //   488d2da35b0400       | inc                 ecx
            //   4c8d2d985b0400       | movaps              xmm0, xmm1
            //   85c0                 | mulss               xmm0, xmm4
            //   488bd5               | inc                 ecx
            //   488d0d705b0400       | addps               xmm2, xmmword ptr [edx + 0x800]

        $sequence_8 = { 0fbfd7 e8???????? 448bd8 0fbfc6 83f803 745a 83f805 }
            // n = 7, score = 200
            //   0fbfd7               | mov                 eax, 0x28b
            //   e8????????           |                     
            //   448bd8               | test                ecx, ecx
            //   0fbfc6               | jg                  0x16d3
            //   83f803               | dec                 esp
            //   745a                 | mov                 ecx, dword ptr [esp + 0x50]
            //   83f805               | dec                 ecx

        $sequence_9 = { 7d24 8b93fc120000 488d8c8300120000 412bd0 0f1f00 8b01 3bf8 }
            // n = 7, score = 200
            //   7d24                 | dec                 eax
            //   8b93fc120000         | inc                 edx
            //   488d8c8300120000     | dec                 ecx
            //   412bd0               | dec                 eax
            //   0f1f00               | inc                 ecx
            //   8b01                 | mov                 ecx, dword ptr [edx]
            //   3bf8                 | inc                 ecx

    condition:
        7 of them and filesize < 1409024
}
Download all Yara Rules