win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0), and the individual modules are addressed with parameters (-m, -w, -h).

References
2020-05-21 | ESET Research | Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 | FireEye | Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review notes on reading the strings below:
     * - The byte column is the authoritative part. Its lead bytes 0x41/0x42/
     *   0x44/0x48/0x4c are consistent with REX prefixes, i.e. x86-64 code,
     *   while the mnemonic column does not line up with the bytes on the same
     *   line ("48..." rendered as "dec eax" is the 32-bit reading of a REX
     *   byte; "0fb644dc72" is shown as a mov with a 0x7890 displacement it
     *   does not encode). Decode the bytes yourself when vetting a match.
     * - "????" masks a 32-bit operand, e.g. the rel32 of "e8????????" or the
     *   displacement of "488905????????"; presumably masked because those
     *   values differ between builds.
     * - Each "// n = .., score = .." line is generator output: n equals the
     *   number of instructions in the sequence, score is the generator's
     *   selection score, neither is a YARA construct.
     * - malpedia_version (20201023) is older than date/malpedia_rule_date
     *   (2020-12-22); presumably the former names the Malpedia data snapshot
     *   the sequences were mined from — confirm against Malpedia.
     */

    strings:
        $sequence_0 = { 483394c1b0a10300 420fb644c475 483394c1b0910300 0fb644dc72 483394c1b0a90300 420fb644dc77 }
            // n = 6, score = 200
            //   483394c1b0a10300     | dec                 eax
            //   420fb644c475         | arpl                cx, ax
            //   483394c1b0910300     | inc                 ecx
            //   0fb644dc72           | mov                 ecx, dword ptr [eax + eax*4 + 0x7890]
            //   483394c1b0a90300     | dec                 ecx
            //   420fb644dc77         | add                 ecx, eax

        $sequence_1 = { 4c8d0d4a2afeff 83e21f 48c1f805 486bd258 490394c1a0511100 eb07 }
            // n = 6, score = 200
            //   4c8d0d4a2afeff       | dec                 eax
            //   83e21f               | arpl                ax, dx
            //   48c1f805             | inc                 ecx
            //   486bd258             | movsx               ebx, word ptr [edi + 0x1006]
            //   490394c1a0511100     | mov                 ecx, 1
            //   eb07                 | lea                 eax, [ebx*4 + 4]

        $sequence_2 = { 8b47fc 4233948610fe0300 4133c1 448bc0 8bc8 4433da }
            // n = 6, score = 200
            //   8b47fc               | inc                 ecx
            //   4233948610fe0300     | movzx               eax, cl
            //   4133c1               | inc                 esp
            //   448bc0               | add                 eax, dword ptr [esi + ecx*4 + 0x3dda0]
            //   8bc8                 | mov                 ecx, dword ptr [ebx + 0x70]
            //   4433da               | inc                 esp

        $sequence_3 = { 41338c93a0f10300 8b55ab 44894da7 41334d00 }
            // n = 4, score = 200
            //   41338c93a0f10300     | xor                 edx, ebx
            //   8b55ab               | inc                 ecx
            //   44894da7             | mov                 dword ptr [edi - 0x400], eax
            //   41334d00             | movzx               edx, byte ptr [ebp + 5]

        $sequence_4 = { 488905???????? 4885c0 7507 b81a000000 eb23 488d0de3a40f00 48890c03 }
            // n = 7, score = 200
            //   488905????????       |                     
            //   4885c0               | inc                 esp
            //   7507                 | sub                 eax, esi
            //   b81a000000           | dec                 eax
            //   eb23                 | mov                 ecx, dword ptr [ecx + eax*8]
            //   488d0de3a40f00       | dec                 eax
            //   48890c03             | lea                 edx, [ebp + 0xe0]

        $sequence_5 = { 41ffc7 43339486a0f10300 4c8b45cf 44897da7 433394aea0f10300 43339486a0ed0300 41891481 }
            // n = 7, score = 200
            //   41ffc7               | inc                 esp
            //   43339486a0f10300     | mov                 edx, edx
            //   4c8b45cf             | dec                 esp
            //   44897da7             | mov                 ecx, ecx
            //   433394aea0f10300     | dec                 eax
            //   43339486a0ed0300     | test                ecx, ecx
            //   41891481             | jne                 0x91c

        $sequence_6 = { 85c0 0f8979010000 8bd6 488bcf 48896c2460 41f7de e8???????? }
            // n = 7, score = 200
            //   85c0                 | mov                 esp, eax
            //   0f8979010000         | dec                 eax
            //   8bd6                 | mov                 dword ptr [esp + 0x40], eax
            //   488bcf               | mov                 ecx, 1
            //   48896c2460           | movzx               edx, byte ptr [edi + ebx*4 + 2]
            //   41f7de               | mov                 ecx, 1
            //   e8????????           |                     

        $sequence_7 = { 418bd4 33c9 e8???????? 418bd4 b901000000 0fb6f0 e8???????? }
            // n = 7, score = 200
            //   418bd4               | mov                 edi, eax
            //   33c9                 | dec                 eax
            //   e8????????           |                     
            //   418bd4               | mov                 ebx, edx
            //   b901000000           | dec                 esp
            //   0fb6f0               | mov                 ecx, ecx
            //   e8????????           |                     

        $sequence_8 = { 458b7e18 4585ff 0f8496000000 41837e1400 0f848b000000 48895c2440 418b5e20 }
            // n = 7, score = 200
            //   458b7e18             | mov                 ecx, 0x6b6e
            //   4585ff               | dec                 ebx
            //   0f8496000000         | lea                 eax, [eax + esi]
            //   41837e1400           | mov                 ebx, esi
            //   0f848b000000         | mov                 dword ptr [esp + 0x24], esi
            //   48895c2440           | mov                 dword ptr [esp + 0x50], esi
            //   418b5e20             | dec                 eax

        $sequence_9 = { 468d0ccd08000000 488bcf e8???????? 8b6c2450 488b442468 488b4c2438 ff4014 }
            // n = 7, score = 200
            //   468d0ccd08000000     | lea                 eax, [0xee951]
            //   488bcf               | dec                 eax
            //   e8???????? |                     
            //   8b6c2450             | cmp                 dword ptr [edi - 0x10], eax
            //   488b442468           | je                  0x1136
            //   488b4c2438           | dec                 eax
            //   ff4014               | mov                 ecx, dword ptr [edi]

    condition:
        // "them" covers all ten $sequence_* strings. The filesize cap
        // (2318336 bytes, ~2.2 MiB) means objects at or above that size never
        // match whatever their content; presumably it was sized from the
        // sampled file(s), so revisit it before scanning larger artefacts
        // such as full memory dumps.
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    /* Review notes:
     * Hand-written signature taken from the BfV cyber brief given in "source";
     * the listing carries no description. Decoding the byte patterns, the five
     * strings look like pieces of code that walks a PE image in memory: the
     * constants 0x16, 0x28, 0x50, 0x10/0x14, 0x90/0x94 and the 0x28-byte
     * stride line up with IMAGE_NT_HEADERS64 and IMAGE_SECTION_HEADER field
     * offsets. That reading is inferred from the bytes, not stated by the
     * source, so confirm it against the brief before using it to tune or
     * tighten the rule.
     */
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        // empty in the published rule; sharing level is given by malpedia_sharing
        malpedia_license = ""
    strings:
        // movzx of the word at +0x16 masked with 0x2000 ("81 E?" = and r32,
        // imm32; "25" = and eax, imm32 as the alternative encoding), a dword
        // read at +0x50, then mov r9d, 0x40 / mov r8d, 0x1000. Looks like an
        // IMAGE_FILE_DLL check, a SizeOfImage read and VirtualAlloc-style
        // (MEM_COMMIT, PAGE_EXECUTE_READWRITE) argument setup — verify.
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // dword at +0x28 added to a base register and written back to +0x28 —
        // looks like AddressOfEntryPoint being rebased to an absolute address
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul by 0x28 and reads at +0x10 / +0x14 — consistent with walking
        // IMAGE_SECTION_HEADER entries (SizeOfRawData / PointerToRawData)
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword [reg+0x90], 0 / je, then the same at +0x94 — consistent
        // with testing the import data directory entry for presence
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d); mov edx, 1; ... call [reg+0x28]; test al/eax —
        // an indirect call through the +0x28 slot with the second argument
        // set to 1 (DLL_PROCESS_ATTACH if this is a DllMain-style call)
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // any four of the five fragments; no filesize or PE-header guard
        (4 of ($b*))
}