win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0), and the individual modules are addressed with parameters (-m, -w, -h).

References
2020-05-21 | ESET Research | Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 | FireEye | Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20230715 | Detects win.acehash.)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THE STRINGS
     * Each hex token below is annotated with its x86-64 decoding (the
     * generator's own per-line annotations were out of step with the bytes).
     * "??" bytes in $sequence_6 and $sequence_7 wildcard the rel32 target of
     * a call, so those sequences survive relocation of the callee.
     * "n" is the number of opcodes in the sequence; "score" is the value
     * emitted by yara-signator for that sequence.
     * Condition: any 7 of the 10 sequences must match, and the scanned file
     * must be smaller than 2318336 bytes (~2.2 MiB).
     */

    strings:
        $sequence_0 = { c1e810 0fb6d0 438b848270a90400 4133849270b50400 0fb6d1 410fb6c9 4133849270b10400 }
            // n = 7, score = 200
            //   c1e810               | shr                 eax, 0x10
            //   0fb6d0               | movzx               edx, al
            //   438b848270a90400     | mov                 eax, dword ptr [r10 + r8*4 + 0x4a970]
            //   4133849270b50400     | xor                 eax, dword ptr [r10 + rdx*4 + 0x4b570]
            //   0fb6d1               | movzx               edx, cl
            //   410fb6c9             | movzx               ecx, r9b
            //   4133849270b10400     | xor                 eax, dword ptr [r10 + rdx*4 + 0x4b170]
            // (table lookups indexed by single bytes, xor-combined: typical of a
            //  byte-oriented cipher/hash round; which algorithm is not determinable here)

        $sequence_1 = { 43381c2f 75f7 4c896c2448 bd6c660000 41bb6c680000 395814 0f8494030000 }
            // n = 7, score = 200
            //   43381c2f             | cmp                 byte ptr [r15 + r13], bl
            //   75f7                 | jne                 (rel8 -0x9)
            //   4c896c2448           | mov                 qword ptr [rsp + 0x48], r13
            //   bd6c660000           | mov                 ebp, 0x666c
            //   41bb6c680000         | mov                 r11d, 0x686c
            //   395814               | cmp                 dword ptr [rax + 0x14], ebx
            //   0f8494030000         | je                  (rel32 +0x394)

        $sequence_2 = { 488d8481a0e90300 c1eb18 c1ee10 c1ef08 448955f7 488945d7 41c1ee10 }
            // n = 7, score = 200
            //   488d8481a0e90300     | lea                 rax, [rcx + rax*4 + 0x3e9a0]
            //   c1eb18               | shr                 ebx, 0x18
            //   c1ee10               | shr                 esi, 0x10
            //   c1ef08               | shr                 edi, 8
            //   448955f7             | mov                 dword ptr [rbp - 9], r10d
            //   488945d7             | mov                 qword ptr [rbp - 0x29], rax
            //   41c1ee10             | shr                 r14d, 0x10

        $sequence_3 = { c745a700000000 48c745ef02000000 440bd8 0fb6450a 41c1e308 440bd8 0fb6450c }
            // n = 7, score = 200
            //   c745a700000000       | mov                 dword ptr [rbp - 0x59], 0
            //   48c745ef02000000     | mov                 qword ptr [rbp - 0x11], 2
            //   440bd8               | or                  r11d, eax
            //   0fb6450a             | movzx               eax, byte ptr [rbp + 0xa]
            //   41c1e308             | shl                 r11d, 8
            //   440bd8               | or                  r11d, eax
            //   0fb6450c             | movzx               eax, byte ptr [rbp + 0xc]
            // (shift-and-or assembly of a big-endian integer from consecutive bytes)

        $sequence_4 = { 83e13f 8b948e10f80300 33948610fa0300 418bc0 }
            // n = 4, score = 200
            //   83e13f               | and                 ecx, 0x3f
            //   8b948e10f80300       | mov                 edx, dword ptr [rsi + rcx*4 + 0x3f810]
            //   33948610fa0300       | xor                 edx, dword ptr [rsi + rax*4 + 0x3fa10]
            //   418bc0               | mov                 eax, r8d

        $sequence_5 = { 0fb64103 41c1e208 440bd0 0fb64105 440bd8 0fb64106 41c1e308 }
            // n = 7, score = 200
            //   0fb64103             | movzx               eax, byte ptr [rcx + 3]
            //   41c1e208             | shl                 r10d, 8
            //   440bd0               | or                  r10d, eax
            //   0fb64105             | movzx               eax, byte ptr [rcx + 5]
            //   440bd8               | or                  r11d, eax
            //   0fb64106             | movzx               eax, byte ptr [rcx + 6]
            //   41c1e308             | shl                 r11d, 8

        $sequence_6 = { 488d0de8030300 4883c204 48c1fa02 482bd3 e8???????? 448b4608 488bd6 }
            // n = 7, score = 200
            //   488d0de8030300       | lea                 rcx, [rip + 0x303e8]
            //   4883c204             | add                 rdx, 4
            //   48c1fa02             | sar                 rdx, 2
            //   482bd3               | sub                 rdx, rbx
            //   e8????????           | call                (rel32 wildcarded)
            //   448b4608             | mov                 r8d, dword ptr [rsi + 8]
            //   488bd6               | mov                 rdx, rsi

        $sequence_7 = { 8bf9 e8???????? 4885c0 7509 488d05b3890f00 eb04 4883c014 }
            // n = 7, score = 200
            //   8bf9                 | mov                 edi, ecx
            //   e8????????           | call                (rel32 wildcarded)
            //   4885c0               | test                rax, rax
            //   7509                 | jne                 (rel8 +0x9)
            //   488d05b3890f00       | lea                 rax, [rip + 0xf89b3]
            //   eb04                 | jmp                 (rel8 +0x4)
            //   4883c014             | add                 rax, 0x14

        $sequence_8 = { c1c205 448bc8 4533cc 8bca 33d6 41d3c1 8bc8 }
            // n = 7, score = 200
            //   c1c205               | rol                 edx, 5
            //   448bc8               | mov                 r9d, eax
            //   4533cc               | xor                 r9d, r12d
            //   8bca                 | mov                 ecx, edx
            //   33d6                 | xor                 edx, esi
            //   41d3c1               | rol                 r9d, cl
            //   8bc8                 | mov                 ecx, eax
            // (rotate/xor mixing; looks like a hash or cipher round, algorithm not
            //  identifiable from this fragment alone)

        $sequence_9 = { 498b4638 488d0db4060300 440fbf441802 488d3418 488beb 488bd6 }
            // n = 6, score = 200
            //   498b4638             | mov                 rax, qword ptr [r14 + 0x38]
            //   488d0db4060300       | lea                 rcx, [rip + 0x306b4]
            //   440fbf441802         | movsx               r8d, word ptr [rax + rbx + 2]
            //   488d3418             | lea                 rsi, [rax + rbx]
            //   488beb               | mov                 rbp, rbx
            //   488bd6               | mov                 rdx, rsi

    condition:
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    /* Hand-written rule published by the BfV (see `source` below).
     * The five patterns read like a 64-bit in-memory PE loader walking the NT
     * headers. The field names given in the comments are the PE32+ header
     * fields that sit at the hard-coded offsets; they are an analyst
     * interpretation to confirm against a sample, not part of the rule.
     * Condition: any 4 of the 5 byte patterns must match (no filesize bound). */
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""   // no license declared for this rule
    strings:
        // movzx r32, word ptr [reg+0x16]; and reg, 0x2000; mov reg, [reg+0x50];
        // mov r9d, 0x40; mov r8d, 0x1000. Relative to the NT headers, +0x16 is
        // FileHeader.Characteristics (0x2000 = IMAGE_FILE_DLL) and +0x50 is
        // OptionalHeader.SizeOfImage; 0x40 / 0x1000 match the
        // PAGE_EXECUTE_READWRITE / MEM_COMMIT argument values (presumably a
        // VirtualAlloc call follows; verify).
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // mov eax, [rax+0x28]; add rcx, rax; mov rax, rcx; mov [rcx+0x28], rax.
        // +0x28 from the NT headers is OptionalHeader.AddressOfEntryPoint;
        // looks like an entry-point RVA being rebased and stored (interpretation).
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul reg, reg, 0x28 ... mov reg, [..+0x10] ... imul ... mov reg, [..+0x14].
        // 0x28 is sizeof(IMAGE_SECTION_HEADER); +0x10 / +0x14 are
        // SizeOfRawData / PointerToRawData -- consistent with a per-section copy loop.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword ptr [reg+0x90], 0; je ...; cmp dword ptr [reg+0x94], 0; je.
        // +0x90 / +0x94 from the NT headers are the PE32+ import directory
        // VirtualAddress / Size, i.e. "does this image have imports to resolve".
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d); mov edx, 1; ... call [reg+0x28]; test al/eax.
        // Argument shape of a DllMain-style call (edx = 1 = DLL_PROCESS_ATTACH)
        // through the pointer stored at +0x28 (cf. $b2); interpretation, verify.
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        (4 of ($b*))
}