win.romcom_rat

ROMCOM RAT


Unit 42 observed the threat actor Tropical Scorpius using this RAT in operations in which Cuba ransomware was also deployed.

References
2022-12-22 — Cert-UA — Cert-UA
@online{certua:20221222:cyber:bc80a7f, author = {Cert-UA}, title = {{Cyber attack on DELTA system users using RomCom/FateGrab/StealDeal malware (CERT-UA#5709)}}, date = {2022-12-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3349703}, language = {Ukrainian}, urldate = {2023-01-17} } Cyber attack on DELTA system users using RomCom/FateGrab/StealDeal malware (CERT-UA#5709)
ROMCOM RAT
2022-11-02 — Blackberry — Blackberry Research
@online{research:20221102:romcom:73ba97d, author = {Blackberry Research}, title = {{RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom}}, date = {2022-11-02}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass}, language = {English}, urldate = {2023-01-03} } RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
ROMCOM RAT RomCom
2022-10-23 — Blackberry — The BlackBerry Research & Intelligence Team
@online{team:20221023:unattributed:b83a409, author = {The BlackBerry Research & Intelligence Team}, title = {{Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries}}, date = {2022-10-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries}, language = {English}, urldate = {2022-10-30} } Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries
ROMCOM RAT RomCom
2022-08-10 — Palo Alto Networks Unit 42 — Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
@online{galiette:20220810:novel:9849ff4, author = {Anthony Galiette and Daniel Bunce and Doel Santos and Shawn Westfall}, title = {{Novel News on Cuba Ransomware: Greetings From Tropical Scorpius}}, date = {2022-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/}, language = {English}, urldate = {2022-08-11} } Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
Yara Rules
[TLP:WHITE] win_romcom_rat_auto (20230125 | Detects win.romcom_rat.)
rule win_romcom_rat_auto {
    /*
     * Auto-generated code-sequence rule for the RomCom RAT family (Malpedia id
     * win.romcom_rat, see malpedia_reference below). It fires when at least 7 of
     * the 10 $sequence_* byte patterns are present and the scanned object is
     * smaller than 1211392 bytes (see condition).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.romcom_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the sequences carry REX prefixes (0x48/0x49/0x4a/0x4c/0x41/0x4d),
     * i.e. they were lifted from 64-bit code; the ?? bytes mask the rel32 operands
     * of e8 (call) / e9 (jmp) so the patterns do not depend on link-time addresses.
     * The "| mnemonic" annotations on the lines below are NOT a disassembly of the
     * bytes printed next to them (e.g. 4803c8 encodes `add rcx, rax`, not
     * `cmp edi, 0x10`); they look like misaligned generator output, so rely on the
     * hex only. Because the bytes come from unpacked / memory-dump code (see
     * DISCLAIMER), expect hits on unpacked payloads and memory images rather than
     * on packed droppers -- confirm against your own sample set.
     */

    strings:
        $sequence_0 = { 4a0fbe842810940800 4803c8 48ffc7 48ffc1 483bfd 75c8 488d442440 }
            // n = 7, score = 100
            //   4a0fbe842810940800     | dec    ecx
            //   4803c8               | cmp                 edi, 0x10
            //   48ffc7               | setae               dl
            //   48ffc1               | mov                 byte ptr [ebp - 0x76], dl
            //   483bfd               | dec                 ecx
            //   75c8                 | cmovae              eax, esi
            //   488d442440           | dec                 eax

        $sequence_1 = { e9???????? 498bd4 488bcf e8???????? 33db 84c0 758b }
            // n = 7, score = 100
            //   e9????????           |                     
            //   498bd4               | dec                 ecx
            //   488bcf               | inc                 esi
            //   e8????????           |                     
            //   33db                 | dec                 eax
            //   84c0                 | mov                 edx, dword ptr [esp + 0x40]
            //   758b                 | inc                 ebp

        $sequence_2 = { 488b55c8 4883fa10 490f43d8 41807f0800 7552 498b0f 4885c9 }
            // n = 7, score = 100
            //   488b55c8             | and                 dword ptr [ebx], 0
            //   4883fa10             | mov                 byte ptr [ebx + 8], 1
            //   490f43d8             | movzx               ecx, byte ptr [ebx + 9]
            //   41807f0800           | dec                 ecx
            //   7552                 | mov                 eax, dword ptr [esp + 0x18]
            //   498b0f               | mov                 byte ptr [ebx + 9], al
            //   4885c9               | jmp                 0xdc1

        $sequence_3 = { 0fb60a 83e10f 4a0fbe8409a0ac0600 428a8c09b0ac0600 482bd0 8b42fc d3e8 }
            // n = 7, score = 100
            //   0fb60a               | jae                 0x1f45
            //   83e10f               | dec                 eax
            //   4a0fbe8409a0ac0600     | lea    ecx, [0x5bff3]
            //   428a8c09b0ac0600     | jne                 0x1f2f
            //   482bd0               | dec                 eax
            //   8b42fc               | mov                 ecx, dword ptr [edi + 0x10]
            //   d3e8                 | dec                 esp

        $sequence_4 = { e8???????? 4c8b842480000000 418bd5 498bcf e8???????? 488b8c2480000000 498d141c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8b842480000000     | movzx               ecx, si
            //   418bd5               | xor                 edi, edi
            //   498bcf               | dec                 esp
            //   e8????????           |                     
            //   488b8c2480000000     | lea                 ecx, [ebp - 0x39]
            //   498d141c             | dec                 eax

        $sequence_5 = { 75f7 4803c8 4963c7 483bc8 7656 41ffc4 4181c700100000 }
            // n = 7, score = 100
            //   75f7                 | mov                 dword ptr [eax], 0x22
            //   4803c8               | dec                 ebp
            //   4963c7               | test                edi, edi
            //   483bc8               | xor                 edx, edx
            //   7656                 | dec                 ecx
            //   41ffc4               | sub                 ebx, esp
            //   4181c700100000       | jne                 0x5d8

        $sequence_6 = { 0f114b10 48894f10 48894718 880f 488b5c2440 4883c420 5f }
            // n = 7, score = 100
            //   0f114b10             | mov                 ecx, esp
            //   48894f10             | or                  dword ptr [esi], eax
            //   48894718             | jmp                 0xec1
            //   880f                 | dec                 ecx
            //   488b5c2440           | mov                 eax, dword ptr [esp]
            //   4883c420             | dec                 eax
            //   5f                   | mov                 edx, edi

        $sequence_7 = { 7412 488d45b0 4983fd10 480f43c3 413a1404 7520 4d85e4 }
            // n = 7, score = 100
            //   7412                 | dec                 esp
            //   488d45b0             | mov                 esi, dword ptr [esp + 0x50]
            //   4983fd10             | dec                 esp
            //   480f43c3             | mov                 edi, dword ptr [esp + 0x58]
            //   413a1404             | ja                  0x16e2
            //   7520                 | inc                 ecx
            //   4d85e4               | cmp                 edi, edi

        $sequence_8 = { 84c0 0f85cd000000 448b7c2434 beffff0000 385f08 7540 488b0f }
            // n = 7, score = 100
            //   84c0                 | cmove               edi, edi
            //   0f85cd000000         | inc                 ebp
            //   448b7c2434           | xor                 eax, eax
            //   beffff0000           | test                eax, eax
            //   385f08               | dec                 eax
            //   7540                 | lea                 edx, [ebp + 0x67]
            //   488b0f               | dec                 eax

        $sequence_9 = { 0f859e100000 498b4d00 4885c9 0f8489100000 488b4138 488b10 4885d2 }
            // n = 7, score = 100
            //   0f859e100000         | lea                 eax, [0xfffc17e9]
            //   498b4d00             | mov                 eax, dword ptr [eax + ecx*4 + 0x6d8a8]
            //   4885c9               | test                eax, eax
            //   0f8489100000         | jne                 0x8bc
            //   488b4138             | inc                 ebp
            //   488b10               | mov                 esi, ebx
            //   4885d2               | inc                 esp

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. filesize is in
        // bytes (1211392 = 1183 KiB); when scanning process memory rather than
        // files, check how your scanner populates filesize before relying on it.
        7 of them and filesize < 1211392
}