win.banpolmex

BanPolMex RAT

Actor(s): Lazarus Group


BanPolMex is a remote access trojan that uses TCP for communication.

It uses Spritz, an RC4-like stream cipher (Rivest and Schuldt, 2014), to encrypt its configuration and its network traffic.

It sends detailed information about the victim's environment: computer name, Windows version, free memory and free space on all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.

It supports almost 30 commands, covering operations on the victim's filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker's C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers; in this case, however, the indices can be read as ASCII mnemonics that hint at the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.
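The two paragraphs above describe what an analyst needs in order to read this RAT's traffic: a Spritz keystream to strip the encryption, and a way to turn the 32-bit command index back into its ASCII mnemonic. The following is an added example, not code from the RAT or from the ESET and Virus Bulletin analyses. It implements Spritz exactly as specified in the Rivest and Schuldt paper (N = 256, byte-wise addition mod 256 for encryption), which is checked against the paper's published keystream vectors; the RAT's own key derivation, IV handling and whether it adds or XORs the keystream are not given on this page and are not claimed here. The little-endian byte order of the command DWORD, the NUL padding of three-letter tags, and the message layout used by `parse_message` (command DWORD followed by payload) are assumptions made for the example.

```python
"""Spritz stream cipher (Rivest & Schuldt, 2014; N = 256) plus a decoder for
ASCII command tags.  Added example; not the RAT's code."""
from math import gcd

N = 256  # Spritz state size from the paper; the RAT's parameters are not on the page


class Spritz:
    """Spritz sponge state, following the paper's pseudocode (all indices mod N)."""

    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(N))

    def _swap(self, x, y):
        self.S[x], self.S[y] = self.S[y], self.S[x]

    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        self._swap(self.i, self.j)

    def _output(self):
        S = self.S
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z

    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w += 1                       # keep w coprime to N (odd for N = 256)
        while gcd(self.w, N) != 1:
            self.w += 1

    def _crush(self):
        for v in range(N // 2):           # sort each mirrored pair, losing one bit each
            if self.S[v] > self.S[N - 1 - v]:
                self._swap(v, N - 1 - v)

    def _shuffle(self):
        self._whip(2 * N); self._crush()
        self._whip(2 * N); self._crush()
        self._whip(2 * N)
        self.a = 0

    def _absorb_nibble(self, x):
        if self.a == N // 2:
            self._shuffle()
        self._swap(self.a, N // 2 + x)
        self.a += 1

    def absorb(self, data: bytes):
        for b in data:                    # low nibble first, then high nibble
            self._absorb_nibble(b & 0x0F)
            self._absorb_nibble(b >> 4)

    def drip(self) -> int:
        if self.a > 0:
            self._shuffle()
        self._update()
        return self._output()

    def squeeze(self, r: int) -> bytes:
        if self.a > 0:
            self._shuffle()
        return bytes(self.drip() for _ in range(r))


def spritz_keystream(key: bytes, length: int) -> bytes:
    """KeySetup(key) followed by Squeeze(length), as in the paper."""
    st = Spritz()
    st.absorb(key)
    return st.squeeze(length)


def spritz_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Paper's Encrypt: C = M + Squeeze(|M|), byte-wise mod 256 (addition, not XOR)."""
    ks = spritz_keystream(key, len(plaintext))
    return bytes((m + z) & 0xFF for m, z in zip(plaintext, ks))


def spritz_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    ks = spritz_keystream(key, len(ciphertext))
    return bytes((c - z) & 0xFF for c, z in zip(ciphertext, ks))


# Mnemonics listed on this page.  Little-endian byte order and NUL padding of
# the three-letter tags are assumptions for this example.
KNOWN_TAGS = frozenset("SLEP HIBN DRIV DIR DIRP CHDR RUN RUNX DEL WIPE MOVE FTIM NEWF "
                       "DOWN ZDWN UPLD PVEW PKIL CMDL DIE GCFG SCFG TCON PEEX PEIN".split())


def command_tag(dword: int) -> str:
    """Render a 32-bit command index as its ASCII mnemonic, or flag it as unknown."""
    tag = dword.to_bytes(4, "little").rstrip(b"\x00").decode("ascii", errors="replace")
    return tag if tag in KNOWN_TAGS else f"UNKNOWN(0x{dword:08x})"


def parse_message(key: bytes, ciphertext: bytes):
    """Decrypt one (assumed) message of the form <command DWORD><payload>."""
    plain = spritz_decrypt(key, ciphertext)
    return command_tag(int.from_bytes(plain[:4], "little")), plain[4:]


if __name__ == "__main__":
    # Constructed traffic: a DIR command carrying a path, encrypted with a toy key.
    blob = spritz_encrypt(b"example-key", b"DIR\x00" + b"C:\\Users")
    print(parse_message(b"example-key", blob))
```

Because Spritz adds rather than XORs the keystream, a decryptor that XORs (as one would for RC4) produces garbage even with the right key; when reversing a sample, confirm which operation the binary performs before blaming the key material.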

Its internal DLL name is aclui.dll. It contains statically linked code from open-source libraries such as libcurl (version 7.47.1) and zlib (version 0.15).

BanPolMex RAT was delivered to victims of a watering-hole campaign, discovered in February 2017, that targeted employees of Polish and Mexican banks. It is usually loaded by HOTWAX.

References
2018-10-03 | Virus Bulletin | Michal Poslušný, Peter Kálnai
Lazarus Group: A Mahjong Game Played with Different Sets of Tiles
Families: Bankshot, BanPolMex RAT, FuwuqiDrama, HOTWAX, KillDisk (Lazarus), NACHOCHEESE, REDSHAWL, WannaCryptor

2017-02-16 | ESET Research | Peter Kálnai
Demystifying targeted malware used against Polish banks
Families: BanPolMex RAT, HOTWAX, NACHOCHEESE
Yara Rules
[TLP:WHITE] win_banpolmex_auto (20260504 | Detects win.banpolmex.)
rule win_banpolmex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.banpolmex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d05bd9c0700 0f1f440000 837afc00 7406 66833a00 7512 4883c206 }
            // n = 7, score = 100
            //   488d05bd9c0700       | test                byte ptr [ebx + 0x368], 0x10
            //   0f1f440000           | mov                 ecx, 0x300
            //   837afc00             | and                 word ptr [ebx + 0x368], ax
            //   7406                 | xor                 eax, eax
            //   66833a00             | cmp                 byte ptr [ebx + 0x25e], 0xfe
            //   7512                 | sete                al
            //   4883c206             | and                 ax, 1

        $sequence_1 = { 488b0f 85c0 488d55e0 410f45de e8???????? 488b0f 85c0 }
            // n = 7, score = 100
            //   488b0f               | dec                 eax
            //   85c0                 | add                 ecx, 0x1c4
            //   488d55e0             | test                eax, eax
            //   410f45de             | je                  0x1490
            //   e8????????           |                     
            //   488b0f               | dec                 eax
            //   85c0                 | test                edi, edi

        $sequence_2 = { 41bd04000000 488945f7 488d4577 4c8d45f7 488d557f 458bcd 4883c9ff }
            // n = 7, score = 100
            //   41bd04000000         | dec                 esp
            //   488945f7             | lea                 eax, [ebp - 9]
            //   488d4577             | dec                 eax
            //   4c8d45f7             | lea                 edx, [ebp + 0x7f]
            //   488d557f             | inc                 ebp
            //   458bcd               | mov                 ecx, ebp
            //   4883c9ff             | dec                 eax

        $sequence_3 = { 4d8bc5 2bde 413bde 410f4fde 4903cf 8d5302 e8???????? }
            // n = 7, score = 100
            //   4d8bc5               | lea                 edx, [eax + 1]
            //   2bde                 | mov                 ecx, 0x40
            //   413bde               | dec                 esp
            //   410f4fde             | mov                 dword ptr [esp + 0x2e8], esp
            //   4903cf               | dec                 esp
            //   8d5302               | mov                 dword ptr [esp + 0x298], esi
            //   e8????????           |                     

        $sequence_4 = { 0f85c7010000 498b4e08 448bff e8???????? 4d8b4e58 498b4650 4c8b23 }
            // n = 7, score = 100
            //   0f85c7010000         | lea                 edx, [0x3422e]
            //   498b4e08             | inc                 esp
            //   448bff               | mov                 eax, ebx
            //   e8????????           |                     
            //   4d8b4e58             | dec                 esp
            //   498b4650             | mov                 ecx, eax
            //   4c8b23               | dec                 eax

        $sequence_5 = { 85c0 0f857e020000 4885db 741f 488b4b18 4c8d86c0000000 488d9680000000 }
            // n = 7, score = 100
            //   85c0                 | je                  0xbae
            //   0f857e020000         | dec                 eax
            //   4885db               | lea                 edx, [ebx + 0x311]
            //   741f                 | dec                 ecx
            //   488b4b18             | mov                 ecx, ebp
            //   4c8d86c0000000       | inc                 ecx
            //   488d9680000000       | cmp                 esi, 0x3b

        $sequence_6 = { 488d4c2440 e8???????? 807c242200 0f848e000000 488d4c2440 e8???????? 8bd8 }
            // n = 7, score = 100
            //   488d4c2440           | dec                 eax
            //   e8????????           |                     
            //   807c242200           | add                 ecx, 0x168
            //   0f848e000000         | inc                 ecx
            //   488d4c2440           | mov                 eax, 0x30
            //   e8????????           |                     
            //   8bd8                 | dec                 eax

        $sequence_7 = { 4883ec20 b9d0000000 e8???????? 488bd8 4885c0 7430 33d2 }
            // n = 7, score = 100
            //   4883ec20             | lea                 eax, [0x1b20a]
            //   b9d0000000           | dec                 eax
            //   e8????????           |                     
            //   488bd8               | lea                 edx, [0x1c873]
            //   4885c0               | dec                 eax
            //   7430                 | mov                 ecx, ebx
            //   33d2                 | jne                 0x1fae

        $sequence_8 = { 897b08 33c0 4c8b6c2438 4c8b642440 4883c448 415f 415e }
            // n = 7, score = 100
            //   897b08               | lea                 ecx, [ebp + 0x5c0]
            //   33c0                 | dec                 esp
            //   4c8b6c2438           | mov                 ecx, esi
            //   4c8b642440           | mov                 edx, 0x103
            //   4883c448             | inc                 ecx
            //   415f                 | mov                 eax, 0x24c
            //   415e                 | mov                 dword ptr [esp + 0x30], edi

        $sequence_9 = { 5e 5d 5b e9???????? 83fe0e 7324 85ed }
            // n = 7, score = 100
            //   5e                   | inc                 ecx
            //   5d                   | mov                 eax, 4
            //   5b                   | dec                 eax
            //   e9????????           |                     
            //   83fe0e               | mov                 edx, ebx
            //   7324                 | test                eax, eax
            //   85ed                 | je                  0x1ba

    condition:
        7 of them and filesize < 1555456
}