Actor(s): Lazarus Group
There is no description at this point.
There are currently no references.
rule win_romeos_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.romeos." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { b9ff070000 33c0 8d7c2449 c644244800 6a16 } // n = 5, score = 400 // b9ff070000 | mov ecx, 0x7ff // 33c0 | xor eax, eax // 8d7c2449 | lea edi, [esp + 0x49] // c644244800 | mov byte ptr [esp + 0x48], 0 // 6a16 | push 0x16 $sequence_1 = { 85f6 750a 5e 33c0 5b 83c408 c20c00 } // n = 7, score = 400 // 85f6 | test esi, esi // 750a | jne 0xc // 5e | pop esi // 33c0 | xor eax, eax // 5b | pop ebx // 83c408 | add esp, 8 // c20c00 | ret 0xc $sequence_2 = { 85ed 7e0e e8???????? 88441c18 } // n = 4, score = 400 // 85ed | test ebp, ebp // 7e0e | jle 0x10 // e8???????? | // 88441c18 | mov byte ptr [esp + ebx + 0x18], al $sequence_3 = { 83c408 807c24480e 7406 43 83fb08 7cb6 e8???????? } // n = 7, score = 400 // 83c408 | add esp, 8 // 807c24480e | cmp byte ptr [esp + 0x48], 0xe // 7406 | je 8 // 43 | inc ebx // 83fb08 | cmp ebx, 8 // 7cb6 | jl 0xffffffb8 // e8???????? | $sequence_4 = { 7406 43 83fb08 7cb6 e8???????? } // n = 5, score = 400 // 7406 | je 8 // 43 | inc ebx // 83fb08 | cmp ebx, 8 // 7cb6 | jl 0xffffffb8 // e8???????? | $sequence_5 = { 43 3bdd 7cf2 8b542414 6a16 8d44244c 52 } // n = 7, score = 400 // 43 | inc ebx // 3bdd | cmp ebx, ebp // 7cf2 | jl 0xfffffff4 // 8b542414 | mov edx, dword ptr [esp + 0x14] // 6a16 | push 0x16 // 8d44244c | lea eax, [esp + 0x4c] // 52 | push edx $sequence_6 = { f3ab 66ab aa 8d44244c c644241701 50 } // n = 6, score = 400 // f3ab | rep stosd dword ptr es:[edi], eax // 66ab | stosw word ptr es:[edi], ax // aa | stosb byte ptr es:[edi], al // 8d44244c | lea eax, [esp + 0x4c] // c644241701 | mov byte ptr [esp + 0x17], 1 // 50 | push eax $sequence_7 = { 85c0 754c 6a16 8d54241c 55 52 57 } // n = 7, score = 400 // 85c0 | test eax, eax // 754c | jne 0x4e // 6a16 | push 0x16 // 8d54241c | lea edx, [esp + 0x1c] // 55 | push ebp // 52 | push edx // 57 | push edi $sequence_8 = { 754c 6a16 8d54241c 55 } // n = 4, score = 400 // 754c | jne 0x4e // 6a16 | push 0x16 // 8d54241c | lea edx, [esp + 0x1c] // 55 | push ebp $sequence_9 = { 5b 81c438200000 c20400 5f 5e } // n = 5, score = 400 // 5b | pop ebx // 81c438200000 | add esp, 0x2038 // c20400 | ret 4 // 5f | pop edi // 5e | pop esi condition: 7 of them and filesize < 294912 }
import "pe" rule win_romeos_w0 { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" hash = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/RomeoAlfa.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* 68 C4 94 41 00 push offset a0_0_0_0 ; "0.0.0.0" 56 push esi ; wchar_t * E8 1C B4 00 00 call _wcscpy 83 C6 28 add esi, 28h 83 C4 08 add esp, 8 81 FE E8 CD 41 00 cmp esi, offset unk_41CDE8 7C E7 jl short loc_4039DA */ $zeroIPLoader = { 68 [4] 56 E8 [4] 83 C6 28 83 C4 08 81 FE [4] 7C E? } // push esi // mov esi, [esp+4+a1] // test esi, esi // jle short loc_403FEB // push edi // mov edi, ds:Sleep // push 0EA60h ; dwMilliseconds // call edi ; Sleep // dec esi // jnz short loc_403FE0 // pop edi // pop esi // retn $sleeper = { 5? 8B [3] 85 ?? 7E ?? 5? 8B 3D [4] 68 [4] FF ?? 4? 75 ?? 5? 5? C3 } $xercesc = "xercesc" condition: ($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))) and not $xercesc }
import "pe" rule win_romeos_w1 { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" hash = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/RomeoGolf.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* FF 15 70 80 01 10 call ds:GetTickCount 50 push eax ; unsigned int E8 80 93 00 00 call _srand 83 C4 04 add esp, 4 E8 85 93 00 00 call _rand C1 E0 10 shl eax, 10h 89 46 0C mov [esi+0Ch], eax E8 7A 93 00 00 call _rand 01 46 0C add [esi+0Ch], eax E8 72 93 00 00 call _rand C1 E0 10 shl eax, 10h 89 46 08 mov [esi+8], eax E8 67 93 00 00 call _rand 01 46 08 add [esi+8], eax */ $idGen = { FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 } condition: $idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY