win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no description at this point. (Of the references below, the CISA report MAR-10288834-1.v1 describes the COPPERHEDGE alias as a North Korean remote access tool.)

References
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-08-19 — US-CERT — US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23 — ReversingLabs — Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 — US-CERT — US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 — US-CERT — US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20210616 | Detects win.bankshot.)
rule win_bankshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.bankshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reviewer-added; the hex byte patterns below are untouched)
     * - Only the bytes inside { } are matched. The "| mnemonic" text after each
     *   byte group is a disassembly aid and has no effect on matching. In the
     *   generated output that aid was out of step with the bytes for many of
     *   the sequences (e.g. $sequence_6 carried the prologue annotation that
     *   belongs to $sequence_1); the annotations have been re-derived from the
     *   bytes. Jump targets follow the generator's convention: the jump
     *   instruction itself is at offset 0, so "jne 0xfffffffb" is -5 bytes.
     * - Mixed bitness: $sequence_24, _26, _27, _28, _36, _40 and _43 carry REX
     *   prefixes (48/4c/4d/41/45) and are x64 code; every other sequence is
     *   32-bit. The condition requires "7 of them" and exactly seven sequences
     *   are x64, so a 64-bit sample has to contain every one of them (barring
     *   coincidental hits on 32-bit sequences). Expect weaker coverage of x64
     *   builds than of x86 builds.
     * - Several 32-bit sequences embed absolute addresses of the form
     *   0x1001xxxx ($sequence_3, _4, _5, _7, _8, _10, _12, _15, _17). These
     *   presumably only hold when the module is loaded at its preferred image
     *   base; a relocated in-memory image may not match them. Confirm against
     *   the reference samples before relying on those sequences for memory
     *   scanning.
     * - "n" is the instruction count of a sequence; "score" is the generator's
     *   weight. The 300-score sequences look like those shared by the most
     *   reference samples, but treat the number as a triage hint and check the
     *   yara-signator documentation for its exact meaning.
     * - filesize < 860160 (840 KiB) is a file-level bound. Per the YARA
     *   documentation, filesize is undefined when scanning process memory, so
     *   the condition will not hold in that mode — verify with the YARA version
     *   in use before deploying this rule for memory scans.
     */

    strings:
        $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 300
            // inlined strlen-style scan: walks bytes until a NUL is found
            //   8bf8                 | mov                 edi, eax
            //   8d5101               | lea                 edx, dword ptr [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb   (back to mov al, [ecx])
            //   57                   | push                edi

        $sequence_1 = { 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 5, score = 300
            // function prologue with a 0x448-byte frame; a global xor'ed with ebp
            // and stored at [ebp-8] looks like the MSVC /GS stack-cookie setup
            // (the global's address is wildcarded) — confirm
            //   81ec48040000         | sub                 esp, 0x448
            //   a1????????           | mov                 eax, dword ptr [<abs32>]
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx

        $sequence_2 = { 51 50 6a00 68e9fd0000 ffd3 }
            // n = 5, score = 300
            // 0xfde9 = 65001 = CP_UTF8; presumably a MultiByteToWideChar /
            // WideCharToMultiByte call through ebx — the callee is not part of
            // the sequence, so confirm
            //   51                   | push                ecx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ffd3                 | call                ebx

        $sequence_3 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            // 0x1001e1c4 is an absolute address (image-base dependent, see notes)
            //   e8????????           | call                <rel32>
            //   83c404               | add                 esp, 4
            //   89861c020000         | mov                 dword ptr [esi + 0x21c], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8d4e0c               | lea                 ecx, dword ptr [esi + 0xc]
            //   6a06                 | push                6
            //   8d90c4e10110         | lea                 edx, dword ptr [eax + 0x1001e1c4]

        $sequence_4 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 }
            // n = 7, score = 200
            // object initialisation through [ebp+8]; the constant 0x1001e4b8 stored
            // at offset 0x48 is the same one compared in $sequence_10 and stored
            // in $sequence_15 (absolute address, image-base dependent)
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6689486c             | mov                 word ptr [eax + 0x6c], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66898872010000       | mov                 word ptr [eax + 0x172], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83a04c03000000       | and                 dword ptr [eax + 0x34c], 0

        $sequence_5 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 }
            // n = 6, score = 200
            // index * 0x30 added to 0x1001e1d0: element access into a table of
            // 0x30-byte entries at an absolute address (image-base dependent)
            //   50                   | push                eax
            //   e8????????           | call                <rel32>
            //   83c40c               | add                 esp, 0xc
            //   6b45e430             | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d80d0e10110         | lea                 eax, dword ptr [eax + 0x1001e1d0]

        $sequence_6 = { 8b85c0baffff 85c0 740d 50 ffd7 }
            // n = 5, score = 200
            // (annotation corrected) if the value at [ebp-0x4540] is non-zero it is
            // passed to a function held in edi — presumably a handle release, confirm
            //   8b85c0baffff         | mov                 eax, dword ptr [ebp - 0x4540]
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_7 = { 8d80d0e10110 8945e4 803800 8bc8 }
            // n = 4, score = 200
            // same 0x1001e1d0 table as $sequence_5; tests whether the entry's first
            // byte is NUL
            //   8d80d0e10110         | lea                 eax, dword ptr [eax + 0x1001e1d0]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   803800               | cmp                 byte ptr [eax], 0
            //   8bc8                 | mov                 ecx, eax

        $sequence_8 = { 8d90c4e10110 5f 668b02 8d5202 }
            // n = 4, score = 200
            // 16-bit read from the 0x1001e1c4 table (absolute address, see notes)
            //   8d90c4e10110         | lea                 edx, dword ptr [eax + 0x1001e1c4]
            //   5f                   | pop                 edi
            //   668b02               | mov                 ax, word ptr [edx]
            //   8d5202               | lea                 edx, dword ptr [edx + 2]

        $sequence_9 = { 50 6a14 e8???????? 83c40c }
            // n = 4, score = 200
            // (annotation corrected) three-argument cdecl call, second argument 0x14
            //   50                   | push                eax
            //   6a14                 | push                0x14
            //   e8????????           | call                <rel32>
            //   83c40c               | add                 esp, 0xc

        $sequence_10 = { 817848b8e40110 7409 ff7048 e8???????? 59 c70701000000 8bcf }
            // n = 7, score = 200
            // compares [eax+0x48] against the 0x1001e4b8 constant from $sequence_4
            // and, if different, passes it to a cdecl call (one arg popped into ecx)
            //   817848b8e40110       | cmp                 dword ptr [eax + 0x48], 0x1001e4b8
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           | call                <rel32>
            //   59                   | pop                 ecx
            //   c70701000000         | mov                 dword ptr [edi], 1
            //   8bcf                 | mov                 ecx, edi

        $sequence_11 = { 83c40c e8???????? 99 b907000000 f7f9 }
            // n = 5, score = 200
            // (annotation corrected) signed divide of a call result by 7
            // (quotient in eax, remainder in edx)
            //   83c40c               | add                 esp, 0xc
            //   e8????????           | call                <rel32>
            //   99                   | cdq
            //   b907000000           | mov                 ecx, 7
            //   f7f9                 | idiv                ecx

        $sequence_12 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 }
            // n = 7, score = 200
            // loop start: counter zeroed, then compared against a global at
            // 0x1001e1c0 (absolute address, see notes)
            //   e9????????           | jmp                 <rel32>
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8bcf                 | mov                 ecx, edi
            //   8bc7                 | mov                 eax, edi
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3998c0e10110         | cmp                 dword ptr [eax + 0x1001e1c0], ebx

        $sequence_13 = { 6828050000 57 50 e8???????? 83c40c 39bdecbfffff }
            // n = 6, score = 200
            // (annotation corrected) three-argument cdecl call with size 0x528,
            // then a comparison against a local at [ebp-0x4014]
            //   6828050000           | push                0x528
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           | call                <rel32>
            //   83c40c               | add                 esp, 0xc
            //   39bdecbfffff         | cmp                 dword ptr [ebp - 0x4014], edi

        $sequence_14 = { 83c404 85c0 0f8475030000 8b1d???????? 0f1f440000 }
            // n = 5, score = 200
            // (annotation corrected) zero-check on a call result with a long forward
            // jump; the multi-byte nop is typical compiler padding at a loop head
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f8475030000         | je                  0x37b
            //   8b1d????????         | mov                 ebx, dword ptr [<abs32>]
            //   0f1f440000           | nop                 dword ptr [eax + eax]

        $sequence_15 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 7, score = 200
            // object initialisation through [ebp+8], same 0x1001e4b8 constant at
            // offset 0x48 as in $sequence_4 / $sequence_10
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c700????????         | mov                 dword ptr [eax], <imm32>
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   898850030000         | mov                 dword ptr [eax + 0x350], ecx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8

        $sequence_16 = { 8bb5b8fbffff c1e902 f3a5 8bca 8d9314020000 83e103 f3a4 }
            // n = 7, score = 200
            // (annotation corrected) inlined memcpy: copy dwords, then the 0-3
            // remaining bytes; destination is a struct field at [ebx+0x214]
            //   8bb5b8fbffff         | mov                 esi, dword ptr [ebp - 0x448]
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd
            //   8bca                 | mov                 ecx, edx
            //   8d9314020000         | lea                 edx, dword ptr [ebx + 0x214]
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb

        $sequence_17 = { 8b4508 dd00 ebc6 c745e078410110 e9???????? c745e080410110 }
            // n = 6, score = 100
            // switch-like tail: loads a double from [ebp+8] and selects one of two
            // absolute addresses (0x10014178 / 0x10014180) into [ebp-0x20]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e078410110       | mov                 dword ptr [ebp - 0x20], 0x10014178
            //   e9????????           | jmp                 <rel32>
            //   c745e080410110       | mov                 dword ptr [ebp - 0x20], 0x10014180

        $sequence_18 = { 6a7f 6a00 8d8d7dffffff 51 e8???????? 83c40c }
            // n = 6, score = 100
            // (annotation corrected) cdecl call with (buf=[ebp-0x83], 0, 0x7f) —
            // presumably memset; the callee is not in the sequence
            //   6a7f                 | push                0x7f
            //   6a00                 | push                0
            //   8d8d7dffffff         | lea                 ecx, dword ptr [ebp - 0x83]
            //   51                   | push                ecx
            //   e8????????           | call                <rel32>
            //   83c40c               | add                 esp, 0xc

        $sequence_19 = { 894c2444 c644241851 c6442419f0 c644241af4 c644241b89 c644241c60 c644241d77 }
            // n = 7, score = 100
            // (annotation corrected) byte-by-byte construction of a stack buffer at
            // [esp+0x18] from immediates — consistent with an encoded string or
            // key being assembled on the stack, confirm
            //   894c2444             | mov                 dword ptr [esp + 0x44], ecx
            //   c644241851           | mov                 byte ptr [esp + 0x18], 0x51
            //   c6442419f0           | mov                 byte ptr [esp + 0x19], 0xf0
            //   c644241af4           | mov                 byte ptr [esp + 0x1a], 0xf4
            //   c644241b89           | mov                 byte ptr [esp + 0x1b], 0x89
            //   c644241c60           | mov                 byte ptr [esp + 0x1c], 0x60
            //   c644241d77           | mov                 byte ptr [esp + 0x1d], 0x77

        $sequence_20 = { 0f84b6fbffff 6800040000 8d8424bc0c0000 6a00 50 e8???????? }
            // n = 6, score = 100
            // cdecl call with (buf=[esp+0xcbc], 0, 0x400) — presumably memset of a
            // 1 KiB buffer; the callee is not in the sequence
            //   0f84b6fbffff         | je                  0xfffffbbc
            //   6800040000           | push                0x400
            //   8d8424bc0c0000       | lea                 eax, dword ptr [esp + 0xcbc]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           | call                <rel32>

        $sequence_21 = { 7508 83ee01 8b45e4 79e3 8b45f4 }
            // n = 5, score = 100
            // countdown loop on esi with a backward jump while non-negative
            //   7508                 | jne                 0xa
            //   83ee01               | sub                 esi, 1
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   79e3                 | jns                 0xffffffe5
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_22 = { 8b9554f8ffff 8a02 888564f8ffff 838554f8ffff01 80bd64f8ffff00 75e2 }
            // n = 6, score = 100
            // (annotation corrected) unoptimised byte-scan loop: read byte at
            // pointer [ebp-0x7ac], advance the pointer, loop until the byte is NUL
            //   8b9554f8ffff         | mov                 edx, dword ptr [ebp - 0x7ac]
            //   8a02                 | mov                 al, byte ptr [edx]
            //   888564f8ffff         | mov                 byte ptr [ebp - 0x79c], al
            //   838554f8ffff01       | add                 dword ptr [ebp - 0x7ac], 1
            //   80bd64f8ffff00       | cmp                 byte ptr [ebp - 0x79c], 0
            //   75e2                 | jne                 0xffffffe4

        $sequence_23 = { f644241810 7437 8b0e 8b94246c020000 }
            // n = 4, score = 100
            // (annotation corrected) flag test on a stack byte
            //   f644241810           | test                byte ptr [esp + 0x18], 0x10
            //   7437                 | je                  0x39
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b94246c020000       | mov                 edx, dword ptr [esp + 0x26c]

        $sequence_24 = { 488d0d0f7f0000 4533c9 48c744243000000000 4d63fd }
            // n = 4, score = 100
            // x64 code (REX prefixes); the generated aid decoded it as 32-bit.
            // Win64 call setup: rcx = rip-relative pointer, r9 = 0, 5th stack arg = 0
            //   488d0d0f7f0000       | lea                 rcx, [rip + 0x7f0f]
            //   4533c9               | xor                 r9d, r9d
            //   48c744243000000000   | mov                 qword ptr [rsp + 0x30], 0
            //   4d63fd               | movsxd              r15, r13d

        $sequence_25 = { 8d8dc4f6ffff 51 6a00 6a00 6800000008 }
            // n = 5, score = 100
            // (annotation corrected) argument pushes for a call outside the
            // sequence: (0x08000000, 0, 0, &local[ebp-0x93c]); 0x08000000 reads as
            // a flag value — identify the callee before naming it
            //   8d8dc4f6ffff         | lea                 ecx, dword ptr [ebp - 0x93c]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000008           | push                0x8000000

        $sequence_26 = { 488985a0030000 33f6 4c8bf9 4d8be8 4c89442448 }
            // n = 5, score = 100
            // x64 code (REX prefixes); saves incoming rcx/r8 into callee-saved
            // registers — function entry after the prologue
            //   488985a0030000       | mov                 qword ptr [rbp + 0x3a0], rax
            //   33f6                 | xor                 esi, esi
            //   4c8bf9               | mov                 r15, rcx
            //   4d8be8               | mov                 r13, r8
            //   4c89442448           | mov                 qword ptr [rsp + 0x48], r8

        $sequence_27 = { ff15???????? 41b94a000000 488d1575510000 458d41e4 488d4dc0 }
            // n = 5, score = 100
            // x64 code (REX prefixes). Win64 call setup: r9d = 0x4a, r8d = 0x4a-0x1c
            // = 0x2e, rdx = rip-relative pointer, rcx = local buffer at [rbp-0x40];
            // compare with $sequence_40, which has the same shape with 0x44 / 0x0e
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   41b94a000000         | mov                 r9d, 0x4a
            //   488d1575510000       | lea                 rdx, [rip + 0x5175]
            //   458d41e4             | lea                 r8d, [r9 - 0x1c]
            //   488d4dc0             | lea                 rcx, [rbp - 0x40]

        $sequence_28 = { 4183c541 ff15???????? 448be0 b889b5f814 41f7ec }
            // n = 5, score = 100
            // x64 code (REX prefixes). imul of a call result by the fixed constant
            // 0x14f8b589 — presumably a compiler-strength-reduced division, confirm
            //   4183c541             | add                 r13d, 0x41
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   448be0               | mov                 r12d, eax
            //   b889b5f814           | mov                 eax, 0x14f8b589
            //   41f7ec               | imul                r12d

        $sequence_29 = { 83c404 8d4c0042 51 6a40 ff15???????? }
            // n = 5, score = 100
            // (annotation corrected) allocation-sized call: size = 2*eax + 0x42 with
            // a 0x40 flag argument — presumably LocalAlloc(LPTR, ...), confirm
            //   83c404               | add                 esp, 4
            //   8d4c0042             | lea                 ecx, dword ptr [eax + eax + 0x42]
            //   51                   | push                ecx
            //   6a40                 | push                0x40
            //   ff15????????         | call                dword ptr [<abs32>]

        $sequence_30 = { 8be5 5d c20c00 8d8380000000 }
            // n = 4, score = 100
            // stdcall epilogue (three dword args) followed by the next function's
            // code
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   8d8380000000         | lea                 eax, dword ptr [ebx + 0x80]

        $sequence_31 = { 83fbff 750e ff15???????? 5b 81c434020000 c3 }
            // n = 6, score = 100
            // (annotation corrected) ebx compared with -1 (the INVALID_HANDLE_VALUE
            // convention — presumably a failed handle) before an import call and
            // function exit with a 0x234-byte frame
            //   83fbff               | cmp                 ebx, -1
            //   750e                 | jne                 0x10
            //   ff15????????         | call                dword ptr [<abs32>]
            //   5b                   | pop                 ebx
            //   81c434020000         | add                 esp, 0x234
            //   c3                   | ret

        $sequence_32 = { b8e4160000 e8???????? 55 33ed }
            // n = 4, score = 100
            // (annotation corrected) eax = 0x16e4 followed by a call is the shape
            // of an MSVC stack-probe (__chkstk) for a 0x16e4-byte frame — confirm
            //   b8e4160000           | mov                 eax, 0x16e4
            //   e8????????           | call                <rel32>
            //   55                   | push                ebp
            //   33ed                 | xor                 ebp, ebp

        $sequence_33 = { 8b8dd8feffff 83c101 898dd8feffff 8b95e4feffff }
            // n = 4, score = 100
            // (annotation corrected) unoptimised loop-counter increment on a local
            //   8b8dd8feffff         | mov                 ecx, dword ptr [ebp - 0x128]
            //   83c101               | add                 ecx, 1
            //   898dd8feffff         | mov                 dword ptr [ebp - 0x128], ecx
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]

        $sequence_34 = { 99 f7b9e81b0000 8b45f4 0390ec1b0000 }
            // n = 4, score = 100
            // (annotation corrected) signed divide by a struct field at [ecx+0x1be8];
            // the remainder (edx) is then offset by the neighbouring field 0x1bec
            //   99                   | cdq
            //   f7b9e81b0000         | idiv                dword ptr [ecx + 0x1be8]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0390ec1b0000         | add                 edx, dword ptr [eax + 0x1bec]

        $sequence_35 = { 81ec5c060000 8b0d???????? a1???????? 8b15???????? 894c2404 33c9 89442400 }
            // n = 7, score = 100
            // (annotation corrected) prologue with a 0x65c-byte frame that copies
            // three globals (addresses wildcarded) into stack slots
            //   81ec5c060000         | sub                 esp, 0x65c
            //   8b0d????????         | mov                 ecx, dword ptr [<abs32>]
            //   a1????????           | mov                 eax, dword ptr [<abs32>]
            //   8b15????????         | mov                 edx, dword ptr [<abs32>]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   33c9                 | xor                 ecx, ecx
            //   89442400             | mov                 dword ptr [esp], eax

        $sequence_36 = { 488bcb ff15???????? 488d15dee40000 488d4c2420 488905???????? ff15???????? 807c242000 }
            // n = 7, score = 100
            // x64 code (REX prefixes). Two import calls; the first result is stored
            // in a global, the second takes (rcx=[rsp+0x20], rdx=rip-relative data)
            // and its output byte at [rsp+0x20] is tested for NUL
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   488d15dee40000       | lea                 rdx, [rip + 0xe4de]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   488905????????       | mov                 qword ptr [rip + <disp32>], rax
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   807c242000           | cmp                 byte ptr [rsp + 0x20], 0

        $sequence_37 = { 81bd78f8ffff04010000 7302 eb05 e8???????? }
            // n = 4, score = 100
            // (annotation corrected) bound check against 0x104 (260, the MAX_PATH
            // value); an unsigned compare that skips one jump when the local is
            // already >= 0x104
            //   81bd78f8ffff04010000 | cmp                 dword ptr [ebp - 0x788], 0x104
            //   7302                 | jae                 0x4
            //   eb05                 | jmp                 0x7
            //   e8????????           | call                <rel32>

        $sequence_38 = { eb1e 837df861 7c08 837df87a 7f02 }
            // n = 5, score = 100
            // (annotation corrected) range test of a local against 0x61..0x7a,
            // i.e. ASCII 'a'..'z'
            //   eb1e                 | jmp                 0x20
            //   837df861             | cmp                 dword ptr [ebp - 8], 0x61
            //   7c08                 | jl                  0xa
            //   837df87a             | cmp                 dword ptr [ebp - 8], 0x7a
            //   7f02                 | jg                  0x4

        $sequence_39 = { c1e91f 03d1 6bd21a 2bf2 }
            // n = 4, score = 100
            // (annotation corrected) tail of a signed modulo-26 computation
            // (sign fix-up, multiply quotient by 0x1a, subtract) — consistent with
            // the 'a'..'z' check in $sequence_38, i.e. an alphabet transform
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx
            //   6bd21a               | imul                edx, edx, 0x1a
            //   2bf2                 | sub                 esi, edx

        $sequence_40 = { 488d15b5540000 458d41ca 488d4dd0 ff15???????? 41b944000000 }
            // n = 5, score = 100
            // x64 code (REX prefixes). Same call shape as $sequence_27: r8d = r9-0x36,
            // rdx = rip-relative data, rcx = local at [rbp-0x30]; r9d reloaded with
            // 0x44 for the next call
            //   488d15b5540000       | lea                 rdx, [rip + 0x54b5]
            //   458d41ca             | lea                 r8d, [r9 - 0x36]
            //   488d4dd0             | lea                 rcx, [rbp - 0x30]
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   41b944000000         | mov                 r9d, 0x44

        $sequence_41 = { 0f848e000000 6a00 6a00 6a00 68???????? 85c0 6a00 }
            // n = 7, score = 100
            // (annotation corrected) argument pushes (three zeros and a wildcarded
            // immediate, likely a pointer) interleaved with a zero test
            //   0f848e000000         | je                  0x94
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           | push                <imm32>
            //   85c0                 | test                eax, eax
            //   6a00                 | push                0

        $sequence_42 = { 68???????? 56 89853cf7ffff ff15???????? 68???????? 56 }
            // n = 6, score = 100
            // two consecutive import calls with (esi, <imm32>) arguments; the first
            // result is kept at [ebp-0x8c4]
            //   68????????           | push                <imm32>
            //   56                   | push                esi
            //   89853cf7ffff         | mov                 dword ptr [ebp - 0x8c4], eax
            //   ff15????????         | call                dword ptr [<abs32>]
            //   68????????           | push                <imm32>
            //   56                   | push                esi

        $sequence_43 = { 0305???????? 3bc1 0f8f8a000000 f605????????04 745d 33d2 488d44246c }
            // n = 7, score = 100
            // x64 code (REX prefix on the last instruction; the memory operands are
            // rip-relative). Compares an accumulated global against ecx and tests
            // bit 2 of a global flag byte
            //   0305????????         | add                 eax, dword ptr [rip + <disp32>]
            //   3bc1                 | cmp                 eax, ecx
            //   0f8f8a000000         | jg                  0x90
            //   f605????????04       | test                byte ptr [rip + <disp32>], 4
            //   745d                 | je                  0x5f
            //   33d2                 | xor                 edx, edx
            //   488d44246c           | lea                 rax, [rsp + 0x6c]

    condition:
        // any 7 of the 44 sequences; see REVIEW NOTES on the x64 subset and on
        // filesize being undefined for process-memory scans
        7 of them and filesize < 860160
}