win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester consisting of two components: a loader and an encrypted/compressed payload. Execution requires a password on the command line (e.g. 9839D7F1A0 in the sample FireEye analysed), and the individual modules are selected with parameters (-m, -w, -h). Because the payload is stored encrypted, a detonation without the correct password is unlikely to expose the harvesting modules; keep the original command line when re-running a sample.

References
2020-05-21 · ESET Research · Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020 · Secureworks · SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-11-19 · FireEye · Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 · FireEye · Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20210616 | Detects win.acehash.)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below contains REX prefixes (0x40-0x4f) that are only
     *   decoded as REX in 64-bit mode, so these byte strings describe the x64
     *   build of the sample; a 32-bit build would not be matched by them.
     * - The per-instruction annotations shipped with the generated rule were
     *   produced by a 32-bit decoder and did not correspond to the bytes (e.g.
     *   "arpl dx, bx" for 40 0f b6 c7). They have been replaced with a 64-bit
     *   decoding of each instruction.
     * - Sequences 0, 5, 6 and 8 are movzx-of-a-byte followed by xor/mov with a
     *   scaled table entry (dword tables at r15+0x49d70..0x4b170, qword tables
     *   at rcx/r8+0x381b0..0x3b9b0). That is table-driven transformation code;
     *   presumably the decryption/decompression step for the payload -- confirm
     *   on a sample before relying on that reading.
     * - Sequence 9 ends in a RIP-relative indirect call whose target slot is
     *   wildcarded, so the rule does not pin which import is called.
     * - The filesize bound is derived from the documented sample; memory dumps
     *   or differently packed builds may fall outside it.
     */

    strings:
        $sequence_0 = { 400fb6c7 488b7c2440 4133948770b10400 410fb6c5 4c8b6c2410 4133948770a90400 4c8b3c24 }
            // n = 7, score = 200
            //   400fb6c7             | movzx               eax, dil
            //   488b7c2440           | mov                 rdi, qword ptr [rsp + 0x40]
            //   4133948770b10400     | xor                 edx, dword ptr [r15 + rax*4 + 0x4b170]
            //   410fb6c5             | movzx               eax, r13b
            //   4c8b6c2410           | mov                 r13, qword ptr [rsp + 0x10]
            //   4133948770a90400     | xor                 edx, dword ptr [r15 + rax*4 + 0x4a970]
            //   4c8b3c24             | mov                 r15, qword ptr [rsp]

        $sequence_1 = { 0bc8 49ffc0 413bd3 7505 }
            // n = 4, score = 200
            //   0bc8                 | or                  ecx, eax
            //   49ffc0               | inc                 r8
            //   413bd3               | cmp                 edx, r11d
            //   7505                 | jne                 +5

        $sequence_2 = { 488d8481a0e90300 c1eb18 c1ee10 c1ef08 448955f7 488945d7 41c1ee10 }
            // n = 7, score = 200
            //   488d8481a0e90300     | lea                 rax, [rcx + rax*4 + 0x3e9a0]
            //   c1eb18               | shr                 ebx, 0x18
            //   c1ee10               | shr                 esi, 0x10
            //   c1ef08               | shr                 edi, 8
            //   448955f7             | mov                 dword ptr [rbp - 9], r10d
            //   488945d7             | mov                 qword ptr [rbp - 0x29], rax
            //   41c1ee10             | shr                 r14d, 0x10

        $sequence_3 = { ffc6 4983c508 41c1c308 418d041b 418945f4 428d045b c1c009 }
            // n = 7, score = 200
            //   ffc6                 | inc                 esi
            //   4983c508             | add                 r13, 8
            //   41c1c308             | rol                 r11d, 8
            //   418d041b             | lea                 eax, [r11 + rbx]
            //   418945f4             | mov                 dword ptr [r13 - 0xc], eax
            //   428d045b             | lea                 eax, [rbx + r11*2]
            //   c1c009               | rol                 eax, 9

        $sequence_4 = { 488b6c2440 4883c420 5e c3 83fa18 7410 b803000000 }
            // n = 7, score = 200
            //   488b6c2440           | mov                 rbp, qword ptr [rsp + 0x40]
            //   4883c420             | add                 rsp, 0x20
            //   5e                   | pop                 rsi
            //   c3                   | ret                 ; epilogue -- the bytes below begin the next function
            //   83fa18               | cmp                 edx, 0x18
            //   7410                 | je                  +0x10
            //   b803000000           | mov                 eax, 3

        $sequence_5 = { 420fb644ddf6 483394c1b0890300 0fb644ddf4 483394c1b0990300 0fb644fdf3 483394c1b0a10300 }
            // n = 6, score = 200
            //   420fb644ddf6         | movzx               eax, byte ptr [rbp + r11*8 - 0xa]
            //   483394c1b0890300     | xor                 rdx, qword ptr [rcx + rax*8 + 0x389b0]
            //   0fb644ddf4           | movzx               eax, byte ptr [rbp + rbx*8 - 0xc]
            //   483394c1b0990300     | xor                 rdx, qword ptr [rcx + rax*8 + 0x399b0]
            //   0fb644fdf3           | movzx               eax, byte ptr [rbp + rdi*8 - 0xd]
            //   483394c1b0a10300     | xor                 rdx, qword ptr [rcx + rax*8 + 0x3a1b0]

        $sequence_6 = { c1e810 0fb6d0 418bc1 458bac97709d0400 c1e818 }
            // n = 5, score = 200
            //   c1e810               | shr                 eax, 0x10
            //   0fb6d0               | movzx               edx, al
            //   418bc1               | mov                 eax, r9d
            //   458bac97709d0400     | mov                 r13d, dword ptr [r15 + rdx*4 + 0x49d70]
            //   c1e818               | shr                 eax, 0x18

        $sequence_7 = { 418b9118100000 418b891c100000 4c8b2424 488b6c2418 33c6 488b742420 }
            // n = 6, score = 200
            //   418b9118100000       | mov                 edx, dword ptr [r9 + 0x1018]
            //   418b891c100000       | mov                 ecx, dword ptr [r9 + 0x101c]
            //   4c8b2424             | mov                 r12, qword ptr [rsp]
            //   488b6c2418           | mov                 rbp, qword ptr [rsp + 0x18]
            //   33c6                 | xor                 eax, esi
            //   488b742420           | mov                 rsi, qword ptr [rsp + 0x20]

        $sequence_8 = { 493394c0b0b90300 0fb644f477 493394c0b0810300 420fb644e476 493394c0b0890300 0fb644fc72 493394c0b0a90300 }
            // n = 7, score = 200
            //   493394c0b0b90300     | xor                 rdx, qword ptr [r8 + rax*8 + 0x3b9b0]
            //   0fb644f477           | movzx               eax, byte ptr [rsp + rsi*8 + 0x77]
            //   493394c0b0810300     | xor                 rdx, qword ptr [r8 + rax*8 + 0x381b0]
            //   420fb644e476         | movzx               eax, byte ptr [rsp + r12*8 + 0x76]
            //   493394c0b0890300     | xor                 rdx, qword ptr [r8 + rax*8 + 0x389b0]
            //   0fb644fc72           | movzx               eax, byte ptr [rsp + rdi*8 + 0x72]
            //   493394c0b0a90300     | xor                 rdx, qword ptr [r8 + rax*8 + 0x3a9b0]

        $sequence_9 = { 498b4c2408 4d8bc7 ff15???????? 8bd8 85c0 }
            // n = 5, score = 200
            //   498b4c2408           | mov                 rcx, qword ptr [r12 + 8]
            //   4d8bc7               | mov                 r8, r15
            //   ff15????????         | call                qword ptr [rip + disp32]   ; import slot wildcarded
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax

    condition:
        // Any 7 of the 10 code sequences, bounded to ~2.2 MiB (sample-derived).
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    /* REVIEW NOTES
     * The five patterns are x64 code (REX prefixes 41/45/48/4D) that walks a PE
     * image in memory. The fixed offsets line up with the IMAGE_NT_HEADERS64
     * layout (0x16 FileHeader.Characteristics, 0x28 AddressOfEntryPoint,
     * 0x50 SizeOfImage, 0x90/0x94 import directory RVA/Size) and with
     * IMAGE_SECTION_HEADER (0x28 bytes; 0x10 SizeOfRawData, 0x14 PointerToRawData).
     * Together they read like a generic in-memory PE loader rather than anything
     * specific to credential harvesting, so expect hits on other reflective
     * loaders and treat a match as a lead, not a verdict. The malpedia_license
     * field is empty in the upstream copy.
     */
    strings:
        // movzx r32, word ptr [nt+0x16] (Characteristics); and r32, 0x2000
        // (IMAGE_FILE_DLL); mov r32, [nt+0x50] (SizeOfImage); then
        // mov r9d, 0x40 (PAGE_EXECUTE_READWRITE) / mov r8d, 0x1000 (MEM_COMMIT),
        // i.e. the 3rd/4th x64 arguments of what is presumably a VirtualAlloc call.
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // mov eax, [rax+0x28] (AddressOfEntryPoint); add rcx, rax; mov rax, rcx;
        // mov [rcx+0x28], rax: rebases the entry-point RVA and writes the pointer
        // back into a +0x28 slot (presumably a header copy -- verify on a sample).
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul r64, r/m64, 0x28 (sizeof IMAGE_SECTION_HEADER), then reads of
        // [..+0x10] SizeOfRawData and [..+0x14] PointerToRawData: section-copy loop.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword ptr [reg+0x90], 0 / je ...; cmp dword ptr [reg+0x94], 0 / je:
        // tests the import directory VirtualAddress and Size (PE32+ offsets)
        // before import resolution.
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d); mov edx, 1; ... call qword ptr [reg+0x28]; test al/eax:
        // calls the stored entry point with rdx = 1 and r8 = 0, the argument shape
        // of DllMain(hinst, DLL_PROCESS_ATTACH, NULL).
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // Any four of the five loader fragments.
        (4 of ($b*))
}