win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. Execution requires a password (e.g. 9839D7F1A0), and the individual modules are selected with command-line parameters (-m, -w, -h).

References
2020-05-21 · ESET Research · Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020 · Secureworks · SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-11-19 · FireEye · Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 · FireEye · Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20230125 | Detects win.acehash.)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below carries REX prefixes (0x40-0x4d), so this rule
     *   only covers the x86-64 build(s) of ACEHASH that Malpedia holds; a
     *   32-bit build would not be matched by it.
     * - The per-byte instruction annotations shipped with the generated rule
     *   did not correspond to the hex bytes next to them (e.g. 75 20 is a
     *   short jne, not "inc ecx"). They have been re-decoded below as x86-64.
     *   The hex strings themselves are untouched.
     * - Several sequences look like compiler/runtime boilerplate rather than
     *   family-specific logic (see the per-sequence notes); the condition's
     *   "7 of them" threshold is what keeps the rule specific, so do not
     *   lower it without re-testing against a benign x64 corpus.
     */


    strings:
        // Short-jump / byte-counter fragment; generic control flow.
        $sequence_0 = { 7520 394b10 7e3b 488d4314 0f1f8000000000 fe00 752c }
            // n = 7, score = 200
            //   7520                 | jne                 short +0x20
            //   394b10               | cmp                 dword ptr [rbx + 0x10], ecx
            //   7e3b                 | jle                 short +0x3b
            //   488d4314             | lea                 rax, [rbx + 0x14]
            //   0f1f8000000000       | nop                 dword ptr [rax]
            //   fe00                 | inc                 byte ptr [rax]
            //   752c                 | jne                 short +0x2c

        // Byte-indexed dword table lookups (r11 + index*4 + large offset) with a
        // shift by 8 between them. Consistent with a table-driven block cipher
        // round (e.g. AES T-tables) and plausibly the payload decryption path
        // described for ACEHASH, but that cannot be confirmed from these bytes alone.
        $sequence_1 = { 418bfa 41890c80 0fb645f7 c1ef08 4d8dac83a0e90300 400fb6c7 418b8c83a0e50300 }
            // n = 7, score = 200
            //   418bfa               | mov                 edi, r10d
            //   41890c80             | mov                 dword ptr [r8 + rax*4], ecx
            //   0fb645f7             | movzx               eax, byte ptr [rbp - 9]
            //   c1ef08               | shr                 edi, 8
            //   4d8dac83a0e90300     | lea                 r13, [r11 + rax*4 + 0x3e9a0]
            //   400fb6c7             | movzx               eax, dil
            //   418b8c83a0e50300     | mov                 ecx, dword ptr [r11 + rax*4 + 0x3e5a0]

        // movsxd of a dword at [rax+4] followed by the same register stored into
        // four object slots (+0xb0..+0xd0). Looks like compiler-emitted object
        // initialisation rather than family logic; weak on its own.
        $sequence_2 = { 48634804 8d9120ffffff 895419fc 4889bbc8000000 4889bbd0000000 4889bbb0000000 4889bbb8000000 }
            // n = 7, score = 200
            //   48634804             | movsxd              rcx, dword ptr [rax + 4]
            //   8d9120ffffff         | lea                 edx, [rcx - 0xe0]
            //   895419fc             | mov                 dword ptr [rcx + rbx - 4], edx
            //   4889bbc8000000       | mov                 qword ptr [rbx + 0xc8], rdi
            //   4889bbd0000000       | mov                 qword ptr [rbx + 0xd0], rdi
            //   4889bbb0000000       | mov                 qword ptr [rbx + 0xb0], rdi
            //   4889bbb8000000       | mov                 qword ptr [rbx + 0xb8], rdi

        // Status/argument validation: returns 4 on one path, compares a value in
        // r10d against 0x10 on another. Generic.
        $sequence_3 = { 740f 4585c0 740a b804000000 e9???????? 4183fa10 7416 }
            // n = 7, score = 200
            //   740f                 | je                  short +0xf
            //   4585c0               | test                r8d, r8d
            //   740a                 | je                  short +0xa
            //   b804000000           | mov                 eax, 4
            //   e9????????           | jmp                 rel32
            //   4183fa10             | cmp                 r10d, 0x10
            //   7416                 | je                  short +0x16

        // x64 prologue (0x20 bytes of shadow space) that shuffles rcx/rdx/r8 and
        // returns 0x10 when the first argument is NULL. Generic.
        $sequence_4 = { 4883ec20 488bda 498bf8 488bd1 4885c9 7510 b810000000 }
            // n = 7, score = 200
            //   4883ec20             | sub                 rsp, 0x20
            //   488bda               | mov                 rbx, rdx
            //   498bf8               | mov                 rdi, r8
            //   488bd1               | mov                 rdx, rcx
            //   4885c9               | test                rcx, rcx
            //   7510                 | jne                 short +0x10
            //   b810000000           | mov                 eax, 0x10

        // Stores a RIP-relative address into an object field at a movsxd-derived
        // offset (vtable/function-pointer fix-up shape). The 0x349f9 displacement
        // is build-specific; compiler boilerplate otherwise, weak on its own.
        $sequence_5 = { e8???????? 90 488b4310 48634804 488d05f9490300 4889441910 488b4310 }
            // n = 7, score = 200
            //   e8????????           | call                rel32
            //   90                   | nop
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]
            //   48634804             | movsxd              rcx, dword ptr [rax + 4]
            //   488d05f9490300       | lea                 rax, [rip + 0x349f9]
            //   4889441910           | mov                 qword ptr [rcx + rbx + 0x10], rax
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]

        // Return-value check followed by a four-register (rcx, rdx, r8, r9) call
        // setup. Generic.
        $sequence_6 = { 8bd8 85c0 0f853c030000 4c8b4e10 488b542438 498b4c2410 4d8bc7 }
            // n = 7, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   0f853c030000         | jne                 rel32 +0x33c
            //   4c8b4e10             | mov                 r9, qword ptr [rsi + 0x10]
            //   488b542438           | mov                 rdx, qword ptr [rsp + 0x38]
            //   498b4c2410           | mov                 rcx, qword ptr [r12 + 0x10]
            //   4d8bc7               | mov                 r8, r15

        // Writes capacity 0xf and size 0 into adjacent qwords — the shape of MSVC
        // std::string small-buffer construction. Runtime boilerplate; weak on its own.
        $sequence_7 = { 488bd9 49c743e00f000000 4533c0 4d8943d8 }
            // n = 4, score = 200
            //   488bd9               | mov                 rbx, rcx
            //   49c743e00f000000     | mov                 qword ptr [r11 - 0x20], 0xf
            //   4533c0               | xor                 r8d, r8d
            //   4d8943d8             | mov                 qword ptr [r11 - 0x28], r8

        // Lookups in 0x400-byte (256 x dword) tables at +0x800 and +0xc00 indexed
        // by individual bytes of a 32-bit word (shr 0x18 selects the top byte).
        // Again consistent with an AES-style T-table implementation; unconfirmed.
        $sequence_8 = { 458b8489000c0000 0fb6c0 4533848100080000 8bc7 c1e818 0fb6c8 }
            // n = 6, score = 200
            //   458b8489000c0000     | mov                 r8d, dword ptr [r9 + rcx*4 + 0xc00]
            //   0fb6c0               | movzx               eax, al
            //   4533848100080000     | xor                 r8d, dword ptr [r9 + rax*4 + 0x800]
            //   8bc7                 | mov                 eax, edi
            //   c1e818               | shr                 eax, 0x18
            //   0fb6c8               | movzx               ecx, al

        // Unrolled loop that advances the source by 8 and writes each byte pair
        // with positions exchanged (src+1 -> dst, src+0 -> dst+1): looks like a
        // 16-bit byte-swap over a buffer. Purpose unconfirmed.
        $sequence_9 = { 66660f1f840000000000 410fb64301 4983c308 48ffc9 4288441fea 410fb643f8 4288441feb }
            // n = 7, score = 200
            //   66660f1f840000000000     | nop    word ptr [rax + rax]
            //   410fb64301           | movzx               eax, byte ptr [r11 + 1]
            //   4983c308             | add                 r11, 8
            //   48ffc9               | dec                 rcx
            //   4288441fea           | mov                 byte ptr [rdi + r11 - 0x16], al
            //   410fb643f8           | movzx               eax, byte ptr [r11 - 8]
            //   4288441feb           | mov                 byte ptr [rdi + r11 - 0x15], al

    condition:
        // Seven of the ten sequences must be present. The size bound comes from
        // the generator (sample size plus headroom) and is not a family trait.
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): the source left the license field empty; check the BfV
        // publication terms before redistributing this rule outside TLP:WHITE use.
        malpedia_license = ""
    /* REVIEW NOTES
     * All five patterns decode as x86-64 code (REX prefixes 41/45/48/4D) whose
     * displacements line up with IMAGE_NT_HEADERS64 / IMAGE_SECTION_HEADER
     * fields, i.e. manual in-memory PE mapping. The rule therefore describes
     * ACEHASH's loader component, not anything specific to the credential
     * harvesting payload, and another x64 reflective loader written the same
     * way could also satisfy "4 of 5". Treat a hit as strong but corroborate
     * with context (the -m/-w/-h switches and the password argument noted in
     * the description). Offsets below are relative to IMAGE_NT_HEADERS64.
     */
    strings:
        // movzx of the word at +0x16 (FileHeader.Characteristics), AND with 0x2000
        // (IMAGE_FILE_DLL), load of the dword at +0x50 (OptionalHeader.SizeOfImage),
        // then r9d = 0x40 (PAGE_EXECUTE_READWRITE) and r8d = 0x1000 (MEM_COMMIT):
        // consistent with VirtualAlloc(..., SizeOfImage, MEM_COMMIT, PAGE_EXECUTE_READWRITE).
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // mov eax, [rax+0x28] (OptionalHeader.AddressOfEntryPoint); add rcx, rax;
        // mov rax, rcx; mov [rcx+0x28], rax: rebases the entry-point RVA against
        // the mapped image and stores the result back.
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul by 0x28 (sizeof IMAGE_SECTION_HEADER) followed by loads at +0x10
        // (SizeOfRawData) and +0x14 (PointerToRawData): section-copy loop.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword [reg+0x90], 0 / je / cmp dword [reg+0x94], 0: VirtualAddress and
        // Size of DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] in a 64-bit header;
        // skips import resolution when there is no import table.
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d); mov edx, 1; ... call [reg+0x28]; test al|eax: an indirect
        // call with (rcx, 1, 0), the argument shape of DllMain(hModule,
        // DLL_PROCESS_ATTACH, NULL) on a freshly mapped module. Inferred from the
        // calling convention only; unconfirmed.
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // Any four of the five loader fragments. There is no MZ/size guard, so the
        // rule applies equally to files and to memory dumps.
        (4 of ($b*))
}