win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against the SMB protocol, gaining access to a victim's networks.

References
2020-02-26 · MetaSwan's Lab · MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-26 · MetaSwan's Lab · MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 2
Brambul
2020-02-19 · Lexfo · Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01 · Secureworks · SecureWorks
NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13 · Acalvio · Team Acalvio
Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29 · US-CERT · US-CERT
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29 · US-CERT · US-CERT
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2015-10-26 · Symantec · A L Johnson
Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20260504 | Detects win.brambul.)
rule win_brambul_auto {

    // Auto-generated code-pattern signature for the Brambul SMB worm (Malpedia family
    // win.brambul). The rule carries 16 hex patterns ($sequence_0 .. $sequence_15), each a
    // short run of x86 instruction bytes lifted from disassembly; the condition at the
    // bottom says how many of them must be present for a hit.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Reading the per-pattern annotations below: "n" is the number of instructions in the
    // sequence and "score" is the ranking value yara-signator assigned to it (its exact
    // meaning is defined by the generator, not by this rule). Bytes written as ????????
    // are YARA wildcards matching any value; they stand in for the 4-byte operand of the
    // preceding opcode (call / push / mov with an immediate address), which is why the
    // disassembly column is left blank on those lines — presumably the operand is an
    // address that differs between builds and load addresses, so it is not pinned.
    strings:
        $sequence_0 = { 730d 8d8d887fffff 2bc1 48 }
            // n = 4, score = 100
            //   730d                 | jae                 0xf
            //   8d8d887fffff         | lea                 ecx, [ebp - 0x8078]
            //   2bc1                 | sub                 eax, ecx
            //   48                   | dec                 eax

        $sequence_1 = { 83c40c 83f8ff 0f840d020000 a0???????? 3c34 7404 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   83f8ff               | cmp                 eax, -1
            //   0f840d020000         | je                  0x213
            //   a0????????           |                     
            //   3c34                 | cmp                 al, 0x34
            //   7404                 | je                  6

        $sequence_2 = { 68???????? 55 e8???????? 83c40c 83f8ff 0f8488010000 6800040000 }
            // n = 7, score = 100
            //   68????????           |                     
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   83f8ff               | cmp                 eax, -1
            //   0f8488010000         | je                  0x18e
            //   6800040000           | push                0x400

        $sequence_3 = { 8bd7 33d1 035054 8d9c13f87ca21f 8bd3 c1ea10 }
            // n = 6, score = 100
            //   8bd7                 | mov                 edx, edi
            //   33d1                 | xor                 edx, ecx
            //   035054               | add                 edx, dword ptr [eax + 0x54]
            //   8d9c13f87ca21f       | lea                 ebx, [ebx + edx + 0x1fa27cf8]
            //   8bd3                 | mov                 edx, ebx
            //   c1ea10               | shr                 edx, 0x10

        $sequence_4 = { 894d08 85c9 0fb64a01 0f8429010000 d3ee }
            // n = 5, score = 100
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   85c9                 | test                ecx, ecx
            //   0fb64a01             | movzx               ecx, byte ptr [edx + 1]
            //   0f8429010000         | je                  0x12f
            //   d3ee                 | shr                 esi, cl

        $sequence_5 = { 8bb4247c010000 b980000000 8d5624 c6460873 8bfa f3ab }
            // n = 6, score = 100
            //   8bb4247c010000       | mov                 esi, dword ptr [esp + 0x17c]
            //   b980000000           | mov                 ecx, 0x80
            //   8d5624               | lea                 edx, [esi + 0x24]
            //   c6460873             | mov                 byte ptr [esi + 8], 0x73
            //   8bfa                 | mov                 edi, edx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_6 = { 8dbc37604bbbf6 8bf7 c1ee10 c1e710 0bf7 }
            // n = 5, score = 100
            //   8dbc37604bbbf6       | lea                 edi, [edi + esi - 0x944b4a0]
            //   8bf7                 | mov                 esi, edi
            //   c1ee10               | shr                 esi, 0x10
            //   c1e710               | shl                 edi, 0x10
            //   0bf7                 | or                  esi, edi

        $sequence_7 = { 33c9 8a4e01 8bf9 8d5703 }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8a4e01               | mov                 cl, byte ptr [esi + 1]
            //   8bf9                 | mov                 edi, ecx
            //   8d5703               | lea                 edx, [edi + 3]

        $sequence_8 = { 8d942474010000 57 52 8bf0 ff15???????? }
            // n = 5, score = 100
            //   8d942474010000       | lea                 edx, [esp + 0x174]
            //   57                   | push                edi
            //   52                   | push                edx
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     

        $sequence_9 = { 56 57 ff15???????? 8b7c2420 8b5c241c }
            // n = 5, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b7c2420             | mov                 edi, dword ptr [esp + 0x20]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]

        $sequence_10 = { 8d95887fffff 8dbd887fffff 3bd0 730d }
            // n = 4, score = 100
            //   8d95887fffff         | lea                 edx, [ebp - 0x8078]
            //   8dbd887fffff         | lea                 edi, [ebp - 0x8078]
            //   3bd0                 | cmp                 edx, eax
            //   730d                 | jae                 0xf

        $sequence_11 = { 2bdf 2bcb 395df8 7612 295df8 8a11 }
            // n = 6, score = 100
            //   2bdf                 | sub                 ebx, edi
            //   2bcb                 | sub                 ecx, ebx
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   7612                 | jbe                 0x14
            //   295df8               | sub                 dword ptr [ebp - 8], ebx
            //   8a11                 | mov                 dl, byte ptr [ecx]

        $sequence_12 = { 66898dc0f5ffff 8d8dc4fdffff 8955dc 8945e0 51 8d9598e3ffff 68???????? }
            // n = 7, score = 100
            //   66898dc0f5ffff       | mov                 word ptr [ebp - 0xa40], cx
            //   8d8dc4fdffff         | lea                 ecx, [ebp - 0x23c]
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   51                   | push                ecx
            //   8d9598e3ffff         | lea                 edx, [ebp - 0x1c68]
            //   68????????           |                     

        $sequence_13 = { 8d85887fffff 2bd0 8955fc 837dfc00 }
            // n = 4, score = 100
            //   8d85887fffff         | lea                 eax, [ebp - 0x8078]
            //   2bd0                 | sub                 edx, eax
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0

        $sequence_14 = { 8d542464 c744246400020000 52 f3a5 e8???????? }
            // n = 5, score = 100
            //   8d542464             | lea                 edx, [esp + 0x64]
            //   c744246400020000     | mov                 dword ptr [esp + 0x64], 0x200
            //   52                   | push                edx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     

        $sequence_15 = { 8b442424 8b4c2428 8d9d28030000 6804010000 53 }
            // n = 5, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8d9d28030000         | lea                 ebx, [ebp + 0x328]
            //   6804010000           | push                0x104
            //   53                   | push                ebx

    // A hit needs at least 7 of the 16 sequences and a scanned size below 188416 bytes
    // (184 KiB). Two operational caveats: the patterns were selected from unpacked files
    // and memory dumps (see DISCLAIMER), so a packed on-disk sample may not reach the
    // threshold; and YARA leaves `filesize` undefined when scanning a running process,
    // which makes this condition evaluate false there — apply the rule to files or dumps.
    condition:
        7 of them and filesize < 188416
}