There is no description at this point.
/*
 * Autogenerated code-sequence rule for win.rgdoor (yara-signator output).
 *
 * Detection logic: ten opcode sequences lifted from the disassembly of
 * unpacked/dumped samples; the rule fires when at least 7 of the 10
 * sequences are present AND the scanned object is smaller than 475136
 * bytes (464 KiB).
 *
 * Reading notes for analysts:
 *  - The hex bytes inside { } are the authoritative signature. The
 *    mnemonic annotations in the trailing "// <bytes> | <asm>" comments
 *    were emitted by the generator and do not line up with the bytes on
 *    the same row (e.g. `90` is `nop`, annotated here as `dec esp`);
 *    treat them as informational only.
 *  - `????????` masks the 4-byte displacement/immediate that follows
 *    call/jmp/RIP-relative operands (e8, e9, ff15, 483305, 488905), since
 *    those differ between builds.
 *  - The filesize bound means packed, appended-to or otherwise enlarged
 *    copies of the same code will not match; the rule targets unpacked
 *    PE files and memory dumps, as the disclaimer below states.
 */
rule win_rgdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rgdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence: n = number of instructions, score = generator's
        // selection score. Annotations below each sequence are generator
        // output and are not a reliable disassembly of the bytes (see header).
        $sequence_0 = { 448be8 4584e4 0f85a3010000 8a0f 4c8b6c2458 488d155a2d0200 80f90a }
            // n = 7, score = 100
            //   448be8               | mov                 edi, eax
            //   4584e4               | dec                 edx
            //   0f85a3010000         | mov                 eax, dword ptr [eax + ebp*8 + 0x33f50]
            //   8a0f                 | inc                 eax
            //   4c8b6c2458           | setne               bh
            //   488d155a2d0200       | add                 esi, esi
            //   80f90a               | inc                 edx

        $sequence_1 = { 488d5598 48837db010 480f435598 4c8bc0 90 0fb60a }
            // n = 6, score = 100
            //   488d5598             | mov                 eax, 1
            //   48837db010           | dec                 eax
            //   480f435598           | or                  edx, 0xffffffff
            //   4c8bc0               | mov                 edx, 0xa
            //   90                   | dec                 esp
            //   0fb60a               | lea                 edx, [0xfffe7e29]

        $sequence_2 = { f6c202 488d542430 7438 4c8d05d24b0200 488d8c2480000000 e8???????? 488d053e4e0200 }
            // n = 7, score = 100
            //   f6c202               | jne                 0xe49
            //   488d542430           | dec                 eax
            //   7438                 | lea                 ecx, [0x28c72]
            //   4c8d05d24b0200       | jmp                 0xe4b
            //   488d8c2480000000     | dec                 esp
            //   e8????????           |
            //   488d053e4e0200       | mov                 eax, edx

        $sequence_3 = { 488d053a540200 488bd9 488901 b908000000 e8???????? 33f6 488bf8 }
            // n = 7, score = 100
            //   488d053a540200       | dec                 ebp
            //   488bd9               | mov                 ebp, eax
            //   488901               | dec                 esp
            //   b908000000           | lea                 edx, [0xfffe81e9]
            //   e8????????           |
            //   33f6                 | and                 eax, 0x1f
            //   488bf8               | dec                 ecx

        $sequence_4 = { 48895c2430 895c2428 897c2420 4533c9 4533c0 }
            // n = 5, score = 100
            //   48895c2430           | inc                 ecx
            //   895c2428             | cmp                 byte ptr [eax], al
            //   897c2420             | sete                al
            //   4533c9               | test                eax, eax
            //   4533c0               | je                  0x202

        $sequence_5 = { 85c0 747b 488d0d15700000 ff15???????? }
            // n = 4, score = 100
            //   85c0                 | dec                 eax
            //   747b                 | lea                 edx, [0x28894]
            //   488d0d15700000       | dec                 eax
            //   ff15????????         |

        $sequence_6 = { 4983c402 e9???????? 4c8be0 e9???????? 4b8b8cea503f0300 }
            // n = 5, score = 100
            //   4983c402             | add                 eax, 0x10
            //   e9????????           |
            //   4c8be0               | dec                 eax
            //   e9????????           |
            //   4b8b8cea503f0300     | add                 esp, 0x28

        $sequence_7 = { 488d05e199feff 4a8b84e8503f0300 42f644380804 7402 }
            // n = 4, score = 100
            //   488d05e199feff       | mov                 dword ptr [edx + 0x10], eax
            //   4a8b84e8503f0300     | mov                 byte ptr [edx], al
            //   42f644380804         | dec                 eax
            //   7402                 | lea                 edx, [0x2962e]

        $sequence_8 = { ff15???????? 488d15a7580100 483305???????? 488bcb 488905???????? ff15???????? 488d15a1580100 }
            // n = 7, score = 100
            //   ff15????????         |
            //   488d15a7580100       | dec                 esp
            //   483305????????       |
            //   488bcb               | mov                 esp, ecx
            //   488905????????       |
            //   ff15????????         |
            //   488d15a1580100       | inc                 ebp

        $sequence_9 = { 4883ec20 488bd9 e8???????? 488d059fb40100 488903 488bc3 }
            // n = 6, score = 100
            //   4883ec20             | dec                 eax
            //   488bd9               | lea                 ecx, [0x22c0f]
            //   e8????????           |
            //   488d059fb40100       | dec                 esp
            //   488903               | mov                 dword ptr [esp + 0x20], ebp
            //   488bc3               | dec                 esp

    condition:
        // "them" = all ten $sequence_* strings; 7 hits required, so up to
        // three sequences may be absent or altered. The size cap limits the
        // rule to unpacked/dumped objects under 464 KiB.
        7 of them and filesize < 475136
}
// Required for pe.imphash() in the condition below.
import "pe"

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2018-01-27
   Identifier: RGDoor
   Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
*/

/*
 * Hand-written string/imphash rule for RGDoor (IIS native-module backdoor).
 *
 * Two independent match paths:
 *  1. Import-table hash equals the value seen in the referenced sample.
 *     Imphash is a useful pivot but is brittle across rebuilds (any change
 *     to the import set changes it), so path 2 carries the generalization.
 *  2. Any two of four ASCII strings. All strings are `fullword ascii`
 *     only: UTF-16LE (wide) copies of the same text will not match.
 *
 * Confidence note (review): $s1 and $s4 resemble names from a generic
 * IIS native-module sample project (`MyNativeModule.dll`, RTTI descriptor
 * for a class CHelloWorld), so a hit resting only on those two may be a
 * benign build of similar template code -- TODO confirm against a clean
 * corpus. `RGSESSIONID=` ($s2) is the most family-specific marker here.
 *
 * License: CC BY-NC-SA 4.0 (non-commercial clause applies).
 */
rule win_rgdoor_w0 {
    meta:
        author = "Florian Roth"
        description = "Detects RGDoor backdoor used by OilRig group"
        reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
        date = "2018-01-27"
        score = 80
        hash = "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa"
        malpedia_version = "20180208"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor"
    strings:
        $s1 = "MyNativeModule.dll" fullword ascii     // module file name
        $s2 = "RGSESSIONID=" fullword ascii           // cookie-style marker
        $s3 = "download$" fullword ascii              // command keyword
        $s4 = ".?AVCHelloWorld@@" fullword ascii      // MSVC RTTI type-descriptor name
    condition:
        // Exact imphash OR any 2 of the 4 strings above.
        pe.imphash() == "47cb127aad6c7c9954058e61a2a6429a" or (2 of them)
}