win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 | Symantec | Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_contopee_auto {
    // Code-sequence signature for Contopee (listed as "WHITEOUT" on the Malpedia
    // page), generated by YARA-Signator from disassembly of Malpedia samples.
    // Each $sequence_N is a short run of x86 instruction bytes; '??' masks the
    // operand bytes (call / absolute-load targets) that differ between builds
    // or after relocation, so only the opcode skeleton has to match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Every sequence below carries score = 100, i.e. the generator found
        // it in the Contopee sample(s) and in no other family of its corpus.
        $sequence_0 = { 83c004 6a1e 8d4c2434 50 51 }
            // n = 5, score = 100
            //   83c004               | add                 eax, 4
            //   6a1e                 | push                0x1e
            //   8d4c2434             | lea                 ecx, [esp + 0x34]
            //   50                   | push                eax
            //   51                   | push                ecx

        // The 16-bit compare against 0x2e ('.') is consistent with a wide-char
        // string being scanned for a dot; the surrounding logic is not visible
        // in this fragment, so treat that reading as unconfirmed.
        $sequence_1 = { c3 56 8bb424f4040000 66837c24402e 7470 }
            // n = 5, score = 100
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bb424f4040000       | mov                 esi, dword ptr [esp + 0x4f4]
            //   66837c24402e         | cmp                 word ptr [esp + 0x40], 0x2e
            //   7470                 | je                  0x72

        $sequence_2 = { 8b74242c 89442404 8d4241 894c2408 6689442404 668906 8d442404 }
            // n = 7, score = 100
            //   8b74242c             | mov                 esi, dword ptr [esp + 0x2c]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d4241               | lea                 eax, [edx + 0x41]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   6689442404           | mov                 word ptr [esp + 4], ax
            //   668906               | mov                 word ptr [esi], ax
            //   8d442404             | lea                 eax, [esp + 4]

        // Copies two dwords from a large structure ([ebx + 0x278], [ebx + 0x27c])
        // into a local frame; the structure layout is specific to this build.
        $sequence_3 = { 894d54 8b9378020000 895578 8b837c020000 89457c 83c9ff 33c0 }
            // n = 7, score = 100
            //   894d54               | mov                 dword ptr [ebp + 0x54], ecx
            //   8b9378020000         | mov                 edx, dword ptr [ebx + 0x278]
            //   895578               | mov                 dword ptr [ebp + 0x78], edx
            //   8b837c020000         | mov                 eax, dword ptr [ebx + 0x27c]
            //   89457c               | mov                 dword ptr [ebp + 0x7c], eax
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax

        // Stores the 16-bit values 0x67 'g', 0x2e '.', 0x6e 'n', 0 one at a
        // time on the stack — consistent with a UTF-16 string being assembled
        // in place rather than stored as a plain literal. The full string is
        // not recoverable from this fragment. The call target (e8 ????????)
        // is wildcarded.
        $sequence_4 = { 66c74424126700 66c74424142e00 66c74424186e00 66c744241c0000 66ab e8???????? 6803800000 }
            // n = 7, score = 100
            //   66c74424126700       | mov                 word ptr [esp + 0x12], 0x67
            //   66c74424142e00       | mov                 word ptr [esp + 0x14], 0x2e
            //   66c74424186e00       | mov                 word ptr [esp + 0x18], 0x6e
            //   66c744241c0000       | mov                 word ptr [esp + 0x1c], 0
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   e8????????           |                     
            //   6803800000           | push                0x8003

        // NOTE: the last instruction embeds the absolute table address
        // 0x1000ea30 from the sampled image (not wildcarded), so this sequence
        // is tied to that image base / build. The and-0xff / xor / shr-8 /
        // table-lookup shape looks like a byte-wise table-driven checksum step
        // — plausible but unconfirmed from this fragment alone.
        $sequence_5 = { 81e2ff000000 33d3 c1e808 8b149530ea0010 }
            // n = 4, score = 100
            //   81e2ff000000         | and                 edx, 0xff
            //   33d3                 | xor                 edx, ebx
            //   c1e808               | shr                 eax, 8
            //   8b149530ea0010       | mov                 edx, dword ptr [edx*4 + 0x1000ea30]

        // NOTE: also embeds an absolute data address (0x10010d88) from the
        // sampled image; expect this sequence, like $sequence_5, to miss on
        // rebuilt or differently-relocated samples.
        $sequence_6 = { 83c420 b812000000 33d2 8a90880d0110 6683bc967e0a000000 }
            // n = 5, score = 100
            //   83c420               | add                 esp, 0x20
            //   b812000000           | mov                 eax, 0x12
            //   33d2                 | xor                 edx, edx
            //   8a90880d0110         | mov                 dl, byte ptr [eax + 0x10010d88]
            //   6683bc967e0a000000     | cmp    word ptr [esi + edx*4 + 0xa7e], 0

        // Both absolute-address loads (a0 ???????? and e8 ????????) are
        // wildcarded; only the test/branch skeleton between them must match.
        $sequence_7 = { a0???????? 84c0 755b 85db 7457 e8???????? }
            // n = 6, score = 100
            //   a0????????           |                     
            //   84c0                 | test                al, al
            //   755b                 | jne                 0x5d
            //   85db                 | test                ebx, ebx
            //   7457                 | je                  0x59
            //   e8????????           |                     

        // Error-path epilogue: on eax == 0 the function returns -1 and unwinds
        // a 0x210-byte stack frame.
        $sequence_8 = { 85c0 740b 83c8ff 5e 81c410020000 c3 57 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   83c8ff               | or                  eax, 0xffffffff
            //   5e                   | pop                 esi
            //   81c410020000         | add                 esp, 0x210
            //   c3                   | ret                 
            //   57                   | push                edi

        // Epilogue that returns (edx != -1) as a boolean in al.
        $sequence_9 = { 33c0 83faff 5f 0f95c0 5e 5d }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   83faff               | cmp                 edx, -1
            //   5f                   | pop                 edi
            //   0f95c0               | setne               al
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

    condition:
        // 7 of the 10 sequences must be present, which tolerates the loss of
        // the build-specific ones ($sequence_5, $sequence_6). 180224 bytes is
        // exactly 176 KiB; the bound applies to the object actually scanned,
        // so a memory dump or unpacked image larger than that will not match
        // even if all sequences are present — adjust it if scanning dumps.
        7 of them and filesize < 180224
}