win.rm3

RM3


Created from the codebase of Gozi/ISFB.

References
2022-12-06Twitter (@URSNIFleak)URSNIFleak
@online{ursnifleak:20221206:twitter:5c60199, author = {URSNIFleak}, title = {{Twitter account with leaked data about the group behind URSNIF}}, date = {2022-12-06}, organization = {Twitter (@URSNIFleak)}, url = {https://twitter.com/URSNIFleak}, language = {English}, urldate = {2022-12-29} } Twitter account with leaked data about the group behind URSNIF
RM3
2021-05-04NCC Groupfumik0, NCC RIFT
@online{fumik0:20210504:rm3:cd994e6, author = {fumik0 and NCC RIFT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-19} } RM3 – Curiosities of the wildest banking malware
ISFB RM3
Yara Rules
[TLP:WHITE] win_rm3_auto (20230125 | Detects win.rm3.)
rule win_rm3_auto {

    /* Review notes (added on review; everything else in this rule is the
     * unmodified yara-signator output):
     * - Purpose: opcode-sequence signature for win.rm3, a family created
     *   from the Gozi/ISFB codebase. Per the disclaimer below the sequences
     *   were selected from memory dumps and unpacked files, so the rule is
     *   best applied to unpacked code; a packed on-disk sample will likely
     *   not match.
     * - The disassembly column next to each byte sequence is NOT reliable
     *   and must not be used to interpret the bytes: the same opcode is
     *   annotated differently in different sequences (e.g. `51` is shown as
     *   "add esi, 0x28" in $sequence_0 but as "push ecx" in $sequence_7).
     *   Disassemble the hex bytes yourself before reasoning about them.
     * - `????????` wildcards appear where relocated call/load targets sit
     *   (e8 / ff15 / 8b0d / a1 ...), so only the surrounding opcode bytes
     *   contribute to the match.
     * - `score` in the per-sequence comments is yara-signator's own metric;
     *   higher values presumably mean the sequence was seen in more of the
     *   reference samples - treat it as a rough confidence hint only.
     * - $sequence_16..$sequence_23 carry 0x48/0x49/0x4c/0x41 lead bytes,
     *   which look like x86-64 REX prefixes (the disassembly column decodes
     *   them as "dec eax"/"inc ecx", i.e. in 32-bit mode); these sequences
     *   presumably come from 64-bit builds - confirm against the samples.
     * - `filesize < 221184` (216 KiB) caps the scanned object size; larger
     *   dumps or padded files never match regardless of content.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rm3."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0..$sequence_7: score 2300 group (32-bit opcode patterns).
        $sequence_0 = { 51 51 8b483c 03c8 0fb74106 8365f800 53 }
            // n = 7, score = 2300
            //   51                   | add                 esi, 0x28
            //   51                   | dec                 dword ptr [ebp - 4]
            //   8b483c               | and                 dword ptr [ebp - 8], 0
            //   03c8                 | push                ebx
            //   0fb74106             | mov                 dword ptr [ebp - 4], eax
            //   8365f800             | movzx               eax, word ptr [ecx + 0x14]
            //   53                   | push                esi

        $sequence_1 = { 8365f800 53 8945fc 0fb74114 56 57 }
            // n = 6, score = 2300
            //   8365f800             | dec                 eax
            //   53                   | xor                 eax, ecx
            //   8945fc               | dec                 eax
            //   0fb74114             | mov                 ecx, eax
            //   56                   | dec                 eax
            //   57                   | shr                 ecx, 0x1b

        $sequence_2 = { 0fb74114 56 57 8d740818 8b4508 3b460c 7247 }
            // n = 7, score = 2300
            //   0fb74114             | lea                 ecx, [esp + 0x80]
            //   56                   | cmp                 al, 0x30
            //   57                   | jb                  6
            //   8d740818             | cmp                 al, 0x39
            //   8b4508               | jbe                 0x4c
            //   3b460c               | cmp                 al, 0x41
            //   7247                 | jb                  0xe

        $sequence_3 = { 4a f7d2 23fa 3bf8 7609 }
            // n = 5, score = 2300
            //   4a                   | movzx               eax, word ptr [ecx + 0x14]
            //   f7d2                 | push                esi
            //   23fa                 | push                edi
            //   3bf8                 | mov                 dword ptr [ebp - 8], esi
            //   7609                 | mov                 eax, dword ptr [ebp - 8]

        $sequence_4 = { 23d0 8b460c 03c2 394508 7303 }
            // n = 5, score = 2300
            //   23d0                 | dec                 eax
            //   8b460c               | mov                 ebx, dword ptr [esp + 0x70]
            //   03c2                 | and                 dword ptr [ebp - 8], 0
            //   394508               | push                ebx
            //   7303                 | mov                 dword ptr [ebp - 4], eax

        $sequence_5 = { 8975f8 8b45f8 83c628 ff4dfc }
            // n = 4, score = 2300
            //   8975f8               | dec                 eax
            //   8b45f8               | xor                 eax, ecx
            //   83c628               | mov                 ecx, ebp
            //   ff4dfc               | mov                 edx, edi

        $sequence_6 = { 8b413c 8d5418ff eb0a 8b4138 8b5608 }
            // n = 5, score = 2300
            //   8b413c               | dec                 esp
            //   8d5418ff             | mov                 eax, ebp
            //   eb0a                 | xor                 edx, edx
            //   8b4138               | dec                 eax
            //   8b5608               | mov                 eax, esi

        $sequence_7 = { 8931 8b7004 897104 8b4808 ff7004 }
            // n = 5, score = 2300
            //   8931                 | push                ecx
            //   8b7004               | mov                 ecx, dword ptr [eax + 0x3c]
            //   897104               | add                 ecx, eax
            //   8b4808               | movzx               eax, word ptr [ecx + 6]
            //   ff7004               | and                 dword ptr [ebp - 8], 0

        // $sequence_8..$sequence_15: score 1800 group (32-bit opcode patterns,
        // several with wildcarded call targets).
        $sequence_8 = { ff7518 8d8578ffffff 50 50 8bc8 e8???????? }
            // n = 6, score = 1800
            //   ff7518               | cmp                 eax, dword ptr [esi + 0xc]
            //   8d8578ffffff         | jb                  0x49
            //   50                   | mov                 edi, dword ptr [ecx + 0x38]
            //   50                   | mov                 eax, dword ptr [esi + 8]
            //   8bc8                 | mov                 edx, dword ptr [ecx + 0x3c]
            //   e8????????           |                     

        $sequence_9 = { 8d85f0feffff ff750c 8d8d6cfeffff 50 e8???????? }
            // n = 5, score = 1800
            //   8d85f0feffff         | push                eax
            //   ff750c               | push                eax
            //   8d8d6cfeffff         | mov                 ecx, eax
            //   50                   | push                edi
            //   e8????????           |                     

        $sequence_10 = { 2bf3 89750c 0f88b3000000 8d3c1e 8dbcbd58feffff }
            // n = 5, score = 1800
            //   2bf3                 | mov                 esi, eax
            //   89750c               | push                8
            //   0f88b3000000         | lea                 edi, [esi + 0x10]
            //   8d3c1e               | push                eax
            //   8dbcbd58feffff       | push                eax

        $sequence_11 = { 7420 8d45fc 50 53 ffd7 }
            // n = 5, score = 1800
            //   7420                 | dec                 dword ptr [ebp - 4]
            //   8d45fc               | test                eax, eax
            //   50                   | jne                 0xf
            //   53                   | cmp                 dword ptr [ebp - 4], eax
            //   ffd7                 | jne                 0xffffffae

        $sequence_12 = { 8d9568ffffff 8bc6 e8???????? ebd2 8b4d0c ff4d0c 8b4510 }
            // n = 7, score = 1800
            //   8d9568ffffff         | jne                 7
            //   8bc6                 | cmp                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   ebd2                 | jne                 0xffffffa1
            //   8b4d0c               | pop                 edi
            //   ff4d0c               | pop                 esi
            //   8b4510               | pop                 ebx

        $sequence_13 = { 57 8bf0 6a08 8d7e10 }
            // n = 4, score = 1800
            //   57                   | mov                 dword ptr [ecx + 4], esi
            //   8bf0                 | mov                 ecx, dword ptr [eax + 8]
            //   6a08                 | push                dword ptr [eax + 4]
            //   8d7e10               | add                 ecx, dword ptr [esp + 0xc]

        $sequence_14 = { 740a ff750c 57 ff15???????? }
            // n = 4, score = 1800
            //   740a                 | je                  0x22
            //   ff750c               | lea                 eax, [ebp - 4]
            //   57                   | push                eax
            //   ff15????????         |                     

        $sequence_15 = { 5f 5e 8bc3 2b45f0 }
            // n = 4, score = 1800
            //   5f                   | push                ebx
            //   5e                   | call                edi
            //   8bc3                 | push                dword ptr [ebp + 0x18]
            //   2b45f0               | lea                 eax, [ebp - 0x88]

        // $sequence_16..$sequence_23: score 300 group; the 0x48/0x49/0x4c/0x41
        // lead bytes look like x86-64 REX prefixes - presumably 64-bit builds
        // (confirm against the samples).
        $sequence_16 = { e8???????? eb16 83bc24b000000000 7411 8b442450 49897500 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   eb16                 | mov                 ecx, dword ptr [esp + 0x40]
            //   83bc24b000000000     | dec                 eax
            //   7411                 | mov                 eax, dword ptr [esp + 0x2b0]
            //   8b442450             | dec                 esp
            //   49897500             | lea                 ebx, [esp + 0x260]

        $sequence_17 = { bb08000000 488b4c2440 ff15???????? 488b8424b0020000 4c8d9c2460020000 830001 498b6b38 }
            // n = 7, score = 300
            //   bb08000000           | mov                 esi, dword ptr [esp + 0x58]
            //   488b4c2440           | dec                 eax
            //   ff15????????         |                     
            //   488b8424b0020000     | add                 esp, 0x30
            //   4c8d9c2460020000     | inc                 esp
            //   830001               | lea                 eax, [esi + 0x2c]
            //   498b6b38             | xor                 edx, edx

        $sequence_18 = { 33d2 ff15???????? 4885ed 0f8457010000 488bcd ff15???????? 498bce }
            // n = 7, score = 300
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4885ed               | dec                 eax
            //   0f8457010000         | test                ebp, ebp
            //   488bcd               | je                  0x15d
            //   ff15????????         |                     
            //   498bce               | dec                 eax

        $sequence_19 = { 488bc8 48c1e119 4833c1 488bc8 48c1e91b 4833c1 8bcd }
            // n = 7, score = 300
            //   488bc8               | add                 dword ptr [eax], 1
            //   48c1e119             | dec                 ecx
            //   4833c1               | mov                 ebp, dword ptr [ebx + 0x38]
            //   488bc8               | inc                 ecx
            //   48c1e91b             | push                esp
            //   4833c1               | inc                 ecx
            //   8bcd                 | push                ebp

        $sequence_20 = { 8bd7 4c8bcd 488bce 4889442420 e8???????? 488d8c2480000000 }
            // n = 6, score = 300
            //   8bd7                 | dec                 eax
            //   4c8bcd               | sub                 esp, 0x70
            //   488bce               | dec                 ecx
            //   4889442420           | lea                 eax, [ebx - 0x38]
            //   e8????????           |                     
            //   488d8c2480000000     | xor                 esi, esi

        $sequence_21 = { 8bcf ff15???????? 488b5c2440 488b6c2448 488b742458 4883c430 }
            // n = 6, score = 300
            //   8bcf                 | mov                 ecx, ebp
            //   ff15????????         |                     
            //   488b5c2440           | dec                 ecx
            //   488b6c2448           | mov                 ecx, esi
            //   488b742458           | mov                 ecx, edi
            //   4883c430             | dec                 eax

        $sequence_22 = { 4154 4155 4883ec70 498d43c8 33f6 }
            // n = 5, score = 300
            //   4154                 | mov                 dword ptr [edi + 0x10], eax
            //   4155                 | dec                 eax
            //   4883ec70             | test                eax, eax
            //   498d43c8             | mov                 ebx, 8
            //   33f6                 | dec                 eax

        $sequence_23 = { 488b0d???????? 448d462c 33d2 894710 ff15???????? 4885c0 }
            // n = 6, score = 300
            //   488b0d????????       |                     
            //   448d462c             | mov                 ebx, dword ptr [esp + 0x40]
            //   33d2                 | dec                 eax
            //   894710               | mov                 ebp, dword ptr [esp + 0x48]
            //   ff15????????         |                     
            //   4885c0               | dec                 eax

        // $sequence_24..$sequence_39: score 100 group (lowest-weighted
        // sequences; several contain wildcarded absolute addresses).
        $sequence_24 = { 89bd4cffffff e8???????? 83c40c 8b45b4 8b486c 894ddc 8b4870 }
            // n = 7, score = 100
            //   89bd4cffffff         | dec                 edi
            //   e8????????           |                     
            //   83c40c               | not                 edi
            //   8b45b4               | and                 eax, edi
            //   8b486c               | add                 esp, 0xc
            //   894ddc               | mov                 eax, dword ptr [ebp - 0x42c]
            //   8b4870               | push                eax

        $sequence_25 = { 8b45e8 8b4dec 89c2 83c201 89ce 83c601 8a5901 }
            // n = 7, score = 100
            //   8b45e8               | mov                 eax, dword ptr [ecx + 0x3c]
            //   8b4dec               | lea                 edx, [eax + ebx - 1]
            //   89c2                 | jmp                 0x10
            //   83c201               | mov                 eax, dword ptr [ecx + 0x38]
            //   89ce                 | mov                 edx, dword ptr [esi + 8]
            //   83c601               | lea                 edx, [eax + edx - 1]
            //   8a5901               | movzx               eax, word ptr [ecx + 0x14]

        $sequence_26 = { 8b55e0 813c0a50450000 8b4ddc 0f44c8 8b45f0 }
            // n = 5, score = 100
            //   8b55e0               | mov                 eax, dword ptr [ebp + 8]
            //   813c0a50450000       | cmp                 eax, dword ptr [esi + 0xc]
            //   8b4ddc               | mov                 edx, dword ptr [ecx + 0x3c]
            //   0f44c8               | mov                 ebx, dword ptr [esi + 0x10]
            //   8b45f0               | lea                 eax, [eax + edi - 1]

        $sequence_27 = { 83c40c 8b85d4fbffff 50 e8???????? 83c404 8b0d???????? 50 }
            // n = 7, score = 100
            //   83c40c               | add                 ecx, eax
            //   8b85d4fbffff         | mov                 edx, dword ptr [ecx + 0x3c]
            //   50                   | mov                 ebx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   83c404               | lea                 eax, [eax + edi - 1]
            //   8b0d????????         |                     
            //   50                   | dec                 edi

        $sequence_28 = { c70204010000 8b15???????? 898568fdffff 898d64fdffff ffd2 83ec08 }
            // n = 6, score = 100
            //   c70204010000         | mov                 eax, dword ptr [esi + 8]
            //   8b15????????         |                     
            //   898568fdffff         | mov                 eax, dword ptr [esi + 8]
            //   898d64fdffff         | mov                 edx, dword ptr [ecx + 0x3c]
            //   ffd2                 | mov                 ebx, dword ptr [esi + 0x10]
            //   83ec08               | lea                 eax, [eax + edi - 1]

        $sequence_29 = { 8b45e8 83c428 5d c3 55 89e5 }
            // n = 6, score = 100
            //   8b45e8               | push                edi
            //   83c428               | lea                 esi, [eax + ecx + 0x18]
            //   5d                   | mov                 eax, dword ptr [ebp + 8]
            //   c3                   | cmp                 eax, dword ptr [esi + 0xc]
            //   55                   | jb                  0x4f
            //   89e5                 | mov                 edi, dword ptr [ecx + 0x38]

        $sequence_30 = { e8???????? 890424 8b853cffffff 89442404 e8???????? 8b8d50ffffff 894120 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   890424               | not                 eax
            //   8b853cffffff         | mov                 eax, dword ptr [ebp - 0x18]
            //   89442404             | mov                 ecx, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   8b8d50ffffff         | mov                 edx, eax
            //   894120               | add                 edx, 1

        $sequence_31 = { c1ea0c 31ff 88d3 88df 80ef0a 89459c }
            // n = 6, score = 100
            //   c1ea0c               | mov                 eax, dword ptr [ebp + 8]
            //   31ff                 | cmp                 eax, dword ptr [esi + 0xc]
            //   88d3                 | jb                  0x4c
            //   88df                 | mov                 edi, dword ptr [ecx + 0x38]
            //   80ef0a               | mov                 eax, dword ptr [esi + 8]
            //   89459c               | mov                 edx, dword ptr [ecx + 0x3c]

        $sequence_32 = { b978000000 bacc000000 be10100000 8b7da8 8b5db4 }
            // n = 5, score = 100
            //   b978000000           | mov                 dword ptr [ecx + 4], esi
            //   bacc000000           | mov                 ecx, dword ptr [eax + 8]
            //   be10100000           | push                dword ptr [eax + 4]
            //   8b7da8               | add                 ecx, dword ptr [esp + 0xc]
            //   8b5db4               | mov                 eax, dword ptr [eax]

        $sequence_33 = { 8945ec e8???????? 8b45fc 890424 e8???????? }
            // n = 5, score = 100
            //   8945ec               | push                esi
            //   e8????????           |                     
            //   8b45fc               | push                edi
            //   890424               | lea                 esi, [eax + ecx + 0x18]
            //   e8????????           |                     

        $sequence_34 = { c7460cfe308702 c74604???????? 8b35???????? 898560fdffff }
            // n = 4, score = 100
            //   c7460cfe308702       | mov                 ecx, dword ptr [ebp + 8]
            //   c74604????????       |                     
            //   8b35????????         |                     
            //   898560fdffff         | lea                 edx, [0x287309e]

        $sequence_35 = { 894ddc 8945e0 0f841a010000 31c0 8b4ddc }
            // n = 5, score = 100
            //   894ddc               | mov                 ebx, dword ptr [esi + 0x10]
            //   8945e0               | mov                 eax, dword ptr [ecx + 0x38]
            //   0f841a010000         | mov                 edx, dword ptr [esi + 8]
            //   31c0                 | lea                 edx, [eax + edx - 1]
            //   8b4ddc               | dec                 eax

        $sequence_36 = { 894df0 897dec 8955e8 7714 }
            // n = 4, score = 100
            //   894df0               | dec                 edi
            //   897dec               | not                 edi
            //   8955e8               | and                 eax, edi
            //   7714                 | lea                 edi, [ebx + edx - 1]

        $sequence_37 = { 894c2404 c744240814000000 e8???????? c68556ffffff56 8b85f8feffff 8985ecfeffff }
            // n = 6, score = 100
            //   894c2404             | mov                 eax, dword ptr [ebp - 4]
            //   c744240814000000     | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c68556ffffff56       | mov                 edx, dword ptr [ebp - 0x20]
            //   8b85f8feffff         | cmp                 dword ptr [edx + ecx], 0x4550
            //   8985ecfeffff         | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_38 = { 8b450c 8b4d08 8d159e308702 83ec04 891424 8945e8 894de4 }
            // n = 7, score = 100
            //   8b450c               | jae                 0x15
            //   8b4d08               | bt                  dword ptr [esi], 0x1f
            //   8d159e308702         | setb                al
            //   83ec04               | neg                 al
            //   891424               | sbb                 eax, eax
            //   8945e8               | and                 eax, 0x20
            //   894de4               | mov                 esi, dword ptr [eax + 4]

        $sequence_39 = { c605????????00 a1???????? 6a00 6a00 6a00 }
            // n = 5, score = 100
            //   c605????????00       |                     
            //   a1????????           |                     
            //   6a00                 | add                 esp, 4
            //   6a00                 | push                eax
            //   6a00                 | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        // Any 7 of the 40 sequences above must be present, and the object
        // must be smaller than 221184 bytes (216 KiB). Note that the
        // threshold does not weight sequences by score: seven score-100
        // hits satisfy it just as well as seven score-2300 hits.
        7 of them and filesize < 221184
}