win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 — FireEye — FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 — Symantec — Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 — Symantec — Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_contopee_auto {
    // Autogenerated yara-signator rule for the Contopee (aka WHITEOUT) Windows
    // backdoor attributed to Lazarus Group. It matches ten short 32-bit x86
    // opcode sequences lifted from disassembly; read the DISCLAIMER below for
    // how narrowly the generating sample set bounds its coverage.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // "callsandjumps" means call/jump operands are wildcarded in the
        // byte patterns below; "datarefs" and "binvalue" are further
        // generator options (semantics documented in the yara-signator repo).
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcodes; the per-line annotations
        // give the instruction each byte group decodes to. "????????" masks
        // a 4-byte call operand (ff15 = call dword ptr [imm32], e8 = relative
        // call) that changes with image base, layout or relocation, which is
        // why the annotation column is blank for those lines. In the
        // "n = X, score = Y" lines, n is the instruction count of the sequence
        // and score is presumably the generator's own ranking metric, not a
        // YARA weight.
        $sequence_0 = { ff15???????? 8bf8 8b84247c060000 50 57 e8???????? 83c408 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8b84247c060000       | mov                 eax, dword ptr [esp + 0x67c]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_1 = { 0f85b1000000 8bf3 8b4c2414 6a00 }
            // n = 4, score = 100
            //   0f85b1000000         | jne                 0xb7
            //   8bf3                 | mov                 esi, ebx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   6a00                 | push                0

        $sequence_2 = { c3 6a00 50 ff15???????? 85c0 7508 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa

        $sequence_3 = { 5f 5e 83c454 c3 ff15???????? 5f 5e }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   83c454               | add                 esp, 0x54
            //   c3                   | ret                 
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 741a 6a01 6a00 6a0a 55 e8???????? }
            // n = 6, score = 100
            //   741a                 | je                  0x1c
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a0a                 | push                0xa
            //   55                   | push                ebp
            //   e8????????           |                     

        $sequence_5 = { 8d942418020000 52 55 ff15???????? }
            // n = 4, score = 100
            //   8d942418020000       | lea                 edx, [esp + 0x218]
            //   52                   | push                edx
            //   55                   | push                ebp
            //   ff15????????         |                     

        $sequence_6 = { 33c0 5f 5e 5b 81c404010000 c3 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   81c404010000         | add                 esp, 0x104
            //   c3                   | ret                 

        $sequence_7 = { 6a00 55 56 e8???????? 83c410 85c0 7ede }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   55                   | push                ebp
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7ede                 | jle                 0xffffffe0

        $sequence_8 = { ffd6 8d8c247c040000 6a03 51 e8???????? }
            // n = 5, score = 100
            //   ffd6                 | call                esi
            //   8d8c247c040000       | lea                 ecx, [esp + 0x47c]
            //   6a03                 | push                3
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 6a00 51 ff15???????? 8b54240c 57 52 ff15???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   57                   | push                edi
            //   52                   | push                edx
            //   ff15????????         |                     

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 180224 bytes (176 KiB). The size cap is
        // sized to the unpacked sample(s) the rule was generated from, so a
        // larger or re-packed build of the same code would not match; the
        // sequences themselves are taken from unpacked code (see DISCLAIMER),
        // so scanning packed files on disk is also expected to miss.
        7 of them and filesize < 180224
}