win.strifewater_rat

StrifeWater RAT

Actor(s): MosesStaff


No curated description is available yet. Going by the referenced reporting below, StrifeWater is a remote access trojan (RAT) deployed by Moses Staff, an Iran-linked actor, as part of its ransomware operations against Israeli organizations (Cybereason, 2022-02-01; Fortinet, 2022-02-15); Secureworks later assessed the "Abraham's Ax" persona as likely linked to the same group (2023-01-26). Refer to the references for technical details and indicators.

References
2023-01-26SecureworksSecureWorks' Counter Threat Unit Research Team
@online{team:20230126:abrahams:8f8b2e6, author = {SecureWorks' Counter Threat Unit Research Team}, title = {{Abraham's Ax Likely Linked to Moses Staff}}, date = {2023-01-26}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff}, language = {English}, urldate = {2023-03-29} } Abraham's Ax Likely Linked to Moses Staff
StrifeWater RAT
2022-02-15FortinetRotem Sde-Or
@online{sdeor:20220215:guard:196af7f, author = {Rotem Sde-Or}, title = {{Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months}}, date = {2022-02-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard}, language = {English}, urldate = {2022-03-02} } Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months
StrifeWater RAT MosesStaff
2022-02-01CybereasonTom Fakterman
@online{fakterman:20220201:strifewater:a2694c3, author = {Tom Fakterman}, title = {{StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations}}, date = {2022-02-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations}, language = {English}, urldate = {2022-02-02} } StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations
StrifeWater RAT MosesStaff
Yara Rules
[TLP:WHITE] win_strifewater_rat_auto (20230407 | Detects win.strifewater_rat.)
rule win_strifewater_rat_auto {
    /*
     * Auto-generated code-sequence signature for StrifeWater RAT
     * (Malpedia family win.strifewater_rat; the Malpedia page attributes the
     * family to MosesStaff). The strings below are x64 opcode byte sequences
     * selected from unpacked code (see the generator disclaimer further down);
     * the rule fires when at least 7 of the 10 sequences are present in a
     * file smaller than 1552384 bytes.
     */

    meta:
        // Provenance fields written by the generator: `date`/`version` are the
        // rule's own, `malpedia_version` is the Malpedia snapshot the rule was
        // built from, and `tool`/`signator_config` record the yara-signator
        // release and the feature classes it was allowed to select from.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.strifewater_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* NOTE(review): the per-line mnemonics in the comments below are the
         * generator's output and are visibly misaligned with the 64-bit opcode
         * bytes they sit next to (e.g. 488bf9 is `mov rdi, rcx`, not the listed
         * `mov edi, ecx`; the many `dec eax` entries are the REX.W prefix 0x48
         * decoded as a 32-bit instruction). Treat them as informational only:
         * YARA matches the hex patterns, not the comments.
         *
         * Wildcards: `e8????????` masks the rel32 target of a direct call and
         * `ff15????????` masks the RIP-relative displacement of an indirect
         * call (typically through the import table), so the sequences survive
         * relinking/rebasing of those targets. Because the strings were taken
         * from unpacked code, a packed or encrypted sample on disk is not
         * expected to match; scan unpacked payloads or memory.
         */
        $sequence_0 = { e8???????? c70022000000 e8???????? 488b07 3b58f4 0f8f83000000 8958f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c70022000000         | lea                 edx, [0x7778e]
            //   e8????????           |                     
            //   488b07               | jmp                 0x13f0
            //   3b58f4               | dec                 eax
            //   0f8f83000000         | mov                 edx, dword ptr [eax + 0x28]
            //   8958f0               | dec                 eax

        $sequence_1 = { 488bf9 488d0526780300 488901 488b4918 ff15???????? 90 488b4f10 }
            // n = 7, score = 100
            //   488bf9               | mov                 edi, ecx
            //   488d0526780300       | dec                 ecx
            //   488901               | mov                 esi, eax
            //   488b4918             | mov                 ebp, edx
            //   ff15????????         |                     
            //   90                   | dec                 esp
            //   488b4f10             | lea                 ecx, [0x23610]

        $sequence_2 = { 488d8d70060000 e8???????? 897d90 488d5590 488d8da0050000 ff15???????? 488d85a0050000 }
            // n = 7, score = 100
            //   488d8d70060000       | add                 dword ptr [ecx], eax
            //   e8????????           |                     
            //   897d90               | jmp                 0x772
            //   488d5590             | dec                 esp
            //   488d8da0050000       | mov                 edx, ecx
            //   ff15????????         |                     
            //   488d85a0050000       | dec                 eax

        $sequence_3 = { 4885c0 7509 488d156a800700 eb0d 488b5028 4885d2 7504 }
            // n = 7, score = 100
            //   4885c0               | dec                 eax
            //   7509                 | lea                 ecx, [esp + 0x28]
            //   488d156a800700       | int3                
            //   eb0d                 | dec                 eax
            //   488b5028             | mov                 edi, dword ptr [esp + 0x70]
            //   4885d2               | dec                 eax
            //   7504                 | lea                 edx, [0x6f2c4]

        $sequence_4 = { ff15???????? 488bd8 ebdd 4533ff 418bdf 4c8d0d1e96faff 4885db }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bd8               | dec                 eax
            //   ebdd                 | lea                 ecx, [esp + 0x58]
            //   4533ff               | dec                 eax
            //   418bdf               | lea                 ecx, [esp + 0x58]
            //   4c8d0d1e96faff       | nop                 
            //   4885db               | inc                 ecx

        $sequence_5 = { 7212 48ffc2 458bc6 488b8d90010000 e8???????? 48c785a80100000f000000 4c89bda0010000 }
            // n = 7, score = 100
            //   7212                 | dec                 eax
            //   48ffc2               | sub                 esp, 0x20
            //   458bc6               | dec                 eax
            //   488b8d90010000       | lea                 eax, [0x546bf]
            //   e8????????           |                     
            //   48c785a80100000f000000     | dec    eax
            //   4c89bda0010000       | mov                 edi, ecx

        $sequence_6 = { 488bcf e8???????? 4c63f0 418bde 81e3ff000080 7d0a ffcb }
            // n = 7, score = 100
            //   488bcf               | lea                 ecx, [0x68ab1]
            //   e8????????           |                     
            //   4c63f0               | dec                 eax
            //   418bde               | mov                 dword ptr [ebx], ecx
            //   81e3ff000080         | dec                 eax
            //   7d0a                 | lea                 edx, [ebx + 8]
            //   ffcb                 | inc                 eax

        $sequence_7 = { 7407 8bc8 e8???????? 4c897dc0 44897dc8 e9???????? }
            // n = 6, score = 100
            //   7407                 | dec                 eax
            //   8bc8                 | inc                 edx
            //   e8????????           |                     
            //   4c897dc0             | inc                 ecx
            //   44897dc8             | mov                 eax, 1
            //   e9????????           |                     

        $sequence_8 = { 448d4601 83e53f 4c89442448 498bd5 48c1e506 48c1fa06 4c8d1d7b400400 }
            // n = 7, score = 100
            //   448d4601             | dec                 eax
            //   83e53f               | mov                 dword ptr [ebp - 0x58], eax
            //   4c89442448           | or                  dword ptr [ebp - 0x80], 0xffffffff
            //   498bd5               | dec                 eax
            //   48c1e506             | lea                 eax, [0x86dff]
            //   48c1fa06             | xor                 esi, esi
            //   4c8d1d7b400400       | mov                 dword ptr [esp + 0x28], ebx

        $sequence_9 = { 4c03fb 4885ff 7f80 488b5c2430 488bc6 488b742438 488b7c2440 }
            // n = 7, score = 100
            //   4c03fb               | dec                 eax
            //   4885ff               | mov                 dword ptr [ebp - 8], eax
            //   7f80                 | xor                 esi, esi
            //   488b5c2430           | dec                 eax
            //   488bc6               | mov                 ebx, edx
            //   488b742438           | test                byte ptr [ecx + 0x70], 2
            //   488b7c2440           | dec                 eax

    condition:
        // At least 7 of the 10 sequences must be present, capped to files under
        // 1552384 bytes (~1.48 MiB) to bound scan cost and reduce chance hits in
        // large binaries. NOTE(review): YARA documents `filesize` as defined
        // only when scanning a file, not a process, so this clause may prevent
        // the rule from firing on live-memory scans even though the strings
        // come from unpacked/in-memory code - confirm your scanner's behaviour
        // and consider dropping the size clause for memory scanning.
        7 of them and filesize < 1552384
}