SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alphanc (Back to overview)

AlphaNC

Actor(s): Lazarus Group


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
Yara Rules
[TLP:WHITE] win_alphanc_auto (20211008 | Detects win.alphanc.)
rule win_alphanc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.alphanc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 e8???????? 8bf8 83c40c 85ff 744d 8b4704 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c40c               | add                 esp, 0xc
            //   85ff                 | test                edi, edi
            //   744d                 | je                  0x4f
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_1 = { 8b4504 83c004 8bf8 40 50 56 89442434 }
            // n = 7, score = 100
            //   8b4504               | mov                 eax, dword ptr [ebp + 4]
            //   83c004               | add                 eax, 4
            //   8bf8                 | mov                 edi, eax
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   56                   | push                esi
            //   89442434             | mov                 dword ptr [esp + 0x34], eax

        $sequence_2 = { e8???????? 83c40c 8bf0 85f6 0f8ef7020000 8b5c2410 c7454400000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f8ef7020000         | jle                 0x2fd
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   c7454400000000       | mov                 dword ptr [ebp + 0x44], 0

        $sequence_3 = { 0bf1 eb05 bf01000000 6a08 68???????? 8d542448 53 }
            // n = 7, score = 100
            //   0bf1                 | or                  esi, ecx
            //   eb05                 | jmp                 7
            //   bf01000000           | mov                 edi, 1
            //   6a08                 | push                8
            //   68????????           |                     
            //   8d542448             | lea                 edx, dword ptr [esp + 0x48]
            //   53                   | push                ebx

        $sequence_4 = { e8???????? 8d442408 c744240000000000 50 e8???????? 8b442474 83c404 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d442408             | lea                 eax, dword ptr [esp + 8]
            //   c744240000000000     | mov                 dword ptr [esp], 0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b442474             | mov                 eax, dword ptr [esp + 0x74]
            //   83c404               | add                 esp, 4

        $sequence_5 = { b84c000000 e8???????? 8b4514 53 56 57 8b7804 }
            // n = 7, score = 100
            //   b84c000000           | mov                 eax, 0x4c
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7804               | mov                 edi, dword ptr [eax + 4]

        $sequence_6 = { c3 8b4f14 8b542470 51 8b4c2478 55 52 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   8b542470             | mov                 edx, dword ptr [esp + 0x70]
            //   51                   | push                ecx
            //   8b4c2478             | mov                 ecx, dword ptr [esp + 0x78]
            //   55                   | push                ebp
            //   52                   | push                edx

        $sequence_7 = { 8b0d???????? 6a01 50 56 e8???????? 3d3b290000 741f }
            // n = 7, score = 100
            //   8b0d????????         |                     
            //   6a01                 | push                1
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   3d3b290000           | cmp                 eax, 0x293b
            //   741f                 | je                  0x21

        $sequence_8 = { c68424d402000071 e8???????? 83c40c 85c0 7550 6866f59b2f e8???????? }
            // n = 7, score = 100
            //   c68424d402000071     | mov                 byte ptr [esp + 0x2d4], 0x71
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7550                 | jne                 0x52
            //   6866f59b2f           | push                0x2f9bf566
            //   e8????????           |                     

        $sequence_9 = { 8b5558 8b442434 898268010000 8b7558 8b542430 50 899674010000 }
            // n = 7, score = 100
            //   8b5558               | mov                 edx, dword ptr [ebp + 0x58]
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   898268010000         | mov                 dword ptr [edx + 0x168], eax
            //   8b7558               | mov                 esi, dword ptr [ebp + 0x58]
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   50                   | push                eax
            //   899674010000         | mov                 dword ptr [esi + 0x174], edx

    condition:
        7 of them and filesize < 2015232
}
Download all Yara Rules