SYMBOLCOMMON_NAMEaka. SYNONYMS
win.romeos (Back to overview)

Romeo(Alfa,Bravo, ...)

Actor(s): Lazarus Group

VTCollection    

There is no description at this point.

References

There are currently no references.

Yara Rules
[TLP:WHITE] win_romeos_auto (20260504 | Detects win.romeos.)
rule win_romeos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.romeos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b9ff070000 33c0 8d7c2449 c644244800 6a16 }
            // n = 5, score = 400
            //   b9ff070000           | mov                 ecx, 0x7ff
            //   33c0                 | xor                 eax, eax
            //   8d7c2449             | lea                 edi, [esp + 0x49]
            //   c644244800           | mov                 byte ptr [esp + 0x48], 0
            //   6a16                 | push                0x16

        $sequence_1 = { 85f6 750a 5e 33c0 5b 83c408 c20c00 }
            // n = 7, score = 400
            //   85f6                 | test                esi, esi
            //   750a                 | jne                 0xc
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   83c408               | add                 esp, 8
            //   c20c00               | ret                 0xc

        $sequence_2 = { 85ed 7e0e e8???????? 88441c18 }
            // n = 4, score = 400
            //   85ed                 | test                ebp, ebp
            //   7e0e                 | jle                 0x10
            //   e8????????           |                     
            //   88441c18             | mov                 byte ptr [esp + ebx + 0x18], al

        $sequence_3 = { 83c408 807c24480e 7406 43 83fb08 7cb6 e8???????? }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   807c24480e           | cmp                 byte ptr [esp + 0x48], 0xe
            //   7406                 | je                  8
            //   43                   | inc                 ebx
            //   83fb08               | cmp                 ebx, 8
            //   7cb6                 | jl                  0xffffffb8
            //   e8????????           |                     

        $sequence_4 = { 7406 43 83fb08 7cb6 e8???????? }
            // n = 5, score = 400
            //   7406                 | je                  8
            //   43                   | inc                 ebx
            //   83fb08               | cmp                 ebx, 8
            //   7cb6                 | jl                  0xffffffb8
            //   e8????????           |                     

        $sequence_5 = { 43 3bdd 7cf2 8b542414 6a16 8d44244c 52 }
            // n = 7, score = 400
            //   43                   | inc                 ebx
            //   3bdd                 | cmp                 ebx, ebp
            //   7cf2                 | jl                  0xfffffff4
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   6a16                 | push                0x16
            //   8d44244c             | lea                 eax, [esp + 0x4c]
            //   52                   | push                edx

        $sequence_6 = { f3ab 66ab aa 8d44244c c644241701 50 }
            // n = 6, score = 400
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8d44244c             | lea                 eax, [esp + 0x4c]
            //   c644241701           | mov                 byte ptr [esp + 0x17], 1
            //   50                   | push                eax

        $sequence_7 = { 85c0 754c 6a16 8d54241c 55 52 57 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   754c                 | jne                 0x4e
            //   6a16                 | push                0x16
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   55                   | push                ebp
            //   52                   | push                edx
            //   57                   | push                edi

        $sequence_8 = { 754c 6a16 8d54241c 55 }
            // n = 4, score = 400
            //   754c                 | jne                 0x4e
            //   6a16                 | push                0x16
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   55                   | push                ebp

        $sequence_9 = { 5b 81c438200000 c20400 5f 5e }
            // n = 5, score = 400
            //   5b                   | pop                 ebx
            //   81c438200000         | add                 esp, 0x2038
            //   c20400               | ret                 4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 294912
}
[TLP:WHITE] win_romeos_w0   (20170517 | No description)
import "pe"

rule win_romeos_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		hash = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/RomeoAlfa.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		68 C4 94 41 00     push    offset a0_0_0_0 ; "0.0.0.0"
		56                 push    esi             ; wchar_t *
		E8 1C B4 00 00     call    _wcscpy
		83 C6 28           add     esi, 28h
		83 C4 08           add     esp, 8
		81 FE E8 CD 41 00  cmp     esi, offset unk_41CDE8
		7C E7              jl      short loc_4039DA
	*/

	$zeroIPLoader = {
			68 [4] 
			56 
			E8 [4] 
			83 C6 28 
			83 C4 08 
			81 FE [4] 
			7C E? 
		}
		


		// push    esi                              
		// mov     esi, [esp+4+a1]                  
		// test    esi, esi                         
		// jle     short loc_403FEB                 
		// push    edi                              
		// mov     edi, ds:Sleep                    
		// push    0EA60h          ; dwMilliseconds 
		// call    edi ; Sleep                      
		// dec     esi                              
		// jnz     short loc_403FE0                 
		// pop     edi                              
		// pop     esi                              
		// retn                                     
		$sleeper  = {
				5? 
				8B [3]                       
				85 ??                        
				7E ??                        
				5? 
				8B 3D [4]                    
				68 [4]               
				FF ??                        
				4? 
				75 ??                        
				5? 
				5? 
				C3                           
			}
			
		$xercesc = "xercesc"
		
	condition:
		($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)))
		and not $xercesc
}
[TLP:WHITE] win_romeos_w1   (20170517 | No description)
import "pe"

rule win_romeos_w1 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		hash = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/RomeoGolf.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
	/*
		FF 15 70 80 01 10  call    ds:GetTickCount
		50                 push    eax             ; unsigned int
		E8 80 93 00 00     call    _srand
		83 C4 04           add     esp, 4
		E8 85 93 00 00     call    _rand
		C1 E0 10           shl     eax, 10h
		89 46 0C           mov     [esi+0Ch], eax
		E8 7A 93 00 00     call    _rand
		01 46 0C           add     [esi+0Ch], eax
		E8 72 93 00 00     call    _rand
		C1 E0 10           shl     eax, 10h
		89 46 08           mov     [esi+8], eax
		E8 67 93 00 00     call    _rand
		01 46 08           add     [esi+8], eax
	*/

	$idGen = {
			FF 15 [4]
			50 
			E8 [4] 
			83 C4 04 
			E8 [4]
			C1 ?? 10 
			89 [2]
			E8 [4] 
			01 [2]
			E8 [4] 
			C1 ?? 10 
			89 [2] 
			E8
		}

	condition:
		$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
Download all Yara Rules