win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23 | ReversingLabs | Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 | US-CERT | US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 | US-CERT | US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bankshot_auto {

    /* Auto-generated opcode-sequence rule for the Malpedia family
     * win.bankshot (Bankshot, aka COPPERHEDGE).
     * The rule fires when at least 7 of the 44 hex sequences below are
     * present in a file smaller than 860160 bytes (840 KiB). Each sequence
     * is a run of x86 instruction bytes; `??` bytes are wildcards (they
     * appear here after e8 / ff15 / a1 opcodes, whose operands are
     * addresses that presumably vary between builds).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        // malpedia_rule_date matches `date` (generation day); malpedia_version
        // is presumably the Malpedia data snapshot the sequences were mined from.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the `//` disassembly annotations under each $sequence_N
     * do NOT line up with the opcode bytes on the same line. For example the
     * single byte `41` is annotated `push eax` although it encodes `inc ecx`,
     * and the annotations under $sequence_4 are the disassembly of
     * $sequence_0's bytes (mov al,[ecx] / inc ecx / test al,al / jne / push edi).
     * Treat the hex strings as authoritative and re-disassemble them before
     * reasoning about what a sequence matches. In the per-sequence header,
     * `n` is the number of instructions in the sequence; `score` is
     * presumably the weight assigned by yara-signator - TODO confirm.
     */

    strings:
        $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 300
            //   8bf8                 | dec                 eax
            //   8d5101               | lea                 ebx, [0xb1b]
            //   8a01                 | push                ecx
            //   41                   | push                eax
            //   84c0                 | push                0
            //   75f9                 | push                0xfde9
            //   57                   | call                ebx

        $sequence_1 = { 51 50 6a00 68e9fd0000 ffd3 }
            // n = 5, score = 300
            //   51                   | or                  edx, 0xffffffff
            //   50                   | dec                 eax
            //   6a00                 | mov                 ecx, edi
            //   68e9fd0000           | dec                 eax
            //   ffd3                 | mov                 ecx, edi

        $sequence_2 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 6, score = 300
            //   8bec                 | dec                 eax
            //   81ec48040000         | lea                 ebx, [0x7d99]
            //   a1????????           |                     
            //   33c5                 | dec                 eax
            //   8945f8               | lea                 edx, [esp + 0x20]
            //   53                   | dec                 eax

        $sequence_3 = { 6a06 8d90c4e10110 5f 668b02 8d5202 }
            // n = 5, score = 200
            //   6a06                 | mov                 ecx, edi
            //   8d90c4e10110         | mov                 eax, edi
            //   5f                   | mov                 dword ptr [ebp - 0x1c], ecx
            //   668b02               | cmp                 dword ptr [eax + 0x1001e1c0], ebx
            //   8d5202               | push                eax

        $sequence_4 = { 8d430c 2bce 51 56 50 e8???????? 8bc3 }
            // n = 7, score = 200
            //   8d430c               | mov                 al, byte ptr [ecx]
            //   2bce                 | inc                 ecx
            //   51                   | test                al, al
            //   56                   | jne                 3
            //   50                   | push                edi
            //   e8????????           |                     
            //   8bc3                 | add                 esp, 8

        $sequence_5 = { e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 8945e4 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c40c               | mov                 word ptr [eax + 0x6c], cx
            //   6b45e430             | mov                 eax, dword ptr [ebp + 8]
            //   8945e0               | mov                 word ptr [eax + 0x172], cx
            //   8d80d0e10110         | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [esi + 0x21c], eax

        $sequence_6 = { 0fb6c0 eb17 81fa00010000 7313 8a87bce10110 }
            // n = 5, score = 200
            //   0fb6c0               | pop                 edi
            //   eb17                 | lea                 ecx, [esi + 0xc]
            //   81fa00010000         | push                6
            //   7313                 | lea                 edx, [eax + 0x1001e1c4]
            //   8a87bce10110         | pop                 edi

        $sequence_7 = { 6800100000 ffd6 ebf7 55 8bec }
            // n = 5, score = 200
            //   6800100000           | jle                 0x79
            //   ffd6                 | cmp                 edx, 0x20
            //   ebf7                 | jb                  0x61
            //   55                   | cmp                 edx, -1
            //   8bec                 | je                  0x72

        $sequence_8 = { e8???????? 83c40c e8???????? 99 b907000000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   83c40c               | push                eax
            //   e8????????           |                     
            //   99                   | call                ebx
            //   b907000000           | push                0x800

        $sequence_9 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | lea                 eax, [eax + 0x1001e1d0]
            //   89861c020000         | mov                 eax, edi
            //   8b45e0               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8d4e0c               | cmp                 dword ptr [eax + 0x1001e1c0], ebx
            //   6a06                 | je                  0xf9
            //   8d90c4e10110         | pop                 ecx

        $sequence_10 = { 680c400000 8d84243c050000 6a00 50 e8???????? }
            // n = 5, score = 200
            //   680c400000           | xor                 ecx, ecx
            //   8d84243c050000       | test                edx, edx
            //   6a00                 | jle                 0x74
            //   50                   | cmp                 edx, 0x20
            //   e8????????           |                     

        $sequence_11 = { 83faff 7479 33c9 85d2 7e73 83fa20 7256 }
            // n = 7, score = 200
            //   83faff               | push                ecx
            //   7479                 | push                eax
            //   33c9                 | push                0
            //   85d2                 | push                0xfde9
            //   7e73                 | call                ebx
            //   83fa20               | push                ebp
            //   7256                 | mov                 ebp, esp

        $sequence_12 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 7, score = 200
            //   8b4508               | mov                 ax, word ptr [edx]
            //   c700????????         |                     
            //   8b4508               | lea                 edx, [edx + 2]
            //   898850030000         | push                edi
            //   8b4508               | xor                 edi, edi
            //   59                   | mov                 ecx, edi
            //   c74048b8e40110       | mov                 eax, edi

        $sequence_13 = { 83c408 83faff 0f84a5010000 33c9 }
            // n = 4, score = 200
            //   83c408               | sub                 esp, 0x448
            //   83faff               | xor                 eax, ebp
            //   0f84a5010000         | mov                 dword ptr [ebp - 8], eax
            //   33c9                 | push                ebx

        $sequence_14 = { 8bcf 8bc7 894de4 3998c0e10110 0f84ea000000 }
            // n = 5, score = 200
            //   8bcf                 | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8bc7                 | mov                 dword ptr [ebp - 0x20], eax
            //   894de4               | lea                 eax, [eax + 0x1001e1d0]
            //   3998c0e10110         | mov                 dword ptr [ebp - 0x1c], eax
            //   0f84ea000000         | cmp                 byte ptr [eax], 0

        $sequence_15 = { 7515 8b45fc 817848b8e40110 7409 ff7048 e8???????? 59 }
            // n = 7, score = 200
            //   7515                 | je                  0xe
            //   8b45fc               | cmp                 dword ptr [ebp - 0x718], 0x123482
            //   817848b8e40110       | je                  0x3b
            //   7409                 | mov                 eax, dword ptr [ebp - 0x720]
            //   ff7048               | je                  0x5d
            //   e8????????           |                     
            //   59                   | mov                 dword ptr [ebp - 0x470], eax

        $sequence_16 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 }
            // n = 7, score = 200
            //   c74048b8e40110       | dec                 ebx
            //   8b4508               | jne                 0x18
            //   6689486c             | mov                 eax, dword ptr [ebp - 4]
            //   8b4508               | cmp                 dword ptr [eax + 0x48], 0x1001e4b8
            //   66898872010000       | pop                 ecx
            //   8b4508               | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   83a04c03000000       | mov                 eax, dword ptr [ebp + 8]

        $sequence_17 = { ff15???????? 8d9424dc000000 56 8d8424e0080000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8d9424dc000000       | add                 esp, 0xc
            //   56                   | cdq                 
            //   8d8424e0080000       | mov                 ecx, 7

        $sequence_18 = { 837a1000 7455 8d85fcf7ffff 50 8b8df8f3ffff 83c114 51 }
            // n = 7, score = 100
            //   837a1000             | idiv                ecx
            //   7455                 | add                 esp, 0xc
            //   8d85fcf7ffff         | cdq                 
            //   50                   | mov                 ecx, 7
            //   8b8df8f3ffff         | idiv                ecx
            //   83c114               | mov                 edx, dword ptr [ecx + 0xc]
            //   51                   | push                edx

        $sequence_19 = { 52 89842491020000 e8???????? 8d842495020000 50 e8???????? 8d6c0025 }
            // n = 7, score = 100
            //   52                   | mov                 ecx, 7
            //   89842491020000       | idiv                ecx
            //   e8????????           |                     
            //   8d842495020000       | add                 esp, 0xc
            //   50                   | cdq                 
            //   e8????????           |                     
            //   8d6c0025             | mov                 ecx, 7

        $sequence_20 = { 898850030000 8b4508 59 c7404810740110 8b4508 6689486c }
            // n = 6, score = 100
            //   898850030000         | push                ebx
            //   8b4508               | mov                 edi, eax
            //   59                   | lea                 edx, [ecx + 1]
            //   c7404810740110       | mov                 al, byte ptr [ecx]
            //   8b4508               | inc                 ecx
            //   6689486c             | test                al, al

        $sequence_21 = { e8???????? 85c0 0f8497020000 51 6a04 8d45d8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [ebp - 8], eax
            //   0f8497020000         | push                ebx
            //   51                   | sub                 esp, 0x448
            //   6a04                 | xor                 eax, ebp
            //   8d45d8               | mov                 dword ptr [ebp - 8], eax

        $sequence_22 = { e8???????? 8d47fd e9???????? 4533c9 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8d47fd               | dec                 ecx
            //   e9????????           |                     
            //   4533c9               | mov                 edi, esp

        $sequence_23 = { 03048dc8887100 50 ff15???????? 5d c3 }
            // n = 5, score = 100
            //   03048dc8887100       | call                edi
            //   50                   | mov                 dword ptr [ebp - 0xc794], 0
            //   ff15????????         |                     
            //   5d                   | lea                 ecx, [ebp - 0xc794]
            //   c3                   | add                 esp, 0xc

        $sequence_24 = { 660fd645bc ffd7 68???????? 50 ffd3 6800080000 898564f2ffff }
            // n = 7, score = 100
            //   660fd645bc           | push                ebx
            //   ffd7                 | push                ebp
            //   68????????           |                     
            //   50                   | mov                 ebp, esp
            //   ffd3                 | sub                 esp, 0x448
            //   6800080000           | xor                 eax, ebp
            //   898564f2ffff         | mov                 dword ptr [ebp - 8], eax

        $sequence_25 = { 745b a1???????? 898590fbffff 8b8d90fbffff 898db8fbffff 83bdb8fbffff00 }
            // n = 6, score = 100
            //   745b                 | push                0
            //   a1????????           |                     
            //   898590fbffff         | mov                 edx, dword ptr [ebp - 0x66c]
            //   8b8d90fbffff         | push                edx
            //   898db8fbffff         | mov                 dword ptr [ebp - 0x694], eax
            //   83bdb8fbffff00       | cmp                 dword ptr [edx + 0x10], 0

        $sequence_26 = { 6a00 8b9594f9ffff 52 ff15???????? 89856cf9ffff }
            // n = 5, score = 100
            //   6a00                 | mov                 ecx, 7
            //   8b9594f9ffff         | add                 esp, 0xc
            //   52                   | cdq                 
            //   ff15????????         |                     
            //   89856cf9ffff         | mov                 ecx, 7

        $sequence_27 = { 53 56 8d84247c020000 57 }
            // n = 4, score = 100
            //   53                   | mov                 dword ptr [ebp - 0xc28], ebx
            //   56                   | call                ebx
            //   8d84247c020000       | mov                 esi, eax
            //   57                   | call                ebx

        $sequence_28 = { 8b442404 81ec08020000 85c0 53 }
            // n = 4, score = 100
            //   8b442404             | call                dword ptr [ebp - 0x68]
            //   81ec08020000         | mov                 dword ptr [ebp - 0x34], eax
            //   85c0                 | test                eax, eax
            //   53                   | mov                 edi, ecx

        $sequence_29 = { 89442440 e8???????? 85c0 0f84b9010000 bf04000000 488d542440 4d8bcd }
            // n = 7, score = 100
            //   89442440             | repne scasb         al, byte ptr es:[edi]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f84b9010000         | not                 ecx
            //   bf04000000           | lea                 eax, [edi - 3]
            //   488d542440           | inc                 ebp
            //   4d8bcd               | xor                 ecx, ecx

        $sequence_30 = { 6a03 6a00 6a01 6800000080 56 89442430 }
            // n = 6, score = 100
            //   6a03                 | add                 esp, 0xc
            //   6a00                 | cdq                 
            //   6a01                 | mov                 ecx, 7
            //   6800000080           | idiv                ecx
            //   56                   | add                 esp, 0xc
            //   89442430             | cdq                 

        $sequence_31 = { 488d542420 488d4c2428 ff15???????? 488d542430 488d4c2420 }
            // n = 5, score = 100
            //   488d542420           | dec                 eax
            //   488d4c2428           | mov                 dword ptr [esp + 0x140], eax
            //   ff15????????         |                     
            //   488d542430           | dec                 eax
            //   488d4c2420           | mov                 ebx, dword ptr [ecx]

        $sequence_32 = { 50 e8???????? 83c42c 5f eb26 8d4508 8db61ca84100 }
            // n = 7, score = 100
            //   50                   | mov                 eax, dword ptr [esp + 4]
            //   e8????????           |                     
            //   83c42c               | sub                 esp, 0x208
            //   5f                   | test                eax, eax
            //   eb26                 | push                ebx
            //   8d4508               | push                ebx
            //   8db61ca84100         | push                esi

        $sequence_33 = { 894c2444 488bcd ff15???????? 85c0 }
            // n = 4, score = 100
            //   894c2444             | mov                 edi, 4
            //   488bcd               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 edx, [esp + 0x40]

        $sequence_34 = { 50 e8???????? c745e4271a16ab 83c424 }
            // n = 4, score = 100
            //   50                   | mov                 ebp, esp
            //   e8????????           |                     
            //   c745e4271a16ab       | sub                 esp, 0x448
            //   83c424               | xor                 eax, ebp

        $sequence_35 = { 488bce e8???????? 4883c9ff 33c0 498bfc f2ae 48f7d1 }
            // n = 7, score = 100
            //   488bce               | mov                 ebx, edi
            //   e8????????           |                     
            //   4883c9ff             | dec                 eax
            //   33c0                 | mov                 ecx, esi
            //   498bfc               | dec                 eax
            //   f2ae                 | or                  ecx, 0xffffffff
            //   48f7d1               | xor                 eax, eax

        $sequence_36 = { 6a00 6a04 6a00 50 ff5598 8945cc 85c0 }
            // n = 7, score = 100
            //   6a00                 | jne                 3
            //   6a04                 | push                edi
            //   6a00                 | push                eax
            //   50                   | mov                 dword ptr [ebp - 0x1c], 0xab161a27
            //   ff5598               | add                 esp, 0x24
            //   8945cc               | test                eax, eax
            //   85c0                 | je                  0x29d

        $sequence_37 = { 85c0 740c 81bde8f8ffff82341200 742d 8b85e0f8ffff }
            // n = 5, score = 100
            //   85c0                 | ret                 
            //   740c                 | push                2
            //   81bde8f8ffff82341200     | movzx    eax, word ptr [ebp - 0x2b94]
            //   742d                 | add                 eax, 0x1a
            //   8b85e0f8ffff         | push                eax

        $sequence_38 = { 83caff 488bcf ff15???????? 488bcf ff15???????? 488d1d997d0000 }
            // n = 6, score = 100
            //   83caff               | dec                 ebp
            //   488bcf               | mov                 ecx, ebp
            //   ff15????????         |                     
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   488d1d997d0000       | xor                 eax, esp

        $sequence_39 = { 8b542420 8d4c2414 51 52 e8???????? 83c408 85c0 }
            // n = 7, score = 100
            //   8b542420             | lea                 eax, [esp + 0x27c]
            //   8d4c2414             | push                edi
            //   51                   | lea                 edx, [esp + 0xdc]
            //   52                   | push                esi
            //   e8????????           |                     
            //   83c408               | lea                 eax, [esp + 0x8e0]
            //   85c0                 | push                3

        $sequence_40 = { 6a02 0fb7856cd4ffff 83c01a 50 }
            // n = 4, score = 100
            //   6a02                 | cdq                 
            //   0fb7856cd4ffff       | mov                 ecx, 7
            //   83c01a               | add                 esp, 0xc
            //   50                   | cdq                 

        $sequence_41 = { 488b05???????? 4833c4 4889842440010000 488b19 }
            // n = 4, score = 100
            //   488b05????????       |                     
            //   4833c4               | mov                 dword ptr [esp + 0x40], eax
            //   4889842440010000     | test                eax, eax
            //   488b19               | je                  0x1c1

        $sequence_42 = { 8b510c 52 ff15???????? 8b45fc c7400c00000000 8b4dfc }
            // n = 6, score = 100
            //   8b510c               | push                0x400c
            //   52                   | lea                 eax, [esp + 0x53c]
            //   ff15????????         |                     
            //   8b45fc               | push                0
            //   c7400c00000000       | push                eax
            //   8b4dfc               | push                eax

        $sequence_43 = { ffc3 83fb02 0f82e5feffff 418bdf e9???????? }
            // n = 5, score = 100
            //   ffc3                 | inc                 ebx
            //   83fb02               | cmp                 ebx, 2
            //   0f82e5feffff         | jb                  0xfffffeeb
            //   418bdf               | inc                 ecx
            //   e9????????           |                     

    condition:
        // Any 7 of the 44 sequences above must be present; the size bound
        // (860160 bytes = 840 KiB) keeps the rule from scanning large files.
        7 of them and filesize < 860160
}