win.alphanc (Back to overview)

AlphaNC

Actor(s): Lazarus Group


There is no description at this point.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-05-22 | Symantec | Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
Yara Rules
[TLP:WHITE] win_alphanc_auto (20230715 | Detects win.alphanc.)
rule win_alphanc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.alphanc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Each $sequence_* string is a run of 7 consecutive 32-bit x86
     *   instructions ("n = 7" below); the per-byte comments after each string
     *   give the disassembly the generator derived the bytes from.
     * - "??" wildcards mask operand bytes that change between builds and load
     *   addresses: the rel32 of e8 (call), the imm32 of bf (mov edi, imm32) and
     *   68 (push imm32). The generator leaves the disassembly column blank for
     *   those instructions instead of recording a sample-specific target.
     * - Per the disclaimer, the sequences were taken from memory dumps and
     *   unpacked files, so a still-packed on-disk sample would likely not
     *   expose them; scan unpacked images or process memory for best coverage.
     * - Only one family sample may have been used, so treat a hit as
     *   "code overlap with that sample", not as a family-wide signature.
     */


    strings:
        $sequence_0 = { bf???????? 8db574fdffff 33c0 f3a7 753c 6a01 6a01 }
            // n = 7, score = 100
            //   bf????????           |                     
            //   8db574fdffff         | lea                 esi, [ebp - 0x28c]
            //   33c0                 | xor                 eax, eax
            //   f3a7                 | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            //   753c                 | jne                 0x3e
            //   6a01                 | push                1
            //   6a01                 | push                1

        $sequence_1 = { 8d4630 c7869000000001000000 8906 e8???????? 894650 e8???????? 894644 }
            // n = 7, score = 100
            //   8d4630               | lea                 eax, [esi + 0x30]
            //   c7869000000001000000     | mov    dword ptr [esi + 0x90], 1
            //   8906                 | mov                 dword ptr [esi], eax
            //   e8????????           |                     
            //   894650               | mov                 dword ptr [esi + 0x50], eax
            //   e8????????           |                     
            //   894644               | mov                 dword ptr [esi + 0x44], eax

        $sequence_2 = { f7d1 c1ea1f c1e91f 23d1 0be8 f7da 896c2420 }
            // n = 7, score = 100
            //   f7d1                 | not                 ecx
            //   c1ea1f               | shr                 edx, 0x1f
            //   c1e91f               | shr                 ecx, 0x1f
            //   23d1                 | and                 edx, ecx
            //   0be8                 | or                  ebp, eax
            //   f7da                 | neg                 edx
            //   896c2420             | mov                 dword ptr [esp + 0x20], ebp

        $sequence_3 = { f6c340 89442410 894c240c 751d 51 8d4e10 51 }
            // n = 7, score = 100
            //   f6c340               | test                bl, 0x40
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   751d                 | jne                 0x1f
            //   51                   | push                ecx
            //   8d4e10               | lea                 ecx, [esi + 0x10]
            //   51                   | push                ecx

        $sequence_4 = { 8b8600010000 b901000000 f6c408 7550 8b5608 813a01030000 7f45 }
            // n = 7, score = 100
            //   8b8600010000         | mov                 eax, dword ptr [esi + 0x100]
            //   b901000000           | mov                 ecx, 1
            //   f6c408               | test                ah, 8
            //   7550                 | jne                 0x52
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   813a01030000         | cmp                 dword ptr [edx], 0x301
            //   7f45                 | jg                  0x47

        $sequence_5 = { 5d 5b 81c47c010000 c3 5f 5e 5d }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   81c47c010000         | add                 esp, 0x17c
            //   c3                   | ret                 
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_6 = { e8???????? 56 68???????? 8d4c2444 6a10 51 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   68????????           |                     
            //   8d4c2444             | lea                 ecx, [esp + 0x44]
            //   6a10                 | push                0x10
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { c744242400000000 f7e1 8b7c2424 8bda c1eb07 85ff 741b }
            // n = 7, score = 100
            //   c744242400000000     | mov                 dword ptr [esp + 0x24], 0
            //   f7e1                 | mul                 ecx
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   8bda                 | mov                 ebx, edx
            //   c1eb07               | shr                 ebx, 7
            //   85ff                 | test                edi, edi
            //   741b                 | je                  0x1d

        $sequence_8 = { 8b4e20 894c2420 e8???????? 3bc5 894654 0f84a4070000 8b5608 }
            // n = 7, score = 100
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   e8????????           |                     
            //   3bc5                 | cmp                 eax, ebp
            //   894654               | mov                 dword ptr [esi + 0x54], eax
            //   0f84a4070000         | je                  0x7aa
            //   8b5608               | mov                 edx, dword ptr [esi + 8]

        $sequence_9 = { c3 57 b925000000 33c0 8bfe f3ab 8d4630 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   57                   | push                edi
            //   b925000000           | mov                 ecx, 0x25
            //   33c0                 | xor                 eax, eax
            //   8bfe                 | mov                 edi, esi
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d4630               | lea                 eax, [esi + 0x30]

    condition:
        // Any 7 of the 10 $sequence_* strings must match, and the scanned
        // object must be under 2015232 bytes (0x1EC000). The size cap is
        // emitted by the generator; presumably it bounds scan cost and keeps
        // oversized/padded objects out — not documented on the page, so
        // confirm before relaxing or dropping it.
        7 of them and filesize < 2015232
}