
YARA rules for RedLeaves

4 rules · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

direct · REDLEAVES
REDLEAVES_DroppedFile_ImplantLoader_Starburn
Detects the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT
author: USG · license: see source repo

rule REDLEAVES_DroppedFile_ImplantLoader_Starburn {
    meta:
        description = "Detects the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll
        id = "976f42b1-58c9-554b-97e6-130a657507e2"
    strings:
        $XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop
    condition:
        any of them
}

direct · REDLEAVES
REDLEAVES_CoreImplant_UniqueStrings
Strings identifying the core REDLEAVES RAT in its deobfuscated state
author: USG · license: see source repo

rule REDLEAVES_CoreImplant_UniqueStrings {
    meta:
        description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        author = "USG"
        date = "2018-12-20"
        modified = "2024-04-17"
        id = "fd4d4804-f7d9-549d-8f63-5f409d6180f9"
    strings:
        $unique2 = "RedLeavesSCMDSimulatorMutex" nocase wide ascii
        $unique4 = "red_autumnal_leaves_dllmain.dll" wide ascii
        $unique7 = "\\NamePipe_MoreWindows" wide ascii
    condition:
        not uint32(0) == 0x66676572 // not regf (registry hives)
        and any of them
}

direct · PLUGX
PLUGX_RedLeaves
Detects specific RedLeaves and PlugX binaries
author: US-CERT Code Analysis Team · license: see source repo

rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
        description = "Detects specific RedLeaves and PlugX binaries"
        id = "ede8ad8f-31cf-5314-9777-bddd60e499f2"
    strings:
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
        $s2 = "d:\\work\\plug4.0(shellcode)"
        $s3 = "\\shellcode\\shellcode\\XSetting.h"
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        // "and" binds tighter than "or"; parentheses make the original precedence explicit
        $s0 or $s1 or ($s2 and $s3) or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}

direct · RedLeaves
MAL_RedLeaves_Apr18_1
Detects RedLeaves malware
author: Florian Roth (Nextron Systems) · license: see source repo

// The pe module must be imported for pe.imphash() to compile
import "pe"

rule MAL_RedLeaves_Apr18_1 {
   meta:
      description = "Detects RedLeaves malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
      date = "2018-05-01"
      hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
      hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
      hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
      id = "578b40d7-6818-56d5-92ce-535141c0aa8e"
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and (
         pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
         pe.imphash() == "566a7a4ef613a797389b570f8b4f79df"
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin