win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 — FireEye — FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 — Symantec — Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
2016-05-26 — Symantec — Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20230407 | Detects win.contopee.)
rule win_contopee_auto {

    // Purpose: auto-generated (YARA-Signator) code-sequence rule for the
    // win.contopee backdoor (listed above as Lazarus Group, aka WHITEOUT).
    // It carries ten short x86 instruction sequences ($sequence_0..9) and
    // fires when at least seven of them are present in a file smaller than
    // 180224 bytes (176 KiB) -- see the condition at the bottom.
    //
    // Coverage caveats for anyone tuning confidence:
    //  - The sequences were lifted from memory dumps / unpacked files (see the
    //    disclaimer below), so packed on-disk samples are not expected to match.
    //  - `filesize` is only defined when scanning files; in process-memory scans
    //    it is undefined and the whole condition evaluates to false, so this
    //    rule does not fire on live memory. Drop or adapt that clause for memory
    //    scanning use cases.
    //  - The register names in the annotations (esp, esi, edi, ...) show the
    //    sequences target 32-bit x86 code.
    //  - The disclaimer notes that only single samples per family are used, so
    //    generalisation across variants is uncertain.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: per the name, call/jump targets and data
        // references are wildcarded and the rest matched by raw byte value
        // (the `??` bytes in the sequences below line up with the operands
        // whose disassembly column is left empty).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a hex pattern of consecutive instructions; the
        // annotation gives the instruction count (n) and the generator's score.
        // `????????` masks a 4-byte operand (call/jump target or data address)
        // that varies between builds and load addresses.
        $sequence_0 = { 746f 8b3d???????? 6683bc24400200002e 7442 }
            // n = 4, score = 100
            //   746f                 | je                  0x71
            //   8b3d????????         |                     
            //   6683bc24400200002e     | cmp    word ptr [esp + 0x240], 0x2e
            //   7442                 | je                  0x44

        $sequence_1 = { 56 8d4c2414 53 51 e8???????? eb7c 56 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   eb7c                 | jmp                 0x7e
            //   56                   | push                esi

        $sequence_2 = { 0f8dd2000000 53 53 53 55 ff15???????? 8a443418 }
            // n = 7, score = 100
            //   0f8dd2000000         | jge                 0xd8
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   8a443418             | mov                 al, byte ptr [esp + esi + 0x18]

        $sequence_3 = { 8d7c242a 6689742428 f3ab 8d8c2430020000 89742410 51 }
            // n = 6, score = 100
            //   8d7c242a             | lea                 edi, [esp + 0x2a]
            //   6689742428           | mov                 word ptr [esp + 0x28], si
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d8c2430020000       | lea                 ecx, [esp + 0x230]
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   51                   | push                ecx

        $sequence_4 = { 53 ff15???????? 8b54242c 52 ff15???????? 8b4610 33ff }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   33ff                 | xor                 edi, edi

        $sequence_5 = { 3bcb 770a c744241801000000 eb40 6a00 6a00 }
            // n = 6, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   770a                 | ja                  0xc
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   eb40                 | jmp                 0x42
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { 33c0 5f 5e 5b 81c404010000 c3 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   81c404010000         | add                 esp, 0x104
            //   c3                   | ret                 

        $sequence_7 = { 8d8c2450020000 6804010000 51 6802100000 }
            // n = 4, score = 100
            //   8d8c2450020000       | lea                 ecx, [esp + 0x250]
            //   6804010000           | push                0x104
            //   51                   | push                ecx
            //   6802100000           | push                0x1002

        $sequence_8 = { 68???????? 51 ff15???????? 8b84243c020000 8d542428 52 50 }
            // n = 7, score = 100
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b84243c020000       | mov                 eax, dword ptr [esp + 0x23c]
            //   8d542428             | lea                 edx, [esp + 0x28]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_9 = { e8???????? 89442408 8b44242c 50 8d4c240c 6a18 51 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   50                   | push                eax
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   6a18                 | push                0x18
            //   51                   | push                ecx

    condition:
        // 7 of the 10 sequences must match, and the scanned object must be a
        // file under 180224 bytes (undefined `filesize` in memory scans makes
        // this false, see the header note).
        7 of them and filesize < 180224
}