win.alreay (Back to overview)

Alreay

Actor(s): Lazarus Group


Alreay is a remote access trojan (RAT) that communicates with its command-and-control (C&C) server over either HTTP(S) or raw TCP.

Its configuration is stored in the Windows registry and is encrypted with either RC4 or DES; the specific key or value used is not documented here.

It sends detailed information about the victim's environment to the C&C server, including the computer name, Windows version,
system locale, and network configuration.

It supports nearly 25 commands, covering operations on the victim's filesystem, basic process management, file exfiltration, command-line execution, and process injection of an executable downloaded from the attacker's C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integer constants with values such as 0x21A8B293, 0x23FAE29C or 0x91B93485; these constants are a useful pivot when triaging a suspected sample in a disassembler.

It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries such as Mbed TLS or zlib (version 1.0.1). Because that library code also appears in benign software, detection logic should not rely on those routines alone.

Alreay was observed in 2016-2017 on the networks of banks running SWIFT Alliance software.

References
2017-04-03 — Kaspersky Labs (GReAT)
Lazarus under the Hood
Alreay DYEPACK
2017-04-03 — Kaspersky Labs (GReAT)
Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_alreay_auto (20260504 | Detects win.alreay.)
rule win_alreay_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.alreay."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N below is a 7-instruction fragment of 32-bit x86 code
     *   taken from the disassembly; the "n = 7, score = 200" comments record the
     *   instruction count and the generator's selection score and play no part
     *   in the condition.
     * - The "????????" wildcards stand for operands that change per build or
     *   load address: rel32 call targets (e8), absolute import-table slots
     *   (ff15) and an imm32 pointer (bf). The surrounding opcode bytes are
     *   matched exactly, so a recompiled or re-linked sample may not match.
     * - The family description notes statically linked Mbed TLS / zlib code.
     *   Any fragment that originates from such library code would also appear
     *   in benign binaries embedding the same library; the 7-of-10 threshold
     *   in the condition is what keeps a single shared fragment from matching
     *   on its own.
     * - NOTE(review): `filesize` is only meaningful when scanning a file on
     *   disk. Confirm how the YARA version in use evaluates this condition on
     *   process-memory scans before relying on the rule for live-memory hunting.
     */


    strings:
        // Stores ebx at [edi+0x2c], then compares ebp against a field at a large
        // struct offset ([esi+0x8708]); on mismatch skips ahead, otherwise loads
        // the neighbouring field [esi+0x870c].
        $sequence_0 = { 895f2c 8b8608870000 8bd5 3bd0 7528 8b960c870000 8bc3 }
            // n = 7, score = 200
            //   895f2c               | mov                 dword ptr [edi + 0x2c], ebx
            //   8b8608870000         | mov                 eax, dword ptr [esi + 0x8708]
            //   8bd5                 | mov                 edx, ebp
            //   3bd0                 | cmp                 edx, eax
            //   7528                 | jne                 0x2a
            //   8b960c870000         | mov                 edx, dword ptr [esi + 0x870c]
            //   8bc3                 | mov                 eax, ebx

        // NULL checks: a field at +0x1e4 of the first stack argument, then the
        // second stack argument itself.
        $sequence_1 = { 8b442404 8b88e4010000 85c9 746c 8b4c2408 85c9 7564 }
            // n = 7, score = 200
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8b88e4010000         | mov                 ecx, dword ptr [eax + 0x1e4]
            //   85c9                 | test                ecx, ecx
            //   746c                 | je                  0x6e
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c9                 | test                ecx, ecx
            //   7564                 | jne                 0x66

        // Tail of a cdecl call with three arguments (esp cleanup of 0xc) whose
        // return value is kept in esi and tested for non-zero.
        $sequence_2 = { 51 52 e8???????? 8bf0 83c40c 85f6 755a }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   755a                 | jne                 0x5c

        // Argument setup (a stack buffer at esp+0x130 among them) preceding an
        // indirect call through an absolute address, i.e. an import-table call.
        $sequence_3 = { 8d842430010000 51 8b4c242c 23f0 56 51 ff15???????? }
            // n = 7, score = 200
            //   8d842430010000       | lea                 eax, [esp + 0x130]
            //   51                   | push                ecx
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   23f0                 | and                 esi, eax
            //   56                   | push                esi
            //   51                   | push                ecx
            //   ff15????????         |                     

        // Inline memcmp idiom: compares 11 dwords (44 bytes) at ebx against a
        // fixed address held in edi (the wildcarded imm32), branching on mismatch.
        $sequence_4 = { eb38 b90b000000 bf???????? 8bf3 33c0 66f3a7 750a }
            // n = 7, score = 200
            //   eb38                 | jmp                 0x3a
            //   b90b000000           | mov                 ecx, 0xb
            //   bf????????           |                     
            //   8bf3                 | mov                 esi, ebx
            //   33c0                 | xor                 eax, eax
            //   66f3a7               | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            //   750a                 | jne                 0xc

        // 32-bit rotate of ebp by 10 bits (shr 22 | shl 10). Rotates like this
        // are typical of hash/cipher round functions; NOTE(review): this may
        // come from the statically linked crypto library rather than from
        // Alreay-specific code — unconfirmed.
        $sequence_5 = { 8bdd c1eb16 c1e50a 0bdd 8b6c2428 895c241c 8bd8 }
            // n = 7, score = 200
            //   8bdd                 | mov                 ebx, ebp
            //   c1eb16               | shr                 ebx, 0x16
            //   c1e50a               | shl                 ebp, 0xa
            //   0bdd                 | or                  ebx, ebp
            //   8b6c2428             | mov                 ebp, dword ptr [esp + 0x28]
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   8bd8                 | mov                 ebx, eax

        // Function epilogue returning the constant 0xffffed00 (-0x1300) after a
        // one-argument import call. NOTE(review): a negative code of this shape
        // resembles a library error code; if so, the fragment is shared with
        // benign binaries embedding the same library — verify before weighting.
        $sequence_6 = { ff15???????? 83c404 b800edffff 5f 5e 5d 5b }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   b800edffff           | mov                 eax, 0xffffed00
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

        // A `ret` followed by the next block: one-argument call on [esp+0x18]
        // whose result is stored through the pointer held at [ebp+0x4c].
        $sequence_7 = { c3 8b742418 56 e8???????? 8b4d4c 83c404 8901 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b4d4c               | mov                 ecx, dword ptr [ebp + 0x4c]
            //   83c404               | add                 esp, 4
            //   8901                 | mov                 dword ptr [ecx], eax

        // Initialises two stack slots (esp+4, esp+8) with eax and pushes the
        // arguments for a following call.
        $sequence_8 = { 8b4c2460 89442404 89442408 8b442464 50 8d542408 51 }
            // n = 7, score = 200
            //   8b4c2460             | mov                 ecx, dword ptr [esp + 0x60]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b442464             | mov                 eax, dword ptr [esp + 0x64]
            //   50                   | push                eax
            //   8d542408             | lea                 edx, [esp + 8]
            //   51                   | push                ecx

        // Call taking an object pointer (eax) and its +4 field as arguments
        // (three-argument cdecl, esp cleanup of 0xc); return value tested.
        $sequence_9 = { 8b4804 51 50 e8???????? 83c40c 85c0 7508 }
            // n = 7, score = 200
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa

    condition:
        // At least 7 of the 10 code fragments must be present. The size bound
        // (1867776 bytes, ~1.78 MiB) is a cheap pre-filter against large files.
        7 of them and filesize < 1867776
}