win.romcom_rat

ROMCOM RAT


Unit 42 observed the threat actor Tropical Scorpius using this RAT in operations in which Cuba ransomware was also deployed.

References
2023-09-08 | K7 Security | Sudeep Waingankar
RomCom RAT: Not Your Typical Love Story
ROMCOM RAT RomCom
2023-07-11 | Microsoft | Microsoft
Storm-0978 attacks reveal financial and espionage motives
ROMCOM RAT
2023-07-08 | Blackberry | BlackBerry Research & Intelligence Team
RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit
ROMCOM RAT
2023-05-30 | Trend Micro | Feike Hacquebord, Fernando Mercês, Lord Alfred Remorin, Stephen Hilt
Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals
ROMCOM RAT RomCom
2023-04-19 | Google | Google Threat Analysis Group
Ukraine remains Russia’s biggest cyber focus in 2023
ROMCOM RAT
2022-12-22 | Cert-UA | Cert-UA
Cyber attack on DELTA system users using RomCom/FateGrab/StealDeal malware (CERT-UA#5709)
ROMCOM RAT
2022-11-02 | Blackberry | Blackberry Research
RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
ROMCOM RAT RomCom
2022-10-23 | Blackberry | The BlackBerry Research & Intelligence Team
Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries
ROMCOM RAT RomCom
2022-08-10 | Palo Alto Networks Unit 42 | Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
Yara Rules
[TLP:WHITE] win_romcom_rat_auto (20230808 | Detects win.romcom_rat.)
rule win_romcom_rat_auto {

    // Auto-generated code-sequence signature for win.romcom_rat (RomCom RAT),
    // produced by yara-signator from the disassembly of memory dumps and
    // unpacked samples (see the DISCLAIMER below). Each $sequence_N string is
    // a run of raw instruction bytes; the sequences appear to be x86-64 code
    // (REX prefixes 41/44/48/49/4c are pervasive). The "????????" wildcards
    // mask the 4-byte rel32/disp32 operand of calls (e8, ff15) and
    // rip-relative loads, so a match does not depend on where the sample was
    // linked or loaded.
    //
    // NOTE(review): the per-byte "| mnemonic" annotations in the strings
    // section do NOT decode the bytes on the same line (e.g. b910000000 is
    // "mov ecx, 0x10", not "inc ecx"; a leading 48 is a REX.W prefix in
    // 64-bit mode, not "dec eax"). They look like a misaligned 32-bit-mode
    // rendering emitted by the generator and should not be used to reason
    // about what the code does; the hex bytes are what the rule matches.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // "date" is the rule generation date; malpedia_rule_date /
        // malpedia_version presumably track the Malpedia dataset snapshot the
        // rule was built against - confirm against the yara-signator docs.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.romcom_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b910000000 e8???????? 488945a0 4885c0 7410 44897008 488d0d6fc20400 }
            // n = 7, score = 100
            //   b910000000           | inc                 ecx
            //   e8????????           |                     
            //   488945a0             | add                 eax, esi
            //   4885c0               | dec                 eax
            //   7410                 | arpl                ax, bx
            //   44897008             | dec                 eax
            //   488d0d6fc20400       | mov                 ecx, ebx

        $sequence_1 = { d3e8 49895108 418901 49895110 0fb60a 83e10f 4a0fbe8401a0ac0600 }
            // n = 7, score = 100
            //   d3e8                 | lea                 eax, [edx + 8]
            //   49895108             | mov                 dword ptr [esp + 0x3c], 0x510002
            //   418901               | mov                 dword ptr [esp + 0x40], 0x7c0070
            //   49895110             | mov                 dword ptr [esp + 0x44], 0x630074
            //   0fb60a               | mov                 dword ptr [esp + 0x48], 0x750079
            //   83e10f               | mov                 dword ptr [esp + 0x4c], 0x75006f
            //   4a0fbe8401a0ac0600     | inc    ecx

        $sequence_2 = { 488d95e0310000 488d4dc0 e8???????? 448bc6 33d2 488d8de0310000 e8???????? }
            // n = 7, score = 100
            //   488d95e0310000       | dec                 esp
            //   488d4dc0             | mov                 esi, eax
            //   e8????????           |                     
            //   448bc6               | dec                 eax
            //   33d2                 | test                eax, eax
            //   488d8de0310000       | je                  0xe9b
            //   e8????????           |                     

        $sequence_3 = { 488b01 488b4030 ff15???????? 83f8ff 7406 41884709 eb03 }
            // n = 7, score = 100
            //   488b01               | dec                 eax
            //   488b4030             | mov                 dword ptr [ebp - 0x21], eax
            //   ff15????????         |                     
            //   83f8ff               | dec                 eax
            //   7406                 | lea                 eax, [ebp - 0x31]
            //   41884709             | dec                 eax
            //   eb03                 | cmp                 dword ptr [ebp - 0x19], 0x10

        $sequence_4 = { 482bc1 4883c0f8 4883f81f 0f877d030000 e8???????? 488d4580 48837d9808 }
            // n = 7, score = 100
            //   482bc1               | dec                 eax
            //   4883c0f8             | lea                 eax, [0x63b77]
            //   4883f81f             | dec                 eax
            //   0f877d030000         | mov                 ebx, ecx
            //   e8????????           |                     
            //   488d4580             | dec                 eax
            //   48837d9808           | mov                 dword ptr [ecx], eax

        $sequence_5 = { 8a4709 3a4508 744b 84c9 7542 488b0f 4885c9 }
            // n = 7, score = 100
            //   8a4709               | lea                 ecx, [ebp + 0x10e0]
            //   3a4508               | xor                 edx, edx
            //   744b                 | inc                 esp
            //   84c9                 | lea                 eax, [edx + 0x40]
            //   7542                 | dec                 eax
            //   488b0f               | lea                 ecx, [ebp + 0x1060]
            //   4885c9               | xor                 edx, edx

        $sequence_6 = { 488d0dbac50400 488908 eb03 498bc6 4c8bc3 488bd0 488bcf }
            // n = 7, score = 100
            //   488d0dbac50400       | mov                 byte ptr [ecx], al
            //   488908               | test                esi, esi
            //   eb03                 | je                  0x714
            //   498bc6               | dec                 ecx
            //   4c8bc3               | mov                 eax, dword ptr [esi + 8]
            //   488bd0               | dec                 ecx
            //   488bcf               | mov                 ecx, dword ptr [esi + 0x18]

        $sequence_7 = { eb04 4d895d00 b801000000 41884508 488b542468 eb05 b801000000 }
            // n = 7, score = 100
            //   eb04                 | mov                 ecx, dword ptr [edi]
            //   4d895d00             | dec                 eax
            //   b801000000           | test                ecx, ecx
            //   41884508             | je                  0x1ad
            //   488b542468           | dec                 eax
            //   eb05                 | mov                 eax, dword ptr [ecx + 0x38]
            //   b801000000           | dec                 esp

        $sequence_8 = { f20f10fc f20f58cc f20f10d1 f20f10c1 4c8d0d39090300 f20f101d???????? f20f100d???????? }
            // n = 7, score = 100
            //   f20f10fc             | xor                 edi, edi
            //   f20f58cc             | inc                 esp
            //   f20f10d1             | mov                 ch, byte ptr [esp + 0x30]
            //   f20f10c1             | inc                 ebp
            //   4c8d0d39090300       | mov                 cl, ch
            //   f20f101d????????     |                     
            //   f20f100d????????     |                     

        $sequence_9 = { 7510 488d0d12c90500 e8???????? 85c0 742e 32c0 eb33 }
            // n = 7, score = 100
            //   7510                 | add                 dword ptr [eax + 8], ecx
            //   488d0d12c90500       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 eax, dword ptr [ebx + 0x28]
            //   742e                 | mov                 dword ptr [eax], 4
            //   32c0                 | mov                 eax, dword ptr [ebx + 8]
            //   eb33                 | test                eax, eax

    condition:
        // A hit needs at least 7 of the 10 code sequences above, which
        // tolerates some per-sample variation, and the scanned file must be
        // smaller than 1211392 bytes (~1.16 MiB). The size cap limits the
        // cost of scanning large unrelated files but also means a larger
        // (e.g. differently packed) variant would not match; presumably the
        // cap was sized from the documented samples - confirm before changing.
        7 of them and filesize < 1211392
}