win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no description at this point. For technical analysis see the US-CERT malware analysis reports referenced below (MAR-10288834-1.v1 on COPPERHEDGE and MAR-10135536-B).

References
2020-06-23 | ReversingLabs | Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 | US-CERT | US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 | US-CERT | US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_bankshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review; meta, hex strings and condition are
     * byte-identical to the generated rule -- only comments were changed)
     *
     * 1. Annotation fix. In the generated output the "| mnemonic" column next
     *    to each byte sequence was shifted against the bytes it sat beside
     *    (e.g. 0x51 was annotated "dec ebx" although it encodes "push ecx",
     *    and "sbb ecx, ecx" appeared under $sequence_3 although 1bc9 lives in
     *    $sequence_32). The per-byte comments below were re-decoded from the
     *    hex. The hex is the signature; the comments are documentation only
     *    and are not parsed by YARA.
     *
     * 2. Two architectures. The score-200 sequences are 32-bit code. Among the
     *    score-100 sequences, $sequence_20, 22, 27, 28, 34 and 38 carry REX
     *    prefixes (0x40-0x4d) and are x64 code; the generator's 32-bit
     *    decoding rendered those prefixes as "dec eax" / "inc ecx" and so on.
     *    A 64-bit sample mostly has to be matched by those six plus whatever
     *    arch-neutral sequences happen to be present, so expect lower recall
     *    on x64 samples than on x86 ones.
     *
     * 3. Absolute addresses baked in. $sequence_1, 4, 8, 9, 10, 12, 14 and 15
     *    carry 0x1001e1bc..0x1001e4b8 and $sequence_36 carries 0x7188c8 as
     *    literal operands. These look like fixed image addresses of the
     *    sample(s) the rule was generated from (0x10000000 is the usual MSVC
     *    default DLL base -- confirm against the source samples). They will
     *    not match a sample that was relocated, rebased by ASLR in a memory
     *    dump, or rebuilt with a different base; if such a sample still
     *    triggers, it does so via the position-independent sequences only.
     *
     * 4. Possible library/boilerplate code. $sequence_36 (sar edx,6;
     *    imul ecx,eax,0x30; table[edx*4]; byte [eax+ecx+0x28]; test al,0x48)
     *    has the shape of an MSVC CRT file-handle table lookup, and
     *    $sequence_2 / $sequence_7 (call; cdq; idiv) are generic arithmetic --
     *    these may also occur in benign MSVC-built binaries. Weight a hit that
     *    consists mostly of such sequences lower than one that includes the
     *    address-bearing or API-call sequences.
     *
     * 5. Scanning context. "filesize < 860160" is only defined when scanning a
     *    file on disk; YARA treats a comparison on an undefined filesize as
     *    not matching (confirm with your YARA version). Since the strings were
     *    selected from memory dumps and unpacked files, scan dumped/unpacked
     *    images written to disk rather than packed droppers or live memory.
     *
     * 6. Metadata. "date" says 2020-05-30 while malpedia_rule_date and the
     *    page header say 20200529 -- confirm which is authoritative before
     *    using the field for versioning.
     */


    strings:
        $sequence_0 = { 8b0d???????? 51 8b0d???????? e8???????? }
            // n = 4, score = 200
            //   8b0d????????         | mov                 ecx, dword ptr [imm32]   (data ref wildcarded)
            //   51                   | push                ecx
            //   8b0d????????         | mov                 ecx, dword ptr [imm32]   (data ref wildcarded)
            //   e8????????           | call                rel32                    (target wildcarded)

        $sequence_1 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 }
            // n = 7, score = 200
            //   e9????????           | jmp                 rel32                    (target wildcarded)
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8bcf                 | mov                 ecx, edi
            //   8bc7                 | mov                 eax, edi
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3998c0e10110         | cmp                 dword ptr [eax + 0x1001e1c0], ebx   (absolute address baked in)

        $sequence_2 = { e8???????? 83c404 e8???????? 99 f7fe }
            // n = 5, score = 200  -- generic call/cdq/idiv pattern, see review note 4
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   e8????????           | call                rel32
            //   99                   | cdq
            //   f7fe                 | idiv                esi

        $sequence_3 = { 6801001000 ff15???????? 85c0 7441 6a00 50 ff15???????? }
            // n = 7, score = 200
            //   6801001000           | push                0x100001
            //   ff15????????         | call                dword ptr [imm32]        (import ref wildcarded)
            //   85c0                 | test                eax, eax
            //   7441                 | je                  +0x41
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_4 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   89861c020000         | mov                 dword ptr [esi + 0x21c], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8d4e0c               | lea                 ecx, [esi + 0xc]
            //   6a06                 | push                6
            //   8d90c4e10110         | lea                 edx, [eax + 0x1001e1c4]   (absolute address baked in)

        $sequence_5 = { 53 6aff 56 6a00 ff15???????? }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_6 = { 50 8913 ff15???????? 56 ff15???????? 8bc7 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8913                 | mov                 dword ptr [ebx], edx
            //   ff15????????         | call                dword ptr [imm32]
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [imm32]
            //   8bc7                 | mov                 eax, edi

        $sequence_7 = { e8???????? 83c40c e8???????? 99 b907000000 f7f9 }
            // n = 6, score = 200  -- generic call/cdq/idiv-by-7 pattern, see review note 4
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   e8????????           | call                rel32
            //   99                   | cdq
            //   b907000000           | mov                 ecx, 7
            //   f7f9                 | idiv                ecx

        $sequence_8 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 8945e4 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   6b45e430             | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d80d0e10110         | lea                 eax, [eax + 0x1001e1d0]   (absolute address baked in)
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_9 = { 817848b8e40110 7409 ff7048 e8???????? 59 }
            // n = 5, score = 200
            //   817848b8e40110       | cmp                 dword ptr [eax + 0x48], 0x1001e4b8   (absolute address baked in)
            //   7409                 | je                  +9
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           | call                rel32
            //   59                   | pop                 ecx

        $sequence_10 = { c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 6, score = 200
            //   c700????????         | mov                 dword ptr [eax], imm32   (value wildcarded)
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   898850030000         | mov                 dword ptr [eax + 0x350], ecx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8   (absolute address baked in)

        $sequence_11 = { 5b c3 ff15???????? 5f 5e b801000000 }
            // n = 6, score = 200
            //   5b                   | pop                 ebx
            //   c3                   | ret
            //   ff15????????         | call                dword ptr [imm32]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1

        $sequence_12 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 }
            // n = 7, score = 200
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8   (absolute address baked in)
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6689486c             | mov                 word ptr [eax + 0x6c], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66898872010000       | mov                 word ptr [eax + 0x172], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83a04c03000000       | and                 dword ptr [eax + 0x34c], 0

        $sequence_13 = { 7418 6a08 68???????? 56 e8???????? 83c40c 85c0 }
            // n = 7, score = 200
            //   7418                 | je                  +0x18
            //   6a08                 | push                8
            //   68????????           | push                imm32                    (data ref wildcarded)
            //   56                   | push                esi
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_14 = { 8a87bce10110 08441619 42 0fb64101 3bd0 76e5 83c102 }
            // n = 7, score = 200
            //   8a87bce10110         | mov                 al, byte ptr [edi + 0x1001e1bc]   (absolute address baked in)
            //   08441619             | or                  byte ptr [esi + edx + 0x19], al
            //   42                   | inc                 edx
            //   0fb64101             | movzx               eax, byte ptr [ecx + 1]
            //   3bd0                 | cmp                 edx, eax
            //   76e5                 | jbe                 -0x1b
            //   83c102               | add                 ecx, 2

        $sequence_15 = { 6a06 8d90c4e10110 5f 668b02 8d5202 }
            // n = 5, score = 200
            //   6a06                 | push                6
            //   8d90c4e10110         | lea                 edx, [eax + 0x1001e1c4]   (absolute address baked in)
            //   5f                   | pop                 edi
            //   668b02               | mov                 ax, word ptr [edx]
            //   8d5202               | lea                 edx, [edx + 2]

        $sequence_16 = { ff15???????? 8b460c 8b3d???????? 85c0 740a 50 ffd7 }
            // n = 7, score = 200
            //   ff15????????         | call                dword ptr [imm32]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   8b3d????????         | mov                 edi, dword ptr [imm32]   (data ref wildcarded)
            //   85c0                 | test                eax, eax
            //   740a                 | je                  +0xa
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_17 = { e8???????? 83c404 8bd8 53 6a01 }
            // n = 5, score = 200
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx
            //   6a01                 | push                1

        $sequence_18 = { 3d00040000 0f8712010000 c684056cf7ffff00 81bd64f7ffff09303b00 0f85fa000000 }
            // n = 5, score = 100
            //   3d00040000           | cmp                 eax, 0x400
            //   0f8712010000         | ja                  +0x112
            //   c684056cf7ffff00     | mov                 byte ptr [ebp + eax - 0x894], 0
            //   81bd64f7ffff09303b00 | cmp                 dword ptr [ebp - 0x89c], 0x3b3009
            //   0f85fa000000         | jne                 +0xfa

        $sequence_19 = { 8b8544f8ffff 8985dcf7ffff 8b8d2cf8ffff 8a11 88956ef8ffff }
            // n = 5, score = 100
            //   8b8544f8ffff         | mov                 eax, dword ptr [ebp - 0x7bc]
            //   8985dcf7ffff         | mov                 dword ptr [ebp - 0x824], eax
            //   8b8d2cf8ffff         | mov                 ecx, dword ptr [ebp - 0x7d4]
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   88956ef8ffff         | mov                 byte ptr [ebp - 0x792], dl

        $sequence_20 = { 33d2 41b803010000 4088b580010000 e8???????? 8d563a 488bcb ff15???????? }
            // n = 7, score = 100  -- x64 (REX-prefixed), see review note 2
            //   33d2                 | xor                 edx, edx
            //   41b803010000         | mov                 r8d, 0x103
            //   4088b580010000       | mov                 byte ptr [rbp + 0x180], sil
            //   e8????????           | call                rel32
            //   8d563a               | lea                 edx, [rsi + 0x3a]
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + imm32]

        $sequence_21 = { ff74240c 8d84241c380000 50 56 }
            // n = 4, score = 100
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8d84241c380000       | lea                 eax, [esp + 0x381c]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_22 = { 7410 33d2 ff15???????? 83f8ff 7510 488bcd }
            // n = 6, score = 100  -- x64 (REX-prefixed), see review note 2
            //   7410                 | je                  +0x10
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + imm32]
            //   83f8ff               | cmp                 eax, -1
            //   7510                 | jne                 +0x10
            //   488bcd               | mov                 rcx, rbp

        $sequence_23 = { 89742420 eb08 c744242000000000 68???????? ff15???????? 85c0 }
            // n = 6, score = 100
            //   89742420             | mov                 dword ptr [esp + 0x20], esi
            //   eb08                 | jmp                 +8
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   68????????           | push                imm32                    (data ref wildcarded)
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax

        $sequence_24 = { 750e 0fb744243a 394304 0f8f6bffffff b801000000 }
            // n = 5, score = 100
            //   750e                 | jne                 +0xe
            //   0fb744243a           | movzx               eax, word ptr [esp + 0x3a]
            //   394304               | cmp                 dword ptr [ebx + 4], eax
            //   0f8f6bffffff         | jg                  -0x95
            //   b801000000           | mov                 eax, 1

        $sequence_25 = { 8b4df8 8bf8 85ff 75d3 }
            // n = 4, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   75d3                 | jne                 -0x2d

        $sequence_26 = { 68???????? 53 89459c ffd7 }
            // n = 4, score = 100
            //   68????????           | push                imm32                    (data ref wildcarded)
            //   53                   | push                ebx
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   ffd7                 | call                edi

        $sequence_27 = { 894c2420 ff15???????? 488bc8 ff15???????? eb07 }
            // n = 5, score = 100  -- x64 (REX-prefixed), see review note 2
            //   894c2420             | mov                 dword ptr [rsp + 0x20], ecx
            //   ff15????????         | call                qword ptr [rip + imm32]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + imm32]
            //   eb07                 | jmp                 +7

        $sequence_28 = { 4d8bc6 ba5c341200 498bcd e8???????? e9???????? 488bc8 ff15???????? }
            // n = 7, score = 100  -- x64 (REX-prefixed), see review note 2
            //   4d8bc6               | mov                 r8, r14
            //   ba5c341200           | mov                 edx, 0x12345c
            //   498bcd               | mov                 rcx, r13
            //   e8????????           | call                rel32
            //   e9????????           | jmp                 rel32
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + imm32]

        $sequence_29 = { 6bc03c 0305???????? 3bc2 7f13 8b05???????? 6bc03c 0305???????? }
            // n = 7, score = 100
            //   6bc03c               | imul                eax, eax, 0x3c
            //   0305????????         | add                 eax, dword ptr [imm32]   (data ref wildcarded)
            //   3bc2                 | cmp                 eax, edx
            //   7f13                 | jg                  +0x13
            //   8b05????????         | mov                 eax, dword ptr [imm32]   (data ref wildcarded)
            //   6bc03c               | imul                eax, eax, 0x3c
            //   0305????????         | add                 eax, dword ptr [imm32]   (data ref wildcarded)

        $sequence_30 = { 51 8d95f4fdffff 52 8b4d0c e8???????? }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]
            //   52                   | push                edx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   e8????????           | call                rel32

        $sequence_31 = { 68???????? 50 ffd3 8d4dac 898568f2ffff 8d5101 }
            // n = 6, score = 100
            //   68????????           | push                imm32                    (data ref wildcarded)
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   898568f2ffff         | mov                 dword ptr [ebp - 0xd98], eax
            //   8d5101               | lea                 edx, [ecx + 1]

        $sequence_32 = { 1bc9 81e100308000 51 8d4dd4 }
            // n = 4, score = 100
            //   1bc9                 | sbb                 ecx, ecx
            //   81e100308000         | and                 ecx, 0x803000
            //   51                   | push                ecx
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]

        $sequence_33 = { 8d95e8f8ffff 52 8b4d10 e8???????? 85c0 }
            // n = 5, score = 100
            //   8d95e8f8ffff         | lea                 edx, [ebp - 0x718]
            //   52                   | push                edx
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax

        $sequence_34 = { 488d55e0 488bcb ff15???????? 4885c0 0f85c9020000 448d4868 }
            // n = 6, score = 100  -- x64 (REX-prefixed), see review note 2
            //   488d55e0             | lea                 rdx, [rbp - 0x20]
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + imm32]
            //   4885c0               | test                rax, rax
            //   0f85c9020000         | jne                 +0x2c9
            //   448d4868             | lea                 r9d, [rax + 0x68]

        $sequence_35 = { 7e04 33c0 eb2b 8b5508 0fbf4204 85c0 7e1b }
            // n = 7, score = 100
            //   7e04                 | jle                 +4
            //   33c0                 | xor                 eax, eax
            //   eb2b                 | jmp                 +0x2b
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0fbf4204             | movsx               eax, word ptr [edx + 4]
            //   85c0                 | test                eax, eax
            //   7e1b                 | jle                 +0x1b

        $sequence_36 = { 8bd6 c1fa06 6bc830 8b0495c8887100 8a440828 a848 7404 }
            // n = 7, score = 100  -- resembles MSVC CRT handle-table lookup, see review note 4
            //   8bd6                 | mov                 edx, esi
            //   c1fa06               | sar                 edx, 6
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495c8887100       | mov                 eax, dword ptr [edx*4 + 0x7188c8]   (absolute address baked in)
            //   8a440828             | mov                 al, byte ptr [eax + ecx + 0x28]
            //   a848                 | test                al, 0x48
            //   7404                 | je                  +4

        $sequence_37 = { 50 e8???????? 83c404 83bd88f8ffff00 740d 8b8d88f8ffff 51 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   83bd88f8ffff00       | cmp                 dword ptr [ebp - 0x778], 0
            //   740d                 | je                  +0xd
            //   8b8d88f8ffff         | mov                 ecx, dword ptr [ebp - 0x778]
            //   51                   | push                ecx

        $sequence_38 = { 0f857c010000 33d2 41b800010000 488bce e8???????? }
            // n = 5, score = 100  -- x64 (REX-prefixed), see review note 2
            //   0f857c010000         | jne                 +0x17c
            //   33d2                 | xor                 edx, edx
            //   41b800010000         | mov                 r8d, 0x100
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                rel32

        $sequence_39 = { c70300000000 8d8650200000 50 ff55cc 68240f0000 85c0 742f }
            // n = 7, score = 100
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   8d8650200000         | lea                 eax, [esi + 0x2050]
            //   50                   | push                eax
            //   ff55cc               | call                dword ptr [ebp - 0x34]
            //   68240f0000           | push                0xf24
            //   85c0                 | test                eax, eax
            //   742f                 | je                  +0x2f

    condition:
        // 7 of 40 sequences; filesize is only defined for on-disk scans (review note 5)
        7 of them and filesize < 860160
}