SYMBOLCOMMON_NAMEaka. SYNONYMS
win.retro (Back to overview)

Retro

Actor(s): DarkHotel

There is no description at this point.

References
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-05-13ESET ResearchIgnacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
Ramsay Retro
2018-05-25360360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
Retro
Yara Rules
[TLP:WHITE] win_retro_auto (20220411 | Detects win.retro.)
rule win_retro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.retro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488d0dae5f0400 8bd0 e8???????? 488bce e8???????? 488d0d785f0400 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488d0dae5f0400       | jb                  0x19df
            //   8bd0                 | inc                 esp
            //   e8????????           |                     
            //   488bce               | mov                 eax, dword ptr [edx]
            //   e8????????           |                     
            //   488d0d785f0400       | mov                 ecx, dword ptr [edx - 4]

        $sequence_1 = { 33ff 660f1f440000 498bc4 83e001 837c845800 7405 4d85f6 }
            // n = 7, score = 200
            //   33ff                 | mov                 edx, eax
            //   660f1f440000         | dec                 esp
            //   498bc4               | sub                 edx, eax
            //   83e001               | nop                 dword ptr [eax]
            //   837c845800           | inc                 ecx
            //   7405                 | mov                 eax, dword ptr [edx + edx]
            //   4d85f6               | jle                 0x44b

        $sequence_2 = { 0f8580feffff 4903df 803b20 74f8 488d157cda0100 41b805000000 488bcb }
            // n = 7, score = 200
            //   0f8580feffff         | jne                 0x220
            //   4903df               | inc                 ebp
            //   803b20               | xor                 eax, eax
            //   74f8                 | inc                 ebp
            //   488d157cda0100       | xor                 ecx, ecx
            //   41b805000000         | inc                 esp
            //   488bcb               | cmp                 dword ptr [ebx + 0xf0], eax

        $sequence_3 = { 7919 488d156ac30300 488d0df3c40300 41b8e7000000 e8???????? 83fb08 7c5f }
            // n = 7, score = 200
            //   7919                 | nop                 
            //   488d156ac30300       | inc                 esp
            //   488d0df3c40300       | mov                 eax, edi
            //   41b8e7000000         | dec                 eax
            //   e8????????           |                     
            //   83fb08               | mov                 eax, edi
            //   7c5f                 | jle                 0x1981

        $sequence_4 = { 448974242c 4889442450 ff93c8590100 488d8df0130000 4d8be6 4c8b742448 89442424 }
            // n = 7, score = 200
            //   448974242c           | mov                 word ptr [edi - 2], ax
            //   4889442450           | mov                 edx, esi
            //   ff93c8590100         | mov                 dword ptr [ebx + 0x12c0], eax
            //   488d8df0130000       | mov                 eax, dword ptr [esp + 0x24]
            //   4d8be6               | sub                 edx, ecx
            //   4c8b742448           | sub                 edx, 2
            //   89442424             | inc                 esp

        $sequence_5 = { 750a 33f6 8bd7 89742448 eb09 33d2 85f6 }
            // n = 7, score = 200
            //   750a                 | movups              xmmword ptr [ecx + edx - 0x2900], xmm1
            //   33f6                 | mulss               xmm0, dword ptr [eax + edi - 0x53a8]
            //   8bd7                 | dec                 eax
            //   89742448             | mov                 eax, dword ptr [ebp + 0x159b8]
            //   eb09                 | cvtps2pd            xmm1, xmm0
            //   33d2                 | movss               xmm0, dword ptr [esp + edi*4 + 0xa0]
            //   85f6                 | inc                 ecx

        $sequence_6 = { f2410f58440018 f2410f11440018 488b8338560000 0f14d2 0f5ac2 f2410f59440018 f2410f11440018 }
            // n = 7, score = 200
            //   f2410f58440018       | dec                 eax
            //   f2410f11440018       | add                 ecx, dword ptr [edx + eax*8]
            //   488b8338560000       | jmp                 0x8fc
            //   0f14d2               | dec                 eax
            //   0f5ac2               | lea                 ecx, dword ptr [0x16be7]
            //   f2410f59440018       | test                byte ptr [ecx + 8], 0x20
            //   f2410f11440018       | je                  0x919

        $sequence_7 = { 7cf8 4883c704 49ffc8 75df 81f981000000 7419 488d15a03c0300 }
            // n = 7, score = 200
            //   7cf8                 | movzx               edi, al
            //   4883c704             | jmp                 0xd7e
            //   49ffc8               | movzx               edi, byte ptr [ebx + 1]
            //   75df                 | shl                 al, 4
            //   81f981000000         | and                 cl, 0xf
            //   7419                 | or                  cl, al
            //   488d15a03c0300       | inc                 eax

        $sequence_8 = { e8???????? b9feffffff 4885c0 48898300590100 0f44f9 8bc7 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   b9feffffff           | mov                 esi, dword ptr [esp + 0x88]
            //   4885c0               | dec                 eax
            //   48898300590100       | mov                 ebx, dword ptr [esp + 0x78]
            //   0f44f9               | movss               dword ptr [esp + 0x70], xmm0
            //   8bc7                 | mov                 eax, dword ptr [esp + 0x70]

        $sequence_9 = { f20f11842498000000 488b942498000000 0f297c2450 660f28f0 488bca 4823c8 48b8182d4454fb21e93f }
            // n = 7, score = 200
            //   f20f11842498000000     | mov    ecx, edi
            //   488b942498000000     | mov                 dword ptr [esp + 0x20], ebp
            //   0f297c2450           | dec                 eax
            //   660f28f0             | mov                 ecx, dword ptr [edi + 0x20]
            //   488bca               | dec                 eax
            //   4823c8               | lea                 edx, dword ptr [esp + 0x50]
            //   48b8182d4454fb21e93f     | inc    ebp

    condition:
        7 of them and filesize < 1409024
}
Download all Yara Rules