win.bistromath (Back to overview)

BISTROMATH

Actor(s): Lazarus Group, Silent Chollima


No description of this family is available yet.

References
2021-06-15 | Kaspersky | Seongsu Park
@online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2023-09-22} } Andariel evolves to target South Korea with ransomware
BISTROMATH PEBBLEDASH TigerLite Tiger RAT Unidentified 081 (Andariel Ransomware)
2021-05-11 | Qianxin | Red Raindrop Team
@online{team:20210511:analysis:d95ef63, author = {Red Raindrop Team}, title = {{Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait}}, date = {2021-05-11}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/}, language = {Chinese}, urldate = {2023-09-22} } Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
BISTROMATH TigerLite
2021-04-19 | Malwarebytes | Hossein Jazi
@online{jazi:20210419:lazarus:dd2c372, author = {Hossein Jazi}, title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}}, date = {2021-04-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/}, language = {English}, urldate = {2021-06-25} } Lazarus APT conceals malicious code within BMP image to drop its RAT
BISTROMATH
2020-02-25 | SentinelOne | Jim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:cdab5b7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045a}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH
BISTROMATH
Yara Rules
[TLP:WHITE] win_bistromath_auto (20230715 | Detects win.bistromath.)
rule win_bistromath_auto {

    // Auto-generated code-pattern rule for the BISTROMATH family (attributed on
    // this page to Lazarus Group / Silent Chollima). Each $sequence_N string is
    // a run of x86 instruction bytes lifted from a disassembled sample; "??"
    // bytes are wildcards. In most sequences the wildcard covers the rel32
    // operand of e8 (call), so matching does not depend on where the callee
    // lands in a given build; in $sequence_2 it covers the imm32 of a mov,
    // which looks like a masked data reference (cf. "datarefs" in
    // signator_config) -- confirm against the yara-signator docs.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bistromath."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath"
        // malpedia_rule_date / malpedia_version differ from "date" above; they
        // track the Malpedia corpus snapshot and release, not the rule edit.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Note for deployers: because the sequences come from unpacked code, this
    // rule is meant for memory dumps and unpacked files; a packed on-disk
    // sample will generally not expose these byte runs. Each sequence is
    // followed by its disassembly for review. "n" is the number of
    // instructions in the sequence; "score" is presumably yara-signator's
    // ranking score for the sequence -- confirm against the tool docs.

    strings:
        $sequence_0 = { c744242c00000000 eb0b 8bce e8???????? 8944242c 8b44240c 33f6 }
            // n = 7, score = 400
            //   c744242c00000000     | mov                 dword ptr [esp + 0x2c], 0
            //   eb0b                 | jmp                 0xd
            //   8bce                 | mov                 ecx, esi
            //   e8????????           | call                <rel32 wildcarded>
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   33f6                 | xor                 esi, esi

        $sequence_1 = { 8bcb 23550c 234d10 0bd1 750f 0bf3 7506 }
            // n = 7, score = 400
            //   8bcb                 | mov                 ecx, ebx
            //   23550c               | and                 edx, dword ptr [ebp + 0xc]
            //   234d10               | and                 ecx, dword ptr [ebp + 0x10]
            //   0bd1                 | or                  edx, ecx
            //   750f                 | jne                 0x11
            //   0bf3                 | or                  esi, ebx
            //   7506                 | jne                 8

        $sequence_2 = { c704b0???????? 8b4748 8b75d8 894108 ff4748 8b4108 8945c0 }
            // n = 7, score = 400
            //   c704b0????????       | mov                 dword ptr [eax + esi*4], <imm32 wildcarded>
            //   8b4748               | mov                 eax, dword ptr [edi + 0x48]
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   ff4748               | inc                 dword ptr [edi + 0x48]
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax

        $sequence_3 = { ff461c 8b55f8 89548804 8b55d4 66c704885d00 c644880300 89548808 }
            // n = 7, score = 400
            //   ff461c               | inc                 dword ptr [esi + 0x1c]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   89548804             | mov                 dword ptr [eax + ecx*4 + 4], edx
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   66c704885d00         | mov                 word ptr [eax + ecx*4], 0x5d
            //   c644880300           | mov                 byte ptr [eax + ecx*4 + 3], 0
            //   89548808             | mov                 dword ptr [eax + ecx*4 + 8], edx

        $sequence_4 = { 8bce e8???????? 837c242800 0f85e2000000 8b442418 8b480c f6412c20 }
            // n = 7, score = 400
            //   8bce                 | mov                 ecx, esi
            //   e8????????           | call                <rel32 wildcarded>
            //   837c242800           | cmp                 dword ptr [esp + 0x28], 0
            //   0f85e2000000         | jne                 0xe8
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   f6412c20             | test                byte ptr [ecx + 0x2c], 0x20

        $sequence_5 = { e8???????? 8b4df0 83c408 85c9 7421 8b7108 83ff01 }
            // n = 7, score = 400
            //   e8????????           | call                <rel32 wildcarded>
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   83c408               | add                 esp, 8
            //   85c9                 | test                ecx, ecx
            //   7421                 | je                  0x23
            //   8b7108               | mov                 esi, dword ptr [ecx + 8]
            //   83ff01               | cmp                 edi, 1

        $sequence_6 = { 8b8a00020000 0101 eb3e 3b9a0c010000 721e 3b9a10010000 7316 }
            // n = 7, score = 400
            //   8b8a00020000         | mov                 ecx, dword ptr [edx + 0x200]
            //   0101                 | add                 dword ptr [ecx], eax
            //   eb3e                 | jmp                 0x40
            //   3b9a0c010000         | cmp                 ebx, dword ptr [edx + 0x10c]
            //   721e                 | jb                  0x20
            //   3b9a10010000         | cmp                 ebx, dword ptr [edx + 0x110]
            //   7316                 | jae                 0x18

        $sequence_7 = { 8d04dd04000000 894df8 8b4df4 50 e8???????? 83c404 8945fc }
            // n = 7, score = 400
            //   8d04dd04000000       | lea                 eax, [ebx*8 + 4]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcarded>
            //   83c404               | add                 esp, 4
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_8 = { 730a 0fb6c0 8954811c fe4113 c681b800000000 c781c000000000000000 8b91d8000000 }
            // n = 7, score = 400
            //   730a                 | jae                 0xc
            //   0fb6c0               | movzx               eax, al
            //   8954811c             | mov                 dword ptr [ecx + eax*4 + 0x1c], edx
            //   fe4113               | inc                 byte ptr [ecx + 0x13]
            //   c681b800000000       | mov                 byte ptr [ecx + 0xb8], 0
            //   c781c000000000000000 | mov                 dword ptr [ecx + 0xc0], 0
            //   8b91d8000000         | mov                 edx, dword ptr [ecx + 0xd8]

        $sequence_9 = { e8???????? 8b45f8 c7473400000000 894738 5f 5e 5b }
            // n = 7, score = 400
            //   e8????????           | call                <rel32 wildcarded>
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c7473400000000       | mov                 dword ptr [edi + 0x34], 0
            //   894738               | mov                 dword ptr [edi + 0x38], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

    condition:
        // Fire when at least 7 of the 10 sequences are present, so a handful
        // of recompiled or patched functions does not defeat the rule, while
        // one or two coincidental matches in unrelated code do not trigger it.
        // The size cap (33816576 bytes = 0x2040000, about 32.25 MiB) keeps
        // the scan off very large files; revisit it if the family is later
        // seen embedded in larger containers or memory regions.
        7 of them and filesize < 33816576
}