win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018-01-01 | FireEye | FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
2016-05-26 | Symantec | Security Response
SWIFT attackers’ malware linked to more financial attacks
Contopee DYEPACK Sierra(Alfa,Bravo, ...) Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20260504 | Detects win.contopee.)
rule win_contopee_auto {
    // Auto-generated code-sequence signature for win.contopee (Contopee, aka
    // WHITEOUT). Matching is purely byte-pattern based: the rule carries no
    // PE-header, import or string checks, only ten short 32-bit x86
    // instruction sequences lifted from disassembly plus a file-size cap.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of instruction bytes. The "??"
        // wildcard bytes mask operands that differ between builds or load
        // addresses (the rel32 of e8/e9 call/jmp, the imm32 of 68 push, the
        // disp32 of ff15 indirect call), which is why the disassembly column
        // is left blank for those instructions. Every other byte, including
        // stack displacements such as [esp + 0x120], must match exactly.
        $sequence_0 = { 83c410 55 53 6a03 6a00 68???????? 51 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   55                   | push                ebp
            //   53                   | push                ebx
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   68????????           |                     
            //   51                   | push                ecx

        $sequence_1 = { ff5208 8b17 8b842420010000 8b0e 52 50 }
            // n = 6, score = 100
            //   ff5208               | call                dword ptr [edx + 8]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8b842420010000       | mov                 eax, dword ptr [esp + 0x120]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_2 = { 8d542410 51 52 8d842470040000 6a00 }
            // n = 5, score = 100
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8d842470040000       | lea                 eax, [esp + 0x470]
            //   6a00                 | push                0

        $sequence_3 = { 51 e8???????? e9???????? 56 8d542414 53 52 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   56                   | push                esi
            //   8d542414             | lea                 edx, [esp + 0x14]
            //   53                   | push                ebx
            //   52                   | push                edx

        // The two lea-by-5 steps followed by shl 3 scale a value by 5*5*8 = 200
        // (presumably an element stride; the surrounding code is not visible).
        $sequence_4 = { 8d0480 6a00 8d0c80 8a842428010000 c1e103 84c0 894c2410 }
            // n = 7, score = 100
            //   8d0480               | lea                 eax, [eax + eax*4]
            //   6a00                 | push                0
            //   8d0c80               | lea                 ecx, [eax + eax*4]
            //   8a842428010000       | mov                 al, byte ptr [esp + 0x128]
            //   c1e103               | shl                 ecx, 3
            //   84c0                 | test                al, al
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx

        // NOTE(review): unlike the other sequences, this one embeds a
        // hard-coded absolute address (0x10011394, bytes 94 13 01 10) rather
        // than wildcarding it. It therefore only matches while the image is
        // mapped at the base it was extracted from; in a relocated/rebased
        // mapping this sequence fails and the threshold below has to be met
        // by the remaining nine.
        $sequence_5 = { c1e807 33d2 8a9094130110 8bc2 66ff848688090000 8b869c160000 8b96a0160000 }
            // n = 7, score = 100
            //   c1e807               | shr                 eax, 7
            //   33d2                 | xor                 edx, edx
            //   8a9094130110         | mov                 dl, byte ptr [eax + 0x10011394]
            //   8bc2                 | mov                 eax, edx
            //   66ff848688090000     | inc                 word ptr [esi + eax*4 + 0x988]
            //   8b869c160000         | mov                 eax, dword ptr [esi + 0x169c]
            //   8b96a0160000         | mov                 edx, dword ptr [esi + 0x16a0]

        $sequence_6 = { 8b542420 8b442424 89542418 8944241c eb0a ff15???????? 89442410 }
            // n = 7, score = 100
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   eb0a                 | jmp                 0xc
            //   ff15????????         |                     
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        // Shortest pattern in the set (4 instructions); on its own it is a weak
        // indicator, which is why the condition requires several sequences.
        $sequence_7 = { 6a00 ff15???????? 8d85f8feffff 6883000000 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6883000000           | push                0x83

        $sequence_8 = { 8d4c2424 50 53 53 51 ff15???????? 83c410 }
            // n = 7, score = 100
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10

        $sequence_9 = { 8b9c2428020000 6685db 0f84b7000000 6a06 6a01 }
            // n = 5, score = 100
            //   8b9c2428020000       | mov                 ebx, dword ptr [esp + 0x228]
            //   6685db               | test                bx, bx
            //   0f84b7000000         | je                  0xbd
            //   6a06                 | push                6
            //   6a01                 | push                1

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object
        // must be smaller than 180224 bytes (0x2C000, 176 KiB).
        // NOTE(review): filesize is only defined when scanning files; on
        // process-memory scans this conjunction is expected to evaluate false
        // regardless of sequence hits, even though the disclaimer says the
        // patterns came partly from memory dumps. Confirm against the YARA
        // version in use before relying on this rule for memory scanning.
        7 of them and filesize < 180224
}