win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye describes this malware as a proxy-aware backdoor that communicates over a custom encrypted binary protocol. It may store optional configuration data in the registry. The backdoor has been observed to support 26 commands, including directory traversal, file-system manipulation, archiving and transmitting data, and command execution.

References
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 | Symantec | Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20211008 | Detects win.contopee.)
rule win_contopee_auto {

    /* Reviewer notes (added):
     * - Scope: 32-bit x86 code only. Every sequence below uses 32-bit registers and
     *   esp-relative stack addressing; a 64-bit build, if one exists, would not match.
     * - The ???????? wildcards mask the absolute operands of indirect calls (ff15),
     *   relative calls (e8) and data references (8b35) -- the bytes that change between
     *   builds or relocations -- while the surrounding opcode bytes stay fixed
     *   (see signator_config "callsandjumps;datarefs").
     * - The rule was derived from unpacked / memory-dumped samples (see DISCLAIMER),
     *   so it is not expected to hit a packed or encrypted on-disk dropper; use it on
     *   unpacked files or memory dumps.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten short code sequences; the disassembly under each one is informational
        // only (comments) and is not part of the pattern. Lines with a blank
        // disassembly column are the wildcarded call / data-reference instructions.
        $sequence_0 = { 5e 83c408 c3 8b4c2408 85c9 7613 8b542404 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   83c408               | add                 esp, 8
            //   c3                   | ret                 
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c9                 | test                ecx, ecx
            //   7613                 | jbe                 0x15
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_1 = { 57 8bf0 ff15???????? 8b94244c020000 52 56 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   8b94244c020000       | mov                 edx, dword ptr [esp + 0x24c]
            //   52                   | push                edx
            //   56                   | push                esi

        $sequence_2 = { 8b35???????? 6683bc24440200002e 7438 f684241802000010 752e 8d8c2444020000 }
            // n = 6, score = 100
            //   8b35????????         |                     
            //   6683bc24440200002e     | cmp    word ptr [esp + 0x244], 0x2e
            //   7438                 | je                  0x3a
            //   f684241802000010     | test                byte ptr [esp + 0x218], 0x10
            //   752e                 | jne                 0x30
            //   8d8c2444020000       | lea                 ecx, dword ptr [esp + 0x244]

        $sequence_3 = { 51 6a40 ff15???????? 85c0 89442414 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_4 = { 8b8c24581d0000 8d54240c 51 68401d0000 52 }
            // n = 5, score = 100
            //   8b8c24581d0000       | mov                 ecx, dword ptr [esp + 0x1d58]
            //   8d54240c             | lea                 edx, dword ptr [esp + 0xc]
            //   51                   | push                ecx
            //   68401d0000           | push                0x1d40
            //   52                   | push                edx

        $sequence_5 = { 663dffff 750a 8b4d00 c6817a06000000 8b4500 }
            // n = 5, score = 100
            //   663dffff             | cmp                 ax, 0xffff
            //   750a                 | jne                 0xc
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   c6817a06000000       | mov                 byte ptr [ecx + 0x67a], 0
            //   8b4500               | mov                 eax, dword ptr [ebp]

        $sequence_6 = { 85c0 74c1 3bc7 7202 8bc7 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   74c1                 | je                  0xffffffc3
            //   3bc7                 | cmp                 eax, edi
            //   7202                 | jb                  4
            //   8bc7                 | mov                 eax, edi

        $sequence_7 = { 7419 8b4c2408 8908 8b44240c }
            // n = 4, score = 100
            //   7419                 | je                  0x1b
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]

        $sequence_8 = { 6800080000 51 56 e8???????? 6a14 6a01 56 }
            // n = 7, score = 100
            //   6800080000           | push                0x800
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   6a14                 | push                0x14
            //   6a01                 | push                1
            //   56                   | push                esi

        $sequence_9 = { 8b963c040000 53 6a00 6a00 52 50 ffd1 }
            // n = 7, score = 100
            //   8b963c040000         | mov                 edx, dword ptr [esi + 0x43c]
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd1                 | call                ecx

    condition:
        // Match when at least 7 of the 10 sequences are present (tolerates some
        // recompilation / code churn) AND the scanned object is smaller than
        // 180224 bytes (176 KiB). Two practitioner caveats on the size clause:
        //  - per the YARA documentation `filesize` is undefined when scanning
        //    process memory, which makes the whole `and` evaluate false, so drop
        //    the filesize term when running this rule against live processes;
        //  - the bound also excludes larger containers (installers, dumps with
        //    appended overlays) that embed an otherwise-matching payload.
        7 of them and filesize < 180224
}