Malpedia identifier: win.wm_rat

WmRAT

Actor(s): HAZY TIGER


According to Proofpoint, WmRAT is a remote access trojan (RAT) written in C++ that uses sockets for communications and has standard RAT functionality. The RAT can gather basic host information, upload or download files, take screenshots, get geolocation data of the target machine, enumerate directories and files, and run arbitrary commands via cmd or PowerShell. The malware also generates a number of junk threads, potentially to mislead researchers or responders investigating the samples.

References
2025-06-04 · Threatray · Abdallah Elshinbary, Jonas Wagner, Konstantin Klinger, Nick Attfield
The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two
AlmondRAT AlmondRAT Artra Downloader BDarkRAT Havoc KiwiStealer KugelBlitz MiyaRAT ORPCBackdoor WmRAT ZxxZ
2025-05-28 · EclecticIQ · Alon Gal, Arda Büyükkaya
Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict
WmRAT
2024-12-17 · Proofpoint · David Galazin, Konstantin Klinger, Nick Attfield, Pim Trouerbach
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs
MiyaRAT WmRAT HAZY TIGER
Yara Rules
[TLP:WHITE] win_wm_rat_auto (20260504 | Detects win.wm_rat.)
/*
 * Autogenerated YARA-Signator rule for the WmRAT family (Malpedia id win.wm_rat).
 * Each $sequence_N string below is a short run of 32-bit x86 instruction bytes
 * (esp/eax/fs:[0] addressing) selected from unpacked code of the family. The
 * disassembly printed under each string is for reader orientation only and is
 * not part of the byte pattern YARA matches on.
 */
rule win_wm_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.wm_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used to pick sequences: call/jump
        // targets, data references and immediate values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wm_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /*
         * Bytes written as ?? are wildcards. They sit exactly where the
         * disassembly column is blank, i.e. in the operand bytes of
         * call/jmp/data-reference instructions (e8, e9, ff15, b9, a1, 8b0d ...),
         * so the patterns tolerate per-build addresses and relocations while
         * pinning the surrounding opcodes and stack offsets.
         * "n" is the number of instructions in the sequence; "score" is the
         * generator's ranking value (its exact scale is not shown here).
         */
        $sequence_0 = { 8b442410 50 e8???????? 83c404 6a64 ffd6 }
            // n = 6, score = 100
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6a64                 | push                0x64
            //   ffd6                 | call                esi

        $sequence_1 = { 50 ffd6 83c40c 8d8c24d4110000 51 b9???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   83c40c               | add                 esp, 0xc
            //   8d8c24d4110000       | lea                 ecx, [esp + 0x11d4]
            //   51                   | push                ecx
            //   b9????????           |                     

        $sequence_2 = { 8d8c24600d0000 e9???????? 8b4c2424 51 ff15???????? 8b3d???????? 89442424 }
            // n = 7, score = 100
            //   8d8c24600d0000       | lea                 ecx, [esp + 0xd60]
            //   e9????????           |                     
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   89442424             | mov                 dword ptr [esp + 0x24], eax

        $sequence_3 = { 50 8d8424a43d0000 64a300000000 33db 68???????? 8d8c24b83d0000 899c24b03d0000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8424a43d0000       | lea                 eax, [esp + 0x3da4]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   33db                 | xor                 ebx, ebx
            //   68????????           |                     
            //   8d8c24b83d0000       | lea                 ecx, [esp + 0x3db8]
            //   899c24b03d0000       | mov                 dword ptr [esp + 0x3db0], ebx

        $sequence_4 = { b9???????? ff15???????? 8d9424d4120000 52 b9???????? ff15???????? 83ec1c }
            // n = 7, score = 100
            //   b9????????           |                     
            //   ff15????????         |                     
            //   8d9424d4120000       | lea                 edx, [esp + 0x12d4]
            //   52                   | push                edx
            //   b9????????           |                     
            //   ff15????????         |                     
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_5 = { 8944242c 89442414 a1???????? c744240c00000000 c744241801000000 c744241c06000000 7305 }
            // n = 7, score = 100
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   a1????????           |                     
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   c744241c06000000     | mov                 dword ptr [esp + 0x1c], 6
            //   7305                 | jae                 7

        $sequence_6 = { 8d44242c 50 e8???????? 83c40c ff15???????? 33c9 68ac010000 }
            // n = 7, score = 100
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   68ac010000           | push                0x1ac

        $sequence_7 = { 52 50 ffd1 8d7c2428 8bf0 e8???????? 8d7c2424 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd1                 | call                ecx
            //   8d7c2428             | lea                 edi, [esp + 0x28]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8d7c2424             | lea                 edi, [esp + 0x24]

        $sequence_8 = { 8b15???????? a1???????? 8b0d???????? 03c2 8b15???????? 89442414 db442414 }
            // n = 7, score = 100
            //   8b15????????         |                     
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   03c2                 | add                 eax, edx
            //   8b15????????         |                     
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   db442414             | fild                dword ptr [esp + 0x14]

        $sequence_9 = { e8???????? 8d542408 c684247401000002 8b4c242c 52 e8???????? c684247401000004 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d542408             | lea                 edx, [esp + 8]
            //   c684247401000002     | mov                 byte ptr [esp + 0x174], 2
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   52                   | push                edx
            //   e8????????           |                     
            //   c684247401000004     | mov                 byte ptr [esp + 0x174], 4

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 258048 bytes (252 KiB). The size cap limits
        // false positives on large files that happen to contain a few of the
        // short sequences. NOTE(review): YARA's filesize is undefined when
        // scanning a live process, so this rule is meant for files and dumps
        // on disk (consistent with the disclaimer above) -- confirm for your
        // scanner before relying on it for memory scans.
        7 of them and filesize < 258048
}