win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
2016-05-26 | Symantec | Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2023-08-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee DYEPACK Sierra(Alfa,Bravo, ...) Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20230715 | Detects win.contopee.)
rule win_contopee_auto {
    /*
     * Purpose: detect the Malpedia family win.contopee (Contopee, aka WHITEOUT).
     * This rule is machine-generated (yara-signator, see meta/tool below): every
     * $sequence_N under strings: is a short run of raw x86 opcode bytes taken from
     * the disassembly of analysed samples, and the condition requires a subset of
     * them plus an upper bound on input size. Treat it as a code-pattern signature,
     * not a behavioural one: a repacked or recompiled build of the same family may
     * not match, and the register names in the disassembly comments (esp, ebp,
     * ebx, ...) show the patterns were lifted from 32-bit code. Confirm any hit
     * against the family's reference material before acting on it.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex byte string. The "??" wildcards in $sequence_0
     * and $sequence_5 mask the 4-byte operand following an ff15 opcode,
     * presumably an absolute indirect call whose address differs between builds
     * and so must not be matched literally. The "n = X, score = 100" lines are
     * the generator's own annotations (instruction count and, presumably, a
     * selection score), not YARA syntax; the disassembly listings beside each
     * byte are there for analyst readability only. */
    strings:
        $sequence_0 = { 55 8bac2428020000 55 6a01 ff15???????? 8bd8 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   8bac2428020000       | mov                 ebp, dword ptr [esp + 0x228]
            //   55                   | push                ebp
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_1 = { 8b1c9530ea0010 8b56f8 33c3 8b1c8d30f60010 33c3 33c9 33c2 }
            // n = 7, score = 100
            //   8b1c9530ea0010       | mov                 ebx, dword ptr [edx*4 + 0x1000ea30]
            //   8b56f8               | mov                 edx, dword ptr [esi - 8]
            //   33c3                 | xor                 eax, ebx
            //   8b1c8d30f60010       | mov                 ebx, dword ptr [ecx*4 + 0x1000f630]
            //   33c3                 | xor                 eax, ebx
            //   33c9                 | xor                 ecx, ecx
            //   33c2                 | xor                 eax, edx

        $sequence_2 = { 8ac1 b2f3 fec0 f6ea 343d }
            // n = 5, score = 100
            //   8ac1                 | mov                 al, cl
            //   b2f3                 | mov                 dl, 0xf3
            //   fec0                 | inc                 al
            //   f6ea                 | imul                dl
            //   343d                 | xor                 al, 0x3d

        $sequence_3 = { 8b4c2410 33ff 33f6 3bc3 }
            // n = 4, score = 100
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   33ff                 | xor                 edi, edi
            //   33f6                 | xor                 esi, esi
            //   3bc3                 | cmp                 eax, ebx

        $sequence_4 = { 8b442418 85c0 740c 83ffff 7407 57 }
            // n = 6, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   83ffff               | cmp                 edi, -1
            //   7407                 | je                  9
            //   57                   | push                edi

        $sequence_5 = { 6880020000 6a40 c744241000000000 c744240c80020000 ff15???????? 8bd8 }
            // n = 6, score = 100
            //   6880020000           | push                0x280
            //   6a40                 | push                0x40
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c80020000     | mov                 dword ptr [esp + 0xc], 0x280
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_6 = { 895610 ffd5 8d942478020000 56 52 }
            // n = 5, score = 100
            //   895610               | mov                 dword ptr [esi + 0x10], edx
            //   ffd5                 | call                ebp
            //   8d942478020000       | lea                 edx, [esp + 0x278]
            //   56                   | push                esi
            //   52                   | push                edx

        $sequence_7 = { 85ff 760d 6a00 6a00 }
            // n = 4, score = 100
            //   85ff                 | test                edi, edi
            //   760d                 | jbe                 0xf
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 51 8d5308 6aff 52 6a00 6a00 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8d5308               | lea                 edx, [ebx + 8]
            //   6aff                 | push                -1
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_9 = { 13d5 894620 895624 8d542440 52 }
            // n = 5, score = 100
            //   13d5                 | adc                 edx, ebp
            //   894620               | mov                 dword ptr [esi + 0x20], eax
            //   895624               | mov                 dword ptr [esi + 0x24], edx
            //   8d542440             | lea                 edx, [esp + 0x40]
            //   52                   | push                edx

    /* A match needs at least 7 of the 10 $sequence_* strings AND an input
     * smaller than 180224 bytes (176 KiB). The size bound is a hard gate: a
     * larger object is rejected regardless of how many sequences it contains,
     * so a sample padded or bundled beyond that size will not fire this rule.
     * NOTE(review): the sequences were taken from unpacked code and memory
     * dumps (see DISCLAIMER), so packed on-disk samples are unlikely to match;
     * confirm how filesize behaves for your scan target (file vs. process
     * memory) before relying on this rule outside file scanning. */
    condition:
        7 of them and filesize < 180224
}