win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0), and the individual modules are selected with command-line parameters (-m, -w, -h).

References
2020-05-21 | ESET Research | Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 | FireEye | Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20221125 | Detects win.acehash.)
// Autogenerated code-sequence signature for ACEHASH (win.acehash).
// Each $sequence_N is a run of raw instruction bytes taken from the
// disassembly of the reference sample(s); the rule fires when at least
// 7 of the 10 sequences are present in a file below the size cap.
// The REX prefixes (0x41, 0x48, 0x4c, 0x4d) in the byte column show the
// matched code is x86-64.
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the mnemonic column to the right of the "|" below does
     * not appear to line up with the bytes on the same line (e.g. 4183e007
     * is listed as "test esi, esi"); it looks like a 32-bit decode of the
     * surrounding code that is offset from the byte column. Treat the byte
     * column as authoritative when reviewing or tuning these patterns.
     * "e8????????" entries mask the rel32 displacement of a call, since the
     * target offset varies with where the callee is linked.
     */

    strings:
        $sequence_0 = { 4183e007 410fb6d1 458ae5 418ac8 48c1ea03 d2e0 }
            // n = 6, score = 200
            //   4183e007             | test                esi, esi
            //   410fb6d1             | je                  0x15c
            //   458ae5               | dec                 eax
            //   418ac8               | lea                 ebx, [0x3adbd]
            //   48c1ea03             | mov                 dword ptr [edi + 0x1c], eax
            //   d2e0                 | dec                 eax

        $sequence_1 = { e8???????? 8bf0 85c0 7514 8bd7 488bcb }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8bf0                 | imul                edx, ebx
            //   85c0                 | inc                 esp
            //   7514                 | sub                 ebx, dword ptr [esi + 0x14]
            //   8bd7                 | inc                 esp
            //   488bcb               | xor                 ebx, edx

        $sequence_2 = { 443b4304 7cec 410fbae40d 7345 394b0c 7520 394b10 }
            // n = 7, score = 200
            //   443b4304             | mov                 ebx, dword ptr [esp + 0x210]
            //   7cec                 | xor                 eax, eax
            //   410fbae40d           | dec                 eax
            //   7345                 | mov                 ecx, ebp
            //   394b0c               | dec                 esp
            //   7520                 | lea                 eax, [esi + 0x200]
            //   394b10               | dec                 eax

        $sequence_3 = { 8b7108 448b6104 488bd9 488d7a08 41bd08000000 4c8d35483bffff }
            // n = 6, score = 200
            //   8b7108               | inc                 ecx
            //   448b6104             | movzx               eax, cl
            //   488bd9               | inc                 esp
            //   488d7a08             | xor                 eax, dword ptr [ebx + ecx*4 + 0x800]
            //   41bd08000000         | inc                 ecx
            //   4c8d35483bffff       | mov                 eax, ecx

        $sequence_4 = { 448b0f 4863c3 488d0d33060300 488d148504000000 448bc3 492b5638 }
            // n = 6, score = 200
            //   448b0f               | mov                 edi, dword ptr [edi + esi*8]
            //   4863c3               | cmp                 dword ptr [ebx + edi + 0xc], 0
            //   488d0d33060300       | dec                 esp
            //   488d148504000000     | lea                 edi, [0x30b67]
            //   448bc3               | nop                 dword ptr [eax]
            //   492b5638             | cmp                 bp, 1

        $sequence_5 = { 0fb64513 488d0dda2dffff 42339481a0ed0300 42339489a0e50300 339481a0e50300 488b4dbf 8b45af }
            // n = 7, score = 200
            //   0fb64513             | dec                 eax
            //   488d0dda2dffff       | or                  ecx, eax
            //   42339481a0ed0300     | dec                 eax
            //   42339489a0e50300     | xor                 edx, ecx
            //   339481a0e50300       | dec                 ebx
            //   488b4dbf             | mov                 dword ptr [eax + esi], ecx
            //   8b45af               | dec                 ebx

        $sequence_6 = { 74f4 4d85c0 74ef 0fb64105 440fb65904 48895c2410 41c1e308 }
            // n = 7, score = 200
            //   74f4                 | lea                 eax, [0xf8574]
            //   4d85c0               | mov                 al, byte ptr [ecx + ebx + 0x18]
            //   74ef                 | inc                 edx
            //   0fb64105             | mov                 byte ptr [ecx + eax + 0x10fe30], al
            //   440fb65904           | inc                 edx
            //   48895c2410           | jmp                 0xc42
            //   41c1e308             | mov                 dword ptr [esp + 0x20], edi

        $sequence_7 = { 0fb647fd 448b47f8 0fb657f9 4833d0 0fb64ffe 0fb64309 4833d0 }
            // n = 7, score = 200
            //   0fb647fd             | jb                  0x1b14
            //   448b47f8             | dec                 eax
            //   0fb657f9             | movsx               eax, word ptr [esi + 0x48]
            //   4833d0               | dec                 eax
            //   0fb64ffe             | lea                 ecx, [edi + 1]
            //   0fb64309             | dec                 eax
            //   4833d0               | lea                 edx, [esp + 0x30]

        $sequence_8 = { 4c8d0df7801000 4f8b0cc1 eb07 4c8d0dd2010300 488bd6 488d0dd8010300 482b5738 }
            // n = 7, score = 200
            //   4c8d0df7801000       | cmp                 edx, eax
            //   4f8b0cc1             | jl                  0xe62
            //   eb07                 | xor                 eax, eax
            //   4c8d0dd2010300       | dec                 eax
            //   488bd6               | add                 esp, 0x28
            //   488d0dd8010300       | ret                 
            //   482b5738             | jg                  0xe9d

        $sequence_9 = { 488d0d160a0300 8bd3 e8???????? 498b4638 488d0db4090300 440fbf441802 488d3418 }
            // n = 7, score = 200
            //   488d0d160a0300       | dec                 esp
            //   8bd3                 | cmove               ecx, ecx
            //   e8????????           |                     
            //   498b4638             | dec                 ecx
            //   488d0db4090300       | sub                 edx, edx
            //   440fbf441802         | dec                 esp
            //   488d3418             | lea                 ecx, [0x102aed]

    condition:
        // 7 of the 10 sequences must match. The filesize cap is presumably
        // derived from the reference sample(s) named in the disclaimer above;
        // samples with a larger unpacked/padded image would not match, so
        // confirm the bound before relying on this rule outside file scans.
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
// Hand-written ACEHASH signature published by the Bundesamt fuer
// Verfassungsschutz (BfV). Unlike win_acehash_auto, the patterns use
// wildcards (??) and byte-range jumps ([n-m]) so they tolerate register
// and displacement variation; the rule fires when 4 of the 5 $b* strings
// are present. The 0x48/0x41/0x45/0x4D REX prefixes show x86-64 code.
rule win_acehash_w0 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): license field is empty in the published rule; check
        // the source document's terms before redistributing.
        malpedia_license = ""
    strings:
        // movzx of a 16-bit field at +0x16 masked with 0x2000, followed by
        // two 32-bit immediates 0x40 and 0x1000 loaded into r9d/r8d. The
        // constants are consistent with PAGE_EXECUTE_READWRITE / MEM_COMMIT
        // arguments to a memory allocation — presumably for the decrypted
        // payload; verify against the sample.
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // load of a dword at +0x28, add/move through rcx, store back at +0x28.
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // two imul-by-0x28 (48 6B ?? 28) table walks reading fields at +0x10
        // and +0x14 — looks like iteration over a 40-byte entry array.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // two cmp-to-zero checks on fields at +0x90 and +0x94, each followed
        // by a jz (0F 84).
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8,r8 ; mov edx,1 ; indirect call through [reg+0x28] ; test al/eax.
        // Argument pattern (third arg 0, second arg 1) is consistent with a
        // DLL_PROCESS_ATTACH-style entry-point call — TODO confirm.
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // 4 of the 5 patterns above.
        (4 of ($b*))
}