SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alphanc (Back to overview)

AlphaNC

Actor(s): Lazarus Group


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
Yara Rules
[TLP:WHITE] win_alphanc_auto (20230407 | Detects win.alphanc.)
rule win_alphanc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.alphanc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf8 85ff 897c242c 750a 683a0a0000 e9???????? f644242060 }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   897c242c             | mov                 dword ptr [esp + 0x2c], edi
            //   750a                 | jne                 0xc
            //   683a0a0000           | push                0xa3a
            //   e9????????           |                     
            //   f644242060           | test                byte ptr [esp + 0x20], 0x60

        $sequence_1 = { 8d1480 c1e203 895604 8b475c 668b88cc020000 8b90c4020000 03d1 }
            // n = 7, score = 100
            //   8d1480               | lea                 edx, [eax + eax*4]
            //   c1e203               | shl                 edx, 3
            //   895604               | mov                 dword ptr [esi + 4], edx
            //   8b475c               | mov                 eax, dword ptr [edi + 0x5c]
            //   668b88cc020000       | mov                 cx, word ptr [eax + 0x2cc]
            //   8b90c4020000         | mov                 edx, dword ptr [eax + 0x2c4]
            //   03d1                 | add                 edx, ecx

        $sequence_2 = { be01000000 3bde 7e0c 807c2bfe3d 7505 be02000000 8b442434 }
            // n = 7, score = 100
            //   be01000000           | mov                 esi, 1
            //   3bde                 | cmp                 ebx, esi
            //   7e0c                 | jle                 0xe
            //   807c2bfe3d           | cmp                 byte ptr [ebx + ebp - 2], 0x3d
            //   7505                 | jne                 7
            //   be02000000           | mov                 esi, 2
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_3 = { e8???????? 3bc5 89442420 7520 68ff050000 68???????? 6a41 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   3bc5                 | cmp                 eax, ebp
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   7520                 | jne                 0x22
            //   68ff050000           | push                0x5ff
            //   68????????           |                     
            //   6a41                 | push                0x41

        $sequence_4 = { 8b81e4000000 85c0 7419 50 e8???????? 8b95c0000000 83c404 }
            // n = 7, score = 100
            //   8b81e4000000         | mov                 eax, dword ptr [ecx + 0xe4]
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b95c0000000         | mov                 edx, dword ptr [ebp + 0xc0]
            //   83c404               | add                 esp, 4

        $sequence_5 = { f7de 1bf6 a1???????? 81e600e0ffff 8b0d???????? 81c600200000 8b1d???????? }
            // n = 7, score = 100
            //   f7de                 | neg                 esi
            //   1bf6                 | sbb                 esi, esi
            //   a1????????           |                     
            //   81e600e0ffff         | and                 esi, 0xffffe000
            //   8b0d????????         |                     
            //   81c600200000         | add                 esi, 0x2000
            //   8b1d????????         |                     

        $sequence_6 = { 68???????? 55 e8???????? 8d1440 83c404 c1e202 52 }
            // n = 7, score = 100
            //   68????????           |                     
            //   55                   | push                ebp
            //   e8????????           |                     
            //   8d1440               | lea                 edx, [eax + eax*2]
            //   83c404               | add                 esp, 4
            //   c1e202               | shl                 edx, 2
            //   52                   | push                edx

        $sequence_7 = { e8???????? 83c418 85c0 0f8e6cfeffff 85f6 7e30 8b4704 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   0f8e6cfeffff         | jle                 0xfffffe72
            //   85f6                 | test                esi, esi
            //   7e30                 | jle                 0x32
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_8 = { 8d542410 8d44241c 52 50 51 56 e8???????? }
            // n = 7, score = 100
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_9 = { 8b6e04 89442438 8b4708 83c408 3be8 896c2410 7f24 }
            // n = 7, score = 100
            //   8b6e04               | mov                 ebp, dword ptr [esi + 4]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   83c408               | add                 esp, 8
            //   3be8                 | cmp                 ebp, eax
            //   896c2410             | mov                 dword ptr [esp + 0x10], ebp
            //   7f24                 | jg                  0x26

    condition:
        7 of them and filesize < 2015232
}
Download all Yara Rules