win.acehash

ACEHASH

Actor(s): APT41


ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0), and the individual modules are addressed with parameters (-m, -w, -h).

References
2020-05-21 — ESET Research — Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-08-19 — FireEye — Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
Yara Rules
[TLP:WHITE] win_acehash_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_acehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Matching logic: the rule fires when at least 7 of the 10 $sequence_*
     * byte patterns are present and the scanned file is smaller than
     * 2318336 bytes (see the condition section). The "n = N, score = 200"
     * lines are yara-signator statistics for each sequence, not YARA syntax.
     * The "????" bytes in $sequence_0 mask the 4-byte relative operand of an
     * e8 (call) instruction so the pattern survives relocation.
     * The per-byte disassembly annotations do not line up with the opcode
     * bytes next to them (e.g. "c3" is annotated as imul and "5e"/"5d" as
     * sar/dec, whereas c3 is ret and 5e/5d are pop). The sequences contain
     * REX prefixes (41/44/45/48/4b/4c), i.e. 64-bit code, while the
     * annotations decode those prefixes as 32-bit inc/dec. Treat the
     * annotation column as informational only and re-disassemble the
     * sequences before drawing conclusions about the matched code.
     * The filesize bound is presumably derived from the documented sample(s);
     * larger padded or repacked builds would fall outside it — confirm.
     */

    strings:
        $sequence_0 = { 0fb654246b 448be0 b901000000 4432649f1a e8???????? 448be8 44326c9f1b }
            // n = 7, score = 200
            //   0fb654246b           | inc                 esp
            //   448be0               | mov                 ecx, eax
            //   b901000000           | inc                 esp
            //   4432649f1a           | mov                 eax, ebx
            //   e8????????           |                     
            //   448be8               | inc                 ecx
            //   44326c9f1b           | mov                 edx, esi

        $sequence_1 = { 5e 5d c3 488d4c2454 33d2 41b8b4110000 44897c2450 }
            // n = 7, score = 200
            //   5e                   | sar                 eax, 5
            //   5d                   | dec                 eax
            //   c3                   | imul                edx, edx, 0x58
            //   488d4c2454           | dec                 ecx
            //   33d2                 | add                 edx, dword ptr [edx + eax*8]
            //   41b8b4110000         | test                byte ptr [edx + 0x38], 0x80
            //   44897c2450           | je                  0x123

        $sequence_2 = { 488b742420 488b6c2418 418919 488b5c2410 41897908 488b3c24 45895104 }
            // n = 7, score = 200
            //   488b742420           | sar                 edx, 2
            //   488b6c2418           | mov                 dword ptr [esp + 0x20], eax
            //   418919               | dec                 eax
            //   488b5c2410           | sub                 edx, ebp
            //   41897908             | dec                 ecx
            //   488b3c24             | sub                 edx, dword ptr [esi + 0x38]
            //   45895104             | dec                 eax

        $sequence_3 = { 4183fc04 751c 41ffc6 48ffc7 443b742444 0f8455010000 0fb61438 }
            // n = 7, score = 200
            //   4183fc04             | dec                 eax
            //   751c                 | add                 ecx, 4
            //   41ffc6               | dec                 ecx
            //   48ffc7               | add                 ecx, esi
            //   443b742444           | or                  dword ptr [ebx + 0xc], 4
            //   0f8455010000         | dec                 esp
            //   0fb61438             | mov                 esi, dword ptr [esp + 0x50]

        $sequence_4 = { 4585f6 7e2d 488d5d0f 488d7dff 498bf6 66660f1f840000000000 488bd7 }
            // n = 7, score = 200
            //   4585f6               | xor                 ecx, esp
            //   7e2d                 | dec                 eax
            //   488d5d0f             | mov                 edi, dword ptr [esp + 0xc0]
            //   488d7dff             | cmp                 edx, dword ptr [esp + 0x28]
            //   498bf6               | jge                 0x108b
            //   66660f1f840000000000     | dec    eax
            //   488bd7               | mov                 eax, dword ptr [esp + 0x60]

        $sequence_5 = { 6683ff01 0f8e04010000 0fbfc7 b901000000 8d048504000000 4863d0 }
            // n = 6, score = 200
            //   6683ff01             | dec                 ebp
            //   0f8e04010000         | add                 edi, esi
            //   0fbfc7               | je                  0x13c4
            //   b901000000           | dec                 ebp
            //   8d048504000000       | test                esi, esi
            //   4863d0               | je                  0x1344

        $sequence_6 = { 418b9489000c0000 c1e810 0fb6c0 4133948100080000 8bc7 }
            // n = 5, score = 200
            //   418b9489000c0000     | inc                 esp
            //   c1e810               | sub                 eax, dword ptr [esi + eax*4 + 0x3e1a0]
            //   0fb6c0               | inc                 ebp
            //   4133948100080000     | xor                 edx, eax
            //   8bc7                 | inc                 ebp

        $sequence_7 = { 44895b08 488b5d7f 4885db 741f 8b559f 4c8d4587 488d4d87 }
            // n = 7, score = 200
            //   44895b08             | test                byte ptr [esp + eax + 8], 0x40
            //   488b5d7f             | je                  0x1386
            //   4885db               | inc                 ecx
            //   741f                 | cmp                 byte ptr [esi], 0x1a
            //   8b559f               | dec                 eax
            //   4c8d4587             | mov                 eax, dword ptr [esp + 0x50]
            //   488d4d87             | dec                 eax

        $sequence_8 = { 4b8b8ceaa0511100 48ffc3 88443139 83fa03 7511 8a03 }
            // n = 6, score = 200
            //   4b8b8ceaa0511100     | inc                 esp
            //   48ffc3               | sub                 dword ptr [edi + 0x24], esi
            //   88443139             | inc                 esp
            //   83fa03               | sub                 dword ptr [edi + 0x20], esi
            //   7511                 | dec                 eax
            //   8a03                 | mov                 eax, dword ptr [edi + 0x38]

        $sequence_9 = { 450fb6c1 eb14 410fb6d4 83e107 48c1ea03 d2e0 084415e0 }
            // n = 7, score = 200
            //   450fb6c1             | dec                 eax
            //   eb14                 | mov                 esi, dword ptr [esp + 0x40]
            //   410fb6d4             | dec                 eax
            //   83e107               | mov                 edi, dword ptr [esp + 0x48]
            //   48c1ea03             | xor                 eax, eax
            //   d2e0                 | dec                 eax
            //   084415e0             | add                 esp, 0x20

    condition:
        // "them" covers all $sequence_* strings declared above; the size
        // bound keeps the (unanchored) sequence scan off very large files.
        7 of them and filesize < 2318336
}
[TLP:WHITE] win_acehash_w0   (20191207 | No description)
rule win_acehash_w0 {
    /* NOTE(review)
     * Manually written rule (source: the BfV Cyber-Brief 2019-01 text linked
     * in meta). It fires when any 4 of the 5 $b* patterns are present; there
     * is no filesize or PE-header anchor, so apply the caller's own file-type
     * filter if scan cost or noise on large corpora is a concern.
     * The offsets in the patterns are consistent with a manual PE-mapping
     * routine operating on IMAGE_NT_HEADERS64 — confirm against a sample:
     *   $b1: movzx from +0x16 (FileHeader.Characteristics) masked with
     *        0x2000 (IMAGE_FILE_DLL), load from +0x50 (SizeOfImage), then
     *        r9d = 0x40 / r8d = 0x1000 (PAGE_EXECUTE_READWRITE / MEM_COMMIT,
     *        the usual VirtualAlloc flag pair)
     *   $b2: load from +0x28 (AddressOfEntryPoint) added to a base pointer
     *        and stored back at +0x28
     *   $b3: index * 0x28 (sizeof IMAGE_SECTION_HEADER) with loads from
     *        +0x10 / +0x14 (SizeOfRawData / PointerToRawData): section copy
     *   $b4: zero tests on +0x90 / +0x94 (import directory RVA and size)
     *   $b5: r8 zeroed, edx = 1 (DLL_PROCESS_ATTACH), indirect call through
     *        +0x28 and test of the result: a DllMain-style entry-point call
     * These are generic in-memory loader idioms, so some overlap with other
     * reflective PE loaders is plausible; corroborate hits with
     * win_acehash_auto or sample-specific indicators before attribution.
     */
    meta:
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
        $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
        $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
        $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
        $b5 = { (45 | 4D) (31 | 33) C0 BA 01 00 00 00 [10-16] FF 5? 28 [0-1] (84 | 85) C0 }
    condition:
        // Any four of the five loader fragments; no file-size or MZ/PE anchor.
        (4 of ($b*))
}