win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester consisting of two components: a loader and an encrypted/compressed payload. To execute, a password is required (e.g. 9839D7F1A0), and the individual modules are selected via parameters (-m, -w, -h).

References
2020-05-21 | ESET Research | Martin Smolár, Mathieu Tartare
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-01-01 | Secureworks | SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 | FireEye | Alex Pennino, Matt Bromiley
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20260504 | Detects win.acehash.)
rule win_acehash_auto {

    // Auto-generated YARA-Signator signature for the ACEHASH family (see meta
    // below). Only the hex byte sequences under "strings:" drive matching; the
    // "n = ..., score = ..." lines and the mnemonic column are generator output.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the mnemonic column beside each sequence does not decode
    // the bytes on its own line (e.g. 33c3 is "xor eax, ebx", not "inc ecx"),
    // and the many "dec"/"inc" entries look like a 32-bit decoding of x64 REX
    // prefixes (41/48/4c) - treat that column as informational only. The
    // ???????? wildcards stand for call/jump displacements and RIP-relative
    // operands, which vary between builds.

    strings:
        $sequence_0 = { 33c3 488d1dbdad0300 89471c 488d3dd7ad0300 418b4b18 4983c310 e8???????? }
            // n = 7, score = 200
            //   33c3                 | inc                 ecx
            //   488d1dbdad0300       | mov                 ecx, ecx
            //   89471c               | shr                 ecx, 4
            //   488d3dd7ad0300       | inc                 ebp
            //   418b4b18             | mov                 eax, dword ptr [ebx + 8]
            //   4983c310             | shl                 ecx, 0xc
            //   e8????????           |                     

        $sequence_1 = { 488bc1 48c1f805 488d1554fe0d00 83e11f 486bc958 488b04c2 80640808fe }
            // n = 7, score = 200
            //   488bc1               | dec                 ebp
            //   48c1f805             | lea                 edx, [eax + 1]
            //   488d1554fe0d00       | dec                 ebp
            //   83e11f               | lea                 ecx, [eax + 2]
            //   486bc958             | dec                 ecx
            //   488b04c2             | mov                 eax, 0xfffffffe
            //   80640808fe           | dec                 ecx

        $sequence_2 = { c3 4885d2 74f1 4885c9 }
            // n = 4, score = 200
            //   c3                   | dec                 esp
            //   4885d2               | arpl                bx, di
            //   74f1                 | inc                 esp
            //   4885c9               | mov                 dword ptr [esp + 0x28], esp

        $sequence_3 = { 0bc2 c1e008 0bc8 33d2 41894bfc 453bc2 72b7 }
            // n = 7, score = 200
            //   0bc2                 | movzx               edx, byte ptr [ecx + 4]
            //   c1e008               | inc                 ecx
            //   0bc8                 | shl                 ecx, 8
            //   33d2                 | inc                 ecx
            //   41894bfc             | shl                 edx, 8
            //   453bc2               | dec                 eax
            //   72b7                 | mov                 dword ptr [esp + 0x10], esi

        $sequence_4 = { 418bc2 c1e808 0fb6c8 410fb6c2 4133948900040000 41331481 8b4518 }
            // n = 7, score = 200
            //   418bc2               | dec                 eax
            //   c1e808               | inc                 ebx
            //   0fb6c8               | inc                 ecx
            //   410fb6c2             | cmp                 byte ptr [eax + ebx], 0
            //   4133948900040000     | jne                 0x172c
            //   41331481             | mov                 eax, ebx
            //   8b4518               | dec                 eax

        $sequence_5 = { 4c8b4c2440 8b7c2420 3b7c242c 7d25 4c8b442458 4c8b542470 448b5c2424 }
            // n = 7, score = 200
            //   4c8b4c2440           | jne                 0x106b
            //   8b7c2420             | dec                 ecx
            //   3b7c242c             | dec                 eax
            //   7d25                 | dec                 eax
            //   4c8b442458           | cmp                 ecx, dword ptr [ebx + 0x10]
            //   4c8b542470           | jge                 0x105d
            //   448b5c2424           | dec                 eax

        $sequence_6 = { 397ddc 746c 4c8d153b94fdff 4b8b84eaa0511100 f644300848 741e ba0a000000 }
            // n = 7, score = 200
            //   397ddc               | movsx               edi, word ptr [eax + 2]
            //   746c                 | dec                 eax
            //   4c8d153b94fdff       | mov                 dword ptr [esp + 0x28], eax
            //   4b8b84eaa0511100     | mov                 dword ptr [esp + 0x20], edi
            //   f644300848           | dec                 eax
            //   741e                 | add                 eax, 0xb0
            //   ba0a000000           | inc                 edx

        $sequence_7 = { 488905???????? ff15???????? 488d15493b0300 483305???????? 488bcb }
            // n = 5, score = 200
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15493b0300       | inc                 edx
            //   483305????????       |                     
            //   488bcb               | xor                 edx, dword ptr [esi + eax*4 + 0x3ff10]

        $sequence_8 = { 488d0de90a0300 e8???????? 83f8ff 750a b80c00e00c 4883c428 c3 }
            // n = 7, score = 200
            //   488d0de90a0300       | mov                 dword ptr [esp + 0x70], ebp
            //   e8????????           |                     
            //   83f8ff               | mov                 dword ptr [esp + 0x34], ebp
            //   750a                 | mov                 edi, ebp
            //   b80c00e00c           | mov                 dword ptr [esp + 0x20], ebp
            //   4883c428             | cmp                 cx, si
            //   c3                   | dec                 esp

        $sequence_9 = { 8bd3 498bce 4889442420 e8???????? 4c8d3df4110300 4c8d6738 4c8d0569130300 }
            // n = 7, score = 200
            //   8bd3                 | inc                 esp
            //   498bce               | movzx               ebp, al
            //   4889442420           | mov                 eax, ecx
            //   e8????????           |                     
            //   4c8d3df4110300       | shr                 eax, 0x10
            //   4c8d6738             | movzx               edx, al
            //   4c8d0569130300       | shr                 eax, 0x18

    // At least 7 of the 10 sequences must be present, and the scanned object
    // must be smaller than 2318336 bytes (~2.2 MiB). NOTE(review): YARA's
    // `filesize` may be undefined for process-memory scans, so the size cap can
    // suppress hits there - check your engine's semantics before relying on it.
    condition:
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    // ACEHASH signature published by the German BfV (see source URL in meta).
    // The five byte patterns use YARA wildcards (??), jumps ([n-m]) and
    // alternatives ((a | b)), so each one matches a small family of x64
    // encodings rather than one fixed byte string.
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // NOTE(review): the annotations below are a reading of the opcode
        // patterns, not confirmed against a sample. The offsets involved
        // (+0x16 masked with 0x2000, +0x28, a 0x28-byte stride with +0x10/+0x14,
        // +0x90/+0x94) are consistent with PE header fields as seen by an
        // in-memory PE loader; verify before using that as a hunting lead.
        //
        // movzx of a 16-bit field at +0x16, AND with 0x2000, then
        // mov r9d, 0x40 / mov r8d, 0x1000 (41 B9 imm32 / 41 B8 imm32).
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // mov eax, [rax+0x28]; add rcx, rax; mov rax, rcx; mov [rcx+0x28], rax
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // imul r64 by 0x28, dword load at +0x10; again with a load at +0x14
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // cmp dword [reg+0x90], 0 / je ...; cmp dword [reg+0x94], 0 / je ...
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // xor r8(d), r8(d); mov edx, 1; ...; call [reg+0x28]; test al/eax
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    // Any 4 of the 5 patterns. There is no filesize, MZ or pe-module
    // constraint, so the rule can fire on memory dumps and unpacked payloads
    // as well as on files.
    condition:
        (4 of ($b*))
}