SYMBOLCOMMON_NAMEaka. SYNONYMS
win.retro (Back to overview)

Retro

Actor(s): DarkHotel


There is no description at this point.

References
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-05-13ESET ResearchIgnacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
Ramsay Retro
2018-05-25360360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
Retro
Yara Rules
[TLP:WHITE] win_retro_auto (20211008 | Detects win.retro.)
rule win_retro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.retro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb645b8 488d8b8c000000 888389000000 0fb645bc 448d427d 88838a000000 c6838b00000000 }
            // n = 7, score = 200
            //   0fb645b8             | inc                 edx
            //   488d8b8c000000       | movups              xmmword ptr [esi - 0xc], xmm1
            //   888389000000         | inc                 ecx
            //   0fb645bc             | movups              xmmword ptr [esp - 0xc], xmm2
            //   448d427d             | mulss               xmm2, xmm6
            //   88838a000000         | inc                 ecx
            //   c6838b00000000       | movups              xmmword ptr [eax + 0x3c], xmm2

        $sequence_1 = { 440f48e8 85f6 7511 85ff 750d 4c8b7c2428 4c8bb42490000000 }
            // n = 7, score = 200
            //   440f48e8             | movaps              xmm1, xmm0
            //   85f6                 | comiss              xmm3, xmm0
            //   7511                 | jbe                 0x156d
            //   85ff                 | comiss              xmm4, xmm0
            //   750d                 | jbe                 0x1576
            //   4c8b7c2428           | mov                 eax, 1
            //   4c8bb42490000000     | jmp                 0x1578

        $sequence_2 = { f3410f584178 f3410f114078 f3410f10597c f3410f5c5978 f30f59de f3410f11587c 0f28d3 }
            // n = 7, score = 200
            //   f3410f584178         | lea                 edx, dword ptr [ecx + 0x53a8]
            //   f3410f114078         | mov                 dword ptr [edx + 0x1300], eax
            //   f3410f10597c         | mov                 eax, dword ptr [edx + 0x12f0]
            //   f3410f5c5978         | inc                 ecx
            //   f30f59de             | mov                 ebx, 0x16
            //   f3410f11587c         | mov                 dword ptr [edx + 0x12fc], eax
            //   0f28d3               | dec                 eax

        $sequence_3 = { 7418 83fb01 7713 899f80000000 33c0 488b5c2430 4883c420 }
            // n = 7, score = 200
            //   7418                 | movss               dword ptr [ebp - 0x30], xmm6
            //   83fb01               | dec                 eax
            //   7713                 | mov                 ebx, ecx
            //   899f80000000         | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x80], ecx
            //   488b5c2430           | dec                 esp
            //   4883c420             | lea                 edi, dword ptr [ecx + 0x6ce8]

        $sequence_4 = { 488d0db4490300 41b8f0070000 e8???????? 488d842460020000 4c8d4c2460 0f28cf 41b800010000 }
            // n = 7, score = 200
            //   488d0db4490300       | mov                 esi, 5
            //   41b8f0070000         | inc                 esp
            //   e8????????           |                     
            //   488d842460020000     | mov                 dword ptr [ecx + 8], edx
            //   4c8d4c2460           | movzx               eax, byte ptr [edx + 1]
            //   0f28cf               | and                 al, 6
            //   41b800010000         | cmp                 al, 2

        $sequence_5 = { 488b442420 480529010000 4889442428 488b442428 488b8c2410010000 488908 488b442428 }
            // n = 7, score = 200
            //   488b442420           | mov                 eax, dword ptr [esp + 0x78]
            //   480529010000         | shl                 ecx, 3
            //   4889442428           | inc                 esp
            //   488b442428           | sub                 eax, ecx
            //   488b8c2410010000     | mov                 ecx, edi
            //   488908               | inc                 esp
            //   488b442428           | sub                 eax, dword ptr [eax + edx]

        $sequence_6 = { 488d4500 4c8d45d0 eb15 b8fcffffff e9???????? 488d85a0070000 }
            // n = 6, score = 200
            //   488d4500             | inc                 ebp
            //   4c8d45d0             | mov                 edx, edi
            //   eb15                 | nop                 word ptr [eax + eax]
            //   b8fcffffff           | inc                 ebp
            //   e9????????           |                     
            //   488d85a0070000       | mov                 eax, edi

        $sequence_7 = { 0f28c1 f30f104da0 0f2fc8 7603 0f28c1 f30f104da4 0f2fc8 }
            // n = 7, score = 200
            //   0f28c1               | movss               xmm3, dword ptr [ecx + 0x10]
            //   f30f104da0           | inc                 ecx
            //   0f2fc8               | cvtps2pd            xmm1, xmm0
            //   7603                 | inc                 ecx
            //   0f28c1               | mulps               xmm1, xmm3
            //   f30f104da4           | movaps              xmm0, xmm3
            //   0f2fc8               | inc                 ecx

        $sequence_8 = { 418986b4560100 4183fd02 751b 498d8c2400090000 488d942430120000 41b800090000 e8???????? }
            // n = 7, score = 200
            //   418986b4560100       | shl                 al, 2
            //   4183fd02             | add                 dl, dl
            //   751b                 | mov                 byte ptr [ebx + 2], dl
            //   498d8c2400090000     | movzx               eax, byte ptr [esi + 0xac]
            //   488d942430120000     | add                 dl, dl
            //   41b800090000         | and                 al, 1
            //   e8????????           |                     

        $sequence_9 = { ff15???????? 448bc0 488d15f7280400 488d0d30290400 e8???????? e9???????? 837c245405 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   448bc0               | dec                 esp
            //   488d15f7280400       | mov                 eax, ebx
            //   488d0d30290400       | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   837c245405           | mov                 ecx, esi

    condition:
        7 of them and filesize < 1409024
}
Download all Yara Rules