win.runningrat

running_rat


There is no description at this point.

References

There are currently no references.

Yara Rules
[TLP:WHITE] win_runningrat_auto (20211008 | Detects win.runningrat.)
rule win_runningrat_auto {
    // Autogenerated code-sequence rule for win.runningrat (yara-signator v0.6.0).
    // Each $sequence_N is a short run of x86 instruction bytes taken from the
    // disassembly of one or more samples; the rule fires when at least 7 of the
    // 15 sequences are present in a file smaller than 278528 bytes (see condition).
    // Bytes written as "??" are YARA wildcards and stand in for the address
    // operands of call/jump/add instructions, which vary between builds; the
    // disassembly lines with an empty mnemonic column are exactly those
    // wildcarded instructions.
    // "n" in the comments below is the number of instructions in the sequence;
    // "score" is assigned by yara-signator (its exact meaning is not documented
    // here) - sequences with higher scores appear first.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.runningrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences were selected from unpacked code / memory dumps, so the rule
        // is best applied to unpacked samples or process memory; a packed
        // on-disk sample may not expose these byte runs.
        $sequence_0 = { 56 ff15???????? 56 ff15???????? 8b8c2418010000 }
            // n = 5, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b8c2418010000       | mov                 ecx, dword ptr [esp + 0x118]

        $sequence_1 = { 8b442424 c70100000000 8b4c2428 57 c70200000000 32db c70000000000 }
            // n = 7, score = 200
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   57                   | push                edi
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   32db                 | xor                 bl, bl
            //   c70000000000         | mov                 dword ptr [eax], 0

        $sequence_2 = { 83c404 85c0 7412 6a00 6a00 56 }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_3 = { 83c404 8bf8 8d442408 6a00 50 6800040000 }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   8bf8                 | mov                 edi, eax
            //   8d442408             | lea                 eax, dword ptr [esp + 8]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   6800040000           | push                0x400

        $sequence_4 = { 52 ffd5 83c704 4b 75ef 8b4640 50 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   ffd5                 | call                ebp
            //   83c704               | add                 edi, 4
            //   4b                   | dec                 ebx
            //   75ef                 | jne                 0xfffffff1
            //   8b4640               | mov                 eax, dword ptr [esi + 0x40]
            //   50                   | push                eax

        $sequence_5 = { 3d96000000 7308 6a64 ff15???????? ffd3 }
            // n = 5, score = 200
            //   3d96000000           | cmp                 eax, 0x96
            //   7308                 | jae                 0xa
            //   6a64                 | push                0x64
            //   ff15????????         |                     
            //   ffd3                 | call                ebx

        $sequence_6 = { 75c2 5f 5d 5e 33c0 5b }
            // n = 6, score = 200
            //   75c2                 | jne                 0xffffffc4
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx

        $sequence_7 = { 8bd1 6a3a c1e902 f3a5 8bca }
            // n = 5, score = 200
            //   8bd1                 | mov                 edx, ecx
            //   6a3a                 | push                0x3a
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx

        $sequence_8 = { 8b4620 8b4e34 8b1f 8b5704 8b6e1c 8944241c 8b4630 }
            // n = 7, score = 100
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8b4e34               | mov                 ecx, dword ptr [esi + 0x34]
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8b5704               | mov                 edx, dword ptr [edi + 4]
            //   8b6e1c               | mov                 ebp, dword ptr [esi + 0x1c]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b4630               | mov                 eax, dword ptr [esi + 0x30]

        $sequence_9 = { c644243800 e8???????? 69f604010000 83c40c 81c6???????? 8bc6 }
            // n = 6, score = 100
            //   c644243800           | mov                 byte ptr [esp + 0x38], 0
            //   e8????????           |                     
            //   69f604010000         | imul                esi, esi, 0x104
            //   83c40c               | add                 esp, 0xc
            //   81c6????????         |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_10 = { c743189c6a2a00 eb11 83fffc 740c c74318c06a2a00 }
            // n = 5, score = 100
            //   c743189c6a2a00       | mov                 dword ptr [ebx + 0x18], 0x2a6a9c
            //   eb11                 | jmp                 0x13
            //   83fffc               | cmp                 edi, -4
            //   740c                 | je                  0xe
            //   c74318c06a2a00       | mov                 dword ptr [ebx + 0x18], 0x2a6ac0

        $sequence_11 = { c3 83fbfd 7506 c70609000000 8b4c2414 }
            // n = 5, score = 100
            //   c3                   | ret                 
            //   83fbfd               | cmp                 ebx, -3
            //   7506                 | jne                 8
            //   c70609000000         | mov                 dword ptr [esi], 9
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_12 = { 89542414 8b4c2414 8b09 894c2424 85c9 }
            // n = 5, score = 100
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   85c9                 | test                ecx, ecx

        $sequence_13 = { 8b4c242c 56 8d542414 52 50 8b442430 }
            // n = 6, score = 100
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   56                   | push                esi
            //   8d542414             | lea                 edx, dword ptr [esp + 0x14]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]

        $sequence_14 = { 5e c3 8b4728 8b4f20 53 6a01 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]
            //   8b4f20               | mov                 ecx, dword ptr [edi + 0x20]
            //   53                   | push                ebx
            //   6a01                 | push                1

    condition:
        // 7 of the 15 sequences must match; the size bound (278528 bytes) limits
        // the scan to files in the range of the samples the rule was built from.
        7 of them and filesize < 278528
}
[TLP:WHITE] win_runningrat_w0   (20180301 | No description)
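import "pe"

// Hand-written rule for win.runningrat. Three independent indicators are
// OR-ed together in the condition: a PE import hash, the exported function
// name "RunningRat", and three tiers of strings ($x* / $a* / $s*) with
// different match thresholds. The rule works on on-disk PE files (imphash
// and exports need the PE module) as well as on raw byte content (strings).
rule win_runningrat_w0 {
    meta:
        author = "Florian Roth"
        description = "Detects RunningRat (SystemRat.dll) by import hash, the RunningRat export, and characteristic log-path, rundll32 and reversed Winsock API strings"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x*: family-specific paths, DLL names and rundll32 command lines;
        // a single hit is enough (see condition).
        $x1 = "C:\\USERS\\WIN7_x64\\result.log" fullword wide
        $x2 = "rundll32.exe %s RunningRat" fullword ascii
        $x3 = "SystemRat.dll" fullword ascii
        $x4 = "rundll32.exe %s ExportFunction" fullword ascii
        $x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii
        $x6 = "ixeorat.bin" fullword ascii
        $x7 = "C:\\USERS\\Public\\result.log" fullword ascii

        // $a*: Winsock API names stored reversed (string obfuscation of
        // otherwise benign import names); 5 of 6 are required so that a
        // single reversed word does not fire the rule on its own.
        $a1 = "emanybtsohteg" fullword ascii /* reversed goodware string 'gethostbyname' */
        $a2 = "tekcosesolc" fullword ascii /* reversed goodware string 'closesocket' */
        $a3 = "emankcosteg" fullword ascii /* reversed goodware string 'getsockname' */
        $a4 = "emantsohteg" fullword ascii /* reversed goodware string 'gethostname' */
        $a5 = "tpokcostes" fullword ascii /* reversed goodware string 'setsockopt' */
        $a6 = "putratSASW" fullword ascii /* reversed goodware string 'WSAStartup' */

        // $s*: weaker supporting strings (debug/log messages and a log path);
        // 3 of 5 are required.
        $s1 = "ParentDll.dll" fullword ascii
        $s2 = "MR - Already Existed" fullword ascii
        $s3 = "MR First Started, Registed OK!" fullword ascii
        $s4 = "RM-M : LoadResource OK!" fullword ascii
        $s5 = "D:\\result.log" fullword ascii
    condition:
        // pe.imphash() and pe.exports() are undefined for non-PE input, in
        // which case only the string clauses can match.
        pe.imphash() == "c78ccc8f02286648c4373d3bf03efc43" or
        pe.exports("RunningRat") or
        1 of ($x*) or
        5 of ($a*) or
        3 of ($s*)
}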