win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password must be supplied (e.g. 9839D7F1A0), and the individual modules are selected with command-line switches (-m, -w, -h). Because both the password and the module switches are passed on the command line, process command-line auditing is a useful complement to the file-based Yara rules below.

References
2020-05-21 · ESET Research · Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020 · Secureworks · SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-08-19 · FireEye · Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - The "| <mnemonic>" column in the per-byte comments below is NOT a faithful
     *   decode of the hex on the same line. For example 0f8455010000 is `je rel32`,
     *   not `mov eax, ecx`; 756d is `jne rel8`, not `je`; in $sequence_3 only the
     *   `85c0 | test eax, eax` line actually corresponds to its bytes. The mnemonics
     *   also look like a 32-bit decode of x64 code: the REX prefixes 0x41/0x44/0x45/
     *   0x48 show up as `inc ecx` / `inc esp` / `inc ebp` / `dec eax`. Treat the hex
     *   as authoritative and re-disassemble before reusing any of it in another rule.
     * - The REX prefixes indicate the sequences were taken from a 64-bit build. A
     *   32-bit build of the same tooling (if one exists) would not be expected to match.
     * - There is no PE header check (e.g. uint16(0) == 0x5a4d). Per the disclaimer the
     *   sequences come from memory dumps / unpacked files, so that is presumably
     *   deliberate; add such a check at the call site if you only scan on-disk files.
     * - `7 of them` and the filesize cap were derived from a single sample; recompiled
     *   variants may drift below the threshold, so weight this as a medium-confidence hit.
     */


    strings:
        $sequence_0 = { 0f8455010000 0fb61438 440fb607 458be5 8bc2 418bf0 83e23f }
            // n = 7, score = 200
            //   0f8455010000         | mov                 eax, ecx
            //   0fb61438             | inc                 esp
            //   440fb607             | mov                 ecx, ecx
            //   458be5               | mov                 dword ptr [ebp + 0x28], eax
            //   8bc2                 | mov                 dword ptr [ebp - 0x10], eax
            //   418bf0               | mov                 eax, ecx
            //   83e23f               | and                 eax, 1

        $sequence_1 = { 5e 5d c3 488d4c2454 33d2 41b8b4110000 44897c2450 }
            // n = 7, score = 200
            //   5e                   | mov                 eax, 0xce00004
            //   5d                   | mov                 eax, 0xce00003
            //   c3                   | mov                 eax, ebx
            //   488d4c2454           | jmp                 0x6de
            //   33d2                 | dec                 eax
            //   41b8b4110000         | lea                 ecx, [0x315cb]
            //   44897c2450           | inc                 ecx

        $sequence_2 = { 488b45df 418b9489a0e90300 438b8cb9a0f10300 41338cb9a0ed0300 41338cb1a0e50300 41338c81a0f10300 33ca }
            // n = 7, score = 200
            //   488b45df             | mov                 edx, 0x10
            //   418b9489a0e90300     | dec                 esp
            //   438b8cb9a0f10300     | mov                 dword ptr [esp + 0xa8], esi
            //   41338cb9a0ed0300     | dec                 esp
            //   41338cb1a0e50300     | mov                 dword ptr [esp + 0xa0], edi
            //   41338c81a0f10300     | dec                 esp
            //   33ca                 | mov                 dword ptr [esp + 0xb0], ebp

        $sequence_3 = { 488d4c2420 498bf0 488bda e8???????? 85c0 756d }
            // n = 6, score = 200
            //   488d4c2420           | mov                 ecx, edi
            //   498bf0               | inc                 ecx
            //   488bda               | inc                 esp
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   756d                 | je                  0xaa3

        $sequence_4 = { e8???????? 8b4324 448b4b1c 448b4320 8b5318 488d0df5360300 89442420 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4324               | mov                 eax, dword ptr [esi + edx*8 + 0x47810]
            //   448b4b1c             | shr                 eax, 0x10
            //   448b4320             | movzx               ecx, al
            //   8b5318               | inc                 ecx
            //   488d0df5360300       | mov                 eax, ebx
            //   89442420             | dec                 esp

        $sequence_5 = { 488d4f28 48894f38 488d4740 48894750 488d4748 48894758 488d4760 }
            // n = 7, score = 200
            //   488d4f28             | dec                 eax
            //   48894f38             | mov                 ebx, dword ptr [esp + 0x40]
            //   488d4740             | dec                 esp
            //   48894750             | mov                 esi, dword ptr [esp + 0x58]
            //   488d4748             | jb                  0x1d9b
            //   48894758             | movzx               eax, byte ptr [ebx + 7]
            //   488d4760             | dec                 eax

        $sequence_6 = { c1ef10 400fb6c7 488b7c2440 4133948770b10400 410fb6c5 4c8b6c2410 4133948770a90400 }
            // n = 7, score = 200
            //   c1ef10               | inc                 esp
            //   400fb6c7             | or                  edx, eax
            //   488b7c2440           | movzx               eax, byte ptr [ecx + 5]
            //   4133948770b10400     | inc                 esp
            //   410fb6c5             | or                  ebx, eax
            //   4c8b6c2410           | movzx               eax, byte ptr [ecx + 6]
            //   4133948770a90400     | inc                 ecx

        $sequence_7 = { 74eb 4585c0 7416 4183f810 7410 b804000000 488b5c2430 }
            // n = 7, score = 200
            //   74eb                 | mov                 eax, 0x10
            //   4585c0               | dec                 eax
            //   7416                 | add                 esp, 0x20
            //   4183f810             | pop                 ebx
            //   7410                 | ret                 
            //   b804000000           | dec                 eax
            //   488b5c2430           | test                ebx, ebx

        $sequence_8 = { 0f85f3000000 488d0dfcdc0200 33d2 41b800080000 ff15???????? 488bd8 4885c0 }
            // n = 7, score = 200
            //   0f85f3000000         | shr                 eax, 0x18
            //   488d0dfcdc0200       | mov                 byte ptr [ebx + 4], al
            //   33d2                 | inc                 ebp
            //   41b800080000         | xor                 eax, dword ptr [edi + eax*4 + 0x4a970]
            //   ff15????????         |                     
            //   488bd8               | inc                 ebp
            //   4885c0               | xor                 eax, dword ptr [esi + 8]

        $sequence_9 = { 4103ca 894c2434 488b4c2468 e8???????? 4863f8 897c243c 413bfd }
            // n = 7, score = 200
            //   4103ca               | dec                 eax
            //   894c2434             | arpl                word ptr [eax + 4], dx
            //   488b4c2468           | dec                 eax
            //   e8????????           |                     
            //   4863f8               | add                 ecx, 0xb0
            //   897c243c             | inc                 edx
            //   413bfd               | dec                 ecx

    condition:
        // Threshold and size cap are tuned to the single documented sample (see NOTE above).
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"

    /* Five x64 code fragments (REX prefixes 41/45/48/4D throughout), taken from the
     * BfV cyber brief linked above. The offsets used in them are consistent with code
     * that walks an IMAGE_NT_HEADERS64 structure in memory, i.e. an in-memory PE
     * loader, which fits ACEHASH's loader + packed-payload design. The per-pattern
     * notes below are the reviewer's reading of the encodings and should be confirmed
     * against a sample; the bytes themselves are unchanged from the published rule.
     * No MZ/filetype anchor is applied, so the rule also fires on memory dumps.
     */
    strings:
        // movzx reg, word [reg+0x16] (FileHeader.Characteristics seen from the NT header),
        // and reg, 0x2000 (IMAGE_FILE_DLL), mov reg, [reg+0x50] (OptionalHeader.SizeOfImage),
        // then mov r9d, 0x40 / mov r8d, 0x1000 -- PAGE_EXECUTE_READWRITE / MEM_COMMIT,
        // i.e. the argument setup for a VirtualAlloc of the image.
        $ldr_alloc    = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }

        // mov eax, [rax+0x28] (OptionalHeader.AddressOfEntryPoint), add rcx, rax,
        // mov rax, rcx, mov [rcx+0x28], rax -- resolves the entry point against the
        // mapped base and stores the absolute pointer at +0x28 of a context struct.
        $ldr_entry    = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }

        // imul reg, reg, 0x28 (sizeof IMAGE_SECTION_HEADER) followed by reads at
        // +0x10 (SizeOfRawData) and +0x14 (PointerToRawData): section copy loop.
        $ldr_sections = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }

        // cmp dword [reg+0x90], 0 / je ... cmp dword [reg+0x94], 0 / je --
        // DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] VirtualAddress and Size in
        // IMAGE_NT_HEADERS64; skips import resolution when the directory is empty.
        $ldr_imports  = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }

        // xor r8(d), r8(d); mov edx, 1 (DLL_PROCESS_ATTACH); call [reg+0x28]; test al/eax --
        // invokes the stored entry point DllMain-style with a NULL reserved argument.
        $ldr_dllmain  = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }

    condition:
        // Any four of the five loader fragments; tolerates one fragment being
        // recompiled differently or split by the [n-m] jumps not covering it.
        4 of ($ldr_*)
}