win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no curated description at this point. What the references below establish: Bankshot is the family CISA tracks as COPPERHEDGE and describes as a "North Korean Remote Access Tool" (MAR-10288834-1.v1), attributed to the Lazarus Group / HIDDEN COBRA; see the two US-CERT Malware Analysis Reports below for the analysed samples.

References
2020-08-19 · US-CERT · US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23 · ReversingLabs · Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 · US-CERT · US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 · Secureworks · SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 · US-CERT · US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_bankshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (how to read and deploy this rule)
     *
     * - The hex byte sequences are the authoritative pattern; the mnemonic
     *   next to each byte group below is a human-readable decode of THAT byte
     *   group (the generator's original annotations were shifted and did not
     *   correspond to the bytes on the same line). `??` bytes are wildcards
     *   for absolute addresses / relative call and jump targets that vary
     *   between builds and load addresses.
     *
     * - Architecture: sequences 12, 15, 26, 31, 33 and 35 carry REX prefixes
     *   (48/49/4c/41/45) and are 64-bit code; the rest are 32-bit. A single
     *   scanned object is therefore expected to hit only the subset for its
     *   own bitness, which is why the condition is "7 of them" rather than
     *   a fixed combination. The "score" values come from the generator
     *   (presumably how many reference samples share the sequence) - treat
     *   them as a relative hint, not a calibrated weight.
     *
     * - Generic-looking sequences: $sequence_0 (a1 ..; xor eax, ebp;
     *   mov [ebp-8], eax) and $sequence_31 (mov rax, [rip+..]; xor rax, rsp;
     *   mov [rsp+0x350], rax) look like compiler stack-cookie (/GS) prologues,
     *   and $sequence_3/7 are ordinary call/stack-cleanup idioms. These are
     *   shared by many MSVC binaries, so a 7-of-36 hit that leans on them is
     *   weaker evidence than one built on the more specific sequences
     *   (e.g. 5, 13, 17, 25, 27, 30 with their large ebp-relative frames).
     *   Confirm hits against the referenced MAR samples before acting on them.
     *
     * - Build-specific sequence: $sequence_11 ends in an indirect jump through
     *   an absolute jump table (ff 24 9d 34 e8 70 00 = jmp [ebx*4+0x70e834]).
     *   That address is tied to one build's image layout / preferred base and
     *   will not match a rebuilt or relocated binary; do not rely on it alone.
     *
     * - Condition: `7 of them and filesize < 860160` (840 KiB). There is
     *   deliberately no `uint16(0) == 0x5A4D` (MZ) check because the rule is
     *   meant for memory dumps and unpacked code as well as PE files; adding
     *   one would suppress matches on dumps. Per YARA's documentation
     *   `filesize` is undefined when scanning process memory, which makes the
     *   whole condition evaluate false - for live-process scans (yara -p or
     *   equivalent) drop the filesize clause or scan dumped files instead.
     *   The filesize bound also means a large container/installer that embeds
     *   the payload will not match; scan the extracted object.
     */


    strings:
        $sequence_0 = { 55 8bec 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 7, score = 200
            // Function prologue with a 0x448-byte frame; the a1/xor/mov triple is
            // consistent with an MSVC /GS stack-cookie setup (generic, see notes).
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec48040000         | sub                 esp, 0x448
            //   a1????????           | mov                 eax, dword ptr [<abs32>]
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx

        $sequence_1 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 200
            // Inline strlen-style scan: advance ecx until a NUL byte is read.
            //   8bf8                 | mov                 edi, eax
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 -7 (back to 8a01)
            //   57                   | push                edi

        $sequence_2 = { 51 50 6a00 68e9fd0000 ffd3 }
            // n = 5, score = 200
            // 0xfde9 == 65001 == CP_UTF8; the call via ebx is presumably a
            // MultiByteToWideChar/WideCharToMultiByte-style API - confirm in sample.
            //   51                   | push                ecx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ffd3                 | call                ebx

        $sequence_3 = { e8???????? 83c40c e8???????? 99 b907000000 }
            // n = 5, score = 200
            // cdq + mov ecx, 7 sets up a signed divide by 7 (idiv follows outside
            // the pattern). Generic idiom.
            //   e8????????           | call                <rel32>
            //   83c40c               | add                 esp, 0xc
            //   e8????????           | call                <rel32>
            //   99                   | cdq
            //   b907000000           | mov                 ecx, 7

        $sequence_4 = { c1e91f 03d1 6bd21a 2bfa }
            // n = 4, score = 100
            // shr 31 / add / imul 26 / sub is the compiler's signed "x mod 26"
            // idiom - consistent with alphabet-indexed (a-z) generation.
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx
            //   6bd21a               | imul                edx, edx, 0x1a
            //   2bfa                 | sub                 edi, edx

        $sequence_5 = { 898560f2ffff 8d8570f2ffff 6a00 50 }
            // n = 4, score = 100
            //   898560f2ffff         | mov                 dword ptr [ebp - 0xda0], eax
            //   8d8570f2ffff         | lea                 eax, [ebp - 0xd90]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_6 = { 8bf7 c744242400010000 8b4c2414 8b5c241c 8a06 81e1ff000000 }
            // n = 6, score = 100
            //   8bf7                 | mov                 esi, edi
            //   c744242400010000     | mov                 dword ptr [esp + 0x24], 0x100
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_7 = { 8d44247c 50 e8???????? 03f8 83c408 }
            // n = 5, score = 100
            //   8d44247c             | lea                 eax, [esp + 0x7c]
            //   50                   | push                eax
            //   e8????????           | call                <rel32>
            //   03f8                 | add                 edi, eax
            //   83c408               | add                 esp, 8

        $sequence_8 = { ff15???????? 03742428 83d700 3bfb 72ac 7704 }
            // n = 6, score = 100
            // 64-bit add (add/adc pair) followed by an unsigned compare - looks
            // like a loop over a 64-bit offset/length; confirm in sample.
            //   ff15????????         | call                dword ptr [<abs32>]
            //   03742428             | add                 esi, dword ptr [esp + 0x28]
            //   83d700               | adc                 edi, 0
            //   3bfb                 | cmp                 edi, ebx
            //   72ac                 | jb                  -0x54
            //   7704                 | ja                  +4

        $sequence_9 = { 69cf60ea0000 51 ffd0 e9???????? ff442418 68???????? }
            // n = 6, score = 100
            // 0xea60 == 60000; minutes-to-milliseconds scaling before an indirect
            // call (presumably Sleep - confirm in sample).
            //   69cf60ea0000         | imul                ecx, edi, 0xea60
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   e9????????           | jmp                 <rel32>
            //   ff442418             | inc                 dword ptr [esp + 0x18]
            //   68????????           | push                <imm32>

        $sequence_10 = { 83e103 03dd f3a4 8b742410 }
            // n = 4, score = 100
            // Tail of an inlined memcpy (remaining 0-3 bytes via rep movsb).
            //   83e103               | and                 ecx, 3
            //   03dd                 | add                 ebx, ebp
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]

        $sequence_11 = { 3bd9 0f835ffbffff 03f3 03d3 83fb1f 0f8715040000 ff249d34e87000 }
            // n = 7, score = 100
            // 32-way switch via an absolute jump table at 0x70e834 - this hard-codes
            // one build's image layout (see review notes).
            //   3bd9                 | cmp                 ebx, ecx
            //   0f835ffbffff         | jae                 -0x4a1
            //   03f3                 | add                 esi, ebx
            //   03d3                 | add                 edx, ebx
            //   83fb1f               | cmp                 ebx, 0x1f
            //   0f8715040000         | ja                  +0x415
            //   ff249d34e87000       | jmp                 dword ptr [ebx*4 + 0x70e834]

        $sequence_12 = { 803d????????55 488d3dbf870000 0f85b9faffff 660f1f840000000000 418bc6 418bcf d3e8 }
            // n = 7, score = 100
            // x86-64 code (REX prefixes).
            //   803d????????55       | cmp                 byte ptr [rip + <disp32>], 0x55
            //   488d3dbf870000       | lea                 rdi, [rip + 0x87bf]
            //   0f85b9faffff         | jne                 -0x547
            //   660f1f840000000000   | nop                 word ptr [rax + rax]
            //   418bc6               | mov                 eax, r14d
            //   418bcf               | mov                 ecx, r15d
            //   d3e8                 | shr                 eax, cl

        $sequence_13 = { 8a02 888564f8ffff 838554f8ffff01 80bd64f8ffff00 75e2 8b8d54f8ffff 2b8df4f7ffff }
            // n = 7, score = 100
            // Unoptimised byte-copy loop over a large stack frame until NUL;
            // then computes a length as the difference of two frame slots.
            //   8a02                 | mov                 al, byte ptr [edx]
            //   888564f8ffff         | mov                 byte ptr [ebp - 0x79c], al
            //   838554f8ffff01       | add                 dword ptr [ebp - 0x7ac], 1
            //   80bd64f8ffff00       | cmp                 byte ptr [ebp - 0x79c], 0
            //   75e2                 | jne                 -0x1e
            //   8b8d54f8ffff         | mov                 ecx, dword ptr [ebp - 0x7ac]
            //   2b8df4f7ffff         | sub                 ecx, dword ptr [ebp - 0x80c]

        $sequence_14 = { 837dfc00 742c 68???????? 8b45fc 50 }
            // n = 5, score = 100
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   742c                 | je                  +0x2c
            //   68????????           | push                <imm32>
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_15 = { 4889542420 488b15???????? 488bcf e8???????? e9???????? 4c8b05???????? 498d5106 }
            // n = 7, score = 100
            // x86-64 code (REX prefixes).
            //   4889542420           | mov                 qword ptr [rsp + 0x20], rdx
            //   488b15????????       | mov                 rdx, qword ptr [rip + <disp32>]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32>
            //   e9????????           | jmp                 <rel32>
            //   4c8b05????????       | mov                 r8, qword ptr [rip + <disp32>]
            //   498d5106             | lea                 rdx, [r9 + 6]

        $sequence_16 = { 0f108405f4bfffff 660fefc1 0f118405f4bfffff 83c020 3bc6 7cd1 3bc2 }
            // n = 7, score = 100
            // 16-byte SSE XOR over a ~16 KiB stack buffer in 0x20 strides -
            // consistent with an XOR decode/obfuscation loop; confirm key in sample.
            //   0f108405f4bfffff     | movups              xmm0, xmmword ptr [ebp + eax - 0x400c]
            //   660fefc1             | pxor                xmm0, xmm1
            //   0f118405f4bfffff     | movups              xmmword ptr [ebp + eax - 0x400c], xmm0
            //   83c020               | add                 eax, 0x20
            //   3bc6                 | cmp                 eax, esi
            //   7cd1                 | jl                  -0x2f
            //   3bc2                 | cmp                 eax, edx

        $sequence_17 = { 83e103 f3a4 8d85b8feffff 898590f7ffff 8b8d90f7ffff 898d44f7ffff 8b9590f7ffff }
            // n = 7, score = 100
            // memcpy tail followed by unoptimised spill/reload of a buffer address.
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d85b8feffff         | lea                 eax, [ebp - 0x148]
            //   898590f7ffff         | mov                 dword ptr [ebp - 0x870], eax
            //   8b8d90f7ffff         | mov                 ecx, dword ptr [ebp - 0x870]
            //   898d44f7ffff         | mov                 dword ptr [ebp - 0x8bc], ecx
            //   8b9590f7ffff         | mov                 edx, dword ptr [ebp - 0x870]

        $sequence_18 = { e8???????? 85c0 7433 6a00 8b9568ddffff 52 8b0d???????? }
            // n = 7, score = 100
            //   e8????????           | call                <rel32>
            //   85c0                 | test                eax, eax
            //   7433                 | je                  +0x33
            //   6a00                 | push                0
            //   8b9568ddffff         | mov                 edx, dword ptr [ebp - 0x2298]
            //   52                   | push                edx
            //   8b0d????????         | mov                 ecx, dword ptr [<abs32>]

        $sequence_19 = { 85c0 5f 753d ff15???????? 8b0d???????? 6a01 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   5f                   | pop                 edi
            //   753d                 | jne                 +0x3d
            //   ff15????????         | call                dword ptr [<abs32>]
            //   8b0d????????         | mov                 ecx, dword ptr [<abs32>]
            //   6a01                 | push                1

        $sequence_20 = { 81c2???????? e8???????? 83c404 85c0 0f8427040000 8b4608 8d8db438ffff }
            // n = 7, score = 100
            //   81c2????????         | add                 edx, <imm32>
            //   e8????????           | call                <rel32>
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f8427040000         | je                  +0x427
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8d8db438ffff         | lea                 ecx, [ebp - 0xc74c]

        $sequence_21 = { 81c4a40c0000 c3 8b0d???????? 8b15???????? 6a01 6890190000 }
            // n = 6, score = 100
            // Function epilogue (0xca4-byte frame) followed by the start of the
            // next function; 0x1990 == 6544.
            //   81c4a40c0000         | add                 esp, 0xca4
            //   c3                   | ret
            //   8b0d????????         | mov                 ecx, dword ptr [<abs32>]
            //   8b15????????         | mov                 edx, dword ptr [<abs32>]
            //   6a01                 | push                1
            //   6890190000           | push                0x1990

        $sequence_22 = { e8???????? 8bd0 83c408 83faff 747d 33c9 }
            // n = 6, score = 100
            // Checks a call result against -1 (e.g. INVALID/SOCKET_ERROR-style
            // sentinel - confirm which API in sample).
            //   e8????????           | call                <rel32>
            //   8bd0                 | mov                 edx, eax
            //   83c408               | add                 esp, 8
            //   83faff               | cmp                 edx, -1
            //   747d                 | je                  +0x7d
            //   33c9                 | xor                 ecx, ecx

        $sequence_23 = { 83faff 0f847c000000 33c0 85d2 7e76 83fa20 7256 }
            // n = 7, score = 100
            // Range check on a signed result: -1, <= 0, and < 0x20 handled separately.
            //   83faff               | cmp                 edx, -1
            //   0f847c000000         | je                  +0x7c
            //   33c0                 | xor                 eax, eax
            //   85d2                 | test                edx, edx
            //   7e76                 | jle                 +0x76
            //   83fa20               | cmp                 edx, 0x20
            //   7256                 | jb                  +0x56

        $sequence_24 = { 8bc8 b8f1197605 f7e9 c1fa05 8bc2 }
            // n = 5, score = 100
            // Compiler magic-number division (multiply by 0x057619f1, sar 5).
            //   8bc8                 | mov                 ecx, eax
            //   b8f1197605           | mov                 eax, 0x57619f1
            //   f7e9                 | imul                ecx
            //   c1fa05               | sar                 edx, 5
            //   8bc2                 | mov                 eax, edx

        $sequence_25 = { 899590f8ffff 8b8590f8ffff 898540f8ffff 8b8d68f8ffff }
            // n = 4, score = 100
            // Unoptimised store/reload through frame slots.
            //   899590f8ffff         | mov                 dword ptr [ebp - 0x770], edx
            //   8b8590f8ffff         | mov                 eax, dword ptr [ebp - 0x770]
            //   898540f8ffff         | mov                 dword ptr [ebp - 0x7c0], eax
            //   8b8d68f8ffff         | mov                 ecx, dword ptr [ebp - 0x798]

        $sequence_26 = { 48895c2408 57 4883ec20 488d1d33220000 }
            // n = 4, score = 100
            // x86-64 function prologue (home-space spill + 0x20 shadow space).
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   488d1d33220000       | lea                 rbx, [rip + 0x2233]

        $sequence_27 = { ff15???????? 33c0 8dbe14020000 6689845de8fbffff 3807 0f847f000000 }
            // n = 6, score = 100
            // Writes a zero WCHAR into a wide-char frame buffer indexed by ebx,
            // then tests a byte at [esi+0x214].
            //   ff15????????         | call                dword ptr [<abs32>]
            //   33c0                 | xor                 eax, eax
            //   8dbe14020000         | lea                 edi, [esi + 0x214]
            //   6689845de8fbffff     | mov                 word ptr [ebp + ebx*2 - 0x418], ax
            //   3807                 | cmp                 byte ptr [edi], al
            //   0f847f000000         | je                  +0x7f

        $sequence_28 = { eb4b e8???????? eb44 8d4b0c 51 }
            // n = 5, score = 100
            //   eb4b                 | jmp                 +0x4b
            //   e8????????           | call                <rel32>
            //   eb44                 | jmp                 +0x44
            //   8d4b0c               | lea                 ecx, [ebx + 0xc]
            //   51                   | push                ecx

        $sequence_29 = { 68???????? ff15???????? 85c0 0f8433f9ffff }
            // n = 4, score = 100
            //   68????????           | push                <imm32>
            //   ff15????????         | call                dword ptr [<abs32>]
            //   85c0                 | test                eax, eax
            //   0f8433f9ffff         | je                  -0x6cd

        $sequence_30 = { 0f8449020000 8b95ccf3ffff 81c2e80e0000 52 68???????? 8d85d0fbffff 50 }
            // n = 7, score = 100
            // Passes (struct + 0xee8) and a 0x430-offset frame buffer to a call.
            //   0f8449020000         | je                  +0x249
            //   8b95ccf3ffff         | mov                 edx, dword ptr [ebp - 0xc34]
            //   81c2e80e0000         | add                 edx, 0xee8
            //   52                   | push                edx
            //   68????????           | push                <imm32>
            //   8d85d0fbffff         | lea                 eax, [ebp - 0x430]
            //   50                   | push                eax

        $sequence_31 = { 488b05???????? 4833c4 4889842450030000 488d4c2440 488d153b940000 41b810030000 e8???????? }
            // n = 7, score = 100
            // x86-64 prologue; load/xor-with-rsp/store is consistent with an MSVC
            // /GS stack cookie (generic, see review notes). 0x310 == 784.
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32>]
            //   4833c4               | xor                 rax, rsp
            //   4889842450030000     | mov                 qword ptr [rsp + 0x350], rax
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   488d153b940000       | lea                 rdx, [rip + 0x943b]
            //   41b810030000         | mov                 r8d, 0x310
            //   e8????????           | call                <rel32>

        $sequence_32 = { eb3b 8d85e0f3ffff 0f57c0 50 }
            // n = 4, score = 100
            //   eb3b                 | jmp                 +0x3b
            //   8d85e0f3ffff         | lea                 eax, [ebp - 0xc20]
            //   0f57c0               | xorps               xmm0, xmm0
            //   50                   | push                eax

        $sequence_33 = { 75df 488d542420 488bcb ff15???????? 488d15e2e90000 488d4c2420 }
            // n = 6, score = 100
            // x86-64 code (REX prefixes).
            //   75df                 | jne                 -0x21
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   488d15e2e90000       | lea                 rdx, [rip + 0xe9e2]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]

        $sequence_34 = { 8bcf 50 e8???????? 85c0 0f848c000000 }
            // n = 5, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   e8????????           | call                <rel32>
            //   85c0                 | test                eax, eax
            //   0f848c000000         | je                  +0x8c

        $sequence_35 = { 4883ec20 c705????????01000000 488d3d35a40000 488d1d56a40000 b9e8030000 ff15???????? 4533db }
            // n = 7, score = 100
            // x86-64 code; sets a global to 1 and passes 0x3e8 (1000) to an
            // imported function - presumably Sleep(1000), confirm in sample.
            //   4883ec20             | sub                 rsp, 0x20
            //   c705????????01000000 | mov                 dword ptr [rip + <disp32>], 1
            //   488d3d35a40000       | lea                 rdi, [rip + 0xa435]
            //   488d1d56a40000       | lea                 rbx, [rip + 0xa456]
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   4533db               | xor                 r11d, r11d

    condition:
        // No MZ/PE check on purpose (rule targets dumps and unpacked code);
        // `filesize` is undefined for process-memory scans - see review notes.
        7 of them and filesize < 860160
}