SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bistromath (Back to overview)

BISTROMATH

Actor(s): Lazarus Group

There is no description at this point.

References
2021-06-15KasperskySeongsu Park
@online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2021-11-03} } Andariel evolves to target South Korea with ransomware
BISTROMATH PEBBLEDASH Tiger RAT Unidentified 081 (Andariel Ransomware)
2021-05-11QianxinRed Raindrop Team
@online{team:20210511:analysis:d95ef63, author = {Red Raindrop Team}, title = {{Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait}}, date = {2021-05-11}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/}, language = {Chinese}, urldate = {2021-06-25} } Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
BISTROMATH
2021-04-19MalwarebytesHossein Jazi
@online{jazi:20210419:lazarus:dd2c372, author = {Hossein Jazi}, title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}}, date = {2021-04-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/}, language = {English}, urldate = {2021-06-25} } Lazarus APT conceals malicious code within BMP image to drop its RAT
BISTROMATH
2020-02-25SentinelOneJim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:cdab5b7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045a}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH
BISTROMATH
Yara Rules
[TLP:WHITE] win_bistromath_auto (20220516 | Detects win.bistromath.)
rule win_bistromath_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.bistromath."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5510 8955f4 85d2 753d 52 8bcb e8???????? }
            // n = 7, score = 400
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   85d2                 | test                edx, edx
            //   753d                 | jne                 0x3f
            //   52                   | push                edx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_1 = { c684242b02000065 c684242c02000073 c684242d02000073 c684242e02000000 48 8d942420020000 48 }
            // n = 7, score = 400
            //   c684242b02000065     | mov                 byte ptr [esp + 0x22b], 0x65
            //   c684242c02000073     | mov                 byte ptr [esp + 0x22c], 0x73
            //   c684242d02000073     | mov                 byte ptr [esp + 0x22d], 0x73
            //   c684242e02000000     | mov                 byte ptr [esp + 0x22e], 0
            //   48                   | dec                 eax
            //   8d942420020000       | lea                 edx, [esp + 0x220]
            //   48                   | dec                 eax

        $sequence_2 = { 8b742410 f6462c10 0f858a000000 837c247000 0f857f000000 8b442464 3b442454 }
            // n = 7, score = 400
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   f6462c10             | test                byte ptr [esi + 0x2c], 0x10
            //   0f858a000000         | jne                 0x90
            //   837c247000           | cmp                 dword ptr [esp + 0x70], 0
            //   0f857f000000         | jne                 0x85
            //   8b442464             | mov                 eax, dword ptr [esp + 0x64]
            //   3b442454             | cmp                 eax, dword ptr [esp + 0x54]

        $sequence_3 = { 7472 98 8b8c8688000000 85c9 7408 8b4944 e8???????? }
            // n = 7, score = 400
            //   7472                 | je                  0x74
            //   98                   | cwde                
            //   8b8c8688000000       | mov                 ecx, dword ptr [esi + eax*4 + 0x88]
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   8b4944               | mov                 ecx, dword ptr [ecx + 0x44]
            //   e8????????           |                     

        $sequence_4 = { 7de1 eb07 83caff 89542414 83f96c 7523 0fbe4e01 }
            // n = 7, score = 400
            //   7de1                 | jge                 0xffffffe3
            //   eb07                 | jmp                 9
            //   83caff               | or                  edx, 0xffffffff
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   83f96c               | cmp                 ecx, 0x6c
            //   7523                 | jne                 0x25
            //   0fbe4e01             | movsx               ecx, byte ptr [esi + 1]

        $sequence_5 = { c6434001 8bd6 ff4744 8bcb c7470c07000000 e8???????? 5f }
            // n = 7, score = 400
            //   c6434001             | mov                 byte ptr [ebx + 0x40], 1
            //   8bd6                 | mov                 edx, esi
            //   ff4744               | inc                 dword ptr [edi + 0x44]
            //   8bcb                 | mov                 ecx, ebx
            //   c7470c07000000       | mov                 dword ptr [edi + 0xc], 7
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_6 = { 8b7de0 8b45fc 33d2 f775d8 8b45f4 eb02 33d2 }
            // n = 7, score = 400
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   f775d8               | div                 dword ptr [ebp - 0x28]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   eb02                 | jmp                 4
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 807e0802 0f8587000000 8b5e04 e8???????? ff7508 8b0b 8bd7 }
            // n = 7, score = 400
            //   807e0802             | cmp                 byte ptr [esi + 8], 2
            //   0f8587000000         | jne                 0x8d
            //   8b5e04               | mov                 ebx, dword ptr [esi + 4]
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bd7                 | mov                 edx, edi

        $sequence_8 = { 8be5 5d c3 6aff 6a01 6aff 8d4e08 }
            // n = 7, score = 400
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   6aff                 | push                -1
            //   8d4e08               | lea                 ecx, [esi + 8]

        $sequence_9 = { 7530 8b4d0c e8???????? 85c0 7420 8b442410 f6402c20 }
            // n = 7, score = 400
            //   7530                 | jne                 0x32
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   f6402c20             | test                byte ptr [eax + 0x2c], 0x20

    condition:
        7 of them and filesize < 33816576
}
Download all Yara Rules