SYMBOLCOMMON_NAMEaka. SYNONYMS
win.retro (Back to overview)

Retro

Actor(s): DarkHotel


There is no description at this point.

References
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-05-13ESET ResearchIgnacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
Ramsay Retro
2018-05-25360360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
Retro
Yara Rules
[TLP:WHITE] win_retro_auto (20230125 | Detects win.retro.)
rule win_retro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.retro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f3410f5900 f30f5cd1 f30f5cd0 0f2fd7 7608 6644890b ffc7 }
            // n = 7, score = 200
            //   f3410f5900           | inc                 ecx
            //   f30f5cd1             | mov                 edx, 0x20
            //   f30f5cd0             | nop                 word ptr [eax + eax]
            //   0f2fd7               | dec                 ecx
            //   7608                 | mov                 edx, ecx
            //   6644890b             | inc                 ecx
            //   ffc7                 | mov                 eax, 2

        $sequence_1 = { 83e001 837c845800 7405 4d85f6 7424 4c8d843d900a0000 488d943d900e0000 }
            // n = 7, score = 200
            //   83e001               | inc                 ecx
            //   837c845800           | prefetcht0          byte ptr [ebx]
            //   7405                 | movaps              xmm2, xmm4
            //   4d85f6               | movaps              xmmword ptr [esp + 0x20], xmm4
            //   7424                 | movaps              xmm3, xmm4
            //   4c8d843d900a0000     | inc                 esp
            //   488d943d900e0000     | sub                 eax, edx

        $sequence_2 = { 7409 488b05???????? ebe6 4533c0 488d15076a0200 458d4803 498bc8 }
            // n = 7, score = 200
            //   7409                 | test                ecx, ecx
            //   488b05????????       |                     
            //   ebe6                 | je                  0x15d
            //   4533c0               | dec                 ebp
            //   488d15076a0200       | mov                 edx, eax
            //   458d4803             | inc                 ecx
            //   498bc8               | mov                 dword ptr [ecx + 0x14], ecx

        $sequence_3 = { 41b804000000 488d542460 488bc8 e8???????? 8b442424 4883c004 89442424 }
            // n = 7, score = 200
            //   41b804000000         | dec                 eax
            //   488d542460           | lea                 edx, [edx + eax*2]
            //   488bc8               | jmp                 0x1da
            //   e8????????           |                     
            //   8b442424             | mov                 dword ptr [esi + 0x15558], ecx
            //   4883c004             | jmp                 0x1da
            //   89442424             | mov                 dword ptr [esi + 0x15558], 0

        $sequence_4 = { 4c2bcd 660f1f840000000000 418b0409 4883c104 410fafc4 0141fc }
            // n = 6, score = 200
            //   4c2bcd               | mov                 eax, dword ptr [ecx + 4]
            //   660f1f840000000000     | dec    eax
            //   418b0409             | mov                 dword ptr [esp + 0x48], esi
            //   4883c104             | cmp                 eax, -1
            //   410fafc4             | je                  0xf49
            //   0141fc               | pxor                xmm1, xmm1

        $sequence_5 = { 7610 f20f590d???????? 660f2fc8 7310 eb15 f20f5915???????? 660f2fd0 }
            // n = 7, score = 200
            //   7610                 | mov                 eax, 0x1ff
            //   f20f590d????????     |                     
            //   660f2fc8             | inc                 ecx
            //   7310                 | cmp                 dword ptr [ebp + 0x1460], 0x240
            //   eb15                 | jl                  0x40d
            //   f20f5915????????     |                     
            //   660f2fd0             | dec                 eax

        $sequence_6 = { 488d95900a0000 f30f11442428 f30f117c2420 488d8d900e0000 4981c1d4000000 e8???????? 4533f6 }
            // n = 7, score = 200
            //   488d95900a0000       | movaps              xmm0, xmm2
            //   f30f11442428         | addss               xmm3, xmm0
            //   f30f117c2420         | movss               xmm0, dword ptr [ecx + 4]
            //   488d8d900e0000       | mulss               xmm0, xmm0
            //   4981c1d4000000       | comiss              xmm2, xmm1
            //   e8????????           |                     
            //   4533f6               | jbe                 0x449

        $sequence_7 = { 4157 b8680c0000 e8???????? 482be0 488b05???????? 4833c4 48898424500c0000 }
            // n = 7, score = 200
            //   4157                 | mov                 eax, esp
            //   b8680c0000           | dec                 eax
            //   e8????????           |                     
            //   482be0               | mov                 edx, ebx
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   48898424500c0000     | mov                 ecx, esi

        $sequence_8 = { 4c8d6304 4e8d0c9d00000000 90 0fbf02 4803d7 4983c410 }
            // n = 6, score = 200
            //   4c8d6304             | inc                 esp
            //   4e8d0c9d00000000     | movaps              xmm3, xmmword ptr [eax - 0x68]
            //   90                   | cvtsd2ss            xmm3, xmm1
            //   0fbf02               | dec                 esp
            //   4803d7               | lea                 ebx, [eax]
            //   4983c410             | unpcklps            xmm6, xmm6

        $sequence_9 = { f3410f59491c 0f28c2 f3410f11481c f3410f594104 f3410f584004 f3410f114004 f3410f595110 }
            // n = 7, score = 200
            //   f3410f59491c         | mov                 dword ptr [esp + 0xa8], edi
            //   0f28c2               | inc                 ecx
            //   f3410f11481c         | cmp                 edx, dword ptr [esp + 0x48]
            //   f3410f594104         | mov                 dword ptr [esp + 0x98], edx
            //   f3410f584004         | dec                 eax
            //   f3410f114004         | lea                 edx, [0xffff1a13]
            //   f3410f595110         | dec                 ecx

    condition:
        7 of them and filesize < 1409024
}
Download all Yara Rules