win.unidentified_103

Unidentified 103 (FIN8)

aka: Ragnar Loader, Sardonic

A malware that uses .NET to load unmanaged (shell)code with some resemblance to BADHATCH; the IP address found in the sample was referenced in coverage of WHITERABBIT ransomware attacks.

References
2025-03-04 — Github (prodaft) — PRODAFT
Ragnar Loader Indicators of Compromise (IOC)
Unidentified 103 (FIN8)
2023-07-18 — Symantec — Threat Hunter Team
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
BlackCat Unidentified 103 (FIN8)
2022-01-19 — AlienVault OTX — SVThreatIntel
White Rabbit Ransomware: Propagation, Exploitation, and Indicators of Compromise
Unidentified 103 (FIN8)
Yara Rules
[TLP:WHITE] win_unidentified_103_auto (20260504 | Detects win.unidentified_103.)
rule win_unidentified_103_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_103."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review notes (comments only; the hex strings and condition are unchanged):
     * - Each $sequence_N is a contiguous run of x86 opcode bytes. The "??"
     *   wildcards stand in for the rel32 displacement of a call, so the pattern
     *   still matches when the call target is relocated.
     * - The per-instruction annotations below are re-derived from the literal
     *   bytes, decoded as 32-bit x86 (the register naming the generator uses).
     *   The annotations as originally generated were offset from the bytes they
     *   sat next to and did not describe them.
     */

    strings:
        $sequence_0 = { 8b442470 c744243008000000 c744243400000000 89442418 8b44246c 89442414 8d442430 }
            // n = 7, score = 100
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   c744243008000000     | mov                 dword ptr [esp + 0x30], 8
            //   c744243400000000     | mov                 dword ptr [esp + 0x34], 0
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   8b44246c             | mov                 eax, dword ptr [esp + 0x6c]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8d442430             | lea                 eax, [esp + 0x30]

        $sequence_1 = { 8bbc2444010000 897c241c 8bbc2440010000 897c2418 }
            // n = 4, score = 100
            //   8bbc2444010000       | mov                 edi, dword ptr [esp + 0x144]
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   8bbc2440010000       | mov                 edi, dword ptr [esp + 0x140]
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi

        $sequence_2 = { 8b742460 8b7c2464 896c2410 8b442440 }
            // n = 4, score = 100
            //   8b742460             | mov                 esi, dword ptr [esp + 0x60]
            //   8b7c2464             | mov                 edi, dword ptr [esp + 0x64]
            //   896c2410             | mov                 dword ptr [esp + 0x10], ebp
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]

        $sequence_3 = { c744240401000000 c7042402000000 ff9424ec010000 83ec0c 8906 83f8ff }
            // n = 6, score = 100
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   c7042402000000       | mov                 dword ptr [esp], 2
            //   ff9424ec010000       | call                dword ptr [esp + 0x1ec]
            //   83ec0c               | sub                 esp, 0xc
            //   8906                 | mov                 dword ptr [esi], eax
            //   83f8ff               | cmp                 eax, 0xffffffff

        $sequence_4 = { 85c0 75e2 8b3c24 89f2 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   75e2                 | jne                 short -0x1e
            //   8b3c24               | mov                 edi, dword ptr [esp]
            //   89f2                 | mov                 edx, esi

        $sequence_5 = { e8???????? 31c0 c78424ec05000063686370 c78424f005000020363530 c78424f405000030310a00 83c001 803c0300 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   31c0                 | xor                 eax, eax
            //   c78424ec05000063686370     | mov    dword ptr [esp + 0x5ec], 0x70636863
            //   c78424f005000020363530     | mov    dword ptr [esp + 0x5f0], 0x30353620
            //   c78424f405000030310a00     | mov    dword ptr [esp + 0x5f4], 0xa3130
            //   83c001               | add                 eax, 1
            //   803c0300             | cmp                 byte ptr [ebx + eax], 0
            // The three immediates, read as little-endian bytes, are the ASCII
            // string "chcp 65001\n" (plus NUL) being assembled on the stack;
            // the add/cmp pair that follows is consistent with a scan for its
            // terminating NUL.

        $sequence_6 = { 897828 8bbc2458010000 89782c 8bbc245c010000 897830 8bbc2480010000 897834 }
            // n = 7, score = 100
            //   897828               | mov                 dword ptr [eax + 0x28], edi
            //   8bbc2458010000       | mov                 edi, dword ptr [esp + 0x158]
            //   89782c               | mov                 dword ptr [eax + 0x2c], edi
            //   8bbc245c010000       | mov                 edi, dword ptr [esp + 0x15c]
            //   897830               | mov                 dword ptr [eax + 0x30], edi
            //   8bbc2480010000       | mov                 edi, dword ptr [esp + 0x180]
            //   897834               | mov                 dword ptr [eax + 0x34], edi

        $sequence_7 = { 396a04 75e2 8b4210 85c0 7514 8b07 8b5f3c }
            // n = 7, score = 100
            //   396a04               | cmp                 dword ptr [edx + 4], ebp
            //   75e2                 | jne                 short -0x1e
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 short +0x14
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b5f3c               | mov                 ebx, dword ptr [edi + 0x3c]

        $sequence_8 = { 891c24 89442404 e8???????? 83c420 89f8 5b 5e }
            // n = 7, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           | call                <rel32 wildcarded>
            //   83c420               | add                 esp, 0x20
            //   89f8                 | mov                 eax, edi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_9 = { 89742404 892c24 89c2 80ce02 81e300000004 0f45c2 8d54241c }
            // n = 7, score = 100
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   892c24               | mov                 dword ptr [esp], ebp
            //   89c2                 | mov                 edx, eax
            //   80ce02               | or                  dh, 2
            //   81e300000004         | and                 ebx, 0x4000000
            //   0f45c2               | cmovne              eax, edx
            //   8d54241c             | lea                 edx, [esp + 0x1c]

    condition:
        // Any 7 of the 10 byte sequences must be present, and the scanned file
        // must be smaller than 188416 bytes (184 KiB). The size bound comes from
        // the sample(s) the rule was generated on; a larger or repacked build can
        // carry all ten sequences and still not match, so a hit on the sequences
        // that fails only on size is worth a manual look rather than a clean
        // negative.
        7 of them and filesize < 188416
}