win.acehash (Back to overview)

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password is required (e.g. 9839D7F1A0), and the individual modules are selected with command-line parameters (-m, -w, -h).

References
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19FireEyeAlex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20211008 | Detects win.acehash.)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-line disassembly annotations emitted by the
     * generator did not correspond to the bytes printed next to them (the
     * first sequence starts with 48 8b 74 24 40, which is mov rsi, [rsp+0x40],
     * but was annotated "dec eax"; the listing looked like a 32-bit decode of
     * a different instruction window). The annotations below are a manual x64
     * decode of each byte sequence made during review. The hex bytes, not the
     * annotations, are what the rule matches on. Operands written as ???????? in
     * the hex are wildcards for the rel32/disp32 of calls and rip-relative
     * references, so matching does not depend on link-time addresses.
     * Jump targets are omitted from the decode because they are relative to
     * the sample's layout.
     */


    strings:
        // Function epilogue (restore rsi/rbx, pop rdi, ret) followed by a
        // rip-relative lea -- presumably the start of the next function.
        $sequence_0 = { 488b742440 488bc3 488b5c2430 4883c420 5f c3 488d0d5d520300 }
            // n = 7, score = 200
            //   488b742440           | mov                 rsi, qword ptr [rsp + 0x40]
            //   488bc3               | mov                 rax, rbx
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   4883c420             | add                 rsp, 0x20
            //   5f                   | pop                 rdi
            //   c3                   | ret
            //   488d0d5d520300       | lea                 rcx, [rip + 0x3525d]

        // Two byte loads from [rcx+4]/[rcx+5] with the first shifted left by 8
        // (a 16-bit value assembled from bytes) interleaved with callee-saved
        // register spills.
        $sequence_1 = { 74ef 0fb64105 440fb65904 48895c2410 41c1e308 4889742418 488d35d129ffff }
            // n = 7, score = 200
            //   74ef                 | je                  short (backwards)
            //   0fb64105             | movzx               eax, byte ptr [rcx + 5]
            //   440fb65904           | movzx               r11d, byte ptr [rcx + 4]
            //   48895c2410           | mov                 qword ptr [rsp + 0x10], rbx
            //   41c1e308             | shl                 r11d, 8
            //   4889742418           | mov                 qword ptr [rsp + 0x18], rsi
            //   488d35d129ffff       | lea                 rsi, [rip - 0xd62f]

        // Result of a call stored at [rbx+8] and sign-tested.
        $sequence_2 = { 83e201 4c896b38 03d2 e8???????? 894308 85c0 7977 }
            // n = 7, score = 200
            //   83e201               | and                 edx, 1
            //   4c896b38             | mov                 qword ptr [rbx + 0x38], r13
            //   03d2                 | add                 edx, edx
            //   e8????????           | call                rel32 (target wildcarded)
            //   894308               | mov                 dword ptr [rbx + 8], eax
            //   85c0                 | test                eax, eax
            //   7977                 | jns                 short

        // Loop-style compare of r9 against r8 with a far backwards jge.
        $sequence_3 = { 7446 4d3bc8 0f8d27fdffff 48630a 488b442438 488b4038 }
            // n = 6, score = 200
            //   7446                 | je                  short
            //   4d3bc8               | cmp                 r9, r8
            //   0f8d27fdffff         | jge                 rel32 (backwards)
            //   48630a               | movsxd              rcx, dword ptr [rdx]
            //   488b442438           | mov                 rax, qword ptr [rsp + 0x38]
            //   488b4038             | mov                 rax, qword ptr [rax + 0x38]

        // Function prologue spilling rbx/rbp/rsi/rdi, reading two dwords from
        // a structure in r8 at fixed offsets 0x1008 and 0x100c.
        $sequence_4 = { 48895c2410 418b980c100000 44335904 48896c2418 4889742420 418bb008100000 48897c2428 }
            // n = 7, score = 200
            //   48895c2410           | mov                 qword ptr [rsp + 0x10], rbx
            //   418b980c100000       | mov                 ebx, dword ptr [r8 + 0x100c]
            //   44335904             | xor                 r11d, dword ptr [rcx + 4]
            //   48896c2418           | mov                 qword ptr [rsp + 0x18], rbp
            //   4889742420           | mov                 qword ptr [rsp + 0x20], rsi
            //   418bb008100000       | mov                 esi, dword ptr [r8 + 0x1008]
            //   48897c2428           | mov                 qword ptr [rsp + 0x28], rdi

        // Call, keep the result in ebx, branch on it; edx = rdi*3 suggests a
        // 3-element stride (unconfirmed).
        $sequence_5 = { e8???????? 8bd8 85c0 0f8582000000 8d147f 488d4d80 e8???????? }
            // n = 7, score = 200
            //   e8????????           | call                rel32 (target wildcarded)
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   0f8582000000         | jne                 rel32
            //   8d147f               | lea                 edx, [rdi + rdi*2]
            //   488d4d80             | lea                 rcx, [rbp - 0x80]
            //   e8????????           | call                rel32 (target wildcarded)

        // 16-bit compare of bx (zeroed just before) with a word at [rsi+2].
        $sequence_6 = { 482bd3 e8???????? 33db 663b5e02 7d4f 48897c2430 }
            // n = 6, score = 200
            //   482bd3               | sub                 rdx, rbx
            //   e8????????           | call                rel32 (target wildcarded)
            //   33db                 | xor                 ebx, ebx
            //   663b5e02             | cmp                 bx, word ptr [rsi + 2]
            //   7d4f                 | jge                 short
            //   48897c2430           | mov                 qword ptr [rsp + 0x30], rdi

        // Two calls taking rip-relative data in rdx; the int3 between them
        // indicates the first call is not expected to return (e.g. an abort
        // path) -- inference, not confirmed.
        $sequence_7 = { e8???????? 488d15776a0500 488d4de7 e8???????? cc 488d1526350300 e8???????? }
            // n = 7, score = 200
            //   e8????????           | call                rel32 (target wildcarded)
            //   488d15776a0500       | lea                 rdx, [rip + 0x56a77]
            //   488d4de7             | lea                 rcx, [rbp - 0x19]
            //   e8????????           | call                rel32 (target wildcarded)
            //   cc                   | int3
            //   488d1526350300       | lea                 rdx, [rip + 0x33526]
            //   e8????????           | call                rel32 (target wildcarded)

        // rax xored with a global, stored to another global, then an indirect
        // call through an import/table slot; repeated for a second rip-relative
        // string. Looks like pointer encoding of resolved addresses -- confirm
        // against a sample before relying on that reading.
        $sequence_8 = { 488d15353b0300 483305???????? 488bcb 488905???????? ff15???????? 488d152f3b0300 483305???????? }
            // n = 7, score = 200
            //   488d15353b0300       | lea                 rdx, [rip + 0x33b35]
            //   483305????????       | xor                 rax, qword ptr [rip + disp32]
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d152f3b0300       | lea                 rdx, [rip + 0x33b2f]
            //   483305????????       | xor                 rax, qword ptr [rip + disp32]

        // "return 0" epilogue followed by the padded start of the next
        // routine (or rcx, -1 then a 6-byte nop).
        $sequence_9 = { 7508 33c0 4883c420 5b c3 4883c9ff 660f1f440000 }
            // n = 7, score = 200
            //   7508                 | jne                 short
            //   33c0                 | xor                 eax, eax
            //   4883c420             | add                 rsp, 0x20
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   4883c9ff             | or                  rcx, -1
            //   660f1f440000         | nop                 word ptr [rax + rax]

    condition:
        // At least 7 of the 10 byte sequences must be present, and the scanned
        // file is capped at 2318336 bytes; larger files never match.
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    /* NOTE(review): the source supplies no description. Decoded as x64, the
     * five patterns below look like a manual PE-mapping routine: a check on
     * the NT-header Characteristics, a VirtualAlloc sized to SizeOfImage,
     * a per-section copy, an entry-point fix-up and a DllMain-style call.
     * The structure offsets are read as relative to IMAGE_NT_HEADERS; that
     * interpretation is the reviewer's and should be confirmed against a
     * sample before it is relied on. The byte patterns themselves are
     * reproduced unchanged.
     */
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""   // empty in the source; no licence is recorded for this rule
    strings:
        // movzx r32, word [reg+0x16] ; and reg, 0x2000 ; ... ; mov r32, [reg+0x50] ;
        // mov r9d, 0x40 ; mov r8d, 0x1000
        // +0x16 / +0x50 from the NT headers are FileHeader.Characteristics /
        // OptionalHeader.SizeOfImage, 0x2000 is IMAGE_FILE_DLL, and r8 = 0x1000
        // (MEM_COMMIT) / r9 = 0x40 (PAGE_EXECUTE_READWRITE) are the 3rd/4th x64
        // call arguments -- consistent with VirtualAlloc of the image. Note
        // 81 E8..EF would decode as sub rather than and.
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // mov eax, [rax+0x28] ; ... ; add rcx, rax ; mov rax, rcx ; ... ; mov [rcx+0x28], rax
        // +0x28 from the NT headers is OptionalHeader.AddressOfEntryPoint; this
        // reads as base + RVA being written back over the RVA.
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul r64, r/m64, 0x28 ; ... ; mov r32, [..+0x10] ; ... ; imul ..., 0x28 ; ... ; mov r32, [..+0x14]
        // 0x28 is sizeof(IMAGE_SECTION_HEADER); +0x10 / +0x14 within a section
        // header are SizeOfRawData / PointerToRawData -- a section copy loop.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword [reg+0x90], 0 ; je ... ; cmp dword [reg+0x94], 0 ; je
        // (83 B8..BF = cmp; 83 B0..B7 would decode as xor). +0x90 / +0x94 from
        // the NT headers are the import directory RVA / Size -- "skip import
        // processing when there is none".
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d) ; mov edx, 1 ; ... ; call [reg+0x28] ; test al/eax
        // edx = 1 is DLL_PROCESS_ATTACH, r8 = NULL, and +0x28 is the slot $b2
        // writes the absolute entry point into -- a DllMain-style call whose
        // boolean result is tested.
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // four of the five loader fragments must be present; no size cap
        (4 of ($b*))
}