win.strifewater_rat

StrifeWater RAT

Actor(s): MosesStaff


There is no description at this point.

References
2023-10-16 — Kaspersky Labs — GReAT
A hack in hand is worth two in the bush
StrifeWater RAT Cyber Av3ngers
2023-01-26 — Secureworks — SecureWorks' Counter Threat Unit Research Team
Abraham's Ax Likely Linked to Moses Staff
StrifeWater RAT
2022-02-15 — Fortinet — Rotem Sde-Or
Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months
StrifeWater RAT MosesStaff
2022-02-01 — Cybereason — Tom Fakterman
StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations
StrifeWater RAT MosesStaff
Yara Rules
[TLP:WHITE] win_strifewater_rat_auto (20260504 | Detects win.strifewater_rat.)
rule win_strifewater_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.strifewater_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reading guide for this auto-generated rule)
     *
     * What it matches: short opcode-byte sequences from the family's code.
     *   The patterns carry REX prefix bytes (48 / 4c / 4d), so this appears
     *   to be the 64-bit build of the sample -- confirm against the source
     *   dump before assuming 32-bit coverage. The "??" bytes wildcard the
     *   rel32 / displacement operands of call (e8), indirect call (ff15) and
     *   data references (0fb705, 8a05), per the "callsandjumps;datarefs"
     *   config above, so a match does not depend on load address or layout.
     *
     * Disassembly column: the "| mnemonic" text next to each byte string
     *   does NOT decode those bytes and must not be used to reason about
     *   behaviour. Example: 33c0 (xor eax, eax) is annotated
     *   "cmovle edx, eax" in $sequence_0 but "mov dword ptr [eax], ebx" in
     *   $sequence_5, and the REX prefixes are rendered as 32-bit "dec eax"
     *   / "dec esp". Treat the hex patterns as authoritative; the right-hand
     *   column looks like a generator artefact.
     *
     * Condition: "7 of them" means any 7 of the 10 $sequence_* strings, AND
     *   the scanned object must be smaller than 1552384 bytes (~1.48 MiB).
     *   Larger builds (padded, repacked, or embedded in a bigger container)
     *   will not match even if every sequence is present; revisit the bound
     *   if you retarget the rule at memory or carved artefacts.
     *
     * Confidence: per the disclaimer, the sequences derive from single
     *   documented samples. Expect false negatives on new variants and
     *   validate against a known-clean corpus before deploying in blocking
     *   mode; use as a hunting/triage signal unless you have done so.
     */


    strings:
        $sequence_0 = { 33c0 48894522 448d4005 488d542440 488d4d20 e8???????? 48897c2478 }
            // n = 7, score = 100
            //   33c0                 | cmovle              edx, eax
            //   48894522             | dec                 eax
            //   448d4005             | lea                 edx, [0x6f3df]
            //   488d542440           | dec                 eax
            //   488d4d20             | lea                 ecx, [esp + 0x20]
            //   e8????????           |                     
            //   48897c2478           | or                  edx, 0x80070000

        $sequence_1 = { 4883c420 5f c3 488d0d029a0800 e8???????? cc }
            // n = 6, score = 100
            //   4883c420             | cmp                 edx, 0x10
            //   5f                   | jb                  0x9ce
            //   c3                   | dec                 eax
            //   488d0d029a0800       | inc                 edx
            //   e8????????           |                     
            //   cc                   | nop                 

        $sequence_2 = { 488907 488bcb ff15???????? 488bc8 e8???????? 488d15d0f50300 48894708 }
            // n = 7, score = 100
            //   488907               | sub                 esi, eax
            //   488bcb               | jne                 0x891
            //   ff15????????         |                     
            //   488bc8               | mov                 dword ptr [esp + 0x20], edi
            //   e8????????           |                     
            //   488d15d0f50300       | dec                 ebp
            //   48894708             | mov                 ecx, esi

        $sequence_3 = { 488d0d953d0300 48890b 488d5308 33c9 48890a 48894a08 488d4808 }
            // n = 7, score = 100
            //   488d0d953d0300       | lea                 eax, [0x91ef2]
            //   48890b               | dec                 eax
            //   488d5308             | mov                 edx, esi
            //   33c9                 | dec                 eax
            //   48890a               | lea                 ecx, [ebp - 0x68]
            //   48894a08             | nop                 
            //   488d4808             | dec                 esp

        $sequence_4 = { 8d43ff 4863c8 b25d 381439 7418 488bc3 4885c0 }
            // n = 7, score = 100
            //   8d43ff               | dec                 esp
            //   4863c8               | lea                 eax, [0x5716e]
            //   b25d                 | dec                 eax
            //   381439               | lea                 edx, [0x5715b]
            //   7418                 | dec                 ecx
            //   488bc3               | mov                 ecx, esi
            //   4885c0               | call                ebx

        $sequence_5 = { 4d8be1 33c0 498be8 4c8d0dd796faff 4c8bea f04f0fb1bcf170f40a00 }
            // n = 6, score = 100
            //   4d8be1               | dec                 eax
            //   33c0                 | mov                 dword ptr [eax], ebx
            //   498be8               | dec                 eax
            //   4c8d0dd796faff       | mov                 eax, dword ptr [edi + 0x38]
            //   4c8bea               | dec                 eax
            //   f04f0fb1bcf170f40a00     | mov    dword ptr [eax], ebx

        $sequence_6 = { 33c9 48890a 48894a08 488d4808 e8???????? 488d05711c0400 488903 }
            // n = 7, score = 100
            //   33c9                 | int3                
            //   48890a               | dec                 eax
            //   48894a08             | lea                 ecx, [esp + 0x28]
            //   488d4808             | dec                 eax
            //   e8????????           |                     
            //   488d05711c0400       | lea                 edx, [0x8dd32]
            //   488903               | dec                 eax

        $sequence_7 = { 488d1537e4ffff 488d4d00 e8???????? 488bd8 488d8d90010000 e8???????? 488d056c0d0900 }
            // n = 7, score = 100
            //   488d1537e4ffff       | mov                 ecx, dword ptr [eax + 0x90]
            //   488d4d00             | je                  0x582
            //   e8????????           |                     
            //   488bd8               | inc                 cx
            //   488d8d90010000       | cmp                 ecx, eax
            //   e8????????           |                     
            //   488d056c0d0900       | ja                  0x305

        $sequence_8 = { 488bf1 48894c2458 4533ff 44897c2444 0fb705???????? 6689442440 8a05???????? }
            // n = 7, score = 100
            //   488bf1               | dec                 eax
            //   48894c2458           | lea                 eax, [0x7dc44]
            //   4533ff               | dec                 eax
            //   44897c2444           | mov                 dword ptr [ebx], eax
            //   0fb705????????       |                     
            //   6689442440           | inc                 eax
            //   8a05????????         |                     

        $sequence_9 = { 488d1526f00500 488d4c2440 e8???????? cc ff15???????? 0fb7d0 488d4c2460 }
            // n = 7, score = 100
            //   488d1526f00500       | lea                 edx, [0x5f2c1]
            //   488d4c2440           | dec                 eax
            //   e8????????           |                     
            //   cc                   | lea                 ecx, [ebp + 0x20]
            //   ff15????????         |                     
            //   0fb7d0               | int3                
            //   488d4c2460           | cmovle              edx, eax

    condition:
        // any 7 of the 10 sequences above, bounded by file size (see REVIEW NOTES)
        7 of them and filesize < 1552384
}