Unit 42 observed threat actor Tropical Scorpius using this RAT in operations where also Cuba ransomware was deployed.
rule win_romcom_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.romcom_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4a0fbe842810940800 4803c8 48ffc7 48ffc1 483bfd 75c8 488d442440 } // n = 7, score = 100 // 4a0fbe842810940800 | dec ecx // 4803c8 | cmp edi, 0x10 // 48ffc7 | setae dl // 48ffc1 | mov byte ptr [ebp - 0x76], dl // 483bfd | dec ecx // 75c8 | cmovae eax, esi // 488d442440 | dec eax $sequence_1 = { e9???????? 498bd4 488bcf e8???????? 33db 84c0 758b } // n = 7, score = 100 // e9???????? | // 498bd4 | dec ecx // 488bcf | inc esi // e8???????? | // 33db | dec eax // 84c0 | mov edx, dword ptr [esp + 0x40] // 758b | inc ebp $sequence_2 = { 488b55c8 4883fa10 490f43d8 41807f0800 7552 498b0f 4885c9 } // n = 7, score = 100 // 488b55c8 | and dword ptr [ebx], 0 // 4883fa10 | mov byte ptr [ebx + 8], 1 // 490f43d8 | movzx ecx, byte ptr [ebx + 9] // 41807f0800 | dec ecx // 7552 | mov eax, dword ptr [esp + 0x18] // 498b0f | mov byte ptr [ebx + 9], al // 4885c9 | jmp 0xdc1 $sequence_3 = { 0fb60a 83e10f 4a0fbe8409a0ac0600 428a8c09b0ac0600 482bd0 8b42fc d3e8 } // n = 7, score = 100 // 0fb60a | jae 0x1f45 // 83e10f | dec eax // 4a0fbe8409a0ac0600 | lea ecx, [0x5bff3] // 428a8c09b0ac0600 | jne 0x1f2f // 482bd0 | dec eax // 8b42fc | mov ecx, dword ptr [edi + 0x10] // d3e8 | dec esp $sequence_4 = { e8???????? 4c8b842480000000 418bd5 498bcf e8???????? 488b8c2480000000 498d141c } // n = 7, score = 100 // e8???????? | // 4c8b842480000000 | movzx ecx, si // 418bd5 | xor edi, edi // 498bcf | dec esp // e8???????? | // 488b8c2480000000 | lea ecx, [ebp - 0x39] // 498d141c | dec eax $sequence_5 = { 75f7 4803c8 4963c7 483bc8 7656 41ffc4 4181c700100000 } // n = 7, score = 100 // 75f7 | mov dword ptr [eax], 0x22 // 4803c8 | dec ebp // 4963c7 | test edi, edi // 483bc8 | xor edx, edx // 7656 | dec ecx // 41ffc4 | sub ebx, esp // 4181c700100000 | jne 0x5d8 $sequence_6 = { 0f114b10 48894f10 48894718 880f 488b5c2440 4883c420 5f } // n = 7, score = 100 // 0f114b10 | mov ecx, esp // 48894f10 | or dword ptr [esi], eax // 48894718 | jmp 0xec1 // 880f | dec ecx // 488b5c2440 | mov eax, dword ptr [esp] // 4883c420 | dec eax // 5f | mov edx, edi $sequence_7 = { 7412 488d45b0 4983fd10 480f43c3 413a1404 7520 4d85e4 } // n = 7, score = 100 // 7412 | dec esp // 488d45b0 | mov esi, dword ptr [esp + 0x50] // 4983fd10 | dec esp // 480f43c3 | mov edi, dword ptr [esp + 0x58] // 413a1404 | ja 0x16e2 // 7520 | inc ecx // 4d85e4 | cmp edi, edi $sequence_8 = { 84c0 0f85cd000000 448b7c2434 beffff0000 385f08 7540 488b0f } // n = 7, score = 100 // 84c0 | cmove edi, edi // 0f85cd000000 | inc ebp // 448b7c2434 | xor eax, eax // beffff0000 | test eax, eax // 385f08 | dec eax // 7540 | lea edx, [ebp + 0x67] // 488b0f | dec eax $sequence_9 = { 0f859e100000 498b4d00 4885c9 0f8489100000 488b4138 488b10 4885d2 } // n = 7, score = 100 // 0f859e100000 | lea eax, [0xfffc17e9] // 498b4d00 | mov eax, dword ptr [eax + ecx*4 + 0x6d8a8] // 4885c9 | test eax, eax // 0f8489100000 | jne 0x8bc // 488b4138 | inc ebp // 488b10 | mov esi, ebx // 4885d2 | inc esp condition: 7 of them and filesize < 1211392 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY