
YARA rules for Andariel

102 rules · scoped to actor · back to Andariel
YARA rules whose malware family, rule name, or description matches this actor or its tooling. They are intended for binary-pattern hunts on disk and in memory. Both rules shown here are auto-generated opcode-sequence signatures taken from CISA advisory AA24-207A; test them against your own sample set and tune the thresholds before using them for anything beyond hunting.

MAL_APT_NK_WIN_Tiger_RAT_Auto
Detects the Tiger RAT variant used by Andariel
Author: CISA.gov · License: see source repo
rule MAL_APT_NK_WIN_Tiger_RAT_Auto {
   // Auto-generated opcode-sequence signature for the x64 Windows build of
   // Tiger RAT (CISA AA24-207A). Every $sequence_N is a short run of raw
   // x86-64 machine code (REX prefixes, rsp/rip-relative addressing, r8-r15);
   // the condition fires when 7 of the 16 sequences are present in a file
   // under 600 KB. In the per-sequence comments "n" is the instruction count
   // and "score" is the generator's weight for that sequence (presumably
   // sample coverage) -- neither value is used by the condition.
   //
   // Review notes:
   //  * The disassembly annotations below were re-derived by hand from the
   //    bytes. The listing originally published with this rule decoded the
   //    same bytes in 32-bit mode (REX prefixes shown as "dec eax") and was
   //    shifted between sequences, so it must not be used for triage.
   //  * No PE-header (MZ) check: the rule also applies to memory dumps and
   //    carved regions. The sequences are plaintext code, so packed or
   //    encrypted samples will not match until they are unpacked.
   //  * ?? bytes are rel32/disp32 operands that change per build. Several
   //    sequences (8-13) embed fixed RIP-relative displacements instead, which
   //    ties them to one build layout; expect those to be the first to break
   //    on a recompiled variant.
   //  * Jump targets in the annotations follow the generator's convention:
   //    instruction length plus displacement, i.e. relative to the start of
   //    the jump instruction itself.
   meta:
      author = "CISA.gov"
      description = "Detects the Tiger RAT variant used by Andariel"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      score = 75
      id = "4579af62-52be-5f5f-a577-16ec50297c05"
   strings:
      $sequence_0 = { 33 c0 89 44 24 38 89 44 24 30 44 8b cf 45 33 c0 }
      // n = 5, score = 200
      // Looks like Win64 call setup: two stack slots zeroed, r9d = edi, r8d = 0.
      //   33c0                 | xor                 eax, eax
      //   89442438             | mov                 dword ptr [rsp + 0x38], eax
      //   89442430             | mov                 dword ptr [rsp + 0x30], eax
      //   448bcf               | mov                 r9d, edi
      //   4533c0               | xor                 r8d, r8d

      $sequence_1 = { 41 b9 01 00 00 00 48 8b d6 48 8b cb e8 ?? ?? ?? ?? }
      // n = 4, score = 200
      // Call with r9d = 1, rdx = rsi, rcx = rbx (callee is a per-build rel32).
      //   41b901000000         | mov                 r9d, 1
      //   488bd6               | mov                 rdx, rsi
      //   488bcb               | mov                 rcx, rbx
      //   e8????????           | call                rel32

      $sequence_2 = { 48 81 ec 90 05 00 00 8b 01 89 85 c8 04 00 00 8b 41 04 }
      // n = 4, score = 200
      // Prologue with a 0x590-byte frame; copies two dwords from [rcx] into
      // rbp-relative locals.
      //   4881ec90050000       | sub                 rsp, 0x590
      //   8b01                 | mov                 eax, dword ptr [rcx]
      //   8985c8040000         | mov                 dword ptr [rbp + 0x4c8], eax
      //   8b4104               | mov                 eax, dword ptr [rcx + 4]

      $sequence_3 = { 48 8b 01 ff 10 48 8b 4f 08 4c 8d 4c 24 30 }
      // n = 4, score = 200
      // Indirect call through the first slot of the table [rcx] points to
      // (vtable-style), then r9 = address of a stack local.
      //   488b01               | mov                 rax, qword ptr [rcx]
      //   ff10                 | call                qword ptr [rax]
      //   488b4f08             | mov                 rcx, qword ptr [rdi + 8]
      //   4c8d4c2430           | lea                 r9, [rsp + 0x30]

      $sequence_4 = { 48 8b 01 ff 10 48 8b 4e 18 48 8b 01 }
      // n = 4, score = 200
      // Same vtable-style call shape, next object taken from [rsi + 0x18].
      //   488b01               | mov                 rax, qword ptr [rcx]
      //   ff10                 | call                qword ptr [rax]
      //   488b4e18             | mov                 rcx, qword ptr [rsi + 0x18]
      //   488b01               | mov                 rax, qword ptr [rcx]

      $sequence_5 = { 48 81 ec a0 00 00 00 33 c0 48 8b d9 48 8d 4c 24 32 }
      // n = 4, score = 200
      // Prologue: 0xa0-byte frame, rbx = first argument, rcx = &stack buffer.
      //   4881eca0000000       | sub                 rsp, 0xa0
      //   33c0                 | xor                 eax, eax
      //   488bd9               | mov                 rbx, rcx
      //   488d4c2432           | lea                 rcx, [rsp + 0x32]

      $sequence_6 = { 48 8b 01 eb 03 48 8b c1 0f b6 00 }
      // n = 4, score = 200
      // Selects either the pointer stored at [rcx] or rcx itself, then reads
      // the first byte -- presumably an SSO-style string access (unverified).
      //   488b01               | mov                 rax, qword ptr [rcx]
      //   eb03                 | jmp                 5          ; skips the next instruction
      //   488bc1               | mov                 rax, rcx
      //   0fb600               | movzx               eax, byte ptr [rax]

      $sequence_7 = { 48 8b 01 8b 10 89 51 24 44 8b 41 24 45 85 c0 }
      // n = 5, score = 200
      // Copies **rcx into the field at +0x24 and tests it for zero.
      //   488b01               | mov                 rax, qword ptr [rcx]
      //   8b10                 | mov                 edx, dword ptr [rax]
      //   895124               | mov                 dword ptr [rcx + 0x24], edx
      //   448b4124             | mov                 r8d, dword ptr [rcx + 0x24]
      //   4585c0               | test                r8d, r8d

      $sequence_8 = { 4c 8d 0d 31 eb 00 00 c1 e9 18 c1 e8 08 41 bf 00 00 00 80 }
      // n = 4, score = 100
      // Fixed RIP-relative address load, byte-extraction shifts, and the
      // constant 0x80000000 in r15d.
      //   4c8d0d31eb0000       | lea                 r9, [rip + 0xeb31]
      //   c1e918               | shr                 ecx, 0x18
      //   c1e808               | shr                 eax, 8
      //   41bf00000080         | mov                 r15d, 0x80000000

      $sequence_9 = { 48 8b d8 48 85 c0 75 2d ff 15 ?? ?? ?? ?? 83 f8 57 0f 85 e0 01 00 00 48 8d 0d a0 bd 00 00 }
      // n = 7, score = 100
      // Error path: result saved in rbx and tested for NULL; on NULL an import
      // is called and its return compared with 0x57 (87 -- this would be
      // ERROR_INVALID_PARAMETER if the import is GetLastError; unverified).
      //   488bd8               | mov                 rbx, rax
      //   4885c0               | test                rax, rax
      //   752d                 | jne                 0x2f
      //   ff15????????         | call                qword ptr [rip + disp32]   ; import
      //   83f857               | cmp                 eax, 0x57
      //   0f85e0010000         | jne                 0x1e6
      //   488d0da0bd0000       | lea                 rcx, [rip + 0xbda0]

      $sequence_10 = { 75 d4 48 8d 1d 7f 6c 01 00 48 8b 4b f8 48 85 c9 74 0b }
      // n = 5, score = 100
      // Loop back-edge, then a fixed RIP-relative table address is loaded and
      // the qword just before it is tested for NULL.
      //   75d4                 | jne                 0xffffffd6
      //   488d1d7f6c0100       | lea                 rbx, [rip + 0x16c7f]
      //   488b4bf8             | mov                 rcx, qword ptr [rbx - 8]
      //   4885c9               | test                rcx, rcx
      //   740b                 | je                  0xd

      $sequence_11 = { 0f 85 d9 00 00 00 48 8d 15 d0 c9 00 00 41 b8 10 20 01 00 48 8b cd e8 ?? ?? ?? ?? eb 6b b9 f4 ff ff ff }
      // n = 7, score = 100
      // Call with rcx = rbp, rdx = fixed RIP-relative data, r8d = 0x12010;
      // the alternate branch sets ecx = -12 (0xfffffff4).
      //   0f85d9000000         | jne                 0xdf
      //   488d15d0c90000       | lea                 rdx, [rip + 0xc9d0]
      //   41b810200100         | mov                 r8d, 0x12010
      //   488bcd               | mov                 rcx, rbp
      //   e8????????           | call                rel32
      //   eb6b                 | jmp                 0x6d
      //   b9f4ffffff           | mov                 ecx, 0xfffffff4

      $sequence_12 = { 48 89 0d ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 8d 05 ae 61 00 00 48 89 05 ?? ?? ?? ?? 48 8d 05 a0 55 00 00 48 89 05 ?? ?? ?? ?? }
      // n = 6, score = 100
      // Global initialisation: rcx, rax and two fixed code/data addresses are
      // stored into RIP-relative globals (the store targets are per-build).
      //   48890d????????       | mov                 qword ptr [rip + disp32], rcx
      //   488905????????       | mov                 qword ptr [rip + disp32], rax
      //   488d05ae610000       | lea                 rax, [rip + 0x61ae]
      //   488905????????       | mov                 qword ptr [rip + disp32], rax
      //   488d05a0550000       | lea                 rax, [rip + 0x55a0]
      //   488905????????       | mov                 qword ptr [rip + disp32], rax

      $sequence_13 = { 8b cf e8 ?? ?? ?? ?? 48 8b 7c 24 48 85 c0 0f 84 40 03 00 00 48 8d 05 60 25 01 00 }
      // n = 6, score = 100
      // Call with ecx = edi, rdi restored from the frame, long forward branch
      // on a zero result, then a fixed RIP-relative address in rax.
      //   8bcf                 | mov                 ecx, edi
      //   e8????????           | call                rel32
      //   488b7c2448           | mov                 rdi, qword ptr [rsp + 0x48]
      //   85c0                 | test                eax, eax
      //   0f8440030000         | je                  0x346
      //   488d0560250100       | lea                 rax, [rip + 0x12560]

      $sequence_14 = { ff 15 ?? ?? ?? ?? 8b 05 ?? ?? ?? ?? 23 05 ?? ?? ?? ?? ba 02 00 00 00 33 c9 89 05 ?? ?? ?? ?? 8b 05 ?? ?? ?? ?? }
      // n = 7, score = 100
      // Import call, then two globals are AND-ed and written back while
      // edx = 2 / ecx = 0 are staged for the next call.
      //   ff15????????         | call                qword ptr [rip + disp32]   ; import
      //   8b05????????         | mov                 eax, dword ptr [rip + disp32]
      //   2305????????         | and                 eax, dword ptr [rip + disp32]
      //   ba02000000           | mov                 edx, 2
      //   33c9                 | xor                 ecx, ecx
      //   8905????????         | mov                 dword ptr [rip + disp32], eax
      //   8b05????????         | mov                 eax, dword ptr [rip + disp32]

      $sequence_15 = { 48 83 ec 30 49 8b d8 e8 ?? ?? ?? ?? 48 8b c8 48 85 c0 }
      // n = 5, score = 100
      // Small prologue, rbx = r8 (third argument), call, result tested for NULL.
      //   4883ec30             | sub                 rsp, 0x30
      //   498bd8               | mov                 rbx, r8
      //   e8????????           | call                rel32
      //   488bc8               | mov                 rcx, rax
      //   4885c0               | test                rax, rax
   condition:
      // 7 of 16 sequences; the 600 KB cap bounds scan cost. Raise it if
      // hunting samples with appended data or larger builds.
      filesize < 600KB and 7 of them
}
MAL_APT_NK_WIN_DTrack_Auto
Detects DTrack variant used by Andariel
Author: CISA.gov · License: see source repo
rule MAL_APT_NK_WIN_DTrack_Auto {
   // Auto-generated opcode-sequence signature for the 32-bit (x86) Windows
   // build of DTrack (CISA AA24-207A): ebp-based frames, stack-pushed cdecl
   // arguments, absolute [imm32] global references. Every $sequence_N is a run
   // of raw machine code; the condition fires when 7 of the 15 sequences are
   // present in a file under 1700 KB. In the per-sequence comments "n" is the
   // instruction count and "score" is the generator's weight for that sequence
   // (presumably sample coverage) -- neither value is used by the condition.
   //
   // Review notes:
   //  * No PE-header (MZ) check: the rule also applies to memory dumps and
   //    carved regions. The sequences are plaintext code, so packed or
   //    encrypted samples will not match until they are unpacked.
   //  * ?? bytes are rel32/disp32/imm32 operands that change per build.
   //    Sequences 9-14 (the XOR/shift loop bodies) contain no such operands
   //    and are the most layout-independent of the set.
   //  * Jump targets in the annotations follow the generator's convention:
   //    instruction length plus displacement, i.e. relative to the start of
   //    the jump instruction itself.
   meta:
      author = "CISA.gov"
      description = "Detects DTrack variant used by Andariel"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      score = 75
      id = "1b40c685-beba-50fa-b484-c1526577cb23"
   strings:
      $sequence_0 = { 52 8b 45 08 50 e8 ?? ?? ?? ?? 83 c4 14 8b 4d 10 51 }
      // n = 7, score = 400
      // cdecl call whose 0x14-byte cleanup implies five dword arguments, then
      // the next argument is pushed for a following call.
      //   52                   | push                edx
      //   8b4508               | mov                 eax, dword ptr [ebp + 8]
      //   50                   | push                eax
      //   e8????????           | call                rel32
      //   83c414               | add                 esp, 0x14
      //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
      //   51                   | push                ecx

      $sequence_1 = { 3a 41 01 75 23 83 85 4c f6 ff ff 02 83 85 50 f6 ff ff 02 80 bd 4a f6 ff ff 00 75 ae c7 85 44 f6 ff ff 00 00 00 00 }
      // n = 7, score = 300
      // Loop that steps two locals by 2 per iteration and compares a byte at
      // [ecx + 1]; the 2-byte stride suggests a wide-string walk (unverified).
      //   3a4101               | cmp                 al, byte ptr [ecx + 1]
      //   7523                 | jne                 0x25
      //   83854cf6ffff02       | add                 dword ptr [ebp - 0x9b4], 2
      //   838550f6ffff02       | add                 dword ptr [ebp - 0x9b0], 2
      //   80bd4af6ffff00       | cmp                 byte ptr [ebp - 0x9b6], 0
      //   75ae                 | jne                 0xffffffb0
      //   c78544f6ffff00000000 | mov                 dword ptr [ebp - 0x9bc], 0

      $sequence_2 = { 50 ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 50 }
      // n = 7, score = 300
      // Import call whose result is stored to a global, then a one-argument
      // cdecl call with an imm32 (likely a string/constant address).
      // Generic compiler output -- this sequence alone is weak evidence.
      //   50                   | push                eax
      //   ff15????????         | call                dword ptr [imm32]   ; import
      //   a3????????           | mov                 dword ptr [imm32], eax
      //   68????????           | push                imm32
      //   e8????????           | call                rel32
      //   83c404               | add                 esp, 4
      //   50                   | push                eax

      $sequence_3 = { 8d 8d d4 fa ff ff 51 e8 ?? ?? ?? ?? 83 c4 08 8b 15 ?? ?? ?? ?? }
      // n = 5, score = 300
      // Address of a local buffer at ebp - 0x52c passed to a two-argument
      // cdecl call, then a global is loaded into edx.
      //   8d8dd4faffff         | lea                 ecx, [ebp - 0x52c]
      //   51                   | push                ecx
      //   e8????????           | call                rel32
      //   83c408               | add                 esp, 8
      //   8b15????????         | mov                 edx, dword ptr [imm32]

      $sequence_4 = { 88 55 f5 6a 5c 8b 45 0c 50 e8 ?? ?? ?? ?? }
      // n = 5, score = 300
      // Pushes 0x5c ('\\') and the argument at [ebp + 0xc] before a call --
      // presumably a path-separator search on a string argument (unverified).
      //   8855f5               | mov                 byte ptr [ebp - 0xb], dl
      //   6a5c                 | push                0x5c
      //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
      //   50                   | push                eax
      //   e8????????           | call                rel32

      $sequence_5 = { 51 e8 ?? ?? ?? ?? 83 c4 10 8b 55 8c 52 }
      // n = 5, score = 300
      // Four-argument cdecl call (0x10-byte cleanup), then a local is pushed.
      //   51                   | push                ecx
      //   e8????????           | call                rel32
      //   83c410               | add                 esp, 0x10
      //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]
      //   52                   | push                edx

      $sequence_6 = { 8b 4d 0c 51 68 ?? ?? ?? ?? 8d 95 60 ea ff ff 52 e8 ?? ?? ?? ?? }
      // n = 6, score = 300
      // Pushes [ebp + 0xc], an imm32 and the address of a 0x15a0-byte local
      // buffer before a call (sprintf-like shape, unverified).
      //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
      //   51                   | push                ecx
      //   68????????           | push                imm32
      //   8d9560eaffff         | lea                 edx, [ebp - 0x15a0]
      //   52                   | push                edx
      //   e8????????           | call                rel32

      $sequence_7 = { 83 c0 01 89 45 f4 83 7d f4 20 7d 2c 8b 4d f8 }
      // n = 5, score = 300
      // Counter loop bounded at 0x20 (32 iterations).
      //   83c001               | add                 eax, 1
      //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
      //   837df420             | cmp                 dword ptr [ebp - 0xc], 0x20
      //   7d2c                 | jge                 0x2e
      //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

      $sequence_8 = { 83 c0 01 89 85 6c f6 ff ff 8b 8d 70 f6 ff ff 8a 11 }
      // n = 4, score = 300
      // Counter increment followed by a byte load through a pointer local.
      //   83c001               | add                 eax, 1
      //   89856cf6ffff         | mov                 dword ptr [ebp - 0x994], eax
      //   8b8d70f6ffff         | mov                 ecx, dword ptr [ebp - 0x990]
      //   8a11                 | mov                 dl, byte ptr [ecx]

      $sequence_9 = { 03 55 f0 0f b6 02 0f b6 4d f7 33 c1 0f b6 55 fc 33 c2 }
      // n = 6, score = 200
      // Byte at buffer[index] XOR-ed with two single-byte locals -- a decode
      // loop body, presumably (no fixed key bytes visible here).
      //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
      //   0fb602               | movzx               eax, byte ptr [edx]
      //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]
      //   33c1                 | xor                 eax, ecx
      //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]
      //   33c2                 | xor                 eax, edx

      $sequence_10 = { d1 e9 89 4d f8 8b 55 18 89 55 fc c7 45 f0 00 00 00 00 }
      // n = 5, score = 200
      // Loop setup: halves ecx, seeds two locals from ecx and the argument at
      // [ebp + 0x18], and zeroes the index local [ebp - 0x10].
      //   d1e9                 | shr                 ecx, 1
      //   894df8               | mov                 dword ptr [ebp - 8], ecx
      //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
      //   8955fc               | mov                 dword ptr [ebp - 4], edx
      //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0

      $sequence_11 = { 8b 4d f0 3b 4d 10 0f 8d 90 00 00 00 8b 55 08 03 55 f0 0f b6 02 }
      // n = 6, score = 200
      // Loop head: index [ebp - 0x10] compared against the length argument
      // [ebp + 0x10], then loads buffer[arg0 + index].
      //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
      //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
      //   0f8d90000000         | jge                 0x96
      //   8b5508               | mov                 edx, dword ptr [ebp + 8]
      //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
      //   0fb602               | movzx               eax, byte ptr [edx]

      $sequence_12 = { 89 4d 14 8b 45 f8 c1 e0 18 8b 4d fc c1 e9 08 0b c1 }
      // n = 6, score = 200
      // (local1 << 24) | (local2 >> 8): shifts a byte across two 32-bit words.
      // The argument slot [ebp + 0x14] is reused as scratch.
      //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
      //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
      //   c1e018               | shl                 eax, 0x18
      //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
      //   c1e908               | shr                 ecx, 8
      //   0bc1                 | or                  eax, ecx

      $sequence_13 = { 0b c1 89 45 18 8b 55 14 89 55 f8 }
      // n = 4, score = 200
      // Continues the combine above: the OR result goes to [ebp + 0x18] and
      // [ebp + 0x14] is rotated into the local at [ebp - 8].
      //   0bc1                 | or                  eax, ecx
      //   894518               | mov                 dword ptr [ebp + 0x18], eax
      //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
      //   8955f8               | mov                 dword ptr [ebp - 8], edx

      $sequence_14 = { 8b 55 14 89 55 f8 8b 45 18 89 45 fc e9 ?? ?? ?? ?? 8b e5 }
      // n = 6, score = 200
      // Loop tail: copies [ebp + 0x14]/[ebp + 0x18] back into the two locals
      // and jumps back; the mov esp, ebp that follows is the epilogue.
      //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
      //   8955f8               | mov                 dword ptr [ebp - 8], edx
      //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
      //   8945fc               | mov                 dword ptr [ebp - 4], eax
      //   e9????????           | jmp                 rel32
      //   8be5                 | mov                 esp, ebp
   condition:
      // 7 of 15 sequences; the 1700 KB cap bounds scan cost. Raise it if
      // hunting samples with appended data or larger builds.
      filesize < 1700KB and 7 of them
}