win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components: a loader and an encrypted/compressed payload. To execute, a password is required (e.g. 9839D7F1A0), and the individual modules are selected via parameters (-m, -w, -h).

References
2020-05-21 — ESET Research — Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-11-19 — FireEye — Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-08-19 — FireEye — Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20220516 | Detects win.acehash.)
rule win_acehash_auto {

    /* REVIEW NOTES
     * Autogenerated code-sequence signature for win.acehash (see malpedia_reference
     * below). Matching is on the raw opcode bytes of each $sequence_N only.
     * The "| mnemonic" column in the comments under each sequence is NOT a
     * disassembly of the bytes on the same row: e.g. 75 0d is a short jne,
     * 33 c0 is xor eax, eax and 48 33 cc is xor rcx, rsp, while the many
     * "dec eax" / "inc ebp" / "inc ecx" entries look like REX prefixes
     * (48 / 45 / 41) decoded as 32-bit code. Treat the hex bytes as
     * authoritative and re-disassemble them in 64-bit mode if the annotations
     * matter for triage.
     * The ???? groups are YARA wildcards covering bytes that vary between
     * builds, e.g. the rel32 of the e8 calls and the disp32 of the
     * "83 3d ???????? 01" RIP-relative compare.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.acehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 750d 833d????????01 0f8404010000 81fffc000000 0f8463010000 488d2db1830f00 41bf14030000 }
            // n = 7, score = 200
            //   750d                 | dec                 eax
            //   833d????????01       |                     
            //   0f8404010000         | mov                 ecx, dword ptr [edi + 0xc]
            //   81fffc000000         | inc                 ebp
            //   0f8463010000         | xor                 eax, eax
            //   488d2db1830f00       | test                eax, eax
            //   41bf14030000         | jne                 0x18be

        $sequence_1 = { e8???????? 33c0 488b9c24b0080000 488bac24a8080000 488b8c2490080000 4833cc e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   33c0                 | mov                 ecx, dword ptr [eax]
            //   488b9c24b0080000     | dec                 eax
            //   488bac24a8080000     | mov                 edi, eax
            //   488b8c2490080000     | dec                 esp
            //   4833cc               | mov                 eax, dword ptr [ebx]
            //   e8????????           |                     

        $sequence_2 = { 488b4318 48894718 488b4320 488b5c2430 48894720 488d05e5460300 488907 }
            // n = 7, score = 200
            //   488b4318             | lea                 eax, [0x338f3]
            //   48894718             | dec                 eax
            //   488b4320             | lea                 edx, [ecx + 0x18]
            //   488b5c2430           | nop                 
            //   48894720             | dec                 eax
            //   488d05e5460300       | mov                 eax, dword ptr [edi]
            //   488907               | dec                 eax

        $sequence_3 = { 410fb6420d 894c2428 410fb64a0c c1e108 0bc8 410fb6420e c1e108 }
            // n = 7, score = 200
            //   410fb6420d           | inc                 ebp
            //   894c2428             | xor                 ebp, dword ptr [esp + 0x18]
            //   410fb64a0c           | inc                 ecx
            //   c1e108               | movzx               eax, bl
            //   0bc8                 | inc                 ebp
            //   410fb6420e           | xor                 ebp, dword ptr [edi + eax*4 + 0x4a570]
            //   c1e108               | inc                 ecx

        $sequence_4 = { 33cb 41338cb1a0f10300 8bc1 894d03 440fb67d03 c1e818 894db3 }
            // n = 7, score = 200
            //   33cb                 | sub                 edx, dword ptr [esi + 0x38]
            //   41338cb1a0f10300     | inc                 esp
            //   8bc1                 | mov                 ecx, dword ptr [edi]
            //   894d03               | dec                 eax
            //   440fb67d03           | arpl                bx, ax
            //   c1e818               | dec                 eax
            //   894db3               | lea                 edx, [esi + 4]

        $sequence_5 = { 83fa08 7d06 b803000000 c3 41b880000000 8bc2 413bd0 }
            // n = 7, score = 200
            //   83fa08               | add                 eax, dword ptr [esi + eax*4 + 0x3e1a0]
            //   7d06                 | inc                 ebp
            //   b803000000           | xor                 edx, eax
            //   c3                   | inc                 ebp
            //   41b880000000         | sub                 ecx, edx
            //   8bc2                 | inc                 ecx
            //   413bd0               | rol                 ecx, cl

        $sequence_6 = { 4833c8 8b4704 45339c8ea0c80300 4933c1 4533c8 4933c4 4933c0 }
            // n = 7, score = 200
            //   4833c8               | mov                 ecx, esi
            //   8b4704               | mov                 edx, dword ptr [esp + 0x34]
            //   45339c8ea0c80300     | dec                 eax
            //   4933c1               | mov                 ecx, esi
            //   4533c8               | add                 edx, 0x1000
            //   4933c4               | dec                 eax
            //   4933c0               | mov                 ecx, esi

        $sequence_7 = { 410fb6c2 44335704 4433848b00080000 44038483000c0000 4533c8 4885f6 }
            // n = 6, score = 200
            //   410fb6c2             | lea                 eax, [0x34a94]
            //   44335704             | dec                 eax
            //   4433848b00080000     | mov                 dword ptr [ecx], eax
            //   44038483000c0000     | dec                 eax
            //   4533c8               | lea                 eax, [0x34a92]
            //   4885f6               | dec                 eax

        $sequence_8 = { 790e 4c8d35ca430e00 41f7dd 4983ee60 395d93 7504 }
            // n = 6, score = 200
            //   790e                 | jne                 0x1091
            //   4c8d35ca430e00       | mov                 eax, esi
            //   41f7dd               | movzx               ecx, byte ptr [ebx]
            //   4983ee60             | inc                 edx
            //   395d93               | movsx               eax, byte ptr [ecx + edx + 0x110990]
            //   7504                 | test                eax, eax

        $sequence_9 = { eb21 4b8b8ceaa0511100 8a443108 a840 7508 0c02 }
            // n = 6, score = 200
            //   eb21                 | movzx               ecx, al
            //   4b8b8ceaa0511100     | mov                 eax, edi
            //   8a443108             | inc                 ebp
            //   a840                 | xor                 eax, dword ptr [edi + ecx*4 + 0x4b570]
            //   7508                 | inc                 ecx
            //   0c02                 | mov                 eax, ebp

    // Any 7 of the 10 sequences must be present, and only files/dumps smaller
    // than 2318336 bytes (about 2.2 MiB) are considered. A single sequence is
    // never reported on its own, which keeps false positives from shared
    // compiler/runtime code low but also means heavily modified builds may
    // fall below the threshold.
    condition:
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    /* REVIEW NOTES
     * Hand-written signature from the BfV cyber brief (see source below).
     * The five byte patterns decode as x64 code; the decoded instructions are
     * given per pattern, with the interpretation of the constant offsets
     * marked as assumptions that should be confirmed against a sample.
     * Each pattern is generic on its own; the condition requires 4 of 5.
     */
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): no licence is declared although sharing is TLP:WHITE;
        // confirm the terms with the source before redistributing this rule.
        malpedia_license = ""
    strings:
        // 0F B7 ?? 16            movzx r32, word ptr [reg+0x16]
        // (81 E? | 25) 00 20 ..  and/sub reg, imm32 or and eax, imm32, immediate starting 0x2000 (if the high bytes are zero)
        // 41 B9 40 00 00 00      mov r9d, 0x40
        // 41 B8 00 10 00 00      mov r8d, 0x1000
        // NOTE(review): consistent with a PE loader testing IMAGE_FILE_DLL (0x2000) in
        // FileHeader.Characteristics (NT headers + 0x16) and then preparing
        // VirtualAlloc-style arguments (MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40) - confirm.
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        // 8B 40 28     mov eax, dword ptr [rax+0x28]
        // 48 03 C8     add rcx, rax
        // 48 8B C1     mov rax, rcx
        // 48 89 41 28  mov qword ptr [rcx+0x28], rax
        // NOTE(review): +0x28 from the NT headers is OptionalHeader.AddressOfEntryPoint in a
        // 64-bit PE; this looks like an RVA-to-VA fix-up of the entry point - confirm.
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        // 48 6B ?? 28  imul r64, r/m64, 0x28  (0x28 = 40 = sizeof(IMAGE_SECTION_HEADER))
        // 8B ?? ?? 10 / 8B ?? ?? 14  loads from +0x10 / +0x14 of the indexed struct
        // NOTE(review): +0x10 / +0x14 are SizeOfRawData / PointerToRawData in
        // IMAGE_SECTION_HEADER, i.e. a section-copy loop - confirm.
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        // 83 B? 90 00 00 00 00  cmp dword ptr [reg+0x90], 0  (the B? ModRM wildcard also admits /6 xor)
        // 0F 84                 je rel32
        // then the same test against +0x94
        // NOTE(review): +0x90 / +0x94 are the import directory VirtualAddress / Size in
        // IMAGE_NT_HEADERS64, i.e. "skip import resolution if the directory is empty" - confirm.
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        // (45 | 4D) (31 | 33) C0  xor r8d, r8d / xor r8, r8
        // BA 01 00 00 00          mov edx, 1
        // FF 5? 28                call [reg+0x28]
        // (84 | 85) C0            test al, al / test eax, eax
        // NOTE(review): resembles a DllMain-style call entry(hModule, DLL_PROCESS_ATTACH = 1, NULL)
        // through the same +0x28 entry-point slot that $b2 writes - confirm.
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    // Any 4 of the 5 patterns. There is no filesize or PE-header guard, so the
    // rule also applies to memory dumps; if it proves noisy on unrelated 64-bit
    // in-memory loaders, a guard such as uint16(0) == 0x5a4d could be considered
    // at the cost of no longer matching headerless dumps.
    condition:
        (4 of ($b*))
}